From 19439e9a2a0ac0b4b3b1210e89695418beb1c883 Mon Sep 17 00:00:00 2001
From: Damien Miller
Date: Wed, 2 Jul 2014 15:28:40 +1000
Subject: - djm@cvs.openbsd.org 2014/06/24 02:19:48 [ssh.c] don't fatal() when hostname canonicalisation fails with a ProxyCommand in use; continue and allow the ProxyCommand to connect anyway (e.g. to a host with a name outside the DNS behind a bastion)
---
 ChangeLog | 6 ++++++
 ssh.c | 14 +++++++++-----
 2 files changed, 15 insertions(+), 5 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index e821f6de2..95b4895d5 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -44,6 +44,12 @@ Dempsky and Ron Bowes for a detailed review a few months ago. NB. This commit also removes portable OpenSSH support for OpenSSL <0.9.8e.
+ - djm@cvs.openbsd.org 2014/06/24 02:19:48
+ [ssh.c]
+ don't fatal() when hostname canonicalisation fails with a
+ ProxyCommand in use; continue and allow the ProxyCommand to
+ connect anyway (e.g. to a host with a name outside the DNS
+ behind a bastion)
 20140618 - (tim) [openssh/session.c] Work around to get chroot sftp working on UnixWare
diff --git a/ssh.c b/ssh.c
index d369b68e9..35fc7ddf9 100644
--- a/ssh.c
+++ b/ssh.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh.c,v 1.402 2014/04/29 18:01:49 markus Exp $ */
+/* $OpenBSD: ssh.c,v 1.403 2014/06/24 02:19:48 djm Exp $ */
 /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland
@@ -930,10 +930,14 @@ main(int ac, char **av)
 if (addrs == NULL && options.num_permitted_cnames != 0 && (option_clear_or_none(options.proxy_command) || options.canonicalize_hostname == SSH_CANONICALISE_ALWAYS)) {
- if ((addrs = resolve_host(host, options.port, 1,
- cname, sizeof(cname))) == NULL)
- cleanup_exit(255); /* resolve_host logs the error */
- check_follow_cname(&host, cname);
+ if ((addrs = resolve_host(host, options.port,
+ option_clear_or_none(options.proxy_command),
+ cname, sizeof(cname))) == NULL) {
+ /* Don't fatal proxied host names not in the DNS */
+ if (option_clear_or_none(options.proxy_command))
+ cleanup_exit(255); /* logged in resolve_host */
+ } else
+ check_follow_cname(&host, cname);
 } /*
-- cgit v1.2.3
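Review bot: In the new failure branch, when a ProxyCommand is set the code falls through with `addrs` still NULL and `host` exactly as the user typed it, and nothing on the visible lines records that canonicalisation was skipped. With a proxy configured this block is entered only under `SSH_CANONICALISE_ALWAYS`, so a user who explicitly asked for canonical names may, presumably, end up with later host-key and configuration lookups keyed on the unqualified name. Unless resolve_host already reports the failure when its third argument is 0 (not visible here), I would add a line after the inner check, e.g. `debug("canonicalisation of %s failed; passing the name to ProxyCommand unchanged", host);`, and extend the comment to say that `addrs` stays NULL on this path. main() continues outside the hunk, so whether the code that follows copes with a NULL `addrs` cannot be confirmed from here.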