From 941ac459ce52af15caddcfafce3cf611138600ce Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Wed, 4 Jun 2003 20:31:53 +1000 Subject: - (djm) OpenBSD CVS Sync - djm@cvs.openbsd.org 2003/06/04 08:25:18 [sshconnect.c] disable challenge/response and keyboard-interactive auth methods upon hostkey mismatch. based on patch from fcusack AT fcusack.com. bz #580; ok markus@ --- ChangeLog | 8 +++++++- sshconnect.c | 15 +++++++++++++-- 2 files changed, 20 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index ee5624fec..70e2bb77f 100644 --- a/ChangeLog +++ b/ChangeLog @@ -5,6 +5,12 @@ Patch from larsch@trustcenter.de; ok markus@ - (djm) Bug #584: scard-opensc.c doesn't work without PIN. Patch from larsch@trustcenter.de; ok markus@ + - (djm) OpenBSD CVS Sync + - djm@cvs.openbsd.org 2003/06/04 08:25:18 + [sshconnect.c] + disable challenge/response and keyboard-interactive auth methods + upon hostkey mismatch. based on patch from fcusack AT fcusack.com. + bz #580; ok markus@ 20030603 - (djm) Replace setproctitle replacement with code derived from @@ -433,4 +439,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.2773 2003/06/04 09:22:06 djm Exp $ +$Id: ChangeLog,v 1.2774 2003/06/04 10:31:53 djm Exp $ diff --git a/sshconnect.c b/sshconnect.c index 0ff4b2bcc..b8a77a2a3 100644 --- a/sshconnect.c +++ b/sshconnect.c @@ -13,7 +13,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: sshconnect.c,v 1.143 2003/05/26 12:54:40 djm Exp $"); +RCSID("$OpenBSD: sshconnect.c,v 1.144 2003/06/04 08:25:18 djm Exp $"); #include @@ -796,7 +796,7 @@ check_host_key(char *host, struct sockaddr *hostaddr, Key *host_key, /* * If strict host key checking has not been requested, allow - * the connection but without password authentication or + * the connection but without MITM-able authentication or * agent forwarding. */ if (options.password_authentication) { 
@@ -804,6 +804,17 @@ check_host_key(char *host, struct sockaddr *hostaddr, Key *host_key,
 		    "man-in-the-middle attacks.");
 		options.password_authentication = 0;
 	}
+	if (options.kbd_interactive_authentication) {
+		error("Keyboard-interactive authentication is disabled"
+		    " to avoid man-in-the-middle attacks.");
+		options.kbd_interactive_authentication = 0;
+		options.challenge_response_authentication = 0;
+	}
+	if (options.challenge_response_authentication) {
+		error("Challenge/response authentication is disabled"
+		    " to avoid man-in-the-middle attacks.");
+		options.challenge_response_authentication = 0;
+	}
 	if (options.forward_agent) {
 		error("Agent forwarding is disabled to avoid "
 		    "man-in-the-middle attacks.");
-- 
cgit v1.2.3
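Review bot: The new checks still leave X11 forwarding and TCP port forwarding enabled after a host key mismatch under non-strict checking, and an interposed peer can abuse those just as readily as agent forwarding, so I would disable them alongside the authentication methods here — e.g. `options.forward_x11 = 0;` and `options.num_local_forwards = options.num_remote_forwards = 0;` each with a matching `error(... "disabled to avoid man-in-the-middle attacks.")` line, assuming those client options are in scope in this tree. Note also that the `kbd_interactive_authentication` branch already clears `challenge_response_authentication`, so the second `if` can never fire when both were enabled and the user then sees only the keyboard-interactive message; if that is deliberate because SSH2 challenge/response is carried over keyboard-interactive, a one-line comment such as `/* ssh2 challenge/response rides on kbd-interactive, so both go together */` would stop the second block from reading as dead code. check_host_key begins and ends outside this hunk.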