*/
#include "includes.h"
-RCSID("$OpenBSD: sshconnect.c,v 1.155 2003/12/09 21:53:37 markus Exp $");
+RCSID("$OpenBSD: sshconnect.c,v 1.148 2003/09/18 07:52:54 markus Exp $");
#include <openssl/bn.h>
#include "misc.h"
#include "readpass.h"
+#ifdef DNS
#include "dns.h"
+#endif
char *client_version_string = NULL;
char *server_version_string = NULL;
-int matching_host_key_dns = 0;
+#ifdef DNS
+int verified_host_key_dns = 0;
+#endif
/* import */
extern Options options;
#endif
static int show_other_keys(const char *, Key *);
-static void warn_changed_key(Key *);
/*
* Connect to the given ssh server using a proxy command.
* Build the final command string in the buffer by making the
* appropriate substitutions to the given proxy command.
*
- * Use "exec" to avoid "sh -c" processes on some platforms
+ * Use "exec" to avoid "sh -c" processes on some platforms
* (e.g. Solaris)
*/
buffer_init(&command);
break;
case -1:
/* Select error */
- debug("select: %s", strerror(errno));
+ debug("select: %s", strerror(errno));
break;
case 1:
/* Completed or failed */
optval = 0;
optlen = sizeof(optval);
- if (getsockopt(sockfd, SOL_SOCKET, SO_ERROR, &optval,
+ if (getsockopt(sockfd, SOL_SOCKET, SO_ERROR, &optval,
&optlen) == -1) {
- debug("getsockopt: %s", strerror(errno));
+ debug("getsockopt: %s", strerror(errno));
break;
}
if (optval != 0) {
debug("Connection established.");
- /* Set SO_KEEPALIVE if requested. */
- if (options.tcp_keep_alive &&
+ /* Set keepalives if requested. */
+ if (options.keepalives &&
setsockopt(sock, SOL_SOCKET, SO_KEEPALIVE, (void *)&on,
sizeof(on)) < 0)
error("setsockopt SO_KEEPALIVE: %.100s", strerror(errno));
int readonly, const char *user_hostfile, const char *system_hostfile)
{
Key *file_key;
- const char *type = key_type(host_key);
+ char *type = key_type(host_key);
char *ip = NULL;
char hostline[1000], *hostp, *fp;
HostStatus host_status;
/* The default */
fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
msg2[0] = '\0';
+#ifdef DNS
if (options.verify_host_key_dns) {
- if (matching_host_key_dns)
+ if (verified_host_key_dns)
snprintf(msg2, sizeof(msg2),
"Matching host key fingerprint"
" found in DNS.\n");
"No matching host key fingerprint"
" found in DNS.\n");
}
+#endif
snprintf(msg, sizeof(msg),
"The authenticity of host '%.200s (%s)' can't be "
"established%s\n"
error("Offending key for IP in %s:%d", ip_file, ip_line);
}
/* The host key has changed. */
- warn_changed_key(host_key);
+ fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
+ error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
+ error("@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @");
+ error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
+ error("IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!");
+ error("Someone could be eavesdropping on you right now (man-in-the-middle attack)!");
+ error("It is also possible that the %s host key has just been changed.", type);
+ error("The fingerprint for the %s key sent by the remote host is\n%s.",
+ type, fp);
+ error("Please contact your system administrator.");
error("Add correct host key in %.100s to get rid of this message.",
user_hostfile);
error("Offending key in %s:%d", host_file, host_line);
+ xfree(fp);
/*
* If strict host key checking is in use, the user will have
verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key)
{
struct stat st;
- int flags = 0;
-
- if (options.verify_host_key_dns &&
- verify_host_key_dns(host, hostaddr, host_key, &flags) == 0) {
-
- if (flags & DNS_VERIFY_FOUND) {
- if (options.verify_host_key_dns == 1 &&
- flags & DNS_VERIFY_MATCH &&
- flags & DNS_VERIFY_SECURE)
- return 0;
-
- if (flags & DNS_VERIFY_MATCH) {
- matching_host_key_dns = 1;
- } else {
- warn_changed_key(host_key);
- error("Update the SSHFP RR in DNS with the new "
- "host key to get rid of this message.");
- }
+#ifdef DNS
+ if (options.verify_host_key_dns) {
+ switch(verify_host_key_dns(host, hostaddr, host_key)) {
+ case DNS_VERIFY_OK:
+#ifdef DNSSEC
+ return 0;
+#else
+ verified_host_key_dns = 1;
+ break;
+#endif
+ case DNS_VERIFY_FAILED:
+ return -1;
+ case DNS_VERIFY_ERROR:
+ break;
+ default:
+ debug3("bad return value from verify_host_key_dns");
+ break;
}
}
+#endif /* DNS */
/* return ok if the key can be found in an old keyfile */
if (stat(options.system_hostfile2, &st) == 0 ||
}
return (found);
}
-
-static void
-warn_changed_key(Key *host_key)
-{
- char *fp;
- const char *type = key_type(host_key);
-
- fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
-
- error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
- error("@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @");
- error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
- error("IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!");
- error("Someone could be eavesdropping on you right now (man-in-the-middle attack)!");
- error("It is also possible that the %s host key has just been changed.", type);
- error("The fingerprint for the %s key sent by the remote host is\n%s.",
- type, fp);
- error("Please contact your system administrator.");
-
- xfree(fp);
-}