-/* $OpenBSD: sshconnect.c,v 1.193 2006/07/22 20:48:23 stevesk Exp $ */
+/* $OpenBSD: sshconnect.c,v 1.200 2006/10/10 10:12:45 markus Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
#include <sys/wait.h>
#include <sys/stat.h>
#include <sys/socket.h>
+#ifdef HAVE_SYS_TIME_H
+# include <sys/time.h>
+#endif
#include <netinet/in.h>
+#include <arpa/inet.h>
#include <ctype.h>
#include <errno.h>
-#if defined(HAVE_NETDB_H)
-# include <netdb.h>
-#endif
+#include <netdb.h>
#ifdef HAVE_PATHS_H
#include <paths.h>
#endif
#include <pwd.h>
+#include <stdarg.h>
+#include <stdio.h>
+#include <stdlib.h>
#include <string.h>
#include <unistd.h>
-#include "ssh.h"
#include "xmalloc.h"
+#include "key.h"
+#include "hostfile.h"
+#include "ssh.h"
#include "rsa.h"
#include "buffer.h"
#include "packet.h"
gai_strerror(gaierr));
for (attempt = 0; attempt < connection_attempts; attempt++) {
- if (attempt > 0)
+ if (attempt > 0) {
+ /* Sleep a moment before retrying. */
+ sleep(1);
debug("Trying again...");
-
+ }
/*
* Loop through addresses for this host, and try each one in
* sequence until the connection succeeds.
}
if (sock != -1)
break; /* Successful connection. */
-
- /* Sleep a moment before retrying. */
- sleep(1);
}
freeaddrinfo(aitop);
* check whether the supplied host key is valid, return -1 if the key
* is not valid. the user_hostfile will not be updated if 'readonly' is true.
*/
+#define RDRW 0
+#define RDONLY 1
+#define ROQUIET 2
static int
-check_host_key(char *hostname, struct sockaddr *hostaddr, Key *host_key,
- int readonly, const char *user_hostfile, const char *system_hostfile)
+check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
+ Key *host_key, int readonly, const char *user_hostfile,
+ const char *system_hostfile)
{
Key *file_key;
const char *type = key_type(host_key);
if (getnameinfo(hostaddr, salen, ntop, sizeof(ntop),
NULL, 0, NI_NUMERICHOST) != 0)
fatal("check_host_key: getnameinfo failed");
- ip = put_host_port(ntop, options.port);
+ ip = put_host_port(ntop, port);
} else {
ip = xstrdup("<no hostip for proxy command>");
}
host = xstrdup(options.host_key_alias);
debug("using hostkeyalias: %s", host);
} else {
- host = put_host_port(hostname, options.port);
+ host = put_host_port(hostname, port);
}
/*
}
break;
case HOST_NEW:
+ if (options.host_key_alias == NULL && port != 0 &&
+ port != SSH_DEFAULT_PORT) {
+ debug("checking without port identifier");
+ if (check_host_key(hostname, hostaddr, 0, host_key, 2,
+ user_hostfile, system_hostfile) == 0) {
+ debug("found matching key w/out port");
+ break;
+ }
+ }
if (readonly)
goto fail;
/* The host is new. */
"list of known hosts.", hostp, type);
break;
case HOST_CHANGED:
+ if (readonly == ROQUIET)
+ goto fail;
if (options.check_host_ip && host_ip_differ) {
char *key_msg;
if (ip_status == HOST_NEW)
/*
* If strict host key checking has not been requested, allow
* the connection but without MITM-able authentication or
- * agent forwarding.
+ * forwarding.
*/
if (options.password_authentication) {
error("Password authentication is disabled to avoid "
options.num_local_forwards =
options.num_remote_forwards = 0;
}
+ if (options.tun_open != SSH_TUNMODE_NO) {
+ error("Tunnel forwarding is disabled to avoid "
+ "man-in-the-middle attacks.");
+ options.tun_open = SSH_TUNMODE_NO;
+ }
/*
* XXX Should permit the user to change to use the new id.
* This could be done by converting the host key to an
/* return ok if the key can be found in an old keyfile */
if (stat(options.system_hostfile2, &st) == 0 ||
stat(options.user_hostfile2, &st) == 0) {
- if (check_host_key(host, hostaddr, host_key, /*readonly*/ 1,
- options.user_hostfile2, options.system_hostfile2) == 0)
+ if (check_host_key(host, hostaddr, options.port, host_key,
+ RDONLY, options.user_hostfile2,
+ options.system_hostfile2) == 0)
return 0;
}
- return check_host_key(host, hostaddr, host_key, /*readonly*/ 0,
- options.user_hostfile, options.system_hostfile);
+ return check_host_key(host, hostaddr, options.port, host_key,
+ RDRW, options.user_hostfile, options.system_hostfile);
}
/*
andersk / openssh.git / blobdiff