*/
#include "includes.h"
-RCSID("$OpenBSD: sshconnect.c,v 1.141 2003/05/15 14:55:25 djm Exp $");
+RCSID("$OpenBSD: sshconnect.c,v 1.147 2003/06/29 12:44:38 markus Exp $");
#include <openssl/bn.h>
char *client_version_string = NULL;
char *server_version_string = NULL;
+#ifdef DNS
+int verified_host_key_dns = 0;
+#endif
+
/* import */
extern Options options;
extern char *__progname;
fd_set *fdset;
struct timeval tv;
socklen_t optlen;
- int fdsetsz, optval, rc;
+ int fdsetsz, optval, rc, result = -1;
if (timeout <= 0)
return (connect(sockfd, serv_addr, addrlen));
fdsetsz = howmany(sockfd + 1, NFDBITS) * sizeof(fd_mask);
fdset = (fd_set *)xmalloc(fdsetsz);
- memset(fdset, '\0', fdsetsz);
+ memset(fdset, 0, fdsetsz);
FD_SET(sockfd, fdset);
tv.tv_sec = timeout;
tv.tv_usec = 0;
case 0:
/* Timed out */
errno = ETIMEDOUT;
- return (-1);
+ break;
case -1:
/* Select error */
debug("select: %s", strerror(errno));
- return (-1);
+ break;
case 1:
/* Completed or failed */
optval = 0;
if (getsockopt(sockfd, SOL_SOCKET, SO_ERROR, &optval,
&optlen) == -1)
debug("getsockopt: %s", strerror(errno));
- return (-1);
+ break;
if (optval != 0) {
errno = optval;
- return (-1);
+ break;
}
+ result = 0;
break;
default:
/* Should not occur */
fatal("Bogus return (%d) from select()", rc);
}
- return (0);
+ xfree(fdset);
+ return (result);
}
/*
compat20 ? PROTOCOL_MAJOR_2 : PROTOCOL_MAJOR_1,
compat20 ? PROTOCOL_MINOR_2 : minor1,
SSH_VERSION);
- if (atomicio(write, connection_out, buf, strlen(buf)) != strlen(buf))
+ if (atomicio(vwrite, connection_out, buf, strlen(buf)) != strlen(buf))
fatal("write: %.100s", strerror(errno));
client_version_string = xstrdup(buf);
chop(client_version_string);
int salen;
char ntop[NI_MAXHOST];
char msg[1024];
- int len, host_line, ip_line, has_keys;
+ int len, host_line, ip_line;
const char *host_file = NULL, *ip_file = NULL;
/*
"have requested strict checking.", type, host);
goto fail;
} else if (options.strict_host_key_checking == 2) {
- has_keys = show_other_keys(host, host_key);
+ char msg1[1024], msg2[1024];
+
+ if (show_other_keys(host, host_key))
+ snprintf(msg1, sizeof(msg1),
+ "\nbut keys of different type are already"
+ " known for this host.");
+ else
+ snprintf(msg1, sizeof(msg1), ".");
/* The default */
fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
+ msg2[0] = '\0';
+#ifdef DNS
+ if (options.verify_host_key_dns) {
+ if (verified_host_key_dns)
+ snprintf(msg2, sizeof(msg2),
+ "Matching host key fingerprint"
+ " found in DNS.\n");
+ else
+ snprintf(msg2, sizeof(msg2),
+ "No matching host key fingerprint"
+ " found in DNS.\n");
+ }
+#endif
snprintf(msg, sizeof(msg),
"The authenticity of host '%.200s (%s)' can't be "
"established%s\n"
- "%s key fingerprint is %s.\n"
+ "%s key fingerprint is %s.\n%s"
"Are you sure you want to continue connecting "
"(yes/no)? ",
- host, ip,
- has_keys ? ",\nbut keys of different type are already "
- "known for this host." : ".",
- type, fp);
+ host, ip, msg1, type, fp, msg2);
xfree(fp);
if (!confirm(msg))
goto fail;
/*
* If strict host key checking has not been requested, allow
- * the connection but without password authentication or
+ * the connection but without MITM-able authentication or
* agent forwarding.
*/
if (options.password_authentication) {
"man-in-the-middle attacks.");
options.password_authentication = 0;
}
+ if (options.kbd_interactive_authentication) {
+ error("Keyboard-interactive authentication is disabled"
+ " to avoid man-in-the-middle attacks.");
+ options.kbd_interactive_authentication = 0;
+ options.challenge_response_authentication = 0;
+ }
+ if (options.challenge_response_authentication) {
+ error("Challenge/response authentication is disabled"
+ " to avoid man-in-the-middle attacks.");
+ options.challenge_response_authentication = 0;
+ }
if (options.forward_agent) {
error("Agent forwarding is disabled to avoid "
"man-in-the-middle attacks.");
host_file, host_line);
}
if (options.strict_host_key_checking == 1) {
- logit(msg);
+ logit("%s", msg);
error("Exiting, you have requested strict checking.");
goto fail;
} else if (options.strict_host_key_checking == 2) {
if (!confirm(msg))
goto fail;
} else {
- logit(msg);
+ logit("%s", msg);
}
}
if (options.verify_host_key_dns) {
switch(verify_host_key_dns(host, hostaddr, host_key)) {
case DNS_VERIFY_OK:
+#ifdef DNSSEC
return 0;
+#else
+ verified_host_key_dns = 1;
+ break;
+#endif
case DNS_VERIFY_FAILED:
return -1;
case DNS_VERIFY_ERROR: