*/
#include "includes.h"
-RCSID("$OpenBSD: sshconnect.c,v 1.143 2003/05/26 12:54:40 djm Exp $");
+RCSID("$OpenBSD: sshconnect.c,v 1.150 2003/11/03 09:09:41 jakob Exp $");
#include <openssl/bn.h>
#include "misc.h"
#include "readpass.h"
-#ifdef DNS
#include "dns.h"
-#endif
char *client_version_string = NULL;
char *server_version_string = NULL;
+int verified_host_key_dns = 0;
+
/* import */
extern Options options;
extern char *__progname;
#endif
static int show_other_keys(const char *, Key *);
+static void warn_changed_key(Key *);
/*
* Connect to the given ssh server using a proxy command.
fdsetsz = howmany(sockfd + 1, NFDBITS) * sizeof(fd_mask);
fdset = (fd_set *)xmalloc(fdsetsz);
- memset(fdset, '\0', fdsetsz);
+ memset(fdset, 0, fdsetsz);
FD_SET(sockfd, fdset);
tv.tv_sec = timeout;
tv.tv_usec = 0;
optval = 0;
optlen = sizeof(optval);
if (getsockopt(sockfd, SOL_SOCKET, SO_ERROR, &optval,
- &optlen) == -1)
+ &optlen) == -1) {
debug("getsockopt: %s", strerror(errno));
break;
+ }
if (optval != 0) {
errno = optval;
break;
compat20 ? PROTOCOL_MAJOR_2 : PROTOCOL_MAJOR_1,
compat20 ? PROTOCOL_MINOR_2 : minor1,
SSH_VERSION);
- if (atomicio(write, connection_out, buf, strlen(buf)) != strlen(buf))
+ if (atomicio(vwrite, connection_out, buf, strlen(buf)) != strlen(buf))
fatal("write: %.100s", strerror(errno));
client_version_string = xstrdup(buf);
chop(client_version_string);
int salen;
char ntop[NI_MAXHOST];
char msg[1024];
- int len, host_line, ip_line, has_keys;
+ int len, host_line, ip_line;
const char *host_file = NULL, *ip_file = NULL;
/*
"have requested strict checking.", type, host);
goto fail;
} else if (options.strict_host_key_checking == 2) {
- has_keys = show_other_keys(host, host_key);
+ char msg1[1024], msg2[1024];
+
+ if (show_other_keys(host, host_key))
+ snprintf(msg1, sizeof(msg1),
+ "\nbut keys of different type are already"
+ " known for this host.");
+ else
+ snprintf(msg1, sizeof(msg1), ".");
/* The default */
fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
+ msg2[0] = '\0';
+ if (options.verify_host_key_dns) {
+ if (verified_host_key_dns)
+ snprintf(msg2, sizeof(msg2),
+ "Matching host key fingerprint"
+ " found in DNS.\n");
+ else
+ snprintf(msg2, sizeof(msg2),
+ "No matching host key fingerprint"
+ " found in DNS.\n");
+ }
snprintf(msg, sizeof(msg),
"The authenticity of host '%.200s (%s)' can't be "
"established%s\n"
- "%s key fingerprint is %s.\n"
+ "%s key fingerprint is %s.\n%s"
"Are you sure you want to continue connecting "
"(yes/no)? ",
- host, ip,
- has_keys ? ",\nbut keys of different type are already "
- "known for this host." : ".",
- type, fp);
+ host, ip, msg1, type, fp, msg2);
xfree(fp);
if (!confirm(msg))
goto fail;
error("Offending key for IP in %s:%d", ip_file, ip_line);
}
/* The host key has changed. */
- fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
- error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
- error("@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @");
- error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
- error("IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!");
- error("Someone could be eavesdropping on you right now (man-in-the-middle attack)!");
- error("It is also possible that the %s host key has just been changed.", type);
- error("The fingerprint for the %s key sent by the remote host is\n%s.",
- type, fp);
- error("Please contact your system administrator.");
+ warn_changed_key(host_key);
error("Add correct host key in %.100s to get rid of this message.",
user_hostfile);
error("Offending key in %s:%d", host_file, host_line);
- xfree(fp);
/*
* If strict host key checking is in use, the user will have
/*
* If strict host key checking has not been requested, allow
- * the connection but without password authentication or
+ * the connection but without MITM-able authentication or
* agent forwarding.
*/
if (options.password_authentication) {
"man-in-the-middle attacks.");
options.password_authentication = 0;
}
+ if (options.kbd_interactive_authentication) {
+ error("Keyboard-interactive authentication is disabled"
+ " to avoid man-in-the-middle attacks.");
+ options.kbd_interactive_authentication = 0;
+ options.challenge_response_authentication = 0;
+ }
+ if (options.challenge_response_authentication) {
+ error("Challenge/response authentication is disabled"
+ " to avoid man-in-the-middle attacks.");
+ options.challenge_response_authentication = 0;
+ }
if (options.forward_agent) {
error("Agent forwarding is disabled to avoid "
"man-in-the-middle attacks.");
{
struct stat st;
-#ifdef DNS
if (options.verify_host_key_dns) {
switch(verify_host_key_dns(host, hostaddr, host_key)) {
case DNS_VERIFY_OK:
+#ifdef DNSSEC
return 0;
+#else
+ verified_host_key_dns = 1;
+ break;
+#endif
case DNS_VERIFY_FAILED:
return -1;
case DNS_VERIFY_ERROR:
break;
}
}
-#endif /* DNS */
/* return ok if the key can be found in an old keyfile */
if (stat(options.system_hostfile2, &st) == 0 ||
}
return (found);
}
+
+static void
+warn_changed_key(Key *host_key)
+{
+ char *fp;
+ char *type = key_type(host_key);
+
+ fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
+
+ error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
+ error("@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @");
+ error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
+ error("IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!");
+ error("Someone could be eavesdropping on you right now (man-in-the-middle attack)!");
+ error("It is also possible that the %s host key has just been changed.", type);
+ error("The fingerprint for the %s key sent by the remote host is\n%s.",
+ type, fp);
+ error("Please contact your system administrator.");
+
+ xfree(fp);
+ xfree(type);
+}
andersk / openssh.git / blobdiff