*/
#include "includes.h"
-RCSID("$OpenBSD: sshconnect.c,v 1.148 2003/09/18 07:52:54 markus Exp $");
+RCSID("$OpenBSD: sshconnect.c,v 1.160 2005/03/01 10:40:27 djm Exp $");
#include <openssl/bn.h>
#include "readconf.h"
#include "atomicio.h"
#include "misc.h"
-#include "readpass.h"
-#ifdef DNS
#include "dns.h"
-#endif
char *client_version_string = NULL;
char *server_version_string = NULL;
-#ifdef DNS
-int verified_host_key_dns = 0;
-#endif
+int matching_host_key_dns = 0;
/* import */
extern Options options;
#endif
static int show_other_keys(const char *, Key *);
+static void warn_changed_key(Key *);
/*
* Connect to the given ssh server using a proxy command.
* Build the final command string in the buffer by making the
* appropriate substitutions to the given proxy command.
*
- * Use "exec" to avoid "sh -c" processes on some platforms
+ * Use "exec" to avoid "sh -c" processes on some platforms
* (e.g. Solaris)
*/
buffer_init(&command);
if (timeout <= 0)
return (connect(sockfd, serv_addr, addrlen));
- if (fcntl(sockfd, F_SETFL, O_NONBLOCK) < 0)
- return (-1);
-
+ set_nonblock(sockfd);
rc = connect(sockfd, serv_addr, addrlen);
- if (rc == 0)
+ if (rc == 0) {
+ unset_nonblock(sockfd);
return (0);
+ }
if (errno != EINPROGRESS)
return (-1);
break;
case -1:
/* Select error */
- debug("select: %s", strerror(errno));
+ debug("select: %s", strerror(errno));
break;
case 1:
/* Completed or failed */
optval = 0;
optlen = sizeof(optval);
- if (getsockopt(sockfd, SOL_SOCKET, SO_ERROR, &optval,
+ if (getsockopt(sockfd, SOL_SOCKET, SO_ERROR, &optval,
&optlen) == -1) {
- debug("getsockopt: %s", strerror(errno));
+ debug("getsockopt: %s", strerror(errno));
break;
}
if (optval != 0) {
break;
}
result = 0;
+ unset_nonblock(sockfd);
break;
default:
/* Should not occur */
* second). If proxy_command is non-NULL, it specifies the command (with %h
* and %p substituted for host and port, respectively) to use to contact
* the daemon.
- * Return values:
- * 0 for OK
- * ECONNREFUSED if we got a "Connection Refused" by the peer on any address
- * ECONNABORTED if we failed without a "Connection refused"
- * Suitable error messages for the connection failure will already have been
- * printed.
*/
int
ssh_connect(const char *host, struct sockaddr_storage * hostaddr,
char ntop[NI_MAXHOST], strport[NI_MAXSERV];
struct addrinfo hints, *ai, *aitop;
struct servent *sp;
- /*
- * Did we get only other errors than "Connection refused" (which
- * should block fallback to rsh and similar), or did we get at least
- * one "Connection refused"?
- */
- int full_failure = 1;
debug2("ssh_connect: needpriv %d", needpriv);
memcpy(hostaddr, ai->ai_addr, ai->ai_addrlen);
break;
} else {
- if (errno == ECONNREFUSED)
- full_failure = 0;
debug("connect to address %s port %s: %s",
ntop, strport, strerror(errno));
/*
/* Return failure if we didn't get a successful connection. */
if (attempt >= connection_attempts) {
- logit("ssh: connect to host %s port %s: %s",
+ error("ssh: connect to host %s port %s: %s",
host, strport, strerror(errno));
- return full_failure ? ECONNABORTED : ECONNREFUSED;
+ return (-1);
}
debug("Connection established.");
- /* Set keepalives if requested. */
- if (options.keepalives &&
+ /* Set SO_KEEPALIVE if requested. */
+ if (options.tcp_keep_alive &&
setsockopt(sock, SOL_SOCKET, SO_KEEPALIVE, (void *)&on,
sizeof(on)) < 0)
error("setsockopt SO_KEEPALIVE: %.100s", strerror(errno));
int readonly, const char *user_hostfile, const char *system_hostfile)
{
Key *file_key;
- char *type = key_type(host_key);
+ const char *type = key_type(host_key);
char *ip = NULL;
char hostline[1000], *hostp, *fp;
HostStatus host_status;
"'%.128s' not in list of known hosts.",
type, ip);
else if (!add_host_to_hostfile(user_hostfile, ip,
- host_key))
+ host_key, options.hash_known_hosts))
logit("Failed to add the %s host key for IP "
"address '%.128s' to the list of known "
"hosts (%.30s).", type, ip, user_hostfile);
/* The default */
fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
msg2[0] = '\0';
-#ifdef DNS
if (options.verify_host_key_dns) {
- if (verified_host_key_dns)
+ if (matching_host_key_dns)
snprintf(msg2, sizeof(msg2),
"Matching host key fingerprint"
" found in DNS.\n");
"No matching host key fingerprint"
" found in DNS.\n");
}
-#endif
snprintf(msg, sizeof(msg),
"The authenticity of host '%.200s (%s)' can't be "
"established%s\n"
* If not in strict mode, add the key automatically to the
* local known_hosts file.
*/
- if (!add_host_to_hostfile(user_hostfile, hostp, host_key))
+ if (!add_host_to_hostfile(user_hostfile, hostp, host_key,
+ options.hash_known_hosts))
logit("Failed to add the host to the list of known "
"hosts (%.500s).", user_hostfile);
else
break;
case HOST_CHANGED:
if (options.check_host_ip && host_ip_differ) {
- char *msg;
+ char *key_msg;
if (ip_status == HOST_NEW)
- msg = "is unknown";
+ key_msg = "is unknown";
else if (ip_status == HOST_OK)
- msg = "is unchanged";
+ key_msg = "is unchanged";
else
- msg = "has a different value";
+ key_msg = "has a different value";
error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
error("@ WARNING: POSSIBLE DNS SPOOFING DETECTED! @");
error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
error("The %s host key for %s has changed,", type, host);
error("and the key for the according IP address %s", ip);
- error("%s. This could either mean that", msg);
+ error("%s. This could either mean that", key_msg);
error("DNS SPOOFING is happening or the IP address for the host");
error("and its host key have changed at the same time.");
if (ip_status != HOST_NEW)
error("Offending key for IP in %s:%d", ip_file, ip_line);
}
/* The host key has changed. */
- fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
- error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
- error("@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @");
- error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
- error("IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!");
- error("Someone could be eavesdropping on you right now (man-in-the-middle attack)!");
- error("It is also possible that the %s host key has just been changed.", type);
- error("The fingerprint for the %s key sent by the remote host is\n%s.",
- type, fp);
- error("Please contact your system administrator.");
+ warn_changed_key(host_key);
error("Add correct host key in %.100s to get rid of this message.",
user_hostfile);
error("Offending key in %s:%d", host_file, host_line);
- xfree(fp);
/*
* If strict host key checking is in use, the user will have
verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key)
{
struct stat st;
+ int flags = 0;
-#ifdef DNS
- if (options.verify_host_key_dns) {
- switch(verify_host_key_dns(host, hostaddr, host_key)) {
- case DNS_VERIFY_OK:
-#ifdef DNSSEC
- return 0;
-#else
- verified_host_key_dns = 1;
- break;
-#endif
- case DNS_VERIFY_FAILED:
- return -1;
- case DNS_VERIFY_ERROR:
- break;
- default:
- debug3("bad return value from verify_host_key_dns");
- break;
+ if (options.verify_host_key_dns &&
+ verify_host_key_dns(host, hostaddr, host_key, &flags) == 0) {
+
+ if (flags & DNS_VERIFY_FOUND) {
+
+ if (options.verify_host_key_dns == 1 &&
+ flags & DNS_VERIFY_MATCH &&
+ flags & DNS_VERIFY_SECURE)
+ return 0;
+
+ if (flags & DNS_VERIFY_MATCH) {
+ matching_host_key_dns = 1;
+ } else {
+ warn_changed_key(host_key);
+ error("Update the SSHFP RR in DNS with the new "
+ "host key to get rid of this message.");
+ }
}
}
-#endif /* DNS */
/* return ok if the key can be found in an old keyfile */
if (stat(options.system_hostfile2, &st) == 0 ||
}
return (found);
}
+
+static void
+warn_changed_key(Key *host_key)
+{
+ char *fp;
+ const char *type = key_type(host_key);
+
+ fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
+
+ error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
+ error("@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @");
+ error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
+ error("IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!");
+ error("Someone could be eavesdropping on you right now (man-in-the-middle attack)!");
+ error("It is also possible that the %s host key has just been changed.", type);
+ error("The fingerprint for the %s key sent by the remote host is\n%s.",
+ type, fp);
+ error("Please contact your system administrator.");
+
+ xfree(fp);
+}
andersk / openssh.git / blobdiff