+20060805
+ - (djm) OpenBSD CVS Sync
+ - stevesk@cvs.openbsd.org 2006/07/24 13:58:22
+ [sshconnect.c]
+ disable tunnel forwarding when no strict host key checking
+ and key changed; ok djm@ markus@ dtucker@
+
20060804
- (dtucker) [configure.ac] The "crippled AES" test does not work on recent
versions of Solaris, so use AC_LINK_IFELSE to actually link the test program
-/* $OpenBSD: sshconnect.c,v 1.193 2006/07/22 20:48:23 stevesk Exp $ */
+/* $OpenBSD: sshconnect.c,v 1.194 2006/07/24 13:58:22 stevesk Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
/*
* If strict host key checking has not been requested, allow
* the connection but without MITM-able authentication or
- * agent forwarding.
+ * forwarding.
*/
if (options.password_authentication) {
error("Password authentication is disabled to avoid "
options.num_local_forwards =
options.num_remote_forwards = 0;
}
+ if (options.tun_open != SSH_TUNMODE_NO) {
+ error("Tunnel forwarding is disabled to avoid "
+ "man-in-the-middle attacks.");
+ options.tun_open = SSH_TUNMODE_NO;
+ }
/*
* XXX Should permit the user to change to use the new id.
* This could be done by converting the host key to an