From 1432b5c4519f29bfacc5a8957ac6047a6bb9a59a Mon Sep 17 00:00:00 2001 From: djm Date: Wed, 11 Jun 2003 12:05:25 +0000 Subject: [PATCH] - jakob@cvs.openbsd.org 2003/06/11 10:16:16 [sshconnect.c] clean up check_host_key() and improve SSHFP feedback. ok markus@ --- ChangeLog | 3 +++ sshconnect.c | 42 ++++++++++++++++++++++++++++++++++-------- 2 files changed, 37 insertions(+), 8 deletions(-) diff --git a/ChangeLog b/ChangeLog index 9538b5d2..08ffa7a3 100644 --- a/ChangeLog +++ b/ChangeLog @@ -12,6 +12,9 @@ - deraadt@cvs.openbsd.org 2003/06/10 22:20:52 [packet.c progressmeter.c] mostly ansi cleanup; pval ok + - jakob@cvs.openbsd.org 2003/06/11 10:16:16 + [sshconnect.c] + clean up check_host_key() and improve SSHFP feedback. ok markus@ 20030609 diff --git a/sshconnect.c b/sshconnect.c index b8a77a2a..82f5539c 100644 --- a/sshconnect.c +++ b/sshconnect.c @@ -13,7 +13,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: sshconnect.c,v 1.144 2003/06/04 08:25:18 djm Exp $"); +RCSID("$OpenBSD: sshconnect.c,v 1.145 2003/06/11 10:16:16 jakob Exp $"); #include @@ -40,6 +40,10 @@ RCSID("$OpenBSD: sshconnect.c,v 1.144 2003/06/04 08:25:18 djm Exp $"); char *client_version_string = NULL; char *server_version_string = NULL; +#ifdef DNS +int verified_host_key_dns = 0; +#endif + /* import */ extern Options options; extern char *__progname; @@ -570,7 +574,7 @@ check_host_key(char *host, struct sockaddr *hostaddr, Key *host_key, int salen; char ntop[NI_MAXHOST]; char msg[1024]; - int len, host_line, ip_line, has_keys; + int len, host_line, ip_line; const char *host_file = NULL, *ip_file = NULL; /* @@ -714,19 +718,36 @@ check_host_key(char *host, struct sockaddr *hostaddr, Key *host_key, "have requested strict checking.", type, host); goto fail; } else if (options.strict_host_key_checking == 2) { - has_keys = show_other_keys(host, host_key); + char msg1[1024], msg2[1024]; + + if (show_other_keys(host, host_key)) + snprintf(msg1, sizeof(msg1), + "\nbut keys of different type are already" + " known for this host."); + else + snprintf(msg1, sizeof(msg1), "."); /* The default */ fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX); + msg2[0] = '\0'; +#ifdef DNS + if (options.verify_host_key_dns) { + if (verified_host_key_dns) + snprintf(msg2, sizeof(msg2), + "Matching host key fingerprint" + " found in DNS.\n"); + else + snprintf(msg2, sizeof(msg2), + "No matching host key fingerprint" + " found in DNS.\n"); + } +#endif snprintf(msg, sizeof(msg), "The authenticity of host '%.200s (%s)' can't be " "established%s\n" - "%s key fingerprint is %s.\n" + "%s key fingerprint is %s.\n%s" "Are you sure you want to continue connecting " "(yes/no)? ", - host, ip, - has_keys ? ",\nbut keys of different type are already " - "known for this host." : ".", - type, fp); + host, ip, msg1, type, fp, msg2); xfree(fp); if (!confirm(msg)) goto fail; @@ -890,7 +911,12 @@ verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key) if (options.verify_host_key_dns) { switch(verify_host_key_dns(host, hostaddr, host_key)) { case DNS_VERIFY_OK: +#ifdef DNSSEC return 0; +#else + verified_host_key_dns = 1; + break; +#endif case DNS_VERIFY_FAILED: return -1; case DNS_VERIFY_ERROR: -- 2.45.1