Commit da828395 authored by Damien Miller's avatar Damien Miller

- dtucker@cvs.openbsd.org 2006/08/01 11:34:36

     [sshconnect.c]
     Allow fallback to known_hosts entries without port qualifiers for
     non-standard ports too, so that all existing known_hosts entries will be
     recognised.  Requested by, feedback and ok markus@
parent 1a5b4041
...@@ -35,6 +35,11 @@ ...@@ -35,6 +35,11 @@
avoid confusing wording in HashKnownHosts: avoid confusing wording in HashKnownHosts:
originally spotted by alan amesbury; originally spotted by alan amesbury;
ok deraadt ok deraadt
- dtucker@cvs.openbsd.org 2006/08/01 11:34:36
[sshconnect.c]
Allow fallback to known_hosts entries without port qualifiers for
non-standard ports too, so that all existing known_hosts entries will be
recognised. Requested by, feedback and ok markus@
20060804 20060804
- (dtucker) [configure.ac] The "crippled AES" test does not work on recent - (dtucker) [configure.ac] The "crippled AES" test does not work on recent
...@@ -5105,4 +5110,4 @@ ...@@ -5105,4 +5110,4 @@
- (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Trim deprecated options from INSTALL. Mention UsePAM
- (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
$Id: ChangeLog,v 1.4448 2006/08/05 01:35:23 djm Exp $ $Id: ChangeLog,v 1.4449 2006/08/05 01:35:45 djm Exp $
/* $OpenBSD: sshconnect.c,v 1.196 2006/07/26 13:57:17 stevesk Exp $ */ /* $OpenBSD: sshconnect.c,v 1.197 2006/08/01 11:34:36 dtucker Exp $ */
/* /*
* Author: Tatu Ylonen <ylo@cs.hut.fi> * Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
...@@ -521,9 +521,13 @@ confirm(const char *prompt) ...@@ -521,9 +521,13 @@ confirm(const char *prompt)
* check whether the supplied host key is valid, return -1 if the key * check whether the supplied host key is valid, return -1 if the key
* is not valid. the user_hostfile will not be updated if 'readonly' is true. * is not valid. the user_hostfile will not be updated if 'readonly' is true.
*/ */
#define RDRW 0
#define RDONLY 1
#define ROQUIET 2
static int static int
check_host_key(char *hostname, struct sockaddr *hostaddr, Key *host_key, check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
int readonly, const char *user_hostfile, const char *system_hostfile) Key *host_key, int readonly, const char *user_hostfile,
const char *system_hostfile)
{ {
Key *file_key; Key *file_key;
const char *type = key_type(host_key); const char *type = key_type(host_key);
...@@ -578,7 +582,7 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, Key *host_key, ...@@ -578,7 +582,7 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, Key *host_key,
if (getnameinfo(hostaddr, salen, ntop, sizeof(ntop), if (getnameinfo(hostaddr, salen, ntop, sizeof(ntop),
NULL, 0, NI_NUMERICHOST) != 0) NULL, 0, NI_NUMERICHOST) != 0)
fatal("check_host_key: getnameinfo failed"); fatal("check_host_key: getnameinfo failed");
ip = put_host_port(ntop, options.port); ip = put_host_port(ntop, port);
} else { } else {
ip = xstrdup("<no hostip for proxy command>"); ip = xstrdup("<no hostip for proxy command>");
} }
...@@ -600,7 +604,7 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, Key *host_key, ...@@ -600,7 +604,7 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, Key *host_key,
host = xstrdup(options.host_key_alias); host = xstrdup(options.host_key_alias);
debug("using hostkeyalias: %s", host); debug("using hostkeyalias: %s", host);
} else { } else {
host = put_host_port(hostname, options.port); host = put_host_port(hostname, port);
} }
/* /*
...@@ -669,6 +673,15 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, Key *host_key, ...@@ -669,6 +673,15 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, Key *host_key,
} }
break; break;
case HOST_NEW: case HOST_NEW:
if (options.host_key_alias == NULL && port != 0 &&
port != SSH_DEFAULT_PORT) {
debug("checking without port identifier");
if (check_host_key(hostname, hostaddr, 0, host_key, 2,
user_hostfile, system_hostfile) == 0) {
debug("found matching key w/out port");
break;
}
}
if (readonly) if (readonly)
goto fail; goto fail;
/* The host is new. */ /* The host is new. */
...@@ -748,6 +761,8 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, Key *host_key, ...@@ -748,6 +761,8 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, Key *host_key,
"list of known hosts.", hostp, type); "list of known hosts.", hostp, type);
break; break;
case HOST_CHANGED: case HOST_CHANGED:
if (readonly == ROQUIET)
goto fail;
if (options.check_host_ip && host_ip_differ) { if (options.check_host_ip && host_ip_differ) {
char *key_msg; char *key_msg;
if (ip_status == HOST_NEW) if (ip_status == HOST_NEW)
...@@ -906,12 +921,13 @@ verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key) ...@@ -906,12 +921,13 @@ verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key)
/* return ok if the key can be found in an old keyfile */ /* return ok if the key can be found in an old keyfile */
if (stat(options.system_hostfile2, &st) == 0 || if (stat(options.system_hostfile2, &st) == 0 ||
stat(options.user_hostfile2, &st) == 0) { stat(options.user_hostfile2, &st) == 0) {
if (check_host_key(host, hostaddr, host_key, /*readonly*/ 1, if (check_host_key(host, hostaddr, options.port, host_key,
options.user_hostfile2, options.system_hostfile2) == 0) RDONLY, options.user_hostfile2,
options.system_hostfile2) == 0)
return 0; return 0;
} }
return check_host_key(host, hostaddr, host_key, /*readonly*/ 0, return check_host_key(host, hostaddr, options.port, host_key,
options.user_hostfile, options.system_hostfile); RDRW, options.user_hostfile, options.system_hostfile);
} }
/* /*
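Review bot: The fallback call on the HOST_NEW path passes the literals `0` and `2` for the port and readonly arguments even though this same commit introduces RDRW/RDONLY/ROQUIET and uses them by name in verify_host_key; the recursive call should read `if (check_host_key(hostname, hostaddr, 0, host_key, ROQUIET,`. The three new #defines also deserve a comment, because the only visible difference between RDONLY and ROQUIET is the early `goto fail` added in HOST_CHANGED, which makes a port-less known_hosts entry holding a different key look like an unknown host to the outer call rather than a changed one, e.g. `/* ROQUIET: like RDONLY, but a mismatching key is reported as not-found rather than warned about */`. The `port != 0` guard suggests 0 means "no port qualifier", which presumably relies on put_host_port() treating 0 that way; worth stating in the comment above the function rather than leaving it implicit. check_host_key's body starts and continues outside every hunk shown here.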