src/usr.bin/ssh/sshconnect.c - diff

Return to sshconnect.c CVS log

Up to [local] / src / usr.bin / ssh

Diff for /src/usr.bin/ssh/sshconnect.c between version 1.137.2.1 and 1.137.2.2

version 1.137.2.1, 2003/09/16 20:50:44

version 1.137.2.2, 2004/03/04 18:18:17

Line 33

#include "misc.h"

#include "readpass.h"

#ifdef DNS

#include "dns.h"

#endif

char *client_version_string = NULL;

char *server_version_string = NULL;

#ifdef DNS

int matching_host_key_dns = 0;

int verified_host_key_dns = 0;

#endif

/* import */

extern Options options;

Line 52

Line 48

extern pid_t proxy_command_pid;

static int show_other_keys(const char *, Key *);

static void warn_changed_key(Key *);

* Connect to the given ssh server using a proxy command.

Line 73

Line 70

* Build the final command string in the buffer by making the

* appropriate substitutions to the given proxy command.

* Use "exec" to avoid "sh -c" processes on some platforms

* (e.g. Solaris)

buffer_init(&command);

Line 230

Line 227

if (timeout <= 0)

return (connect(sockfd, serv_addr, addrlen));

if (fcntl(sockfd, F_SETFL, O_NONBLOCK) < 0)

set_nonblock(sockfd);

return (-1);

rc = connect(sockfd, serv_addr, addrlen);

if (rc == 0)

if (rc == 0) {

unset_nonblock(sockfd);

return (0);

}

if (errno != EINPROGRESS)

return (-1);

Line 260

Line 257

break;

case -1:

/* Select error */

debug("select: %s", strerror(errno));

break;

case 1:

/* Completed or failed */

optval = 0;

optlen = sizeof(optval);

if (getsockopt(sockfd, SOL_SOCKET, SO_ERROR, &optval,

&optlen) == -1)

&optlen) == -1) {

debug("getsockopt: %s", strerror(errno));

break;

}

if (optval != 0) {

errno = optval;

break;

}

result = 0;

unset_nonblock(sockfd);

break;

default:

/* Should not occur */

Line 413

Line 412

debug("Connection established.");

/* Set keepalives if requested. */

/* Set SO_KEEPALIVE if requested. */

if (options.keepalives &&

if (options.tcp_keep_alive &&

setsockopt(sock, SOL_SOCKET, SO_KEEPALIVE, (void *)&on,

sizeof(on)) < 0)

error("setsockopt SO_KEEPALIVE: %.100s", strerror(errno));

Line 561

Line 560

int readonly, const char *user_hostfile, const char *system_hostfile)

{

Key *file_key;

char *type = key_type(host_key);

const char *type = key_type(host_key);

char *ip = NULL;

char hostline[1000], *hostp, *fp;

HostStatus host_status;

Line 721

Line 720

/* The default */

fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);

msg2[0] = '\0';

#ifdef DNS

if (options.verify_host_key_dns) {

if (verified_host_key_dns)

if (matching_host_key_dns)

snprintf(msg2, sizeof(msg2),

"Matching host key fingerprint"

" found in DNS.\n");

Line 732

Line 730

"No matching host key fingerprint"

" found in DNS.\n");

}

#endif

snprintf(msg, sizeof(msg),

"The authenticity of host '%.200s (%s)' can't be "

"established%s\n"

Line 782

Line 779

error("Offending key for IP in %s:%d", ip_file, ip_line);

}

/* The host key has changed. */

fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);

warn_changed_key(host_key);

error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");

error("@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @");

error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");

error("IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!");

error("Someone could be eavesdropping on you right now (man-in-the-middle attack)!");

error("It is also possible that the %s host key has just been changed.", type);

error("The fingerprint for the %s key sent by the remote host is\n%s.",

type, fp);

error("Please contact your system administrator.");

error("Add correct host key in %.100s to get rid of this message.",

user_hostfile);

error("Offending key in %s:%d", host_file, host_line);

xfree(fp);

* If strict host key checking is in use, the user will have

Line 898

Line 885

verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key)

{

struct stat st;

int flags = 0;

#ifdef DNS

if (options.verify_host_key_dns &&

if (options.verify_host_key_dns) {

verify_host_key_dns(host, hostaddr, host_key, &flags) == 0) {

switch(verify_host_key_dns(host, hostaddr, host_key)) {

case DNS_VERIFY_OK:

if (flags & DNS_VERIFY_FOUND) {

#ifdef DNSSEC

return 0;

if (options.verify_host_key_dns == 1 &&

#else

flags & DNS_VERIFY_MATCH &&

verified_host_key_dns = 1;

flags & DNS_VERIFY_SECURE)

break;

return 0;

#endif

case DNS_VERIFY_FAILED:

if (flags & DNS_VERIFY_MATCH) {

return -1;

matching_host_key_dns = 1;

case DNS_VERIFY_ERROR:

} else {

break;

warn_changed_key(host_key);

default:

error("Update the SSHFP RR in DNS with the new "

debug3("bad return value from verify_host_key_dns");

"host key to get rid of this message.");

break;

}

#endif /* DNS */

/* return ok if the key can be found in an old keyfile */

if (stat(options.system_hostfile2, &st) == 0 ||

Line 1043

Line 1030

debug2("no key of type %d for host %s", type[i], host);

}

return (found);

}

static void

warn_changed_key(Key *host_key)

{

char *fp;

const char *type = key_type(host_key);

fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);

error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");

error("@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @");

error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");

error("IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!");

error("Someone could be eavesdropping on you right now (man-in-the-middle attack)!");

error("It is also possible that the %s host key has just been changed.", type);

error("The fingerprint for the %s key sent by the remote host is\n%s.",

type, fp);

error("Please contact your system administrator.");

xfree(fp);

}