version 1.246, 2014/02/06 22:21:01 |
version 1.247, 2014/04/01 03:34:10 |
|
|
{ |
{ |
int flags = 0; |
int flags = 0; |
char *fp; |
char *fp; |
|
Key *plain = NULL; |
|
|
fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX); |
fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX); |
debug("Server host key: %s %s", key_type(host_key), fp); |
debug("Server host key: %s %s", key_type(host_key), fp); |
free(fp); |
free(fp); |
|
|
/* XXX certs are not yet supported for DNS */ |
if (options.verify_host_key_dns) { |
if (!key_is_cert(host_key) && options.verify_host_key_dns && |
/* |
verify_host_key_dns(host, hostaddr, host_key, &flags) == 0) { |
* XXX certs are not yet supported for DNS, so downgrade |
if (flags & DNS_VERIFY_FOUND) { |
* them and try the plain key. |
|
*/ |
if (options.verify_host_key_dns == 1 && |
plain = key_from_private(host_key); |
flags & DNS_VERIFY_MATCH && |
if (key_is_cert(plain)) |
flags & DNS_VERIFY_SECURE) |
key_drop_cert(plain); |
return 0; |
if (verify_host_key_dns(host, hostaddr, plain, &flags) == 0) { |
|
if (flags & DNS_VERIFY_FOUND) { |
if (flags & DNS_VERIFY_MATCH) { |
if (options.verify_host_key_dns == 1 && |
matching_host_key_dns = 1; |
flags & DNS_VERIFY_MATCH && |
} else { |
flags & DNS_VERIFY_SECURE) { |
warn_changed_key(host_key); |
key_free(plain); |
error("Update the SSHFP RR in DNS with the new " |
return 0; |
"host key to get rid of this message."); |
} |
|
if (flags & DNS_VERIFY_MATCH) { |
|
matching_host_key_dns = 1; |
|
} else { |
|
warn_changed_key(plain); |
|
error("Update the SSHFP RR in DNS " |
|
"with the new host key to get rid " |
|
"of this message."); |
|
} |
} |
} |
} |
} |
|
key_free(plain); |
} |
} |
|
|
return check_host_key(host, hostaddr, options.port, host_key, RDRW, |
return check_host_key(host, hostaddr, options.port, host_key, RDRW, |
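Review bot: `matching_host_key_dns = 1` is now set from an SSHFP lookup done on `plain`, the certificate-stripped copy, while the function still ends by passing the original `host_key` to `check_host_key()`, so the DNS match describes a different key object than the one the final check evaluates. That looks intentional, but it deserves a comment at the assignment, for example `/* SSHFP matched the plain key only; host_key may still be a certificate */`, so the flag is not later read as DNS having vouched for the certificate itself. Separately, `plain` goes straight into `key_is_cert(plain)`; if `key_from_private()` can return NULL in this tree (not visible here), a NULL guard is needed before that call. The enclosing function starts before and continues past the lines shown.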