version 1.340, 2020/10/12 08:36:37 |
version 1.341, 2020/10/18 11:32:02 |
|
|
*/ |
*/ |
if (!debug_flag && options.control_path != NULL && |
if (!debug_flag && options.control_path != NULL && |
options.control_persist && stdfd_devnull(0, 0, 1) == -1) |
options.control_persist && stdfd_devnull(0, 0, 1) == -1) |
error("%s: stdfd_devnull failed", __func__); |
error_f("stdfd_devnull failed"); |
|
|
argv[0] = shell; |
argv[0] = shell; |
argv[1] = "-c"; |
argv[1] = "-c"; |
|
|
*/ |
*/ |
if (!debug_flag && options.control_path != NULL && |
if (!debug_flag && options.control_path != NULL && |
options.control_persist && stdfd_devnull(0, 0, 1) == -1) |
options.control_persist && stdfd_devnull(0, 0, 1) == -1) |
error("%s: stdfd_devnull failed", __func__); |
error_f("stdfd_devnull failed"); |
|
|
argv[0] = shell; |
argv[0] = shell; |
argv[1] = "-c"; |
argv[1] = "-c"; |
|
|
htonl(INADDR_LOOPBACK)) |
htonl(INADDR_LOOPBACK)) |
continue; |
continue; |
if (*rlenp < sizeof(struct sockaddr_in)) { |
if (*rlenp < sizeof(struct sockaddr_in)) { |
error("%s: v4 addr doesn't fit", |
error_f("v4 addr doesn't fit"); |
__func__); |
|
return -1; |
return -1; |
} |
} |
*rlenp = sizeof(struct sockaddr_in); |
*rlenp = sizeof(struct sockaddr_in); |
|
|
IN6_IS_ADDR_LOOPBACK(v6addr))) |
IN6_IS_ADDR_LOOPBACK(v6addr))) |
continue; |
continue; |
if (*rlenp < sizeof(struct sockaddr_in6)) { |
if (*rlenp < sizeof(struct sockaddr_in6)) { |
error("%s: v6 addr doesn't fit", |
error_f("v6 addr doesn't fit"); |
__func__); |
|
return -1; |
return -1; |
} |
} |
*rlenp = sizeof(struct sockaddr_in6); |
*rlenp = sizeof(struct sockaddr_in6); |
|
|
} |
} |
if ((r = getnameinfo((struct sockaddr *)&bindaddr, bindaddrlen, |
if ((r = getnameinfo((struct sockaddr *)&bindaddr, bindaddrlen, |
ntop, sizeof(ntop), NULL, 0, NI_NUMERICHOST)) != 0) { |
ntop, sizeof(ntop), NULL, 0, NI_NUMERICHOST)) != 0) { |
error("%s: getnameinfo failed: %s", __func__, |
error_f("getnameinfo failed: %s", ssh_gai_strerror(r)); |
ssh_gai_strerror(r)); |
|
goto fail; |
goto fail; |
} |
} |
if (bind(sock, (struct sockaddr *)&bindaddr, bindaddrlen) != 0) { |
if (bind(sock, (struct sockaddr *)&bindaddr, bindaddrlen) != 0) { |
error("bind %s: %s", ntop, strerror(errno)); |
error("bind %s: %s", ntop, strerror(errno)); |
goto fail; |
goto fail; |
} |
} |
debug("%s: bound to %s", __func__, ntop); |
debug_f("bound to %s", ntop); |
/* success */ |
/* success */ |
goto out; |
goto out; |
fail: |
fail: |
|
|
char ntop[NI_MAXHOST], strport[NI_MAXSERV]; |
char ntop[NI_MAXHOST], strport[NI_MAXSERV]; |
struct addrinfo *ai; |
struct addrinfo *ai; |
|
|
debug2("%s", __func__); |
debug3_f("entering"); |
memset(ntop, 0, sizeof(ntop)); |
memset(ntop, 0, sizeof(ntop)); |
memset(strport, 0, sizeof(strport)); |
memset(strport, 0, sizeof(strport)); |
|
|
|
|
ntop, sizeof(ntop), strport, sizeof(strport), |
ntop, sizeof(ntop), strport, sizeof(strport), |
NI_NUMERICHOST|NI_NUMERICSERV) != 0) { |
NI_NUMERICHOST|NI_NUMERICSERV) != 0) { |
oerrno = errno; |
oerrno = errno; |
error("%s: getnameinfo failed", __func__); |
error_f("getnameinfo failed"); |
errno = oerrno; |
errno = oerrno; |
continue; |
continue; |
} |
} |
|
|
(out = dup(STDOUT_FILENO)) == -1) { |
(out = dup(STDOUT_FILENO)) == -1) { |
if (in >= 0) |
if (in >= 0) |
close(in); |
close(in); |
error("%s: dup() in/out failed", __func__); |
error_f("dup() in/out failed"); |
return -1; /* ssh_packet_set_connection logs error */ |
return -1; /* ssh_packet_set_connection logs error */ |
} |
} |
if ((ssh_packet_set_connection(ssh, in, out)) == NULL) |
if ((ssh_packet_set_connection(ssh, in, out)) == NULL) |
|
|
} |
} |
if ((r = sshkey_check_cert_sigtype(key, |
if ((r = sshkey_check_cert_sigtype(key, |
options.ca_sign_algorithms)) != 0) { |
options.ca_sign_algorithms)) != 0) { |
logit("%s: certificate signature algorithm %s: %s", __func__, |
logit_fr(r, "certificate signature algorithm %s", |
(key->cert == NULL || key->cert->signature_type == NULL) ? |
(key->cert == NULL || key->cert->signature_type == NULL) ? |
"(null)" : key->cert->signature_type, ssh_err(r)); |
"(null)" : key->cert->signature_type); |
return 0; |
return 0; |
} |
} |
/* Do not attempt hostkey update if a certificate was successful */ |
/* Do not attempt hostkey update if a certificate was successful */ |
if (options.update_hostkeys != 0) { |
if (options.update_hostkeys != 0) { |
options.update_hostkeys = 0; |
options.update_hostkeys = 0; |
debug3("%s: certificate host key in use; disabling " |
debug3_f("certificate host key in use; disabling UpdateHostkeys"); |
"UpdateHostkeys", __func__); |
|
} |
} |
return 1; |
return 1; |
} |
} |
|
|
if (options.proxy_command == NULL) { |
if (options.proxy_command == NULL) { |
if (getnameinfo(hostaddr, hostaddr->sa_len, |
if (getnameinfo(hostaddr, hostaddr->sa_len, |
ntop, sizeof(ntop), NULL, 0, NI_NUMERICHOST) != 0) |
ntop, sizeof(ntop), NULL, 0, NI_NUMERICHOST) != 0) |
fatal("%s: getnameinfo failed", __func__); |
fatal_f("getnameinfo failed"); |
*hostfile_ipaddr = put_host_port(ntop, port); |
*hostfile_ipaddr = put_host_port(ntop, port); |
} else { |
} else { |
*hostfile_ipaddr = xstrdup("<no hostip for proxy " |
*hostfile_ipaddr = xstrdup("<no hostip for proxy " |
|
|
path_in_hostfiles(ip_found->file, |
path_in_hostfiles(ip_found->file, |
system_hostfiles, num_system_hostfiles)))) { |
system_hostfiles, num_system_hostfiles)))) { |
options.update_hostkeys = 0; |
options.update_hostkeys = 0; |
debug3("%s: host key found in GlobalKnownHostsFile; " |
debug3_f("host key found in GlobalKnownHostsFile; " |
"disabling UpdateHostkeys", __func__); |
"disabling UpdateHostkeys"); |
} |
} |
if (options.check_host_ip && ip_status == HOST_NEW) { |
if (options.check_host_ip && ip_status == HOST_NEW) { |
if (readonly || want_cert) |
if (readonly || want_cert) |
|
|
ra = sshkey_fingerprint(host_key, |
ra = sshkey_fingerprint(host_key, |
options.fingerprint_hash, SSH_FP_RANDOMART); |
options.fingerprint_hash, SSH_FP_RANDOMART); |
if (fp == NULL || ra == NULL) |
if (fp == NULL || ra == NULL) |
fatal("%s: sshkey_fingerprint fail", __func__); |
fatal_f("sshkey_fingerprint failed"); |
logit("Host key fingerprint is %s\n%s", fp, ra); |
logit("Host key fingerprint is %s\n%s", fp, ra); |
free(ra); |
free(ra); |
free(fp); |
free(fp); |
|
|
ra = sshkey_fingerprint(host_key, |
ra = sshkey_fingerprint(host_key, |
options.fingerprint_hash, SSH_FP_RANDOMART); |
options.fingerprint_hash, SSH_FP_RANDOMART); |
if (fp == NULL || ra == NULL) |
if (fp == NULL || ra == NULL) |
fatal("%s: sshkey_fingerprint fail", __func__); |
fatal_f("sshkey_fingerprint failed"); |
msg2[0] = '\0'; |
msg2[0] = '\0'; |
if (options.verify_host_key_dns) { |
if (options.verify_host_key_dns) { |
if (matching_host_key_dns) |
if (matching_host_key_dns) |
|
|
} |
} |
|
|
if (!hostkey_trusted && options.update_hostkeys) { |
if (!hostkey_trusted && options.update_hostkeys) { |
debug("%s: hostkey not known or explicitly trusted: " |
debug_f("hostkey not known or explicitly trusted: " |
"disabling UpdateHostkeys", __func__); |
"disabling UpdateHostkeys"); |
options.update_hostkeys = 0; |
options.update_hostkeys = 0; |
} |
} |
|
|
|
|
*/ |
*/ |
debug("No matching CA found. Retry with plain key"); |
debug("No matching CA found. Retry with plain key"); |
if ((r = sshkey_from_private(host_key, &raw_key)) != 0) |
if ((r = sshkey_from_private(host_key, &raw_key)) != 0) |
fatal("%s: sshkey_from_private: %s", |
fatal_fr(r, "decode key"); |
__func__, ssh_err(r)); |
|
if ((r = sshkey_drop_cert(raw_key)) != 0) |
if ((r = sshkey_drop_cert(raw_key)) != 0) |
fatal("Couldn't drop certificate: %s", ssh_err(r)); |
fatal_r(r, "Couldn't drop certificate"); |
host_key = raw_key; |
host_key = raw_key; |
goto retry; |
goto retry; |
} |
} |
|
|
|
|
if ((fp = sshkey_fingerprint(host_key, |
if ((fp = sshkey_fingerprint(host_key, |
options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL) { |
options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL) { |
error("%s: fingerprint host key: %s", __func__, ssh_err(r)); |
error_fr(r, "fingerprint host key"); |
r = -1; |
r = -1; |
goto out; |
goto out; |
} |
} |
|
|
if (sshkey_is_cert(host_key)) { |
if (sshkey_is_cert(host_key)) { |
if ((cafp = sshkey_fingerprint(host_key->cert->signature_key, |
if ((cafp = sshkey_fingerprint(host_key->cert->signature_key, |
options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL) { |
options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL) { |
error("%s: fingerprint CA key: %s", |
error_fr(r, "fingerprint CA key"); |
__func__, ssh_err(r)); |
|
r = -1; |
r = -1; |
goto out; |
goto out; |
} |
} |
|
|
} |
} |
|
|
if (sshkey_equal(previous_host_key, host_key)) { |
if (sshkey_equal(previous_host_key, host_key)) { |
debug2("%s: server host key %s %s matches cached key", |
debug2_f("server host key %s %s matches cached key", |
__func__, sshkey_type(host_key), fp); |
sshkey_type(host_key), fp); |
r = 0; |
r = 0; |
goto out; |
goto out; |
} |
} |
|
|
r = -1; |
r = -1; |
goto out; |
goto out; |
default: |
default: |
error("Error checking host key %s %s in " |
error_r(r, "Error checking host key %s %s in " |
"revoked keys file %s: %s", sshkey_type(host_key), |
"revoked keys file %s", sshkey_type(host_key), |
fp, options.revoked_host_keys, ssh_err(r)); |
fp, options.revoked_host_keys); |
r = -1; |
r = -1; |
goto out; |
goto out; |
} |
} |
|
|
ra = sshkey_fingerprint(found->key, |
ra = sshkey_fingerprint(found->key, |
options.fingerprint_hash, SSH_FP_RANDOMART); |
options.fingerprint_hash, SSH_FP_RANDOMART); |
if (fp == NULL || ra == NULL) |
if (fp == NULL || ra == NULL) |
fatal("%s: sshkey_fingerprint fail", __func__); |
fatal_f("sshkey_fingerprint fail"); |
logit("WARNING: %s key found for host %s\n" |
logit("WARNING: %s key found for host %s\n" |
"in %s:%lu\n" |
"in %s:%lu\n" |
"%s key fingerprint %s.", |
"%s key fingerprint %s.", |
|
|
fp = sshkey_fingerprint(host_key, options.fingerprint_hash, |
fp = sshkey_fingerprint(host_key, options.fingerprint_hash, |
SSH_FP_DEFAULT); |
SSH_FP_DEFAULT); |
if (fp == NULL) |
if (fp == NULL) |
fatal("%s: sshkey_fingerprint fail", __func__); |
fatal_f("sshkey_fingerprint fail"); |
|
|
error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"); |
error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"); |
error("@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @"); |
error("@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @"); |
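Review bot: The `error_fr(r, "fingerprint host key")` on the sshkey_fingerprint() failure path reads `r` before any call visible in that hunk has assigned it — sshkey_fingerprint() returns NULL and yields no error code — so the appended ssh_err text is whatever `r` happened to hold; the old `ssh_err(r)` form had the same flaw, so the commit carries it over rather than introduces it. The `error_fr(r, "fingerprint CA key")` branch a few lines below has the same issue. Both branches then set `r = -1` and jump to `out`, so `error_f("fingerprint host key failed");` and `error_f("fingerprint CA key failed");` would log accurately without the stale code, or `r` should be given a defined value at the top of the function, which begins outside the hunk. Separately, the same failure is worded `sshkey_fingerprint failed` in the check_host_key hunks but `sshkey_fingerprint fail` in the two later hunks; worth aligning while every call site is being touched.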