| version 1.340, 2020/10/12 08:36:37 |
version 1.341, 2020/10/18 11:32:02 |
|
|
| */ |
*/ |
| if (!debug_flag && options.control_path != NULL && |
if (!debug_flag && options.control_path != NULL && |
| options.control_persist && stdfd_devnull(0, 0, 1) == -1) |
options.control_persist && stdfd_devnull(0, 0, 1) == -1) |
| error("%s: stdfd_devnull failed", __func__); |
error_f("stdfd_devnull failed"); |
| |
|
| argv[0] = shell; |
argv[0] = shell; |
| argv[1] = "-c"; |
argv[1] = "-c"; |
|
|
| */ |
*/ |
| if (!debug_flag && options.control_path != NULL && |
if (!debug_flag && options.control_path != NULL && |
| options.control_persist && stdfd_devnull(0, 0, 1) == -1) |
options.control_persist && stdfd_devnull(0, 0, 1) == -1) |
| error("%s: stdfd_devnull failed", __func__); |
error_f("stdfd_devnull failed"); |
| |
|
| argv[0] = shell; |
argv[0] = shell; |
| argv[1] = "-c"; |
argv[1] = "-c"; |
|
|
| htonl(INADDR_LOOPBACK)) |
htonl(INADDR_LOOPBACK)) |
| continue; |
continue; |
| if (*rlenp < sizeof(struct sockaddr_in)) { |
if (*rlenp < sizeof(struct sockaddr_in)) { |
| error("%s: v4 addr doesn't fit", |
error_f("v4 addr doesn't fit"); |
| __func__); |
|
| return -1; |
return -1; |
| } |
} |
| *rlenp = sizeof(struct sockaddr_in); |
*rlenp = sizeof(struct sockaddr_in); |
|
|
| IN6_IS_ADDR_LOOPBACK(v6addr))) |
IN6_IS_ADDR_LOOPBACK(v6addr))) |
| continue; |
continue; |
| if (*rlenp < sizeof(struct sockaddr_in6)) { |
if (*rlenp < sizeof(struct sockaddr_in6)) { |
| error("%s: v6 addr doesn't fit", |
error_f("v6 addr doesn't fit"); |
| __func__); |
|
| return -1; |
return -1; |
| } |
} |
| *rlenp = sizeof(struct sockaddr_in6); |
*rlenp = sizeof(struct sockaddr_in6); |
|
|
| } |
} |
| if ((r = getnameinfo((struct sockaddr *)&bindaddr, bindaddrlen, |
if ((r = getnameinfo((struct sockaddr *)&bindaddr, bindaddrlen, |
| ntop, sizeof(ntop), NULL, 0, NI_NUMERICHOST)) != 0) { |
ntop, sizeof(ntop), NULL, 0, NI_NUMERICHOST)) != 0) { |
| error("%s: getnameinfo failed: %s", __func__, |
error_f("getnameinfo failed: %s", ssh_gai_strerror(r)); |
| ssh_gai_strerror(r)); |
|
| goto fail; |
goto fail; |
| } |
} |
| if (bind(sock, (struct sockaddr *)&bindaddr, bindaddrlen) != 0) { |
if (bind(sock, (struct sockaddr *)&bindaddr, bindaddrlen) != 0) { |
| error("bind %s: %s", ntop, strerror(errno)); |
error("bind %s: %s", ntop, strerror(errno)); |
| goto fail; |
goto fail; |
| } |
} |
| debug("%s: bound to %s", __func__, ntop); |
debug_f("bound to %s", ntop); |
| /* success */ |
/* success */ |
| goto out; |
goto out; |
| fail: |
fail: |
|
|
| char ntop[NI_MAXHOST], strport[NI_MAXSERV]; |
char ntop[NI_MAXHOST], strport[NI_MAXSERV]; |
| struct addrinfo *ai; |
struct addrinfo *ai; |
| |
|
| debug2("%s", __func__); |
debug3_f("entering"); |
| memset(ntop, 0, sizeof(ntop)); |
memset(ntop, 0, sizeof(ntop)); |
| memset(strport, 0, sizeof(strport)); |
memset(strport, 0, sizeof(strport)); |
| |
|
|
|
| ntop, sizeof(ntop), strport, sizeof(strport), |
ntop, sizeof(ntop), strport, sizeof(strport), |
| NI_NUMERICHOST|NI_NUMERICSERV) != 0) { |
NI_NUMERICHOST|NI_NUMERICSERV) != 0) { |
| oerrno = errno; |
oerrno = errno; |
| error("%s: getnameinfo failed", __func__); |
error_f("getnameinfo failed"); |
| errno = oerrno; |
errno = oerrno; |
| continue; |
continue; |
| } |
} |
|
|
| (out = dup(STDOUT_FILENO)) == -1) { |
(out = dup(STDOUT_FILENO)) == -1) { |
| if (in >= 0) |
if (in >= 0) |
| close(in); |
close(in); |
| error("%s: dup() in/out failed", __func__); |
error_f("dup() in/out failed"); |
| return -1; /* ssh_packet_set_connection logs error */ |
return -1; /* ssh_packet_set_connection logs error */ |
| } |
} |
| if ((ssh_packet_set_connection(ssh, in, out)) == NULL) |
if ((ssh_packet_set_connection(ssh, in, out)) == NULL) |
|
|
| } |
} |
| if ((r = sshkey_check_cert_sigtype(key, |
if ((r = sshkey_check_cert_sigtype(key, |
| options.ca_sign_algorithms)) != 0) { |
options.ca_sign_algorithms)) != 0) { |
| logit("%s: certificate signature algorithm %s: %s", __func__, |
logit_fr(r, "certificate signature algorithm %s", |
| (key->cert == NULL || key->cert->signature_type == NULL) ? |
(key->cert == NULL || key->cert->signature_type == NULL) ? |
| "(null)" : key->cert->signature_type, ssh_err(r)); |
"(null)" : key->cert->signature_type); |
| return 0; |
return 0; |
| } |
} |
| /* Do not attempt hostkey update if a certificate was successful */ |
/* Do not attempt hostkey update if a certificate was successful */ |
| if (options.update_hostkeys != 0) { |
if (options.update_hostkeys != 0) { |
| options.update_hostkeys = 0; |
options.update_hostkeys = 0; |
| debug3("%s: certificate host key in use; disabling " |
debug3_f("certificate host key in use; disabling UpdateHostkeys"); |
| "UpdateHostkeys", __func__); |
|
| } |
} |
| return 1; |
return 1; |
| } |
} |
|
|
| if (options.proxy_command == NULL) { |
if (options.proxy_command == NULL) { |
| if (getnameinfo(hostaddr, hostaddr->sa_len, |
if (getnameinfo(hostaddr, hostaddr->sa_len, |
| ntop, sizeof(ntop), NULL, 0, NI_NUMERICHOST) != 0) |
ntop, sizeof(ntop), NULL, 0, NI_NUMERICHOST) != 0) |
| fatal("%s: getnameinfo failed", __func__); |
fatal_f("getnameinfo failed"); |
| *hostfile_ipaddr = put_host_port(ntop, port); |
*hostfile_ipaddr = put_host_port(ntop, port); |
| } else { |
} else { |
| *hostfile_ipaddr = xstrdup("<no hostip for proxy " |
*hostfile_ipaddr = xstrdup("<no hostip for proxy " |
|
|
| path_in_hostfiles(ip_found->file, |
path_in_hostfiles(ip_found->file, |
| system_hostfiles, num_system_hostfiles)))) { |
system_hostfiles, num_system_hostfiles)))) { |
| options.update_hostkeys = 0; |
options.update_hostkeys = 0; |
| debug3("%s: host key found in GlobalKnownHostsFile; " |
debug3_f("host key found in GlobalKnownHostsFile; " |
| "disabling UpdateHostkeys", __func__); |
"disabling UpdateHostkeys"); |
| } |
} |
| if (options.check_host_ip && ip_status == HOST_NEW) { |
if (options.check_host_ip && ip_status == HOST_NEW) { |
| if (readonly || want_cert) |
if (readonly || want_cert) |
|
|
| ra = sshkey_fingerprint(host_key, |
ra = sshkey_fingerprint(host_key, |
| options.fingerprint_hash, SSH_FP_RANDOMART); |
options.fingerprint_hash, SSH_FP_RANDOMART); |
| if (fp == NULL || ra == NULL) |
if (fp == NULL || ra == NULL) |
| fatal("%s: sshkey_fingerprint fail", __func__); |
fatal_f("sshkey_fingerprint failed"); |
| logit("Host key fingerprint is %s\n%s", fp, ra); |
logit("Host key fingerprint is %s\n%s", fp, ra); |
| free(ra); |
free(ra); |
| free(fp); |
free(fp); |
|
|
| ra = sshkey_fingerprint(host_key, |
ra = sshkey_fingerprint(host_key, |
| options.fingerprint_hash, SSH_FP_RANDOMART); |
options.fingerprint_hash, SSH_FP_RANDOMART); |
| if (fp == NULL || ra == NULL) |
if (fp == NULL || ra == NULL) |
| fatal("%s: sshkey_fingerprint fail", __func__); |
fatal_f("sshkey_fingerprint failed"); |
| msg2[0] = '\0'; |
msg2[0] = '\0'; |
| if (options.verify_host_key_dns) { |
if (options.verify_host_key_dns) { |
| if (matching_host_key_dns) |
if (matching_host_key_dns) |
|
|
| } |
} |
| |
|
| if (!hostkey_trusted && options.update_hostkeys) { |
if (!hostkey_trusted && options.update_hostkeys) { |
| debug("%s: hostkey not known or explicitly trusted: " |
debug_f("hostkey not known or explicitly trusted: " |
| "disabling UpdateHostkeys", __func__); |
"disabling UpdateHostkeys"); |
| options.update_hostkeys = 0; |
options.update_hostkeys = 0; |
| } |
} |
| |
|
|
|
| */ |
*/ |
| debug("No matching CA found. Retry with plain key"); |
debug("No matching CA found. Retry with plain key"); |
| if ((r = sshkey_from_private(host_key, &raw_key)) != 0) |
if ((r = sshkey_from_private(host_key, &raw_key)) != 0) |
| fatal("%s: sshkey_from_private: %s", |
fatal_fr(r, "decode key"); |
| __func__, ssh_err(r)); |
|
| if ((r = sshkey_drop_cert(raw_key)) != 0) |
if ((r = sshkey_drop_cert(raw_key)) != 0) |
| fatal("Couldn't drop certificate: %s", ssh_err(r)); |
fatal_r(r, "Couldn't drop certificate"); |
| host_key = raw_key; |
host_key = raw_key; |
| goto retry; |
goto retry; |
| } |
} |
|
|
| |
|
| if ((fp = sshkey_fingerprint(host_key, |
if ((fp = sshkey_fingerprint(host_key, |
| options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL) { |
options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL) { |
| error("%s: fingerprint host key: %s", __func__, ssh_err(r)); |
error_fr(r, "fingerprint host key"); |
| r = -1; |
r = -1; |
| goto out; |
goto out; |
| } |
} |
|
|
| if (sshkey_is_cert(host_key)) { |
if (sshkey_is_cert(host_key)) { |
| if ((cafp = sshkey_fingerprint(host_key->cert->signature_key, |
if ((cafp = sshkey_fingerprint(host_key->cert->signature_key, |
| options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL) { |
options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL) { |
| error("%s: fingerprint CA key: %s", |
error_fr(r, "fingerprint CA key"); |
| __func__, ssh_err(r)); |
|
| r = -1; |
r = -1; |
| goto out; |
goto out; |
| } |
} |
|
|
| } |
} |
| |
|
| if (sshkey_equal(previous_host_key, host_key)) { |
if (sshkey_equal(previous_host_key, host_key)) { |
| debug2("%s: server host key %s %s matches cached key", |
debug2_f("server host key %s %s matches cached key", |
| __func__, sshkey_type(host_key), fp); |
sshkey_type(host_key), fp); |
| r = 0; |
r = 0; |
| goto out; |
goto out; |
| } |
} |
|
|
| r = -1; |
r = -1; |
| goto out; |
goto out; |
| default: |
default: |
| error("Error checking host key %s %s in " |
error_r(r, "Error checking host key %s %s in " |
| "revoked keys file %s: %s", sshkey_type(host_key), |
"revoked keys file %s", sshkey_type(host_key), |
| fp, options.revoked_host_keys, ssh_err(r)); |
fp, options.revoked_host_keys); |
| r = -1; |
r = -1; |
| goto out; |
goto out; |
| } |
} |
|
|
| ra = sshkey_fingerprint(found->key, |
ra = sshkey_fingerprint(found->key, |
| options.fingerprint_hash, SSH_FP_RANDOMART); |
options.fingerprint_hash, SSH_FP_RANDOMART); |
| if (fp == NULL || ra == NULL) |
if (fp == NULL || ra == NULL) |
| fatal("%s: sshkey_fingerprint fail", __func__); |
fatal_f("sshkey_fingerprint fail"); |
| logit("WARNING: %s key found for host %s\n" |
logit("WARNING: %s key found for host %s\n" |
| "in %s:%lu\n" |
"in %s:%lu\n" |
| "%s key fingerprint %s.", |
"%s key fingerprint %s.", |
|
|
| fp = sshkey_fingerprint(host_key, options.fingerprint_hash, |
fp = sshkey_fingerprint(host_key, options.fingerprint_hash, |
| SSH_FP_DEFAULT); |
SSH_FP_DEFAULT); |
| if (fp == NULL) |
if (fp == NULL) |
| fatal("%s: sshkey_fingerprint fail", __func__); |
fatal_f("sshkey_fingerprint fail"); |
| |
|
| error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"); |
error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"); |
| error("@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @"); |
error("@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @"); |
![[BACK]](/icons/back.gif){kind=icon}
Return to sshconnect.c CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / src / usr.bin / ssh