version 1.87, 2000/12/28 14:25:03 |
version 1.88, 2001/01/02 20:50:56 |
|
|
FILE *f; |
FILE *f; |
int retval = -1; |
int retval = -1; |
|
|
if (isatty(0)) |
if (isatty(STDIN_FILENO)) |
f = stdin; |
f = stdin; |
else |
else |
f = fopen("/dev/tty", "rw"); |
f = fopen("/dev/tty", "rw"); |
|
|
HostStatus ip_status; |
HostStatus ip_status; |
int local = 0, host_ip_differ = 0; |
int local = 0, host_ip_differ = 0; |
char ntop[NI_MAXHOST]; |
char ntop[NI_MAXHOST]; |
int host_line = -1, ip_line = -1; |
int host_line, ip_line; |
const char *host_file = NULL, *ip_file = NULL; |
const char *host_file = NULL, *ip_file = NULL; |
|
|
/* |
/* |
|
|
local = 0; |
local = 0; |
break; |
break; |
} |
} |
if (local) { |
if (local && options.host_key_alias == NULL) { |
if (options.host_key_alias == NULL) { |
debug("Forcing accepting of host key for " |
debug("Forcing accepting of host key for " |
"loopback/localhost."); |
"loopback/localhost."); |
return; |
return; |
|
} |
|
if (options.check_host_ip) |
|
options.check_host_ip = 0; |
|
} |
} |
|
|
/* |
/* |
* Turn off check_host_ip for proxy connects, since |
* We don't have the remote ip-address for connections |
* we don't have the remote ip-address |
* using a proxy command |
*/ |
*/ |
if (options.proxy_command != NULL && options.check_host_ip) |
|
options.check_host_ip = 0; |
|
|
|
if (options.proxy_command == NULL) { |
if (options.proxy_command == NULL) { |
if (getnameinfo(hostaddr, hostaddr->sa_len, ntop, sizeof(ntop), |
if (getnameinfo(hostaddr, hostaddr->sa_len, ntop, sizeof(ntop), |
NULL, 0, NI_NUMERICHOST) != 0) |
NULL, 0, NI_NUMERICHOST) != 0) |
|
|
} else { |
} else { |
ip = xstrdup("<no hostip for proxy command>"); |
ip = xstrdup("<no hostip for proxy command>"); |
} |
} |
|
/* |
|
* Turn off check_host_ip if the connection is to localhost, via proxy |
|
* command or if we don't have a hostname to compare with |
|
*/ |
|
if (options.check_host_ip && |
|
(local || strcmp(host, ip) == 0 || options.proxy_command != NULL)) |
|
options.check_host_ip = 0; |
|
|
/* |
/* |
* Allow the user to record the key under a different name. This is |
* Allow the user to record the key under a different name. This is |
|
|
* Also perform check for the ip address, skip the check if we are |
* Also perform check for the ip address, skip the check if we are |
* localhost or the hostname was an ip address to begin with |
* localhost or the hostname was an ip address to begin with |
*/ |
*/ |
if (options.check_host_ip && !local && strcmp(host, ip)) { |
if (options.check_host_ip) { |
Key *ip_key = key_new(host_key->type); |
Key *ip_key = key_new(host_key->type); |
|
|
ip_file = user_hostfile; |
ip_file = user_hostfile; |
|
|
debug("Host '%.200s' is known and matches the %s host key.", |
debug("Host '%.200s' is known and matches the %s host key.", |
host, type); |
host, type); |
debug("Found key in %s:%d", host_file, host_line); |
debug("Found key in %s:%d", host_file, host_line); |
if (options.check_host_ip) { |
if (options.check_host_ip && ip_status == HOST_NEW) { |
if (ip_status == HOST_NEW) { |
if (!add_host_to_hostfile(user_hostfile, ip, host_key)) |
if (!add_host_to_hostfile(user_hostfile, ip, host_key)) |
log("Failed to add the %s host key for IP address '%.30s' to the list of known hosts (%.30s).", |
log("Failed to add the %s host key for IP address '%.30s' to the list of known hosts (%.30s).", |
type, ip, user_hostfile); |
type, ip, user_hostfile); |
else |
else |
log("Warning: Permanently added the %s host key for IP address '%.30s' to the list of known hosts.", |
log("Warning: Permanently added the %s host key for IP address '%.30s' to the list of known hosts.", |
type, ip); |
type, ip); |
|
} else if (ip_status != HOST_OK) { |
|
log("Warning: the %s host key for '%.200s' differs from the key for the IP address '%.30s'", |
|
type, host, ip); |
|
log("Found key in %s:%d", host_file, host_line); |
|
if (ip_line != -1) |
|
log("Offending key for IP in %s:%d", ip_file, ip_line); |
|
} |
|
} |
} |
break; |
break; |
case HOST_NEW: |
case HOST_NEW: |
|
|
if (!read_yes_or_no(prompt, -1)) |
if (!read_yes_or_no(prompt, -1)) |
fatal("Aborted by user!\n"); |
fatal("Aborted by user!\n"); |
} |
} |
if (options.check_host_ip && ip_status == HOST_NEW && strcmp(host, ip)) { |
if (options.check_host_ip && ip_status == HOST_NEW) { |
snprintf(hostline, sizeof(hostline), "%s,%s", host, ip); |
snprintf(hostline, sizeof(hostline), "%s,%s", host, ip); |
hostp = hostline; |
hostp = hostline; |
} else |
} else |
|
|
error("%s. This could either mean that", msg); |
error("%s. This could either mean that", msg); |
error("DNS SPOOFING is happening or the IP address for the host"); |
error("DNS SPOOFING is happening or the IP address for the host"); |
error("and its host key have changed at the same time."); |
error("and its host key have changed at the same time."); |
if (ip_line != -1) |
if (ip_status != HOST_NEW) |
error("Offending key for IP in %s:%d", ip_file, ip_line); |
error("Offending key for IP in %s:%d", ip_file, ip_line); |
} |
} |
/* The host key has changed. */ |
/* The host key has changed. */ |
|
|
* accept the authentication. |
* accept the authentication. |
*/ |
*/ |
break; |
break; |
|
} |
|
|
|
if (options.check_host_ip && host_status != HOST_CHANGED && |
|
ip_status == HOST_CHANGED) { |
|
log("Warning: the %s host key for '%.200s' " |
|
"differs from the key for the IP address '%.30s'", |
|
type, host, ip); |
|
if (host_status == HOST_OK) |
|
log("Matching host key in %s:%d", host_file, host_line); |
|
log("Offending key for IP in %s:%d", ip_file, ip_line); |
|
if (options.strict_host_key_checking == 1) { |
|
fatal("Exiting, you have requested strict checking."); |
|
} else if (options.strict_host_key_checking == 2) { |
|
if (!read_yes_or_no("Continue?", -1)) |
|
fatal("Aborted by user!\n"); |
|
} |
} |
} |
|
|
xfree(ip); |
xfree(ip); |
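Review bot: The new IP-mismatch warning block (the `if (options.check_host_ip && host_status != HOST_CHANGED && ip_status == HOST_CHANGED)` test near the end of the section) runs only after the `switch` on host_status has finished, so on the HOST_NEW path the user is asked to accept the key and `hostp`/`hostline` is set up to record it before the client reports that the IP address's existing key differs — the very DNS-spoofing indicator the HOST_CHANGED text warns about — and a StrictHostKeyChecking=yes user gets the `fatal("Exiting, you have requested strict checking.")` only once the key has presumably already been written. Everything that block reads (host_status, ip_status, host_file/host_line, ip_file/ip_line) is known before the switch, so moving the whole block to just before the `switch (host_status)` (whose opening line is outside the visible section) would surface the conflict and the "Continue?" prompt before the accept prompt and before the hostfile update, without changing the HOST_OK or HOST_CHANGED outcomes. Note also that `ip_status` and `ip_line` are now declared without initializers and are only assigned inside the `if (options.check_host_ip)` block, so every later read — including the `if (ip_status != HOST_NEW)` in the HOST_CHANGED error path, whose enclosing condition is not visible here — must stay under a `check_host_ip` guard; a comment such as `/* ip_status/ip_line are valid only when options.check_host_ip is set */` on the declarations would make that invariant explicit.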