===================================================================
RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/ssh/sshconnect.c,v
retrieving revision 1.156.2.2
retrieving revision 1.157
diff -u -r1.156.2.2 -r1.157
--- src/usr.bin/ssh/sshconnect.c 2005/03/10 17:15:05 1.156.2.2
+++ src/usr.bin/ssh/sshconnect.c 2004/05/08 00:21:31 1.157
@@ -13,7 +13,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: sshconnect.c,v 1.156.2.2 2005/03/10 17:15:05 brad Exp $");
+RCSID("$OpenBSD: sshconnect.c,v 1.157 2004/05/08 00:21:31 djm Exp $");
 #include
@@ -293,6 +293,12 @@
 * second). If proxy_command is non-NULL, it specifies the command (with %h
 * and %p substituted for host and port, respectively) to use to contact
 * the daemon.
+ * Return values:
+ * 0 for OK
+ * ECONNREFUSED if we got a "Connection Refused" by the peer on any address
+ * ECONNABORTED if we failed without a "Connection refused"
+ * Suitable error messages for the connection failure will already have been
+ * printed.
 */
 int
 ssh_connect(const char *host, struct sockaddr_storage * hostaddr,
@@ -305,6 +311,12 @@
 char ntop[NI_MAXHOST], strport[NI_MAXSERV];
 struct addrinfo hints, *ai, *aitop;
 struct servent *sp;
+ /*
+ * Did we get only other errors than "Connection refused" (which
+ * should block fallback to rsh and similar), or did we get at least
+ * one "Connection refused"?
+ */
+ int full_failure = 1;
 debug2("ssh_connect: needpriv %d", needpriv);
@@ -365,6 +377,8 @@
 memcpy(hostaddr, ai->ai_addr, ai->ai_addrlen);
 break;
 } else {
+ if (errno == ECONNREFUSED)
+ full_failure = 0;
 debug("connect to address %s port %s: %s",
 ntop, strport, strerror(errno));
 /*
@@ -390,9 +404,9 @@
 /* Return failure if we didn't get a successful connection. */
 if (attempt >= connection_attempts) {
- error("ssh: connect to host %s port %s: %s",
+ logit("ssh: connect to host %s port %s: %s",
 host, strport, strerror(errno));
- return (-1);
+ return full_failure ? ECONNABORTED : ECONNREFUSED;
 }
 debug("Connection established.");
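Review bot: In the `@@ -365,6 +377,8 @@` hunk a single refused address is enough to clear `full_failure`, and the comment added in the `@@ -305,6 +311,12 @@` hunk says that outcome is what allows fallback to rsh. A refusal is an unauthenticated network signal, so a caller that downgrades to a cleartext protocol on `ECONNREFUSED` is trusting something the peer never proved; the callers are not visible here and should be checked for that. The declaration comment is also phrased as a question, so which answer corresponds to 1 is left to the reader; I would replace it with `/* 1 until any address answers "Connection refused"; selects ECONNABORTED vs ECONNREFUSED on failure */`. The connect loop starts and ends outside both hunks.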
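Review bot: In the `@@ -390,9 +404,9 @@` hunk the failure return changes from `-1` to a positive errno value (`ECONNABORTED` or `ECONNREFUSED`), so any caller that still tests `ssh_connect(...) < 0` would take a failed connection for success; the callers are outside this diff and need checking. The comment added in the `@@ -293,6 +293,12 @@` hunk lists the values but not the change of sign, and I would add ` * NB: failure is a positive errno value, never -1; callers must test != 0.` to it. The same hunk lowers the message from `error()` to `logit()`, which presumably hides it at log levels that still show errors, although the new comment promises the failure has already been printed. ssh_connect's body starts and ends outside these hunks.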
@@ -550,7 +564,7 @@
 char hostline[1000], *hostp, *fp;
 HostStatus host_status;
 HostStatus ip_status;
- int r, local = 0, host_ip_differ = 0;
+ int local = 0, host_ip_differ = 0;
 char ntop[NI_MAXHOST];
 char msg[1024];
 int len, host_line, ip_line;
@@ -670,7 +684,7 @@
 "'%.128s' not in list of known hosts.",
 type, ip);
 else if (!add_host_to_hostfile(user_hostfile, ip,
- host_key, options.hash_known_hosts))
+ host_key))
 logit("Failed to add the %s host key for IP "
 "address '%.128s' to the list of known "
 "hosts (%.30s).", type, ip, user_hostfile);
@@ -726,33 +740,17 @@
 if (!confirm(msg))
 goto fail;
 }
- /*
- * If not in strict mode, add the key automatically to the
- * local known_hosts file.
- */
 if (options.check_host_ip && ip_status == HOST_NEW) {
- snprintf(hostline, sizeof(hostline), "%s,%s",
- host, ip);
+ snprintf(hostline, sizeof(hostline), "%s,%s", host, ip);
 hostp = hostline;
- if (options.hash_known_hosts) {
- /* Add hash of host and IP separately */
- r = add_host_to_hostfile(user_hostfile, host,
- host_key, options.hash_known_hosts) &&
- add_host_to_hostfile(user_hostfile, ip,
- host_key, options.hash_known_hosts);
- } else {
- /* Add unhashed "host,ip" */
- r = add_host_to_hostfile(user_hostfile,
- hostline, host_key,
- options.hash_known_hosts);
- }
- } else {
- r = add_host_to_hostfile(user_hostfile, host, host_key,
- options.hash_known_hosts);
+ } else
 hostp = host;
- }
- if (!r)
+ /*
+ * If not in strict mode, add the key automatically to the
+ * local known_hosts file.
+ */
+ if (!add_host_to_hostfile(user_hostfile, hostp, host_key))
 logit("Failed to add the host to the list of known "
 "hosts (%.500s).", user_hostfile);
 else
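Review bot: The `+` side of the `@@ -670,7 +684,7 @@` hunk calls `add_host_to_hostfile(user_hostfile, ip, host_key)` without the `options.hash_known_hosts` argument, and the `@@ -726,33 +740,17 @@` hunk does the same for `hostp`, so on this side host names and addresses are presumably always written to the user's known_hosts file in clear. The revision dates in the header suggest the `+` side (1.157, 2004) is the older revision, so this may be a feature absent from that line of development rather than a regression; either way, a disclosed known_hosts file then lists the hosts the user has connected to. If the unhashed write is intended, I would say so at the call: `/* entries are written unhashed: known_hosts reveals contacted hosts if disclosed */`. add_host_to_hostfile's definition is outside this diff.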
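Review bot: In the `@@ -726,33 +740,17 @@` hunk the result of `snprintf(hostline, sizeof(hostline), "%s,%s", host, ip);` is not checked, so an over-long `host` would be cut silently and the shortened `host,ip` string is what `add_host_to_hostfile()` stores as the trusted name for `host_key`. A truncated entry is at best useless on the next lookup and at worst names a different host or address than the one that was verified. I would fail closed instead: `if ((size_t)snprintf(hostline, sizeof(hostline), "%s,%s", host, ip) >= sizeof(hostline)) goto fail;`. The `fail` label and the rest of the function are outside the hunk.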
@@ -761,19 +759,19 @@
 break;
 case HOST_CHANGED:
 if (options.check_host_ip && host_ip_differ) {
- char *key_msg;
+ char *msg;
 if (ip_status == HOST_NEW)
- key_msg = "is unknown";
+ msg = "is unknown";
 else if (ip_status == HOST_OK)
- key_msg = "is unchanged";
+ msg = "is unchanged";
 else
- key_msg = "has a different value";
+ msg = "has a different value";
 error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
 error("@ WARNING: POSSIBLE DNS SPOOFING DETECTED! @");
 error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
 error("The %s host key for %s has changed,", type, host);
 error("and the key for the according IP address %s", ip);
- error("%s. This could either mean that", key_msg);
+ error("%s. This could either mean that", msg);
 error("DNS SPOOFING is happening or the IP address for the host");
 error("and its host key have changed at the same time.");
 if (ip_status != HOST_NEW)
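Review bot: The inner `char *msg;` declared in the `HOST_CHANGED` branch has the same name as the `char msg[1024];` buffer visible in the `@@ -550,7 +564,7 @@` hunk context, which appears to belong to the same function, so inside this block it shadows the buffer passed to `confirm(msg)` elsewhere. Nothing in the visible lines misuses it, but a later edit in this block that means the prompt buffer would silently get the short status string in this security warning path. I would keep a distinct name and make it const, since it only ever points at string literals: `const char *key_msg;`. The enclosing function and the `if (ip_status != HOST_NEW)` statement continue outside the hunk.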