tyler.durden/openssh-portable
1
0
Fork 0
mirror of https://github.com/PowerShell/openssh-portable.git synced 2025-07-26 23:34:55 +02:00
Code Issues Packages Projects Releases Wiki Activity

- dtucker@cvs.openbsd.org 2008/07/01 07:20:52

Browse Source 
[sshconnect.c]
     Check ExitOnForwardFailure if forwardings are disabled due to a failed
     host key check.  ok djm@
This commit is contained in:
Darren Tucker 2008-07-02 22:33:55 +10:00
parent 1f781b194f
commit 068e01f53f
2 changed files with 18 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
ChangeLog
View File

@ -13,6 +13,10 @@
- djm@cvs.openbsd.org 2008/06/30 12:18:34 - djm@cvs.openbsd.org 2008/06/30 12:18:34
[PROTOCOL] [PROTOCOL]
clarify that eow@openssh.com is only sent on session channels clarify that eow@openssh.com is only sent on session channels
- dtucker@cvs.openbsd.org 2008/07/01 07:20:52
[sshconnect.c]
Check ExitOnForwardFailure if forwardings are disabled due to a failed
host key check. ok djm@
20080630 20080630
- (djm) OpenBSD CVS Sync - (djm) OpenBSD CVS Sync
@ -4496,4 +4500,4 @@
OpenServer 6 and add osr5bigcrypt support so when someone migrates OpenServer 6 and add osr5bigcrypt support so when someone migrates
passwords between UnixWare and OpenServer they will still work. OK dtucker@ passwords between UnixWare and OpenServer they will still work. OK dtucker@
$Id: ChangeLog,v 1.5042 2008/07/02 12:33:16 dtucker Exp $ $Id: ChangeLog,v 1.5043 2008/07/02 12:33:55 dtucker Exp $

15
sshconnect.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: sshconnect.c,v 1.209 2008/06/26 11:46:31 grunk Exp $ */ /* $OpenBSD: sshconnect.c,v 1.210 2008/07/01 07:20:52 dtucker Exp $ */
/* /*
* Author: Tatu Ylonen <ylo@cs.hut.fi> * Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -596,7 +596,7 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
int salen; int salen;
char ntop[NI_MAXHOST]; char ntop[NI_MAXHOST];
char msg[1024]; char msg[1024];
int len, host_line, ip_line; int len, host_line, ip_line, cancelled_forwarding = 0;
const char *host_file = NULL, *ip_file = NULL; const char *host_file = NULL, *ip_file = NULL;
/* /*
@ -878,27 +878,32 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
error("Password authentication is disabled to avoid " error("Password authentication is disabled to avoid "
"man-in-the-middle attacks."); "man-in-the-middle attacks.");
options.password_authentication = 0; options.password_authentication = 0;
cancelled_forwarding = 1;
} }
if (options.kbd_interactive_authentication) { if (options.kbd_interactive_authentication) {
error("Keyboard-interactive authentication is disabled" error("Keyboard-interactive authentication is disabled"
" to avoid man-in-the-middle attacks."); " to avoid man-in-the-middle attacks.");
options.kbd_interactive_authentication = 0; options.kbd_interactive_authentication = 0;
options.challenge_response_authentication = 0; options.challenge_response_authentication = 0;
cancelled_forwarding = 1;
} }
if (options.challenge_response_authentication) { if (options.challenge_response_authentication) {
error("Challenge/response authentication is disabled" error("Challenge/response authentication is disabled"
" to avoid man-in-the-middle attacks."); " to avoid man-in-the-middle attacks.");
options.challenge_response_authentication = 0; options.challenge_response_authentication = 0;
cancelled_forwarding = 1;
} }
if (options.forward_agent) { if (options.forward_agent) {
error("Agent forwarding is disabled to avoid " error("Agent forwarding is disabled to avoid "
"man-in-the-middle attacks."); "man-in-the-middle attacks.");
options.forward_agent = 0; options.forward_agent = 0;
cancelled_forwarding = 1;
} }
if (options.forward_x11) { if (options.forward_x11) {
error("X11 forwarding is disabled to avoid " error("X11 forwarding is disabled to avoid "
"man-in-the-middle attacks."); "man-in-the-middle attacks.");
options.forward_x11 = 0; options.forward_x11 = 0;
cancelled_forwarding = 1;
} }
if (options.num_local_forwards > 0 || if (options.num_local_forwards > 0 ||
options.num_remote_forwards > 0) { options.num_remote_forwards > 0) {
@ -906,12 +911,18 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
"man-in-the-middle attacks."); "man-in-the-middle attacks.");
options.num_local_forwards = options.num_local_forwards =
options.num_remote_forwards = 0; options.num_remote_forwards = 0;
cancelled_forwarding = 1;
} }
if (options.tun_open != SSH_TUNMODE_NO) { if (options.tun_open != SSH_TUNMODE_NO) {
error("Tunnel forwarding is disabled to avoid " error("Tunnel forwarding is disabled to avoid "
"man-in-the-middle attacks."); "man-in-the-middle attacks.");
options.tun_open = SSH_TUNMODE_NO; options.tun_open = SSH_TUNMODE_NO;
cancelled_forwarding = 1;
} }
if (options.exit_on_forward_failure && cancelled_forwarding)
fatal("Error: forwarding disabled due to host key "
"check failure");
/* /*
* XXX Should permit the user to change to use the new id. * XXX Should permit the user to change to use the new id.
* This could be done by converting the host key to an * This could be done by converting the host key to an