20010103

- (bal) fixed up sshconnect.c so it was closer inline with the OpenBSD tree (mainly positioning) - (bal) OpenSSH CVS Update - markus@cvs.openbsd.org 2001/01/02 20:41:02 [packet.c] log remote ip on disconnect; PR 1600 from jcs@rt.fm - markus@cvs.openbsd.org 2001/01/02 20:50:56 [sshconnect.c] strict_host_key_checking for host_status != HOST_CHANGED && ip_status == HOST_CHANGED
2025-07-31 01:35:11 +02:00 · 2001-01-03 03:51:15 +00:00 · 2001-01-03 03:51:15 +00:00 · 5c1fbabc5d
commit 5c1fbabc5d
parent 88c33974b2
3 changed files with 68 additions and 48 deletions
--- a/12
+++ b/12
@ -1,3 +1,15 @@
 20010103
 - (bal) fixed up sshconnect.c so it was closer inline with the OpenBSD
   tree (mainly positioning)
 - (bal) OpenSSH CVS Update
   - markus@cvs.openbsd.org 2001/01/02 20:41:02
     [packet.c]
     log remote ip on disconnect; PR 1600 from jcs@rt.fm
   - markus@cvs.openbsd.org 2001/01/02 20:50:56
     [sshconnect.c]
     strict_host_key_checking for host_status != HOST_CHANGED && 
     ip_status == HOST_CHANGED
 20010102
 - (bal) OpenBSD CVS Update
   - markus@cvs.openbsd.org 2001/01/01 14:52:49
--- a/packet.c
+++ b/packet.c
@ -37,7 +37,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: packet.c,v 1.40 2000/12/19 23:17:57 markus Exp $");
+RCSID("$OpenBSD: packet.c,v 1.41 2001/01/02 20:41:02 markus Exp $");
 #include "xmalloc.h"
 #include "buffer.h"
@ -979,7 +979,8 @@ packet_read_poll(int *payload_len_ptr)
 			case SSH2_MSG_DISCONNECT:
 				reason = packet_get_int();
 				msg = packet_get_string(NULL);
-				log("Received disconnect: %d: %.900s", reason, msg);
+				log("Received disconnect from %s: %d: %.400s", get_remote_ipaddr(),
 					reason, msg);
 				xfree(msg);
 				fatal_cleanup();
 				break;
@ -998,7 +999,8 @@ packet_read_poll(int *payload_len_ptr)
 				break;
 			case SSH_MSG_DISCONNECT:
 				msg = packet_get_string(NULL);
-				log("Received disconnect: %.900s", msg);
+				log("Received disconnect from %s: %.400s", get_remote_ipaddr(),
 					msg);
 				fatal_cleanup();
 				xfree(msg);
 				break;
--- a/sshconnect.c
+++ b/sshconnect.c
@ -13,7 +13,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: sshconnect.c,v 1.87 2000/12/28 14:25:03 markus Exp $");
+RCSID("$OpenBSD: sshconnect.c,v 1.88 2001/01/02 20:50:56 markus Exp $");
 #include <openssl/bn.h>
 #include <openssl/dsa.h>
@ -417,7 +417,7 @@ read_yes_or_no(const char *prompt, int defval)
 	FILE *f;
 	int retval = -1;
-	if (isatty(0))
+	if (isatty(STDIN_FILENO))
 		f = stdin;
 	else
 		f = fopen("/dev/tty", "rw");
@ -472,7 +472,7 @@ check_host_key(char *host, struct sockaddr *hostaddr, Key *host_key,
 	int local = 0, host_ip_differ = 0;
 	int salen;
 	char ntop[NI_MAXHOST];
-	int host_line = -1, ip_line = -1;
+	int host_line, ip_line;
 	const char *host_file = NULL, *ip_file = NULL;
 	/*
@ -498,38 +498,36 @@ check_host_key(char *host, struct sockaddr *hostaddr, Key *host_key,
 		salen = sizeof(struct sockaddr_storage);
 		break;
 	}
-	if (local) {
+	if (local && options.host_key_alias == NULL) {
-		if (options.host_key_alias == NULL) {
+		debug("Forcing accepting of host key for "
-			debug("Forcing accepting of host key for "
+		    "loopback/localhost.");
-			    "loopback/localhost.");
+		return;
 			return;
 		}
 		if (options.check_host_ip)
 			options.check_host_ip = 0;
 	}
 	/*
-	 * Turn off check_host_ip for proxy connects, since
+	 * We don't have the remote ip-address for connections
-	 * we don't have the remote ip-address
+	 * using a proxy command
 	 */
-	if (options.proxy_command != NULL && options.check_host_ip)
+	if (options.proxy_command == NULL) {
 		if (getnameinfo(hostaddr, salen, ntop, sizeof(ntop),
 		    NULL, 0, NI_NUMERICHOST) != 0)
 			fatal("check_host_key: getnameinfo failed");
 		ip = xstrdup(ntop);
 	} else {
 		ip = xstrdup("<no hostip for proxy command>");
 	}
 	/*
 	 * Turn off check_host_ip if the connection is to localhost, via proxy
 	 * command or if we don't have a hostname to compare with
 	 */
 	if (options.check_host_ip &&
 	    (local || strcmp(host, ip) == 0 || options.proxy_command != NULL))
 		options.check_host_ip = 0;
 	if (options.proxy_command == NULL) {
 		if (getnameinfo(hostaddr, salen, ntop, sizeof(ntop),
 		    NULL, 0, NI_NUMERICHOST) != 0)
 			fatal("check_host_key: getnameinfo failed");
 		ip = xstrdup(ntop);
 	} else {
 		ip = xstrdup("<no hostip for proxy command>");
 	}
 	/*
-  	 * Allow the user to record the key under a different name. This is
+	 * Allow the user to record the key under a different name. This is
 	 * useful for ssh tunneling over forwarded connections or if you run
-         * multiple sshd's on different ports on the same machine.
+	 * multiple sshd's on different ports on the same machine.
 	 */
 	if (options.host_key_alias != NULL) {
 		host = options.host_key_alias;
@ -556,7 +554,7 @@ check_host_key(char *host, struct sockaddr *hostaddr, Key *host_key,
 	 * Also perform check for the ip address, skip the check if we are
 	 * localhost or the hostname was an ip address to begin with
 	 */
-	if (options.check_host_ip && !local && strcmp(host, ip)) {
+	if (options.check_host_ip) {
 		Key *ip_key = key_new(host_key->type);
 		ip_file = user_hostfile;
@ -581,21 +579,13 @@ check_host_key(char *host, struct sockaddr *hostaddr, Key *host_key,
 		debug("Host '%.200s' is known and matches the %s host key.",
 		    host, type);
 		debug("Found key in %s:%d", host_file, host_line);
-		if (options.check_host_ip) {
+		if (options.check_host_ip && ip_status == HOST_NEW) {
-			if (ip_status == HOST_NEW) {
+			if (!add_host_to_hostfile(user_hostfile, ip, host_key))
-				if (!add_host_to_hostfile(user_hostfile, ip, host_key))
+				log("Failed to add the %s host key for IP address '%.30s' to the list of known hosts (%.30s).",
-					log("Failed to add the %s host key for IP address '%.30s' to the list of known hosts (%.30s).",
+				    type, ip, user_hostfile);
-					    type, ip, user_hostfile);
+			else
-				else
+				log("Warning: Permanently added the %s host key for IP address '%.30s' to the list of known hosts.",
-					log("Warning: Permanently added the %s host key for IP address '%.30s' to the list of known hosts.",
+				    type, ip);
 					    type, ip);
 			} else if (ip_status != HOST_OK) {
 				log("Warning: the %s host key for '%.200s' differs from the key for the IP address '%.30s'",
 				    type, host, ip);
 				log("Found key in %s:%d", host_file, host_line);
 				if (ip_line != -1)
 					log("Offending key for IP in %s:%d", ip_file, ip_line);
 			}
 		}
 		break;
 	case HOST_NEW:
@ -615,7 +605,7 @@ check_host_key(char *host, struct sockaddr *hostaddr, Key *host_key,
 			if (!read_yes_or_no(prompt, -1))
 				fatal("Aborted by user!\n");
 		}
-		if (options.check_host_ip && ip_status == HOST_NEW && strcmp(host, ip)) {
+		if (options.check_host_ip && ip_status == HOST_NEW) {
 			snprintf(hostline, sizeof(hostline), "%s,%s", host, ip);
 			hostp = hostline;
 		} else
@ -646,7 +636,7 @@ check_host_key(char *host, struct sockaddr *hostaddr, Key *host_key,
 			error("%s. This could either mean that", msg);
 			error("DNS SPOOFING is happening or the IP address for the host");
 			error("and its host key have changed at the same time.");
-			if (ip_line != -1)
+			if (ip_status != HOST_NEW)
 				error("Offending key for IP in %s:%d", ip_file, ip_line);
 		}
 		/* The host key has changed. */
@ -701,6 +691,22 @@ check_host_key(char *host, struct sockaddr *hostaddr, Key *host_key,
 		break;
 	}
 	if (options.check_host_ip && host_status != HOST_CHANGED &&
 	    ip_status == HOST_CHANGED) {
 		log("Warning: the %s host key for '%.200s' "
 		    "differs from the key for the IP address '%.30s'",
 		    type, host, ip);
 		if (host_status == HOST_OK)
 			log("Matching host key in %s:%d", host_file, host_line);
 		log("Offending key for IP in %s:%d", ip_file, ip_line);
 		if (options.strict_host_key_checking == 1) {
 			fatal("Exiting, you have requested strict checking.");
 		} else if (options.strict_host_key_checking == 2) {
 			if (!read_yes_or_no("Continue?", -1))
 				fatal("Aborted by user!\n");
 		}
 	}
 	xfree(ip);
 }