tyler.durden
/
openssh-portable
mirror of https://github.com/PowerShell/openssh-portable.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

- (djm) OpenBSD CVS Sync 

- djm@cvs.openbsd.org 2003/06/04 08:25:18
     [sshconnect.c]
     disable challenge/response and keyboard-interactive auth methods
     upon hostkey mismatch. based on patch from fcusack AT fcusack.com.
     bz #580; ok markus@
This commit is contained in:
Damien Miller 2003-06-04 20:31:53 +10:00
parent 2527f5755a
commit 941ac459ce
2 changed files with 20 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
ChangeLog
View File

@ -5,6 +5,12 @@
Patch from larsch@trustcenter.de; ok markus@ Patch from larsch@trustcenter.de; ok markus@
- (djm) Bug #584: scard-opensc.c doesn't work without PIN. Patch from - (djm) Bug #584: scard-opensc.c doesn't work without PIN. Patch from
larsch@trustcenter.de; ok markus@ larsch@trustcenter.de; ok markus@
- (djm) OpenBSD CVS Sync
- djm@cvs.openbsd.org 2003/06/04 08:25:18
[sshconnect.c]
disable challenge/response and keyboard-interactive auth methods
upon hostkey mismatch. based on patch from fcusack AT fcusack.com.
bz #580; ok markus@
20030603 20030603
- (djm) Replace setproctitle replacement with code derived from - (djm) Replace setproctitle replacement with code derived from
@ -433,4 +439,4 @@
- Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo.
Report from murple@murple.net, diagnosis from dtucker@zip.com.au Report from murple@murple.net, diagnosis from dtucker@zip.com.au
$Id: ChangeLog,v 1.2773 2003/06/04 09:22:06 djm Exp $ $Id: ChangeLog,v 1.2774 2003/06/04 10:31:53 djm Exp $

15
sshconnect.c
View File

@ -13,7 +13,7 @@
*/ */
#include "includes.h" #include "includes.h"
RCSID("$OpenBSD: sshconnect.c,v 1.143 2003/05/26 12:54:40 djm Exp $"); RCSID("$OpenBSD: sshconnect.c,v 1.144 2003/06/04 08:25:18 djm Exp $");
#include <openssl/bn.h> #include <openssl/bn.h>
@ -796,7 +796,7 @@ check_host_key(char *host, struct sockaddr *hostaddr, Key *host_key,
/* /*
* If strict host key checking has not been requested, allow * If strict host key checking has not been requested, allow
* the connection but without password authentication or * the connection but without MITM-able authentication or
* agent forwarding. * agent forwarding.
*/ */
if (options.password_authentication) { if (options.password_authentication) {
@ -804,6 +804,17 @@ check_host_key(char *host, struct sockaddr *hostaddr, Key *host_key,
"man-in-the-middle attacks."); "man-in-the-middle attacks.");
options.password_authentication = 0; options.password_authentication = 0;
} }
if (options.kbd_interactive_authentication) {
error("Keyboard-interactive authentication is disabled"
" to avoid man-in-the-middle attacks.");
options.kbd_interactive_authentication = 0;
options.challenge_response_authentication = 0;
}
if (options.challenge_response_authentication) {
error("Challenge/response authentication is disabled"
" to avoid man-in-the-middle attacks.");
options.challenge_response_authentication = 0;
}
if (options.forward_agent) { if (options.forward_agent) {
error("Agent forwarding is disabled to avoid " error("Agent forwarding is disabled to avoid "
"man-in-the-middle attacks."); "man-in-the-middle attacks.");