Bugzilla – Attachment 946 Details for
Bug 910
known_hosts port numbers
[patch]
Implement port spec as per sshd(8) ListenAddress
openssh-bug910.patch (text/plain), 11.17 KB, created by
Darren Tucker
on 2005-08-09 23:09:11 AEST
Description:
Implement port spec as per sshd(8) ListenAddress
Filename:
MIME Type:
Creator:
Darren Tucker
Created:
2005-08-09 23:09:11 AEST
Size:
11.17 KB
patch
obsolete
>Index: misc.c
>===================================================================
>RCS file: /cvs/src/usr.bin/ssh/misc.c,v
>retrieving revision 1.34
>diff -u -p -r1.34 misc.c
>--- misc.c 2005/07/08 09:26:18 1.34
>+++ misc.c 2005/08/09 13:03:49
>@@ -29,6 +29,7 @@ RCSID("$OpenBSD: misc.c,v 1.34 2005/07/0
> #include "misc.h"
> #include "log.h"
> #include "xmalloc.h"
>+#include "ssh.h"
> 
> /* remove newline at end of string */
> char *
>@@ -268,6 +269,55 @@ convtime(const char *s)
> }
> 
> return total;
>+}
>+
>+/*
>+ * Returns hostname and optional port.
>+ * Side effect: modifies arg.
>+ */
>+int
>+get_host_port(char *arg, char **host, u_short *port)
>+{
>+ char *p;
>+
>+ if (arg == NULL || *arg == '\0')
>+ return -1; /* missing address */
>+
>+ /* check for bare IPv6 address: no "[]" and 2 or more ":" */
>+ if (strchr(arg, '[') == NULL && (p = strchr(arg, ':')) != NULL
>+ && strchr(p+1, ':') != NULL) {
>+ *host = arg;
>+ *port = 0;
>+ return 0;
>+ }
>+ p = hpdelim(&arg);
>+ if (p == NULL)
>+ return -2; /* missing port after ":" */
>+ *host = cleanhostname(p);
>+ if (arg == NULL)
>+ *port = 0;
>+ else if ((*port = a2port(arg)) == 0)
>+ return -3; /* bad port argument */
>+ return 0;
>+}
>+
>+char *
>+put_host_port(const char *host, u_short port)
>+{
>+ int ret;
>+ char *p;
>+
>+ if (port == 0 || port == SSH_DEFAULT_PORT)
>+ return(xstrdup(host));
>+ if ((p = strchr(host, ':')) != NULL && strchr(p+1, ':') != NULL)
>+ ret = asprintf(&p, "[%s]:%hd", host, port); /* IPv6 */
>+ else
>+ ret = asprintf(&p, "%s:%hd", host, port);
>+
>+ if (ret == -1)
>+ fatal("put_host_port: %s", strerror(errno));
>+ debug3("put_host_port: %s", p);
>+ return p;
> }
> 
> /*
>Index: misc.h
>===================================================================
>RCS file: /cvs/src/usr.bin/ssh/misc.h,v
>retrieving revision 1.25
>diff -u -p -r1.25 misc.h
>--- misc.h 2005/07/14 04:00:43 1.25
>+++ misc.h 2005/08/09 13:03:49
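Review bot: `put_host_port()` formats the `u_short` port with `%hd`, a signed conversion, so any port above 32767 is rendered as a negative number (65535 becomes `-1`) in the string that becomes both the known_hosts lookup key and the recorded entry, and a host on such a port can never be matched or written correctly. Both calls should use the unsigned conversion: `ret = asprintf(&p, "[%s]:%hu", host, port);` and `ret = asprintf(&p, "%s:%hu", host, port);`. The bare-IPv6 test in the same function also re-brackets a host that already carries `[...]`; the callers visible in this patch pass resolved names and addresses, so that is presumably unreachable, but a one-line comment stating that assumption would help the next reader.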
>@@ -20,6 +20,8 @@ int set_nonblock(int);
> int unset_nonblock(int);
> void set_nodelay(int);
> int a2port(const char *);
>+int get_host_port(char *, char **, u_short *);
>+char *put_host_port(const char *, u_short);
> char *hpdelim(char **);
> char *cleanhostname(char *);
> char *colon(char *);
>Index: servconf.c
>===================================================================
>RCS file: /cvs/src/usr.bin/ssh/servconf.c,v
>retrieving revision 1.144
>diff -u -p -r1.144 servconf.c
>--- servconf.c 2005/08/06 10:03:12 1.144
>+++ servconf.c 2005/08/09 13:03:49
>@@ -473,27 +473,24 @@ parse_time:
> 
> case sListenAddress:
> arg = strdelim(&cp);
>- if (arg == NULL || *arg == '\0')
>+ switch (get_host_port(arg, &p, &port)) {
>+ case -1:
> fatal("%s line %d: missing address",
> filename, linenum);
>- /* check for bare IPv6 address: no "[]" and 2 or more ":" */
>- if (strchr(arg, '[') == NULL && (p = strchr(arg, ':')) != NULL
>- && strchr(p+1, ':') != NULL) {
>- add_listen_addr(options, arg, 0);
>- break;
>- }
>- p = hpdelim(&arg);
>- if (p == NULL)
>+ break;;
>+ case -2:
> fatal("%s line %d: bad address:port usage",
> filename, linenum);
>- p = cleanhostname(p);
>- if (arg == NULL)
>- port = 0;
>- else if ((port = a2port(arg)) == 0)
>+ break;;
>+ case -3:
> fatal("%s line %d: bad port number", filename, linenum);
>-
>- add_listen_addr(options, p, port);
>-
>+ break;
>+ case 0:
>+ add_listen_addr(options, p, port);
>+ break;
>+ default:
>+ fatal("Internal error: get_host_port");
>+ }
> break;
> 
> case sAddressFamily:
>Index: sshconnect.c
>===================================================================
>RCS file: /cvs/src/usr.bin/ssh/sshconnect.c,v
>retrieving revision 1.168
>diff -u -p -r1.168 sshconnect.c
>--- sshconnect.c 2005/07/17 07:17:55 1.168
>+++ sshconnect.c 2005/08/09 13:03:50
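Review bot: The `case -1:` and `case -2:` arms of the new `switch` in servconf.c end in `break;;`, a stray empty statement after the `break` (two occurrences in the hunk); both should read `break;` as the `-3` and `0` arms do. Since `fatal()` does not return, these `break`s only serve symmetry, so the extra semicolons are harmless but read as a typo and will trip a strict-warning build. The enclosing `switch` on the config keyword and the function it lives in both start outside the hunk.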
>@@ -520,7 +520,7 @@ check_host_key(char *host, struct sockad
> {
> Key *file_key;
> const char *type = key_type(host_key);
>- char *ip = NULL;
>+ char *ip = NULL, *hoststr = NULL, *ipstr = NULL;
> char hostline[1000], *hostp, *fp;
> HostStatus host_status;
> HostStatus ip_status;
>@@ -580,14 +580,19 @@ check_host_key(char *host, struct sockad
> options.check_host_ip = 0;
> 
> /*
>- * Allow the user to record the key under a different name. This is
>- * useful for ssh tunneling over forwarded connections or if you run
>- * multiple sshd's on different ports on the same machine.
>+ * Allow the user to record the key under a different name or
>+ * differentiate a non-standard port. This is useful for ssh
>+ * tunneling over forwarded connections or if you run multiple
>+ * sshd's on different ports on the same machine.
> */
> if (options.host_key_alias != NULL) {
> host = options.host_key_alias;
> debug("using hostkeyalias: %s", host);
>+ hoststr = xstrdup(host);
>+ } else {
>+ hoststr = put_host_port(host, options.port);
> }
>+ ipstr = put_host_port(ip, options.port);
> 
> /*
> * Store the host key from the known host file in here so that we can
>@@ -600,12 +605,12 @@ check_host_key(char *host, struct sockad
> * hosts or in the systemwide list.
> */
> host_file = user_hostfile;
>- host_status = check_host_in_hostfile(host_file, host, host_key,
>+ host_status = check_host_in_hostfile(host_file, hoststr, host_key,
> file_key, &host_line);
> if (host_status == HOST_NEW) {
> host_file = system_hostfile;
>- host_status = check_host_in_hostfile(host_file, host, host_key,
>- file_key, &host_line);
>+ host_status = check_host_in_hostfile(host_file, hoststr,
>+ host_key, file_key, &host_line);
> }
> /*
> * Also perform check for the ip address, skip the check if we are
>@@ -615,11 +620,11 @@ check_host_key(char *host, struct sockad
> Key *ip_key = key_new(host_key->type);
> 
> ip_file = user_hostfile;
>- ip_status = check_host_in_hostfile(ip_file, ip, host_key,
>+ ip_status = check_host_in_hostfile(ip_file, ipstr, host_key,
> ip_key, &ip_line);
> if (ip_status == HOST_NEW) {
> ip_file = system_hostfile;
>- ip_status = check_host_in_hostfile(ip_file, ip,
>+ ip_status = check_host_in_hostfile(ip_file, ipstr,
> host_key, ip_key, &ip_line);
> }
> if (host_status == HOST_CHANGED &&
>@@ -636,22 +641,23 @@ check_host_key(char *host, struct sockad
> case HOST_OK:
> /* The host is known and the key matches. */
> debug("Host '%.200s' is known and matches the %s host key.",
>- host, type);
>+ hoststr, type);
> debug("Found key in %s:%d", host_file, host_line);
> if (options.check_host_ip && ip_status == HOST_NEW) {
> if (readonly)
> logit("%s host key for IP address "
> "'%.128s' not in list of known hosts.",
>- type, ip);
>+ type, ipstr);
> else if (!add_host_to_hostfile(user_hostfile, ip,
> host_key, options.hash_known_hosts))
> logit("Failed to add the %s host key for IP "
> "address '%.128s' to the list of known "
>- "hosts (%.30s).", type, ip, user_hostfile);
>+ "hosts (%.30s).", type, ipstr,
>+ user_hostfile);
> else
> logit("Warning: Permanently added the %s host "
> "key for IP address '%.128s' to the list "
>- "of known hosts.", type, ip);
>+ "of known hosts.", type, ipstr);
> }
> break;
> case HOST_NEW:
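Review bot: In the HOST_OK branch the IP key is still recorded with `add_host_to_hostfile(user_hostfile, ip,` (an unchanged context line in the @@ -636 hunk) while the lookup in the @@ -615 hunk and the surrounding log messages now use `ipstr`. On a non-standard port the entry is therefore written without the port, the next connection looks up `ipstr`, gets HOST_NEW for the IP again and re-adds it, and the "Permanently added" message names an entry that was never written. Change that call to `add_host_to_hostfile(user_hostfile, ipstr,` so it matches what the HOST_NEW branch does further down in the patch.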
>@@ -665,12 +671,12 @@ check_host_key(char *host, struct sockad
> * alternative left is to abort.
> */
> error("No %s host key is known for %.200s and you "
>- "have requested strict checking.", type, host);
>+ "have requested strict checking.", type, hoststr);
> goto fail;
> } else if (options.strict_host_key_checking == 2) {
> char msg1[1024], msg2[1024];
> 
>- if (show_other_keys(host, host_key))
>+ if (show_other_keys(hoststr, host_key))
> snprintf(msg1, sizeof(msg1),
> "\nbut keys of different type are already"
> " known for this host.");
>@@ -695,7 +701,7 @@ check_host_key(char *host, struct sockad
> "%s key fingerprint is %s.\n%s"
> "Are you sure you want to continue connecting "
> "(yes/no)? ",
>- host, ip, msg1, type, fp, msg2);
>+ hoststr, ipstr, msg1, type, fp, msg2);
> xfree(fp);
> if (!confirm(msg))
> goto fail;
>@@ -706,13 +712,13 @@ check_host_key(char *host, struct sockad
> */
> if (options.check_host_ip && ip_status == HOST_NEW) {
> snprintf(hostline, sizeof(hostline), "%s,%s",
>- host, ip);
>+ hoststr, ipstr);
> hostp = hostline;
> if (options.hash_known_hosts) {
> /* Add hash of host and IP separately */
>- r = add_host_to_hostfile(user_hostfile, host,
>+ r = add_host_to_hostfile(user_hostfile, hoststr,
> host_key, options.hash_known_hosts) &&
>- add_host_to_hostfile(user_hostfile, ip,
>+ add_host_to_hostfile(user_hostfile, ipstr,
> host_key, options.hash_known_hosts);
> } else {
> /* Add unhashed "host,ip" */
>@@ -721,9 +727,9 @@ check_host_key(char *host, struct sockad
> options.hash_known_hosts);
> }
> } else {
>- r = add_host_to_hostfile(user_hostfile, host, host_key,
>- options.hash_known_hosts);
>- hostp = host;
>+ r = add_host_to_hostfile(user_hostfile, hoststr,
>+ host_key, options.hash_known_hosts);
>+ hostp = hoststr;
> }
> 
> if (!r)
>@@ -745,8 +751,8 @@ check_host_key(char *host, struct sockad
> error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
> error("@ WARNING: POSSIBLE DNS SPOOFING DETECTED! @");
> error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
>- error("The %s host key for %s has changed,", type, host);
>- error("and the key for the according IP address %s", ip);
>+ error("The %s host key for %s has changed,", type, hoststr);
>+ error("and the key for the according IP address %s", ipstr);
> error("%s. This could either mean that", key_msg);
> error("DNS SPOOFING is happening or the IP address for the host");
> error("and its host key have changed at the same time.");
>@@ -765,7 +771,7 @@ check_host_key(char *host, struct sockad
> */
> if (options.strict_host_key_checking) {
> error("%s host key for %.200s has changed and you have "
>- "requested strict checking.", type, host);
>+ "requested strict checking.", type, hoststr);
> goto fail;
> }
> 
>@@ -826,7 +832,7 @@ check_host_key(char *host, struct sockad
> "Warning: the %s host key for '%.200s' "
> "differs from the key for the IP address '%.128s'"
> "\nOffending key for IP in %s:%d",
>- type, host, ip, ip_file, ip_line);
>+ type, hoststr, ipstr, ip_file, ip_line);
> if (host_status == HOST_OK) {
> len = strlen(msg);
> snprintf(msg + len, sizeof(msg) - len,
>@@ -848,10 +854,14 @@ check_host_key(char *host, struct sockad
> }
> 
> xfree(ip);
>+ xfree(hoststr);
>+ xfree(ipstr);
> return 0;
> 
> fail:
> xfree(ip);
>+ xfree(hoststr);
>+ xfree(ipstr);
> return -1;
> }
> 
>Index: sshd.8
>===================================================================
>RCS file: /cvs/src/usr.bin/ssh/sshd.8,v
>retrieving revision 1.208
>diff -u -p -r1.208 sshd.8
>--- sshd.8 2005/06/08 03:50:00 1.208
>+++ sshd.8 2005/08/09 13:03:50
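Review bot: The `fail:` label in the @@ -848 hunk now frees `hoststr` and `ipstr` unconditionally, but both are initialised to NULL in the @@ -520 hunk and only assigned at the hostkeyalias check some sixty lines into `check_host_key()`; every early exit between the top of the function and that point lies outside these hunks, and if any of them is a `goto fail` it would hand a NULL pointer to `xfree()`, which in OpenSSH's xmalloc wrapper is a fatal error rather than a no-op. Either confirm no such exit exists before the assignments or guard the two new frees, e.g. `if (hoststr != NULL) xfree(hoststr);` and `if (ipstr != NULL) xfree(ipstr);`. A short comment at the declarations noting that they must be non-NULL by the time `fail:` is reachable would make that invariant explicit.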
>@@ -530,6 +530,15 @@ A pattern may also be preceded by
>to indicate negation: if the host name matches a negated
>pattern, it is not accepted (by that line) even if it matched another
>pattern on the line.
>+A hostname may optionally be followed by a
>+.Ql :
>+and then a non-standard port number.
>+If an IPv6 address has a non-standard port number then the address must
>+be enclosed within
>+.Ql [
>+and
>+.Ql ]
>+brackets.
> .Pp
>Alternately, hostnames may be stored in a hashed form which hides host names
>and addresses should the file's contents be disclosed.