Bugzilla – Attachment 913 Details for
Bug 910
known_hosts port numbers
[patch]
A key of "hostname" implies port 22, also fix HashKnownHosts
openssh-knownhosts-port.patch (text/plain), 11.64 KB, created by
Darren Tucker
on 2005-05-14 19:33:16 AEST
(
hide
)
Description:
A key of "hostname" implies port 22, also fix HashKnownHosts
Filename:
MIME Type:
Creator:
Darren Tucker
Created:
2005-05-14 19:33:16 AEST
Size:
11.64 KB
patch
obsolete
>Index: sshconnect.c
>===================================================================
>RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/sshconnect.c,v
>retrieving revision 1.129
>diff -u -p -r1.129 sshconnect.c
>--- sshconnect.c 14 Mar 2005 12:08:12 -0000 1.129
>+++ sshconnect.c 14 May 2005 09:29:26 -0000
>@@ -545,12 +545,15 @@ confirm(const char *prompt)
> * is not valid. the user_hostfile will not be updated if 'readonly' is true.
> */
> static int
>-check_host_key(char *host, struct sockaddr *hostaddr, Key *host_key,
>- int readonly, const char *user_hostfile, const char *system_hostfile)
>+check_host_key(char *host, u_short port, struct sockaddr *hostaddr,
>+ Key *host_key, int readonly, const char *user_hostfile,
>+ const char *system_hostfile)
> {
> Key *file_key;
> const char *type = key_type(host_key);
> char *ip = NULL;
>+ char *hoststr = NULL;
>+ char *ipstr = NULL;
> char hostline[1000], *hostp, *fp;
> HostStatus host_status;
> HostStatus ip_status;
>@@ -621,6 +624,24 @@ check_host_key(char *host, struct sockad
> if (options.host_key_alias != NULL) {
> host = options.host_key_alias;
> debug("using hostkeyalias: %s", host);
>+ hoststr = xstrdup(host);
>+ ipstr = xstrdup(ip);
>+ } else {
>+ /* we have no HostKeyAlias */
>+ if (port == 0 || port == SSH_DEFAULT_PORT) {
>+ /* default or unspecified port */
>+ hoststr = xstrdup(host);
>+ ipstr = xstrdup(ip);
>+ } else {
>+ /* append port identifier */
>+ r = snprintf(msg, sizeof(msg), "%hu", port);
>+ len = r + strlen(host) + 2;
>+ hoststr = xmalloc(len);
>+ snprintf(hoststr, len, "%s@%hu", host, port);
>+ len = r + strlen(ip) + 2;
>+ ipstr = xmalloc(len);
>+ snprintf(ipstr, len, "%s@%hu", ip, port);
>+ }
> }
> 
> /*
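Review bot: The HostKeyAlias branch in the second hunk copies the alias verbatim into `hoststr` and never appends the port, so one alias reused for several ports of the same server resolves to a single known_hosts entry, and a key learned on one port is accepted on the others. That is presumably intended, since the alias is the user's own name for the key, but nothing in the code says so and the non-alias branch right below goes to some trouble to keep ports apart. A short comment next to `host = options.host_key_alias;` would stop a later reader from "fixing" it: `/* HostKeyAlias is used verbatim; the port is deliberately not appended. */`. Note that `msg`, `r` and `len`, used as scratch for the port formatting, are not declared in this hunk, and check_host_key's body continues outside it.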
>@@ -634,13 +655,14 @@ check_host_key(char *host, struct sockad
> * hosts or in the systemwide list.
> */
> host_file = user_hostfile;
>- host_status = check_host_in_hostfile(host_file, host, host_key,
>+ host_status = check_host_in_hostfile(host_file, hoststr, host_key,
> file_key, &host_line);
> if (host_status == HOST_NEW) {
> host_file = system_hostfile;
>- host_status = check_host_in_hostfile(host_file, host, host_key,
>- file_key, &host_line);
>+ host_status = check_host_in_hostfile(host_file, hoststr,
>+ host_key, file_key, &host_line);
> }
>+
> /*
> * Also perform check for the ip address, skip the check if we are
> * localhost or the hostname was an ip address to begin with
>@@ -649,11 +671,11 @@ check_host_key(char *host, struct sockad
> Key *ip_key = key_new(host_key->type);
> 
> ip_file = user_hostfile;
>- ip_status = check_host_in_hostfile(ip_file, ip, host_key,
>+ ip_status = check_host_in_hostfile(ip_file, ipstr, host_key,
> ip_key, &ip_line);
> if (ip_status == HOST_NEW) {
> ip_file = system_hostfile;
>- ip_status = check_host_in_hostfile(ip_file, ip,
>+ ip_status = check_host_in_hostfile(ip_file, ipstr,
> host_key, ip_key, &ip_line);
> }
> if (host_status == HOST_CHANGED &&
>@@ -670,22 +692,23 @@ check_host_key(char *host, struct sockad
> case HOST_OK:
> /* The host is known and the key matches. */
> debug("Host '%.200s' is known and matches the %s host key.",
>- host, type);
>+ hoststr, type);
> debug("Found key in %s:%d", host_file, host_line);
> if (options.check_host_ip && ip_status == HOST_NEW) {
> if (readonly)
> logit("%s host key for IP address "
> "'%.128s' not in list of known hosts.",
>- type, ip);
>+ type, ipstr);
> else if (!add_host_to_hostfile(user_hostfile, ip,
> host_key, options.hash_known_hosts))
> logit("Failed to add the %s host key for IP "
> "address '%.128s' to the list of known "
>- "hosts (%.30s).", type, ip, user_hostfile);
>+ "hosts (%.30s).", type, ipstr,
>+ user_hostfile);
> else
> logit("Warning: Permanently added the %s host "
> "key for IP address '%.128s' to the list "
>- "of known hosts.", type, ipstr);
> }
> break;
> case HOST_NEW:
>@@ -699,12 +722,12 @@ check_host_key(char *host, struct sockad
> * alternative left is to abort.
> */
> error("No %s host key is known for %.200s and you "
>- "have requested strict checking.", type, host);
>+ "have requested strict checking.", type, hoststr);
> goto fail;
> } else if (options.strict_host_key_checking == 2) {
> char msg1[1024], msg2[1024];
> 
>- if (show_other_keys(host, host_key))
>+ if (show_other_keys(hoststr, host_key))
> snprintf(msg1, sizeof(msg1),
> "\nbut keys of different type are already"
> " known for this host.");
>@@ -729,7 +752,7 @@ check_host_key(char *host, struct sockad
> "%s key fingerprint is %s.\n%s"
> "Are you sure you want to continue connecting "
> "(yes/no)? ",
>- host, ip, msg1, type, fp, msg2);
>+ hoststr, ipstr, msg1, type, fp, msg2);
> xfree(fp);
> if (!confirm(msg))
> goto fail;
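Review bot: In the HOST_OK branch of the first hunk the IP entry is still written for the plain `ip` (the unchanged `else if (!add_host_to_hostfile(user_hostfile, ip,` line) while the surrounding log messages were switched to `ipstr`, so for a non-default port the "Permanently added" message names `addr@port` but the entry actually stored is the port-less address. The lookup in the previous hunk searches for `ipstr`, so the next connection to that port reports HOST_NEW for the IP again and re-adds it, and the port-less entry would match a later connection to the default port on the same address, which is exactly the cross-port key reuse this patch is meant to stop. The call should be `else if (!add_host_to_hostfile(user_hostfile, ipstr,` to match the lookup. check_host_key's body starts and ends outside this hunk.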
>@@ -740,13 +763,13 @@ check_host_key(char *host, struct sockad
> */
> if (options.check_host_ip && ip_status == HOST_NEW) {
> snprintf(hostline, sizeof(hostline), "%s,%s",
>- host, ip);
>+ hoststr, ipstr);
> hostp = hostline;
> if (options.hash_known_hosts) {
> /* Add hash of host and IP separately */
>- r = add_host_to_hostfile(user_hostfile, host,
>+ r = add_host_to_hostfile(user_hostfile, hoststr,
> host_key, options.hash_known_hosts) &&
>- add_host_to_hostfile(user_hostfile, ip,
>+ add_host_to_hostfile(user_hostfile, ipstr,
> host_key, options.hash_known_hosts);
> } else {
> /* Add unhashed "host,ip" */
>@@ -757,7 +780,7 @@ check_host_key(char *host, struct sockad
> } else {
> r = add_host_to_hostfile(user_hostfile, host, host_key,
> options.hash_known_hosts);
>- hostp = host;
>+ hostp = hoststr;
> }
> 
> if (!r)
>@@ -779,8 +802,8 @@ check_host_key(char *host, struct sockad
> error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
> error("@ WARNING: POSSIBLE DNS SPOOFING DETECTED! @");
> error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
>- error("The %s host key for %s has changed,", type, host);
>- error("and the key for the according IP address %s", ip);
>+ error("The %s host key for %s has changed,", type, hoststr);
>+ error("and the key for the according IP address %s", ipstr);
> error("%s. This could either mean that", key_msg);
> error("DNS SPOOFING is happening or the IP address for the host");
> error("and its host key have changed at the same time.");
>@@ -799,7 +822,7 @@ check_host_key(char *host, struct sockad
> */
> if (options.strict_host_key_checking) {
> error("%s host key for %.200s has changed and you have "
>- "requested strict checking.", type, host);
>+ "requested strict checking.", type, hoststr);
> goto fail;
> }
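Review bot: In the `@@ -757` hunk the else branch (taken when CheckHostIP is off or the IP is already known) still adds the key for the plain `host` while `hostp` is changed to `hoststr`, so the "Permanently added" message names `host@port` but the entry written is the port-less hostname. On the next connection to that port the lookup for `hoststr` misses and the user is prompted again, and the port-less entry would satisfy a later connection to the same host on the default port, defeating the separation the patch introduces; the hashed branch in the previous hunk gets this right by passing `hoststr` and `ipstr`. Change the call to `r = add_host_to_hostfile(user_hostfile, hoststr, host_key,`. The unhashed "host,ip" add lies between these two hunks and is not visible here, so it should be checked for the same mismatch; check_host_key's body continues outside the hunk.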
> 
>@@ -860,7 +883,7 @@ check_host_key(char *host, struct sockad
> "Warning: the %s host key for '%.200s' "
> "differs from the key for the IP address '%.128s'"
> "\nOffending key for IP in %s:%d",
>- type, host, ip, ip_file, ip_line);
>+ type, hoststr, ipstr, ip_file, ip_line);
> if (host_status == HOST_OK) {
> len = strlen(msg);
> snprintf(msg + len, sizeof(msg) - len,
>@@ -882,16 +905,21 @@ check_host_key(char *host, struct sockad
> }
> 
> xfree(ip);
>+ xfree(hoststr);
>+ xfree(ipstr);
> return 0;
> 
> fail:
> xfree(ip);
>+ xfree(hoststr);
>+ xfree(ipstr);
> return -1;
> }
> 
> /* returns 0 if key verifies or -1 if key does NOT verify */
> int
>-verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key)
>+verify_host_key(char *host, u_short port, struct sockaddr *hostaddr,
>+ Key *host_key)
> {
> struct stat st;
> int flags = 0;
>@@ -919,11 +947,11 @@ verify_host_key(char *host, struct socka
> /* return ok if the key can be found in an old keyfile */
> if (stat(options.system_hostfile2, &st) == 0 ||
> stat(options.user_hostfile2, &st) == 0) {
>- if (check_host_key(host, hostaddr, host_key, /*readonly*/ 1,
>+ if (check_host_key(host, port, hostaddr, host_key, /*readonly*/ 1,
> options.user_hostfile2, options.system_hostfile2) == 0)
> return 0;
> }
>- return check_host_key(host, hostaddr, host_key, /*readonly*/ 0,
>+ return check_host_key(host, port, hostaddr, host_key, /*readonly*/ 0,
> options.user_hostfile, options.system_hostfile);
> }
> 
>@@ -940,6 +968,7 @@ ssh_login(Sensitive *sensitive, const ch
> {
> char *host, *cp;
> char *server_user, *local_user;
>+ u_short port = options.port ? options.port : SSH_DEFAULT_PORT;
> 
> local_user = xstrdup(pw->pw_name);
> server_user = options.user ? options.user : local_user;
>@@ -959,10 +988,10 @@ ssh_login(Sensitive *sensitive, const ch
> /* key exchange */
> /* authenticate user */
> if (compat20) {
>- ssh_kex2(host, hostaddr);
>+ ssh_kex2(host, port, hostaddr);
> ssh_userauth2(local_user, server_user, host, sensitive);
> } else {
>- ssh_kex(host, hostaddr);
>+ ssh_kex(host, port, hostaddr);
> ssh_userauth1(local_user, server_user, host, sensitive);
> }
> }
>Index: sshconnect.h
>===================================================================
>RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/sshconnect.h,v
>retrieving revision 1.18
>diff -u -p -r1.18 sshconnect.h
>--- sshconnect.h 21 Jun 2002 00:41:53 -0000 1.18
>+++ sshconnect.h 14 May 2005 08:32:26 -0000
>@@ -40,10 +40,10 @@ ssh_connect(const char *, struct sockadd
> void
> ssh_login(Sensitive *, const char *, struct sockaddr *, struct passwd *);
> 
>-int verify_host_key(char *, struct sockaddr *, Key *);
>+int verify_host_key(char *, u_short, struct sockaddr *, Key *);
> 
>-void ssh_kex(char *, struct sockaddr *);
>-void ssh_kex2(char *, struct sockaddr *);
>+void ssh_kex(char *, u_short, struct sockaddr *);
>+void ssh_kex2(char *, u_short, struct sockaddr *);
> 
> void ssh_userauth1(const char *, const char *, char *, Sensitive *);
> void ssh_userauth2(const char *, const char *, char *, Sensitive *);
>Index: sshconnect1.c
>===================================================================
>RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/sshconnect1.c,v
>retrieving revision 1.61
>diff -u -p -r1.61 sshconnect1.c
>--- sshconnect1.c 12 Aug 2004 12:40:25 -0000 1.61
>+++ sshconnect1.c 14 May 2005 08:32:04 -0000
>@@ -465,7 +465,7 @@ try_password_authentication(char *prompt
> * SSH1 key exchange
> */
> void
>-ssh_kex(char *host, struct sockaddr *hostaddr)
>+ssh_kex(char *host, u_short port, struct sockaddr *hostaddr)
> {
> int i;
> BIGNUM *key;
>@@ -523,7 +523,7 @@ ssh_kex(char *host, struct sockaddr *hos
> debug("Received server public key (%d bits) and host key (%d bits).",
> BN_num_bits(server_key->rsa->n), BN_num_bits(host_key->rsa->n));
> 
>- if (verify_host_key(host, hostaddr, host_key) == -1)
>+ if (verify_host_key(host, port, hostaddr, host_key) == -1)
> fatal("Host key verification failed.");
> 
> client_flags = SSH_PROTOFLAG_SCREEN_NUMBER | SSH_PROTOFLAG_HOST_IN_FWD_OPEN;
>Index: sshconnect2.c
>===================================================================
>RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/sshconnect2.c,v
>retrieving revision 1.127
>diff -u -p -r1.127 sshconnect2.c
>--- sshconnect2.c 15 Jun 2004 00:30:09 -0000 1.127
>+++ sshconnect2.c 14 May 2005 08:41:51 -0000
>@@ -67,6 +67,7 @@ u_char *session_id2 = NULL;
> u_int session_id2_len = 0;
> 
> char *xxx_host;
>+u_short xxx_port;
> struct sockaddr *xxx_hostaddr;
> 
> Kex *xxx_kex = NULL;
>@@ -74,17 +75,18 @@ Kex *xxx_kex = NULL;
> static int
> verify_host_key_callback(Key *hostkey)
> {
>- if (verify_host_key(xxx_host, xxx_hostaddr, hostkey) == -1)
>+ if (verify_host_key(xxx_host, xxx_port, xxx_hostaddr, hostkey) == -1)
> fatal("Host key verification failed.");
> return 0;
> }
> 
> void
>-ssh_kex2(char *host, struct sockaddr *hostaddr)
>+ssh_kex2(char *host, u_short port, struct sockaddr *hostaddr)
> {
> Kex *kex;
> 
> xxx_host = host;
>+ xxx_port = port;
> xxx_hostaddr = hostaddr;
> 
> if (options.ciphers == (char *)-1) {