Bugzilla – Attachment 920 Details for
Bug 910
known_hosts port numbers
[patch]
port-aware known hosts, simplified
openssh-knownhosts-port.patch (text/plain), 8.20 KB, created by
Darren Tucker
on 2005-05-21 12:33:56 AEST
(
hide
)
Description:
port-aware known hosts, simplified
Filename:
MIME Type:
Creator:
Darren Tucker
Created:
2005-05-21 12:33:56 AEST
Size:
8.20 KB
patch
obsolete
>Index: sshconnect.c
>===================================================================
>RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/sshconnect.c,v
>retrieving revision 1.129
>diff -u -p -r1.129 sshconnect.c
>--- sshconnect.c 14 Mar 2005 12:08:12 -0000 1.129
>+++ sshconnect.c 21 May 2005 02:03:38 -0000
>@@ -550,7 +550,7 @@ check_host_key(char *host, struct sockad
> {
> Key *file_key;
> const char *type = key_type(host_key);
>- char *ip = NULL;
>+ char *ip = NULL, *hoststr = NULL, *ipstr = NULL;
> char hostline[1000], *hostp, *fp;
> HostStatus host_status;
> HostStatus ip_status;
>@@ -614,13 +614,32 @@ check_host_key(char *host, struct sockad
> options.check_host_ip = 0;
> 
> /*
>- * Allow the user to record the key under a different name. This is
>- * useful for ssh tunneling over forwarded connections or if you run
>- * multiple sshd's on different ports on the same machine.
>+ * Allow the user to record the key under a different name or
>+ * differentiate a non-standard port. This is useful for ssh
>+ * tunneling over forwarded connections or if you run multiple
>+ * sshd's on different ports on the same machine.
> */
> if (options.host_key_alias != NULL) {
> host = options.host_key_alias;
> debug("using hostkeyalias: %s", host);
>+ hoststr = xstrdup(host);
>+ ipstr = xstrdup(ip);
>+ } else if (options.port == 0 || options.port == SSH_DEFAULT_PORT) {
>+ /* unspecified or default port */
>+ hoststr = xstrdup(host);
>+ ipstr = xstrdup(ip);
>+ } else {
>+ /* non-standard port, append port identifier */
>+ len = strlen(host) + sizeof(options.port) * 4 + 2;
>+ hoststr = xmalloc(len);
>+ r = snprintf(hoststr, len, "%s@%hu", host, options.port);
>+ if (r == -1 || r >= len)
>+ fatal("check_host_key: snprintf failed");
>+ len = strlen(ip) + sizeof(options.port) * 4 + 2;
>+ ipstr = xmalloc(len);
>+ r = snprintf(ipstr, len, "%s@%hu", ip, options.port);
>+ if (r == -1 || r >= len)
>+ fatal("check_host_key: snprintf failed");
> }
> 
> /*
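Review bot: The two snprintf blocks in the final else branch of the @@ -614 hunk are copies that differ only in the source string, so the buffer bound `sizeof(options.port) * 4 + 2` and the `r >= len` truncation check have to be kept in step in two places, and the `%hu` conversion silently narrows whatever type options.port is declared with (I cannot see the declaration from here). A small file-scope helper that builds the "name@port" string once would keep the arithmetic and the failure path in one place and leave the branch at two lines; the port type and conversion below should be adjusted to match options.port's declaration. The alias and default-port branches, and the rest of check_host_key, are unchanged.
```c
/* Return "name@port" in a freshly xmalloc()ed buffer; the caller xfree()s it. */
static char *
host_with_port(const char *name, int port)
{
	size_t len = strlen(name) + sizeof(port) * 4 + 2;
	char *s = xmalloc(len);
	int r = snprintf(s, len, "%s@%d", name, port);

	if (r == -1 || (size_t)r >= len)
		fatal("host_with_port: snprintf failed");
	return s;
}

/* … unchanged: hostkeyalias and default-port branches in check_host_key … */
	} else {
		/* non-standard port, append port identifier */
		hoststr = host_with_port(host, options.port);
		ipstr = host_with_port(ip, options.port);
	}
```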
>@@ -634,13 +653,14 @@ check_host_key(char *host, struct sockad
> * hosts or in the systemwide list.
> */
> host_file = user_hostfile;
>- host_status = check_host_in_hostfile(host_file, host, host_key,
>+ host_status = check_host_in_hostfile(host_file, hoststr, host_key,
> file_key, &host_line);
> if (host_status == HOST_NEW) {
> host_file = system_hostfile;
>- host_status = check_host_in_hostfile(host_file, host, host_key,
>- file_key, &host_line);
>+ host_status = check_host_in_hostfile(host_file, hoststr,
>+ host_key, file_key, &host_line);
> }
>+
> /*
> * Also perform check for the ip address, skip the check if we are
> * localhost or the hostname was an ip address to begin with
>@@ -649,11 +669,11 @@ check_host_key(char *host, struct sockad
> Key *ip_key = key_new(host_key->type);
> 
> ip_file = user_hostfile;
>- ip_status = check_host_in_hostfile(ip_file, ip, host_key,
>+ ip_status = check_host_in_hostfile(ip_file, ipstr, host_key,
> ip_key, &ip_line);
> if (ip_status == HOST_NEW) {
> ip_file = system_hostfile;
>- ip_status = check_host_in_hostfile(ip_file, ip,
>+ ip_status = check_host_in_hostfile(ip_file, ipstr,
> host_key, ip_key, &ip_line);
> }
> if (host_status == HOST_CHANGED &&
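Review bot: The lookups on the changed lines of the @@ -634 hunk consult only the port-qualified `hoststr`, so a key that an existing known_hosts already pins for this host under its bare name (the only form recorded before this change) comes back as HOST_NEW on a non-standard port instead of HOST_OK or HOST_CHANGED, and a different key presented on that port no longer triggers the changed-key warning. Consider retrying the lookup with the plain `host` when both files return HOST_NEW for `hoststr`, so an existing pin keeps its effect until the user re-records it under the new form; the `ipstr` lookups in the @@ -649 hunk have the same gap with respect to `ip`. check_host_key continues outside these hunks.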
>@@ -670,22 +690,23 @@ check_host_key(char *host, struct sockad
> case HOST_OK:
> /* The host is known and the key matches. */
> debug("Host '%.200s' is known and matches the %s host key.",
>- host, type);
>+ hoststr, type);
> debug("Found key in %s:%d", host_file, host_line);
> if (options.check_host_ip && ip_status == HOST_NEW) {
> if (readonly)
> logit("%s host key for IP address "
> "'%.128s' not in list of known hosts.",
>- type, ip);
>+ type, ipstr);
> else if (!add_host_to_hostfile(user_hostfile, ip,
> host_key, options.hash_known_hosts))
> logit("Failed to add the %s host key for IP "
> "address '%.128s' to the list of known "
>- "hosts (%.30s).", type, ip, user_hostfile);
>+ "hosts (%.30s).", type, ipstr,
>+ user_hostfile);
> else
> logit("Warning: Permanently added the %s host "
> "key for IP address '%.128s' to the list "
>- "of known hosts.", type, ip);
>+ "of known hosts.", type, ipstr);
> }
> break;
> case HOST_NEW:
>@@ -699,12 +720,12 @@ check_host_key(char *host, struct sockad
> * alternative left is to abort.
> */
> error("No %s host key is known for %.200s and you "
>- "have requested strict checking.", type, host);
>+ "have requested strict checking.", type, hoststr);
> goto fail;
> } else if (options.strict_host_key_checking == 2) {
> char msg1[1024], msg2[1024];
> 
>- if (show_other_keys(host, host_key))
>+ if (show_other_keys(hoststr, host_key))
> snprintf(msg1, sizeof(msg1),
> "\nbut keys of different type are already"
> " known for this host.");
>@@ -729,7 +750,7 @@ check_host_key(char *host, struct sockad
> "%s key fingerprint is %s.\n%s"
> "Are you sure you want to continue connecting "
> "(yes/no)? ",
>- host, ip, msg1, type, fp, msg2);
>+ hoststr, ipstr, msg1, type, fp, msg2);
> xfree(fp);
> if (!confirm(msg))
> goto fail;
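Review bot: In the HOST_OK branch of the @@ -670 hunk, `add_host_to_hostfile(user_hostfile, ip,` still records the bare address, while the lookup in the @@ -649 hunk and the log messages around it use `ipstr`; on a non-standard port the entry is written under a name the lookup never matches, so the "Permanently added" warning repeats on every connection. The call should pass the same name that is looked up: `else if (!add_host_to_hostfile(user_hostfile, ipstr,`. The @@ -757 hunk has the same mismatch for the host entry, where `add_host_to_hostfile(user_hostfile, host, host_key,` is left unchanged but `hostp = hoststr;` reports a name that was not written.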
>@@ -740,13 +761,13 @@ check_host_key(char *host, struct sockad
> */
> if (options.check_host_ip && ip_status == HOST_NEW) {
> snprintf(hostline, sizeof(hostline), "%s,%s",
>- host, ip);
>+ hoststr, ipstr);
> hostp = hostline;
> if (options.hash_known_hosts) {
> /* Add hash of host and IP separately */
>- r = add_host_to_hostfile(user_hostfile, host,
>+ r = add_host_to_hostfile(user_hostfile, hoststr,
> host_key, options.hash_known_hosts) &&
>- add_host_to_hostfile(user_hostfile, ip,
>+ add_host_to_hostfile(user_hostfile, ipstr,
> host_key, options.hash_known_hosts);
> } else {
> /* Add unhashed "host,ip" */
>@@ -757,7 +778,7 @@ check_host_key(char *host, struct sockad
> } else {
> r = add_host_to_hostfile(user_hostfile, host, host_key,
> options.hash_known_hosts);
>- hostp = host;
>+ hostp = hoststr;
> }
> 
> if (!r)
>@@ -779,8 +800,8 @@ check_host_key(char *host, struct sockad
> error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
> error("@ WARNING: POSSIBLE DNS SPOOFING DETECTED! @");
> error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
>- error("The %s host key for %s has changed,", type, host);
>- error("and the key for the according IP address %s", ip);
>+ error("The %s host key for %s has changed,", type, hoststr);
>+ error("and the key for the according IP address %s", ipstr);
> error("%s. This could either mean that", key_msg);
> error("DNS SPOOFING is happening or the IP address for the host");
> error("and its host key have changed at the same time.");
>@@ -799,7 +820,7 @@ check_host_key(char *host, struct sockad
> */
> if (options.strict_host_key_checking) {
> error("%s host key for %.200s has changed and you have "
>- "requested strict checking.", type, hoststr);
> goto fail;
> }
> 
>@@ -860,7 +881,7 @@ check_host_key(char *host, struct sockad
> "Warning: the %s host key for '%.200s' "
> "differs from the key for the IP address '%.128s'"
> "\nOffending key for IP in %s:%d",
>- type, host, ip, ip_file, ip_line);
>+ type, hoststr, ipstr, ip_file, ip_line);
> if (host_status == HOST_OK) {
> len = strlen(msg);
> snprintf(msg + len, sizeof(msg) - len,
>@@ -882,10 +903,14 @@ check_host_key(char *host, struct sockad
> }
> 
> xfree(ip);
>+ xfree(hoststr);
>+ xfree(ipstr);
> return 0;
> 
> fail:
> xfree(ip);
>+ xfree(hoststr);
>+ xfree(ipstr);
> return -1;
> }
> 
>Index: sshd.8
>===================================================================
>RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/sshd.8,v
>retrieving revision 1.164
>diff -u -p -r1.164 sshd.8
>--- sshd.8 2 Mar 2005 01:03:23 -0000 1.164
>+++ sshd.8 21 May 2005 01:34:38 -0000
>@@ -552,6 +552,9 @@ A pattern may also be preceded by
> to indicate negation: if the host name matches a negated
> pattern, it is not accepted (by that line) even if it matched another
> pattern on the line.
>+A hostname may optionally be followed by a
>+.Ql @
>+and then a non-standard port number.
> .Pp
> Alternately, hostnames may be stored in a hashed form which hides host names
> and addresses should the file's contents be disclosed.
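Review bot: The two xfree() calls added under `fail:` in the @@ -882 hunk assume hoststr and ipstr have already been assigned whenever a `goto fail` is taken; both start out NULL in the @@ -550 hunk, and if any `goto fail` can run before the assignment block in the @@ -614 hunk they would still be NULL here. As far as I recall xfree() in this tree rejects a NULL argument with fatal(), in which case such a path would abort the client instead of returning -1; if that is so, guard the frees with `if (hoststr != NULL) xfree(hoststr);` and likewise for ipstr, or verify that no early exit precedes the assignments. The top of check_host_key is outside this hunk.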