author | Damien Miller <djm@mindrot.org> | 2000-03-26 13:04:51 +1000 |
committer | Damien Miller <djm@mindrot.org> | 2000-03-26 13:04:51 +1000 |
commit | 450a7a1ff40fe7c2d84c93b83cf2df53445d807d (patch) | |
tree | db6d08bdea65edd34ba2e323a31e2b1ca5e5fbd4 /sshconnect.c | |
parent | 2c9279fa667827384fceb243f890cba1dbe480de (diff) | |
- OpenBSD CVS update
- [auth-krb4.c]
-Wall
- [auth-rh-rsa.c auth-rsa.c hostfile.c hostfile.h key.c key.h match.c]
[match.h ssh.c ssh.h sshconnect.c sshd.c]
initial support for DSA keys. ok deraadt@, niels@
- [cipher.c cipher.h]
remove unused cipher_attack_detected code
- [scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh.1 sshd.8]
Fix some formatting problems I missed before.
- [ssh.1 sshd.8]
fix spelling errors, From: FreeBSD
- [ssh.c]
switch to raw mode only if we _get_ a pty (not if we _want_ a pty).
Diffstat (limited to 'sshconnect.c')
-rw-r--r-- | sshconnect.c | 72 |
1 files changed, 35 insertions, 37 deletions
diff --git a/sshconnect.c b/sshconnect.c
index 910548fa..d64c0e2c 100644
--- a/sshconnect.c
+++ b/sshconnect.c
@@ -8,15 +8,19 @@
  */
 #include "includes.h"
-RCSID("$OpenBSD: sshconnect.c,v 1.57 2000/03/16 20:56:14 markus Exp $");
+RCSID("$OpenBSD: sshconnect.c,v 1.58 2000/03/23 22:15:33 markus Exp $");
 #ifdef HAVE_OPENSSL
-#include <openssl/bn.h>
+#include <openssl/rsa.h>
+#include <openssl/dsa.h>
 #include <openssl/md5.h>
+#include <openssl/bn.h>
 #endif
 #ifdef HAVE_SSL
-#include <ssl/bn.h>
+#include <ssl/rsa.h>
+#include <ssl/dsa.h>
 #include <ssl/md5.h>
+#include <ssl/bn.h>
 #endif
 #include "xmalloc.h"
@@ -29,7 +33,8 @@ RCSID("$OpenBSD: sshconnect.c,v 1.57 2000/03/16 20:56:14 markus Exp $");
 #include "uidswap.h"
 #include "compat.h"
 #include "readconf.h"
-#include "fingerprint.h"
+#include "key.h"
+#include "hostfile.h"
 /* Session id for the current session. */
 unsigned char session_id[16];
@@ -1073,9 +1078,9 @@ read_yes_or_no(const char *prompt, int defval)
  */
 void
-check_host_key(char *host, struct sockaddr *hostaddr, RSA *host_key)
+check_host_key(char *host, struct sockaddr *hostaddr, Key *host_key)
 {
-	RSA *file_key;
+	Key *file_key;
 	char *ip = NULL;
 	char hostline[1000], *hostp;
 	HostStatus host_status;
@@ -1129,47 +1134,34 @@ check_host_key(char *host, struct sockaddr *hostaddr, RSA *host_key)
 	 * Store the host key from the known host file in here so that we can
 	 * compare it with the key for the IP address.
 	 */
-	file_key = RSA_new();
-	file_key->n = BN_new();
-	file_key->e = BN_new();
+	file_key = key_new(host_key->type);
 	/*
 	 * Check if the host key is present in the user\'s list of known
 	 * hosts or in the systemwide list.
 	 */
-	host_status = check_host_in_hostfile(options.user_hostfile, host,
-					     host_key->e, host_key->n,
-					     file_key->e, file_key->n);
+	host_status = check_host_in_hostfile(options.user_hostfile, host, host_key, file_key);
 	if (host_status == HOST_NEW)
-		host_status = check_host_in_hostfile(options.system_hostfile, host,
-						     host_key->e, host_key->n,
-						     file_key->e, file_key->n);
+		host_status = check_host_in_hostfile(options.system_hostfile, host, host_key, file_key);
 	/*
 	 * Also perform check for the ip address, skip the check if we are
 	 * localhost or the hostname was an ip address to begin with
 	 */
 	if (options.check_host_ip && !local && strcmp(host, ip)) {
-		RSA *ip_key = RSA_new();
-		ip_key->n = BN_new();
-		ip_key->e = BN_new();
-		ip_status = check_host_in_hostfile(options.user_hostfile, ip,
-						   host_key->e, host_key->n,
-						   ip_key->e, ip_key->n);
+		Key *ip_key = key_new(host_key->type);
+		ip_status = check_host_in_hostfile(options.user_hostfile, ip, host_key, ip_key);
 		if (ip_status == HOST_NEW)
-			ip_status = check_host_in_hostfile(options.system_hostfile, ip,
-							   host_key->e, host_key->n,
-							   ip_key->e, ip_key->n);
+			ip_status = check_host_in_hostfile(options.system_hostfile, ip, host_key, ip_key);
 		if (host_status == HOST_CHANGED &&
-		    (ip_status != HOST_CHANGED ||
-		     (BN_cmp(ip_key->e, file_key->e) || BN_cmp(ip_key->n, file_key->n))))
+		    (ip_status != HOST_CHANGED || !key_equal(ip_key, file_key)))
 			host_ip_differ = 1;
-		RSA_free(ip_key);
+		key_free(ip_key);
 	} else
 		ip_status = host_status;
-	RSA_free(file_key);
+	key_free(file_key);
 	switch (host_status) {
 	case HOST_OK:
@@ -1177,8 +1169,7 @@ check_host_key(char *host, struct sockaddr *hostaddr, RSA *host_key)
 		debug("Host '%.200s' is known and matches the host key.", host);
 		if (options.check_host_ip) {
 			if (ip_status == HOST_NEW) {
-				if (!add_host_to_hostfile(options.user_hostfile, ip,
-							  host_key->e, host_key->n))
+				if (!add_host_to_hostfile(options.user_hostfile, ip, host_key))
 					log("Failed to add the host key for IP address '%.30s' to the list of known hosts (%.30s).",
 					    ip, options.user_hostfile);
 				else
@@ -1198,12 +1189,12 @@ check_host_key(char *host, struct sockaddr *hostaddr, RSA *host_key)
 		} else if (options.strict_host_key_checking == 2) {
 			/* The default */
 			char prompt[1024];
-			char *fp = fingerprint(host_key->e, host_key->n);
+			char *fp = key_fingerprint(host_key);
 			snprintf(prompt, sizeof(prompt),
 			    "The authenticity of host '%.200s' can't be established.\n"
-			    "Key fingerprint is %d %s.\n"
+			    "Key fingerprint is %s.\n"
 			    "Are you sure you want to continue connecting (yes/no)? ",
-			    host, BN_num_bits(host_key->n), fp);
+			    host, fp);
 			if (!read_yes_or_no(prompt, -1))
 				fatal("Aborted by user!\n");
 		}
@@ -1214,8 +1205,7 @@ check_host_key(char *host, struct sockaddr *hostaddr, RSA *host_key)
 			hostp = host;
 		/* If not in strict mode, add the key automatically to the local
 		   known_hosts file. */
-		if (!add_host_to_hostfile(options.user_hostfile, hostp,
-					  host_key->e, host_key->n))
+		if (!add_host_to_hostfile(options.user_hostfile, hostp, host_key))
 			log("Failed to add the host to the list of known hosts (%.500s).",
 			    options.user_hostfile);
 		else
@@ -1283,6 +1273,14 @@ check_host_key(char *host, struct sockaddr *hostaddr, RSA *host_key)
 	if (options.check_host_ip)
 		xfree(ip);
 }
+void
+check_rsa_host_key(char *host, struct sockaddr *hostaddr, RSA *host_key)
+{
+	Key k;
+	k.type = KEY_RSA;
+	k.rsa = host_key;
+	check_host_key(host, hostaddr, &k);
+}
 /*
  * SSH1 key exchange
@@ -1358,7 +1356,7 @@ ssh_kex(char *host, struct sockaddr *hostaddr)
 	    8 + 4 + sum_len + 0 + 4 + 0 + 0 + 4 + 4 + 4,
 	    SSH_SMSG_PUBLIC_KEY);
-	check_host_key(host, hostaddr, host_key);
+	check_rsa_host_key(host, hostaddr, host_key);
 	client_flags = SSH_PROTOFLAG_SCREEN_NUMBER | SSH_PROTOFLAG_HOST_IN_FWD_OPEN;
@@ -1617,7 +1615,6 @@ ssh_userauth(int host_key_valid, RSA *own_host_key,
 	fatal("Permission denied.");
 	/* NOTREACHED */
 }
-
 /*
  * Starts a dialog with the server, and authenticates the current user on the
  * server. This does not need any extra privileges. The basic connection
@@ -1648,6 +1645,7 @@ ssh_login(int host_key_valid, RSA *own_host_key, const char *orighost,
 	ssh_kex(host, hostaddr);
 	if (supported_authentications == 0)
 		fatal("supported_authentications == 0.");
+	/* authenticate user */
 	ssh_userauth(host_key_valid, own_host_key, original_real_uid, host);
 }
|
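Review bot: The unknown-host prompt in the `strict_host_key_checking == 2` branch now shows the user less than before: the removed format printed `BN_num_bits(host_key->n)` beside the fingerprint, while the new `"Key fingerprint is %s.\n"` prints the fingerprint alone, so the key length drops out of the one interactive trust decision the client asks for. If key.h provides a type-generic size accessor, restoring the `%d` and passing the size with `fp` keeps that information for RSA and extends it to DSA; if it does not yet, a comment such as `/* key length not shown: no type-generic size accessor for Key yet */` would record that the omission is deliberate rather than accidental. Separately, `fp` from `key_fingerprint()` is never freed in this branch; if that function returns heap memory rather than a static buffer (not visible in this diff), each prompt leaks it — worth confirming against key.c. check_host_key begins and ends outside this hunk.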
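Review bot: `check_rsa_host_key` passes `check_host_key` a stack-allocated `Key k` with only `type` and `rsa` assigned, so whatever other members `Key` carries (presumably a DSA pointer, given the new `<openssl/dsa.h>` include and key.h) are forwarded indeterminate; `check_host_key` hands the struct on to `key_new`, `check_host_in_hostfile`, `key_equal`, `key_fingerprint` and `add_host_to_hostfile`, and if any of those ever reads a member other than the one selected by `type`, that is a read of uninitialized memory in the host-key verification path. Zeroing the struct first costs nothing and removes the dependency on every callee honouring `type`: insert `memset(&k, 0, sizeof(k));` before `k.type = KEY_RSA;` (string.h is presumably reachable through includes.h). The wrapper also has no header comment; a line such as `/* SSH1 entry point: wrap the RSA host key in a stack Key and run the type-generic check; k is not freed and host_key stays owned by the caller */` would document the ownership that `check_host_key` relies on. The definition of `Key` is in key.h, outside this diff, so the member list is inferred.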