authorDarren Tucker <dtucker@zip.com.au>2008-07-02 14:33:55 +0200
committerDarren Tucker <dtucker@zip.com.au>2008-07-02 14:33:55 +0200
commit068e01f53f80e94491fd525f689c33b21948f8dd (patch)
treeed3f3f7cdaad4042868c5278fcf77f1908f03765 /sshconnect.c
parent - djm@cvs.openbsd.org 2008/06/30 12:18:34 (diff)
- dtucker@cvs.openbsd.org 2008/07/01 07:20:52
[sshconnect.c] Check ExitOnForwardFailure if forwardings are disabled due to a failed host key check. ok djm@
Diffstat (limited to 'sshconnect.c')
-rw-r--r--sshconnect.c15
1 files changed, 13 insertions, 2 deletions
diff --git a/sshconnect.c b/sshconnect.c
index 9c1550a96..8c5f66dd5 100644
--- a/sshconnect.c
+++ b/sshconnect.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect.c,v 1.209 2008/06/26 11:46:31 grunk Exp $ */
+/* $OpenBSD: sshconnect.c,v 1.210 2008/07/01 07:20:52 dtucker Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -596,7 +596,7 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
int salen;
char ntop[NI_MAXHOST];
char msg[1024];
- int len, host_line, ip_line;
+ int len, host_line, ip_line, cancelled_forwarding = 0;
const char *host_file = NULL, *ip_file = NULL;
/*
@@ -878,27 +878,32 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
error("Password authentication is disabled to avoid "
"man-in-the-middle attacks.");
options.password_authentication = 0;
+ cancelled_forwarding = 1;
}
if (options.kbd_interactive_authentication) {
error("Keyboard-interactive authentication is disabled"
" to avoid man-in-the-middle attacks.");
options.kbd_interactive_authentication = 0;
options.challenge_response_authentication = 0;
+ cancelled_forwarding = 1;
}
if (options.challenge_response_authentication) {
error("Challenge/response authentication is disabled"
" to avoid man-in-the-middle attacks.");
options.challenge_response_authentication = 0;
+ cancelled_forwarding = 1;
}
if (options.forward_agent) {
error("Agent forwarding is disabled to avoid "
"man-in-the-middle attacks.");
options.forward_agent = 0;
+ cancelled_forwarding = 1;
}
if (options.forward_x11) {
error("X11 forwarding is disabled to avoid "
"man-in-the-middle attacks.");
options.forward_x11 = 0;
+ cancelled_forwarding = 1;
}
if (options.num_local_forwards > 0 ||
options.num_remote_forwards > 0) {
@@ -906,12 +911,18 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
"man-in-the-middle attacks.");
options.num_local_forwards =
options.num_remote_forwards = 0;
+ cancelled_forwarding = 1;
}
if (options.tun_open != SSH_TUNMODE_NO) {
error("Tunnel forwarding is disabled to avoid "
"man-in-the-middle attacks.");
options.tun_open = SSH_TUNMODE_NO;
+ cancelled_forwarding = 1;
}
+ if (options.exit_on_forward_failure && cancelled_forwarding)
+ fatal("Error: forwarding disabled due to host key "
+ "check failure");
+
/*
* XXX Should permit the user to change to use the new id.
* This could be done by converting the host key to an
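Review bot: The `cancelled_forwarding` flag tested on the new `if (options.exit_on_forward_failure && cancelled_forwarding)` line is also set in the password, keyboard-interactive and challenge-response branches of the previous hunk, so with ExitOnForwardFailure enabled the client now calls fatal() with "forwarding disabled due to host key check failure" even when no forwarding was cancelled and only an authentication method was switched off. If that is the intended policy (any downgrade after a failed host key check is fatal under this option), a comment at the declaration in the earlier hunk would spare the next reader the mismatch between the name and the behaviour, e.g. `/* set whenever an auth method or forwarding is disabled below */`; if not, the three auth-method branches should not set it. Since fatal() exits before the rest of check_host_key() runs, all the per-feature error() messages above are still printed first, which is fine; the fatal message could name the option that triggered the exit so the cause is obvious in logs, e.g. `"Error: forwarding disabled due to host key check failure (ExitOnForwardFailure)"`. check_host_key() begins and ends outside this hunk.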