diff options
| author | Darren Tucker <dtucker@cvs.openbsd.org> | 2008-07-01 07:20:53 +0000 |
|---|---|---|
| committer | Darren Tucker <dtucker@cvs.openbsd.org> | 2008-07-01 07:20:53 +0000 |
| commit | 5b74867e447901921923ac70f2345b9198223ded (patch) | |
| tree | b4818abb9d6cfc9c57ef148fa9fef1c52e2b2fd9 | |
| parent | be59c4c32d0adbf82627428b3bed705ca27c0407 (diff) | |
Check ExitOnForwardFailure if forwardings are disabled due to a failed
host key check. ok djm@
| -rw-r--r-- | usr.bin/ssh/sshconnect.c | 15 |
1 files changed, 13 insertions, 2 deletions
diff --git a/usr.bin/ssh/sshconnect.c b/usr.bin/ssh/sshconnect.c index 9a070f349f1..496de216327 100644 --- a/usr.bin/ssh/sshconnect.c +++ b/usr.bin/ssh/sshconnect.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshconnect.c,v 1.209 2008/06/26 11:46:31 grunk Exp $ */ +/* $OpenBSD: sshconnect.c,v 1.210 2008/07/01 07:20:52 dtucker Exp $ */ /* * Author: Tatu Ylonen <ylo@cs.hut.fi> * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland @@ -582,7 +582,7 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, int r, local = 0, host_ip_differ = 0; char ntop[NI_MAXHOST]; char msg[1024]; - int len, host_line, ip_line; + int len, host_line, ip_line, cancelled_forwarding = 0; const char *host_file = NULL, *ip_file = NULL; /* @@ -861,27 +861,32 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, error("Password authentication is disabled to avoid " "man-in-the-middle attacks."); options.password_authentication = 0; + cancelled_forwarding = 1; } if (options.kbd_interactive_authentication) { error("Keyboard-interactive authentication is disabled" " to avoid man-in-the-middle attacks."); options.kbd_interactive_authentication = 0; options.challenge_response_authentication = 0; + cancelled_forwarding = 1; } if (options.challenge_response_authentication) { error("Challenge/response authentication is disabled" " to avoid man-in-the-middle attacks."); options.challenge_response_authentication = 0; + cancelled_forwarding = 1; } if (options.forward_agent) { error("Agent forwarding is disabled to avoid " "man-in-the-middle attacks."); options.forward_agent = 0; + cancelled_forwarding = 1; } if (options.forward_x11) { error("X11 forwarding is disabled to avoid " "man-in-the-middle attacks."); options.forward_x11 = 0; + cancelled_forwarding = 1; } if (options.num_local_forwards > 0 || options.num_remote_forwards > 0) { @@ -889,12 +894,18 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, "man-in-the-middle attacks."); options.num_local_forwards = options.num_remote_forwards = 0; + cancelled_forwarding = 1; } if (options.tun_open != SSH_TUNMODE_NO) { error("Tunnel forwarding is disabled to avoid " "man-in-the-middle attacks."); options.tun_open = SSH_TUNMODE_NO; + cancelled_forwarding = 1; } + if (options.exit_on_forward_failure && cancelled_forwarding) + fatal("Error: forwarding disabled due to host key " + "check failure"); + /* * XXX Should permit the user to change to use the new id. * This could be done by converting the host key to an |