authorDamien Miller <djm@cvs.openbsd.org>2003-06-04 08:25:19 +0000
committerDamien Miller <djm@cvs.openbsd.org>2003-06-04 08:25:19 +0000
commit5de10d4061c2fe6e94da02af1a4f508423b6eb84 (patch)
tree2a1593654622f068eee4d15391053da386d6c50c
parent282dfe43a41ac37fedf4ccabc9e36974c4ba4fa8 (diff)
disable challenge/response and keyboard-interactive auth methods upon hostkey
mismatch. based on patch from fcusack AT fcusack.com. bz #580; ok markus@
-rw-r--r--usr.bin/ssh/sshconnect.c15
1 files changed, 13 insertions, 2 deletions
diff --git a/usr.bin/ssh/sshconnect.c b/usr.bin/ssh/sshconnect.c
index 6cd12c43d28..a9013e95af2 100644
--- a/usr.bin/ssh/sshconnect.c
+++ b/usr.bin/ssh/sshconnect.c
@@ -13,7 +13,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: sshconnect.c,v 1.143 2003/05/26 12:54:40 djm Exp $");
+RCSID("$OpenBSD: sshconnect.c,v 1.144 2003/06/04 08:25:18 djm Exp $");
#include <openssl/bn.h>
@@ -788,7 +788,7 @@ check_host_key(char *host, struct sockaddr *hostaddr, Key *host_key,
/*
* If strict host key checking has not been requested, allow
- * the connection but without password authentication or
+ * the connection but without MITM-able authentication or
* agent forwarding.
*/
if (options.password_authentication) {
@@ -796,6 +796,17 @@ check_host_key(char *host, struct sockaddr *hostaddr, Key *host_key,
"man-in-the-middle attacks.");
options.password_authentication = 0;
}
+ if (options.kbd_interactive_authentication) {
+ error("Keyboard-interactive authentication is disabled"
+ " to avoid man-in-the-middle attacks.");
+ options.kbd_interactive_authentication = 0;
+ options.challenge_response_authentication = 0;
+ }
+ if (options.challenge_response_authentication) {
+ error("Challenge/response authentication is disabled"
+ " to avoid man-in-the-middle attacks.");
+ options.challenge_response_authentication = 0;
+ }
if (options.forward_agent) {
error("Agent forwarding is disabled to avoid "
"man-in-the-middle attacks.");
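Review bot: The keyboard-interactive branch added at the top of this hunk also clears `options.challenge_response_authentication`, and that second assignment is the only thing that keeps the challenge/response branch right below it from emitting a second, near-identical warning; nothing in the code says so, and a reader comparing it with the password branch above will read it as a copy-paste slip. A short comment on that line would fix this, e.g. `/* challenge/response is carried over kbd-interactive in protocol 2 (presumably), so clear both here; the check below then stays silent */`. The hedge matters: the hunk itself does not show how the two options relate, so the wording should be confirmed against the option handling before it lands. Note that check_host_key begins and ends outside this hunk, so whether the strict-checking gate described in the comment at L26-L31 actually covers all three branches cannot be verified from here.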