author | Niels Provos <provos@cvs.openbsd.org> | 1999-10-03 21:50:05 +0000 |
committer | Niels Provos <provos@cvs.openbsd.org> | 1999-10-03 21:50:05 +0000 |
commit | dce30fe4c3eed210d1830b1bb7d5434ad4f15607 (patch) | |
tree | 2d57dbe7a3d712ad0e757a1b39965798ed6c67ba /usr.bin/ssh/readconf.c | |
parent | 99b7880be93ded91810507804eb4226b2ee29edd (diff) |
add code to detect DNS spoofing:
the main idea is to store the host key not only for the hostname but
also for the corresponding IP address. When we check the host key in the
known_hosts file, we also check the key against the corresponding IP address.
When the server key changes, host_status = HOST_CHANGED. If
check_host_in_hostfile() returns differing status for the IP address
that means that either DNS was spoofed or that the IP address
for the host and the host key changed at the same time.
Diffstat (limited to 'usr.bin/ssh/readconf.c')
-rw-r--r-- | usr.bin/ssh/readconf.c | 10 |
1 files changed, 7 insertions, 3 deletions
diff --git a/usr.bin/ssh/readconf.c b/usr.bin/ssh/readconf.c
index 91cd876705f..3b98588c87f 100644
--- a/usr.bin/ssh/readconf.c
+++ b/usr.bin/ssh/readconf.c
@@ -14,7 +14,7 @@ Functions for reading the configuration files.
 */
 #include "includes.h"
-RCSID("$Id: readconf.c,v 1.7 1999/09/30 08:03:39 deraadt Exp $");
+RCSID("$Id: readconf.c,v 1.8 1999/10/03 21:50:03 provos Exp $");
 #include "ssh.h"
 #include "cipher.h"
@@ -99,8 +99,8 @@ typedef enum
 oIdentityFile, oHostName, oPort, oCipher, oRemoteForward, oLocalForward, oUser, oHost, oEscapeChar, oRhostsRSAAuthentication, oProxyCommand, oGlobalKnownHostsFile, oUserKnownHostsFile, oConnectionAttempts,
- oBatchMode, oStrictHostKeyChecking, oCompression, oCompressionLevel,
- oKeepAlives, oTISAuthentication
+ oBatchMode, oCheckHostIP, oStrictHostKeyChecking, oCompression,
+ oCompressionLevel, oKeepAlives, oTISAuthentication
 } OpCodes;
 /* Textual representations of the tokens. */
@@ -141,6 +141,7 @@ static struct
 { "userknownhostsfile", oUserKnownHostsFile },
 { "connectionattempts", oConnectionAttempts },
 { "batchmode", oBatchMode },
+ { "checkhostip", oCheckHostIP },
 { "stricthostkeychecking", oStrictHostKeyChecking },
 { "compression", oCompression },
 { "compressionlevel", oCompressionLevel },
@@ -572,6 +573,7 @@ void initialize_options(Options *options)
 options->fallback_to_rsh = -1;
 options->use_rsh = -1;
 options->batch_mode = -1;
+ options->check_host_ip = -1;
 options->strict_host_key_checking = -1;
 options->compression = -1;
 options->keepalives = -1;
@@ -625,6 +627,8 @@ void fill_default_options(Options *options)
 options->use_rsh = 0;
 if (options->batch_mode == -1)
 options->batch_mode = 0;
+ if (options->check_host_ip == -1)
+ options->check_host_ip = 1;
 if (options->strict_host_key_checking == -1)
 options->strict_host_key_checking = 2; /* 2 is default */
 if (options->compression == -1)
|
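Review bot: Adding `oCheckHostIP` to the OpCodes enum here, and `"checkhostip"` to the keyword table in the following hunk, is not matched by a case for the new opcode in this file's keyword switch (process_config_line), and the diffstat's 7 insertions and 3 deletions are fully accounted for by the five visible hunks, so no such case exists in this commit. Unless that switch already routes unrecognised opcodes to a shared flag parser, a `CheckHostIP yes` or `CheckHostIP no` line in ssh_config will reach the switch's default branch instead of storing into `options->check_host_ip`, leaving the new check impossible to configure. The fix is a `case oCheckHostIP:` that parses a yes/no flag into `options->check_host_ip` exactly as the `oBatchMode` case does for `options->batch_mode`. process_config_line lies entirely outside the visible hunks.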
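Review bot: The new default `options->check_host_ip = 1;` in fill_default_options carries no comment, while the neighbouring `options->strict_host_key_checking = 2; /* 2 is default */` line at least marks its magic value; a reader of this function cannot tell that 1 means the known_hosts lookup is also performed against the server's IP address. Suggest `options->check_host_ip = 1; /* also check the host key against the IP address, to detect DNS spoofing */`, taking the wording from the commit message. Enabling the check by default is the right choice for a control meant to catch a spoofed lookup, since it then protects users who never learn the keyword exists; the corresponding ssh_config documentation is outside this file's diff.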