authorKevin Steves <stevesk@cvs.openbsd.org>2006-07-24 13:58:23 +0000
committerKevin Steves <stevesk@cvs.openbsd.org>2006-07-24 13:58:23 +0000
commit50fbe7d8d0522167bb8c2a2b8623eadf51443d68 (patch)
tree12dda44846b2788847593a6829e60dca35f6c477 /usr.bin/ssh
parent4ecfd7b0cfb81bfa6a3c6eca068e810c9c226e9c (diff)
disable tunnel forwarding when no strict host key checking
and key changed; ok djm@ markus@ dtucker@
Diffstat (limited to 'usr.bin/ssh')
-rw-r--r--usr.bin/ssh/sshconnect.c9
1 files changed, 7 insertions, 2 deletions
diff --git a/usr.bin/ssh/sshconnect.c b/usr.bin/ssh/sshconnect.c
index ef0ae6b4bc0..6bcf513c050 100644
--- a/usr.bin/ssh/sshconnect.c
+++ b/usr.bin/ssh/sshconnect.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect.c,v 1.193 2006/07/22 20:48:23 stevesk Exp $ */
+/* $OpenBSD: sshconnect.c,v 1.194 2006/07/24 13:58:22 stevesk Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -772,7 +772,7 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, Key *host_key,
/*
* If strict host key checking has not been requested, allow
* the connection but without MITM-able authentication or
- * agent forwarding.
+ * forwarding.
*/
if (options.password_authentication) {
error("Password authentication is disabled to avoid "
@@ -807,6 +807,11 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, Key *host_key,
options.num_local_forwards =
options.num_remote_forwards = 0;
}
+ if (options.tun_open != SSH_TUNMODE_NO) {
+ error("Tunnel forwarding is disabled to avoid "
+ "man-in-the-middle attacks.");
+ options.tun_open = SSH_TUNMODE_NO;
+ }
/*
* XXX Should permit the user to change to use the new id.
* This could be done by converting the host key to an
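Review bot: The added tunnel block carries no comment saying why a tunnel belongs with the password-authentication, agent-forwarding and port-forwarding resets above it, while the surrounding comment only says "forwarding"; a one-line comment above the new `if`, `/* an IP/Ethernet tunnel to a possibly impersonated host would expose the local network, so treat it like the other forwardings */`, would keep the reasoning next to the code. The error message reuses the exact wording of the preceding resets, which keeps the user-visible output consistent. check_host_key begins and ends outside the hunk, so whether `options.tun_open` is consulted again before the session is set up cannot be confirmed from here.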