Mercurial > dropbear
comparison cli-kex.c @ 847:f4bb964c8678 keyondemand
Add '-R' for delayed hostkey option
| author | Matt Johnston <matt@ucc.asn.au> |
|---|---|
| date | Thu, 07 Nov 2013 23:49:37 +0800 |
| parents | 7dcb46da72d9 |
| children | 754d7bee1068 |
comparison
equal
deleted
inserted
replaced
| 846:b298bb438625 | 847:f4bb964c8678 |
|---|---|
| 145 ses.requirenext[0] = SSH_MSG_NEWKEYS; | 145 ses.requirenext[0] = SSH_MSG_NEWKEYS; |
| 146 ses.requirenext[1] = 0; | 146 ses.requirenext[1] = 0; |
| 147 TRACE(("leave recv_msg_kexdh_init")) | 147 TRACE(("leave recv_msg_kexdh_init")) |
| 148 } | 148 } |
| 149 | 149 |
| 150 static void ask_to_confirm(unsigned char* keyblob, unsigned int keybloblen) { | 150 static void ask_to_confirm(unsigned char* keyblob, unsigned int keybloblen, |
| 151 const char* algoname) { | |
| 151 | 152 |
| 152 char* fp = NULL; | 153 char* fp = NULL; |
| 153 FILE *tty = NULL; | 154 FILE *tty = NULL; |
| 154 char response = 'z'; | 155 char response = 'z'; |
| 155 | 156 |
| 156 fp = sign_key_fingerprint(keyblob, keybloblen); | 157 fp = sign_key_fingerprint(keyblob, keybloblen); |
| 157 if (cli_opts.always_accept_key) { | 158 if (cli_opts.always_accept_key) { |
| 158 fprintf(stderr, "\nHost '%s' key accepted unconditionally.\n(fingerprint %s)\n", | 159 fprintf(stderr, "\nHost '%s' key accepted unconditionally.\n(%s fingerprint %s)\n", |
| 159 cli_opts.remotehost, | 160 cli_opts.remotehost, |
| 161 algoname, | |
| 160 fp); | 162 fp); |
| 161 m_free(fp); | 163 m_free(fp); |
| 162 return; | 164 return; |
| 163 } | 165 } |
| 164 fprintf(stderr, "\nHost '%s' is not in the trusted hosts file.\n(fingerprint %s)\nDo you want to continue connecting? (y/n) ", | 166 fprintf(stderr, "\nHost '%s' is not in the trusted hosts file.\n(%s fingerprint %s)\nDo you want to continue connecting? (y/n) ", |
| 165 cli_opts.remotehost, | 167 cli_opts.remotehost, |
| 168 algoname, | |
| 166 fp); | 169 fp); |
| 167 m_free(fp); | 170 m_free(fp); |
| 168 | 171 |
| 169 tty = fopen(_PATH_TTY, "r"); | 172 tty = fopen(_PATH_TTY, "r"); |
| 170 if (tty) { | 173 if (tty) { |
| 255 if (cli_opts.no_hostkey_check) { | 258 if (cli_opts.no_hostkey_check) { |
| 256 fprintf(stderr, "Caution, skipping hostkey check for %s\n", cli_opts.remotehost); | 259 fprintf(stderr, "Caution, skipping hostkey check for %s\n", cli_opts.remotehost); |
| 257 return; | 260 return; |
| 258 } | 261 } |
| 259 | 262 |
| 263 algoname = signkey_name_from_type(ses.newkeys->algo_hostkey, &algolen); | |
| 264 | |
| 260 hostsfile = open_known_hosts_file(&readonly); | 265 hostsfile = open_known_hosts_file(&readonly); |
| 261 if (!hostsfile) { | 266 if (!hostsfile) { |
| 262 ask_to_confirm(keyblob, keybloblen); | 267 ask_to_confirm(keyblob, keybloblen, algoname); |
| 263 /* ask_to_confirm will exit upon failure */ | 268 /* ask_to_confirm will exit upon failure */ |
| 264 return; | 269 return; |
| 265 } | 270 } |
| 266 | 271 |
| 267 line = buf_new(MAX_KNOWNHOSTS_LINE); | 272 line = buf_new(MAX_KNOWNHOSTS_LINE); |
| 268 hostlen = strlen(cli_opts.remotehost); | 273 hostlen = strlen(cli_opts.remotehost); |
| 269 algoname = signkey_name_from_type(ses.newkeys->algo_hostkey, &algolen); | |
| 270 | 274 |
| 271 do { | 275 do { |
| 272 if (buf_getline(line, hostsfile) == DROPBEAR_FAILURE) { | 276 if (buf_getline(line, hostsfile) == DROPBEAR_FAILURE) { |
| 273 TRACE(("failed reading line: prob EOF")) | 277 TRACE(("failed reading line: prob EOF")) |
| 274 break; | 278 break; |
| 317 goto out; | 321 goto out; |
| 318 } | 322 } |
| 319 | 323 |
| 320 /* The keys didn't match. eep. Note that we're "leaking" | 324 /* The keys didn't match. eep. Note that we're "leaking" |
| 321 the fingerprint strings here, but we're exiting anyway */ | 325 the fingerprint strings here, but we're exiting anyway */ |
| 322 dropbear_exit("\n\nHost key mismatch for %s !\n" | 326 dropbear_exit("\n\n%s host key mismatch for %s !\n" |
| 323 "Fingerprint is %s\n" | 327 "Fingerprint is %s\n" |
| 324 "Expected %s\n" | 328 "Expected %s\n" |
| 325 "If you know that the host key is correct you can\nremove the bad entry from ~/.ssh/known_hosts", | 329 "If you know that the host key is correct you can\nremove the bad entry from ~/.ssh/known_hosts", |
| 330 algoname, | |
| 326 cli_opts.remotehost, | 331 cli_opts.remotehost, |
| 327 sign_key_fingerprint(keyblob, keybloblen), | 332 sign_key_fingerprint(keyblob, keybloblen), |
| 328 fingerprint ? fingerprint : "UNKNOWN"); | 333 fingerprint ? fingerprint : "UNKNOWN"); |
| 329 } while (1); /* keep going 'til something happens */ | 334 } while (1); /* keep going 'til something happens */ |
| 330 | 335 |
| 331 /* Key doesn't exist yet */ | 336 /* Key doesn't exist yet */ |
| 332 ask_to_confirm(keyblob, keybloblen); | 337 ask_to_confirm(keyblob, keybloblen, algoname); |
| 333 | 338 |
| 334 /* If we get here, they said yes */ | 339 /* If we get here, they said yes */ |
| 335 | 340 |
| 336 if (readonly) { | 341 if (readonly) { |
| 337 TRACE(("readonly")) | 342 TRACE(("readonly")) |