- (djm) OpenBSD CVS Sync
   - djm@cvs.openbsd.org 2003/06/04 08:25:18
     [sshconnect.c]
     disable challenge/response and keyboard-interactive auth methods
     upon hostkey mismatch. based on patch from fcusack AT fcusack.com.
     bz #580; ok markus@
diff --git a/ChangeLog b/ChangeLog
index ee5624f..70e2bb7 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -5,6 +5,12 @@
    Patch from larsch@trustcenter.de; ok markus@
  - (djm) Bug #584: scard-opensc.c doesn't work without PIN. Patch from 
    larsch@trustcenter.de; ok markus@
+ - (djm) OpenBSD CVS Sync
+   - djm@cvs.openbsd.org 2003/06/04 08:25:18
+     [sshconnect.c]
+     disable challenge/response and keyboard-interactive auth methods 
+     upon hostkey mismatch. based on patch from fcusack AT fcusack.com. 
+     bz #580; ok markus@
 
 20030603
  - (djm) Replace setproctitle replacement with code derived from 
@@ -433,4 +439,4 @@
  - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo.
    Report from murple@murple.net, diagnosis from dtucker@zip.com.au
 
-$Id: ChangeLog,v 1.2773 2003/06/04 09:22:06 djm Exp $
+$Id: ChangeLog,v 1.2774 2003/06/04 10:31:53 djm Exp $
diff --git a/sshconnect.c b/sshconnect.c
index 0ff4b2b..b8a77a2 100644
--- a/sshconnect.c
+++ b/sshconnect.c
@@ -13,7 +13,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: sshconnect.c,v 1.143 2003/05/26 12:54:40 djm Exp $");
+RCSID("$OpenBSD: sshconnect.c,v 1.144 2003/06/04 08:25:18 djm Exp $");
 
 #include <openssl/bn.h>
 
@@ -796,7 +796,7 @@
 
 		/*
 		 * If strict host key checking has not been requested, allow
-		 * the connection but without password authentication or
+		 * the connection but without MITM-able authentication or
 		 * agent forwarding.
 		 */
 		if (options.password_authentication) {
@@ -804,6 +804,17 @@
 			    "man-in-the-middle attacks.");
 			options.password_authentication = 0;
 		}
+		if (options.kbd_interactive_authentication) {
+			error("Keyboard-interactive authentication is disabled"
+			    " to avoid man-in-the-middle attacks.");
+			options.kbd_interactive_authentication = 0;
+			options.challenge_response_authentication = 0;
+		}
+		if (options.challenge_response_authentication) {
+			error("Challenge/response authentication is disabled"
+			    " to avoid man-in-the-middle attacks.");
+			options.challenge_response_authentication = 0;
+		}
 		if (options.forward_agent) {
 			error("Agent forwarding is disabled to avoid "
 			    "man-in-the-middle attacks.");
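Review bot: The added `if (options.kbd_interactive_authentication)` block also sets `options.challenge_response_authentication = 0`, with no comment and no message of its own, so the challenge/response block that follows only reports when keyboard-interactive was already off. A user who enabled both methods sees only the keyboard-interactive error and gets no record that challenge/response was switched off after the host key mismatch. If the coupling is intentional (presumably because the two options drive the same interactive exchange elsewhere in the client; that code is not visible here), state it with a comment such as `/* challenge_response re-enables kbd-interactive elsewhere; clear both */`. Otherwise drop the extra assignment and let the second block clear and report it. The enclosing host-key-mismatch branch starts and ends outside this hunk, so whether other methods or forwardings still need the same treatment cannot be judged from here.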