- djm@cvs.openbsd.org 2010/11/29 23:45:51
     [auth.c hostfile.c hostfile.h ssh.c ssh_config.5 sshconnect.c]
     [sshconnect.h sshconnect2.c]
     automatically order the hostkeys requested by the client based on
     which hostkeys are already recorded in known_hosts. This avoids
     hostkey warnings when connecting to servers with new ECDSA keys
     that are preferred by default; with markus@
diff --git a/auth.c b/auth.c
index 6fe1b21..33680b9 100644
--- a/auth.c
+++ b/auth.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth.c,v 1.90 2010/11/23 02:35:50 djm Exp $ */
+/* $OpenBSD: auth.c,v 1.91 2010/11/29 23:45:51 djm Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  *
@@ -379,16 +379,15 @@
 check_key_in_hostfiles(struct passwd *pw, Key *key, const char *host,
     const char *sysfile, const char *userfile)
 {
-	Key *found;
 	char *user_hostfile;
 	struct stat st;
 	HostStatus host_status;
+	struct hostkeys *hostkeys;
+	const struct hostkey_entry *found;
 
-	/* Check if we know the host and its host key. */
-	found = key_new(key_is_cert(key) ? KEY_UNSPEC : key->type);
-	host_status = check_host_in_hostfile(sysfile, host, key, found, NULL);
-
-	if (host_status != HOST_OK && userfile != NULL) {
+	hostkeys = init_hostkeys();
+	load_hostkeys(hostkeys, host, sysfile);
+	if (userfile != NULL) {
 		user_hostfile = tilde_expand_filename(userfile, pw->pw_uid);
 		if (options.strict_modes &&
 		    (stat(user_hostfile, &st) == 0) &&
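Review bot: The user known_hosts file is now loaded even when the system file already holds a matching entry, because the old `host_status != HOST_OK &&` guard on the `if (userfile != NULL)` line was dropped and both files feed one `check_key_in_hostkeys` lookup; what happens to a key that one file accepts and the other marks revoked now depends on how that lookup orders its checks, which is not visible here. A short comment at the `init_hostkeys()` call stating the intended precedence would spare the next reader from guessing, e.g. `/* Load system and user files together; the lookup below decides which entry wins. */`. The return of `init_hostkeys()` is also used unchecked by `load_hostkeys`, so it is presumably an abort-on-failure allocator — worth confirming. check_key_in_hostfiles continues past the end of this hunk.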
@@ -401,16 +400,23 @@
 			    user_hostfile);
 		} else {
 			temporarily_use_uid(pw);
-			host_status = check_host_in_hostfile(user_hostfile,
-			    host, key, found, NULL);
+			load_hostkeys(hostkeys, host, user_hostfile);
 			restore_uid();
 		}
 		xfree(user_hostfile);
 	}
-	key_free(found);
+	host_status = check_key_in_hostkeys(hostkeys, key, &found);
+	if (host_status == HOST_REVOKED)
+		error("WARNING: revoked key for %s attempted authentication",
+		    found->host);
+	else if (host_status == HOST_OK)
+		debug("%s: key for %s found at %s:%ld", __func__,
+		    found->host, found->file, found->line);
+	else
+		debug("%s: key for host %s not found", __func__, host);
 
-	debug2("check_key_in_hostfiles: key %s for %s", host_status == HOST_OK ?
-	    "ok" : "not found", host);
+	free_hostkeys(hostkeys);
+
 	return host_status;
 }
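Review bot: The `found->host` dereferences under the `HOST_REVOKED` and `HOST_OK` branches rely on `check_key_in_hostkeys` always setting `*found` for exactly those two statuses, a contract that is not visible in this hunk and that a future change to the lookup could silently break; a comment such as `/* found is non-NULL only for HOST_OK and HOST_REVOKED */` above the `if` would make the dependency explicit, or the branches could test `found != NULL` before printing. Separately, `found->line` is printed with `%ld`; if `line` is declared as an unsigned type in hostfile.h, `%lu` is the matching specifier and keeps `-Wformat` quiet on the `debug()` call.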