Lines Matching +full:host +full:- +full:port

6  * Code to connect to a remote host, and to perform the client side of the
90 const char *host, const char *host_arg, int port) in expand_proxy_command() argument
96 snprintf(strport, sizeof strport, "%d", port); in expand_proxy_command()
99 "h", host, in expand_proxy_command()
114 ssh_proxy_fdpass_connect(struct ssh *ssh, const char *host, in ssh_proxy_fdpass_connect() argument
115 const char *host_arg, u_short port, const char *proxy_command) in ssh_proxy_fdpass_connect() argument
125 if (socketpair(AF_UNIX, SOCK_STREAM, 0, sp) == -1) in ssh_proxy_fdpass_connect()
130 host, host_arg, port); in ssh_proxy_fdpass_connect()
140 if (dup2(sp[0], 0) == -1) in ssh_proxy_fdpass_connect()
144 if (dup2(sp[0], 1) == -1) in ssh_proxy_fdpass_connect()
151 * Stderr is left for non-ControlPersist connections so in ssh_proxy_fdpass_connect()
155 options.control_persist && stdfd_devnull(0, 0, 1) == -1) in ssh_proxy_fdpass_connect()
159 argv[1] = "-c"; in ssh_proxy_fdpass_connect()
172 if (pid == -1) in ssh_proxy_fdpass_connect()
177 if ((sock = mm_receive_fd(sp[1])) == -1) in ssh_proxy_fdpass_connect()
181 while (waitpid(pid, NULL, 0) == -1) in ssh_proxy_fdpass_connect()
187 return -1; /* ssh_packet_set_connection logs error */ in ssh_proxy_fdpass_connect()
196 ssh_proxy_connect(struct ssh *ssh, const char *host, const char *host_arg, in ssh_proxy_connect() argument
197 u_short port, const char *proxy_command) in ssh_proxy_connect() argument
208 if (pipe(pin) == -1 || pipe(pout) == -1) in ssh_proxy_connect()
213 host, host_arg, port); in ssh_proxy_connect()
223 if (dup2(pin[0], 0) == -1) in ssh_proxy_connect()
228 if (dup2(pout[1], 1) == -1) in ssh_proxy_connect()
234 * Stderr is left for non-ControlPersist connections so in ssh_proxy_connect()
238 options.control_persist && stdfd_devnull(0, 0, 1) == -1) in ssh_proxy_connect()
242 argv[1] = "-c"; in ssh_proxy_connect()
256 if (pid == -1) in ssh_proxy_connect()
270 return -1; /* ssh_packet_set_connection logs error */ in ssh_proxy_connect()
290 * Returns 0 and fills in *resultp and *rlenp on success. Returns -1 on failure.
307 for (ifa = ifaddrs; ifa != NULL; ifa = ifa->ifa_next) { in check_ifaddrs()
308 if (ifa->ifa_addr == NULL || ifa->ifa_name == NULL || in check_ifaddrs()
309 (ifa->ifa_flags & IFF_UP) == 0 || in check_ifaddrs()
310 ifa->ifa_addr->sa_family != af || in check_ifaddrs()
311 strcmp(ifa->ifa_name, options.bind_interface) != 0) in check_ifaddrs()
313 switch (ifa->ifa_addr->sa_family) { in check_ifaddrs()
315 sa = (struct sockaddr_in *)ifa->ifa_addr; in check_ifaddrs()
316 if (!allow_local && sa->sin_addr.s_addr == in check_ifaddrs()
321 return -1; in check_ifaddrs()
327 sa6 = (struct sockaddr_in6 *)ifa->ifa_addr; in check_ifaddrs()
328 v6addr = &sa6->sin6_addr; in check_ifaddrs()
335 return -1; in check_ifaddrs()
343 return -1; in check_ifaddrs()
362 sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol); in ssh_create_socket()
363 if (sock == -1) { in ssh_create_socket()
365 return -1; in ssh_create_socket()
379 hints.ai_family = ai->ai_family; in ssh_create_socket()
380 hints.ai_socktype = ai->ai_socktype; in ssh_create_socket()
381 hints.ai_protocol = ai->ai_protocol; in ssh_create_socket()
393 memcpy(&bindaddr, res->ai_addr, res->ai_addrlen); in ssh_create_socket()
394 bindaddrlen = res->ai_addrlen; in ssh_create_socket()
403 if (check_ifaddrs(options.bind_interface, ai->ai_family, in ssh_create_socket()
427 sock = -1; in ssh_create_socket()
439 * Opens a TCP/IP connection to the remote server on the given host.
440 * The address of the remote host will be returned in hostaddr.
441 * If port is 0, the default port will be used.
443 * second). If proxy_command is non-NULL, it specifies the command (with %h
444 * and %p substituted for host and port, respectively) to use to contact
448 ssh_connect_direct(struct ssh *ssh, const char *host, struct addrinfo *aitop, in ssh_connect_direct() argument
449 struct sockaddr_storage *hostaddr, u_short port, int connection_attempts, in ssh_connect_direct() argument
453 int oerrno, sock = -1, attempt; in ssh_connect_direct()
468 * Loop through addresses for this host, and try each one in in ssh_connect_direct()
471 for (ai = aitop; ai; ai = ai->ai_next) { in ssh_connect_direct()
472 if (ai->ai_family != AF_INET && in ssh_connect_direct()
473 ai->ai_family != AF_INET6) { in ssh_connect_direct()
477 if (getnameinfo(ai->ai_addr, ai->ai_addrlen, in ssh_connect_direct()
486 ai->ai_family != options.address_family) { in ssh_connect_direct()
493 debug("Connecting to %.200s [%.100s] port %s.", in ssh_connect_direct()
494 host, ntop, strport); in ssh_connect_direct()
505 if (timeout_connect(sock, ai->ai_addr, ai->ai_addrlen, in ssh_connect_direct()
508 memcpy(hostaddr, ai->ai_addr, ai->ai_addrlen); in ssh_connect_direct()
512 debug("connect to address %s port %s: %s", in ssh_connect_direct()
515 sock = -1; in ssh_connect_direct()
519 if (sock != -1) in ssh_connect_direct()
524 if (sock == -1) { in ssh_connect_direct()
525 error("ssh: connect to host %s port %s: %s", in ssh_connect_direct()
526 host, strport, errno == 0 ? "failure" : strerror(errno)); in ssh_connect_direct()
527 return -1; in ssh_connect_direct()
535 sizeof(on)) == -1) in ssh_connect_direct()
540 return -1; /* ssh_packet_set_connection logs error */ in ssh_connect_direct()
546 ssh_connect(struct ssh *ssh, const char *host, const char *host_arg, in ssh_connect() argument
547 struct addrinfo *addrs, struct sockaddr_storage *hostaddr, u_short port, in ssh_connect() argument
553 return ssh_connect_direct(ssh, host, addrs, hostaddr, port, in ssh_connect()
555 } else if (strcmp(options.proxy_command, "-") == 0) { in ssh_connect()
556 if ((in = dup(STDIN_FILENO)) == -1 || in ssh_connect()
557 (out = dup(STDOUT_FILENO)) == -1) { in ssh_connect()
561 return -1; /* ssh_packet_set_connection logs error */ in ssh_connect()
564 return -1; /* ssh_packet_set_connection logs error */ in ssh_connect()
567 return ssh_proxy_fdpass_connect(ssh, host, host_arg, port, in ssh_connect()
570 return ssh_proxy_connect(ssh, host, host_arg, port, in ssh_connect()
581 int ret = -1; in confirm()
597 if (ret != -1) in confirm()
605 switch (hostaddr->sa_family) { in sockaddr_is_local()
607 return (ntohl(((struct sockaddr_in *)hostaddr)-> in sockaddr_is_local()
611 &(((struct sockaddr_in6 *)hostaddr)->sin6_addr)); in sockaddr_is_local()
619 * host keys in known_hosts files. These may have a port number appended.
623 u_short port, char **hostfile_hostname, char **hostfile_ipaddr) in get_hostfile_hostname_ipaddr() argument
628 switch (hostaddr == NULL ? -1 : hostaddr->sa_family) { in get_hostfile_hostname_ipaddr()
629 case -1: in get_hostfile_hostname_ipaddr()
644 * We don't have the remote ip-address for connections in get_hostfile_hostname_ipaddr()
652 *hostfile_ipaddr = put_host_port(ntop, port); in get_hostfile_hostname_ipaddr()
661 * differentiate a non-standard port. This is useful for ssh in get_hostfile_hostname_ipaddr()
670 *hostfile_hostname = put_host_port(hostname, port); in get_hostfile_hostname_ipaddr()
675 /* returns non-zero if path appears in hostfiles, or 0 if not. */
689 const char *host, *ip; member
713 if (home[l - 1] != '/' && path[l] != '/') in try_tilde_unexpand()
722 * Returns non-zero if the key is accepted by HostkeyAlgorithms.
731 if (key->type == KEY_UNSPEC) in hostkey_accepted_by_hostkeyalgs()
733 if (key->type == KEY_RSA && in hostkey_accepted_by_hostkeyalgs()
734 (match_pattern_list("rsa-sha2-256", hostkeyalgs, 0) == 1 || in hostkey_accepted_by_hostkeyalgs()
735 match_pattern_list("rsa-sha2-512", hostkeyalgs, 0) == 1)) in hostkey_accepted_by_hostkeyalgs()
737 if (key->type == KEY_RSA_CERT && in hostkey_accepted_by_hostkeyalgs()
738 (match_pattern_list("rsa-sha2-512-cert-v01@openssh.com", hostkeyalgs, 0) == 1 || in hostkey_accepted_by_hostkeyalgs()
739 match_pattern_list("rsa-sha2-256-cert-v01@openssh.com", hostkeyalgs, 0) == 1)) in hostkey_accepted_by_hostkeyalgs()
751 if ((l->match & HKF_MATCH_HOST) != 0) in hostkeys_find_by_key_cb()
754 if (l->marker != MRK_NONE) in hostkeys_find_by_key_cb()
757 if (l->key == NULL || !sshkey_equal(ctx->key, l->key)) in hostkeys_find_by_key_cb()
759 path = try_tilde_unexpand(l->path); in hostkeys_find_by_key_cb()
760 debug_f("found matching key in %s:%lu", path, l->linenum); in hostkeys_find_by_key_cb()
761 ctx->names = xrecallocarray(ctx->names, in hostkeys_find_by_key_cb()
762 ctx->nnames, ctx->nnames + 1, sizeof(*ctx->names)); in hostkeys_find_by_key_cb()
763 xasprintf(&ctx->names[ctx->nnames], "%s:%lu: %s", path, l->linenum, in hostkeys_find_by_key_cb()
764 strncmp(l->hosts, HASH_MAGIC, strlen(HASH_MAGIC)) == 0 ? in hostkeys_find_by_key_cb()
765 "[hashed name]" : l->hosts); in hostkeys_find_by_key_cb()
766 ctx->nnames++; in hostkeys_find_by_key_cb()
779 ctx->host, ctx->ip, HKF_WANT_PARSE_KEY, 0)) != 0) { in hostkeys_find_by_key_hostfile()
791 * Find 'key' in known hosts file(s) that do not match host/ip.
792 * Used to display also-known-as information for previously-unseen hostkeys.
795 hostkeys_find_by_key(const char *host, const char *ip, const struct sshkey *key, in hostkeys_find_by_key() argument
809 ctx.host = host; in hostkeys_find_by_key()
837 other_hostkeys_message(const char *host, const char *ip, in other_hostkeys_message() argument
845 hostkeys_find_by_key(host, ip, key, in other_hostkeys_message()
852 xasprintf(&ret, "This host key is known by the following other " in other_hostkeys_message()
863 num_othernames - n); in other_hostkeys_message()
883 xasprintf(&tag, "KnownHostsCommand-%s", invocation); in load_hostkeys_command()
950 * check whether the supplied host key is valid, return -1 if the key
958 struct sockaddr *hostaddr, u_short port, in check_host_key() argument
964 HostStatus host_status = -1, ip_status = -1; in check_host_key()
966 char *ip = NULL, *host = NULL; in check_host_key() local
979 * Force accepting of the host key for loopback/localhost. The in check_host_key()
980 * problem is that if the home directory is NFS-mounted to multiple in check_host_key()
983 * essentially disables host authentication for localhost; however, in check_host_key()
988 debug("Forcing accepting of host key for " in check_host_key()
1007 * In some cases, these will have a port number appended. in check_host_key()
1010 clobber_port ? 0 : port, &host, &ip); in check_host_key()
1022 load_hostkeys(host_hostkeys, host, user_hostfiles[i], 0); in check_host_key()
1024 load_hostkeys(host_hostkeys, host, system_hostfiles[i], 0); in check_host_key()
1027 "HOSTNAME", cinfo, host_key, host); in check_host_key()
1045 error("host key %s not permitted by HostkeyAlgorithms", in check_host_key()
1050 /* Reload these as they may have changed on cert->key downgrade */ in check_host_key()
1055 * Check if the host key is present in the user's list of known in check_host_key()
1066 (host_found != NULL && host_found->note != 0))) in check_host_key()
1080 !sshkey_equal(ip_found->key, host_found->key)))) in check_host_key()
1087 /* The host is known and the key matches. */ in check_host_key()
1088 debug("Host '%.200s' is known and matches the %s host %s.", in check_host_key()
1089 host, type, want_cert ? "certificate" : "key"); in check_host_key()
1091 host_found->file, host_found->line); in check_host_key()
1106 debug3_f("certificate host key in use; " in check_host_key()
1112 (path_in_hostfiles(host_found->file, in check_host_key()
1115 path_in_hostfiles(ip_found->file, in check_host_key()
1118 debug3_f("host key found in GlobalKnownHostsFile; " in check_host_key()
1121 if (options.update_hostkeys != 0 && host_found->note) { in check_host_key()
1123 debug3_f("host key found via KnownHostsCommand; " in check_host_key()
1128 logit("%s host key for IP address " in check_host_key()
1133 logit("Failed to add the %s host key for IP " in check_host_key()
1138 logit("Warning: Permanently added the %s host " in check_host_key()
1148 logit("Host key fingerprint is %s\n%s", fp, ra); in check_host_key()
1155 if (options.host_key_alias == NULL && port != 0 && in check_host_key()
1156 port != SSH_DEFAULT_PORT && !clobber_port) { in check_host_key()
1157 debug("checking without port identifier"); in check_host_key()
1163 debug("found matching key w/out port"); in check_host_key()
1169 /* The host is new. */ in check_host_key()
1173 * User has requested strict host key checking. We in check_host_key()
1174 * will not add the host key automatically. The only in check_host_key()
1177 error("No %s host key is known for %.200s and you " in check_host_key()
1178 "have requested strict checking.", type, host); in check_host_key()
1184 xasprintf(&msg1, "The authenticity of host " in check_host_key()
1185 "'%.200s (%s)' can't be established", host, ip); in check_host_key()
1189 "type are already known for this host."); in check_host_key()
1205 "%s host key fingerprint found in DNS.", in check_host_key()
1210 if ((msg2 = other_hostkeys_message(host, ip, host_key, in check_host_key()
1233 snprintf(hostline, sizeof(hostline), "%s,%s", host, ip); in check_host_key()
1236 /* Add hash of host and IP separately */ in check_host_key()
1238 host, host_key, options.hash_known_hosts) && in check_host_key()
1242 /* Add unhashed "host,ip" */ in check_host_key()
1248 r = add_host_to_hostfile(user_hostfiles[0], host, in check_host_key()
1250 hostp = host; in check_host_key()
1254 logit("Failed to add the host to the list of known " in check_host_key()
1262 error("@ WARNING: REVOKED HOST KEY DETECTED! @"); in check_host_key()
1264 error("The %s host key for %s is marked as revoked.", type, host); in check_host_key()
1266 error("impersonate this host."); in check_host_key()
1269 * If strict host key checking is in use, the user will have in check_host_key()
1274 error("%s host key for %.200s was revoked and you have " in check_host_key()
1275 "requested strict checking.", type, host); in check_host_key()
1287 debug("Host certificate authority does not " in check_host_key()
1289 host_found->file, host_found->line); in check_host_key()
1305 error("The %s host key for %s has changed,", type, host); in check_host_key()
1308 error("DNS SPOOFING is happening or the IP address for the host"); in check_host_key()
1309 error("and its host key have changed at the same time."); in check_host_key()
1312 ip_found->file, ip_found->line); in check_host_key()
1314 /* The host key has changed. */ in check_host_key()
1317 error("Add correct host key in %.100s to get rid " in check_host_key()
1322 sshkey_type(host_found->key), in check_host_key()
1323 host_found->file, host_found->line); in check_host_key()
1326 * If strict host key checking is in use, the user will have in check_host_key()
1331 error("Host key for %.200s has changed and you have " in check_host_key()
1332 "requested strict checking.", host); in check_host_key()
1338 * If strict host key checking has not been requested, allow in check_host_key()
1339 * the connection but without MITM-able authentication or in check_host_key()
1344 "man-in-the-middle attacks."); in check_host_key()
1349 error("Keyboard-interactive authentication is disabled" in check_host_key()
1350 " to avoid man-in-the-middle attacks."); in check_host_key()
1356 "man-in-the-middle attacks."); in check_host_key()
1362 "man-in-the-middle attacks."); in check_host_key()
1368 error("Port forwarding is disabled to avoid " in check_host_key()
1369 "man-in-the-middle attacks."); in check_host_key()
1376 "man-in-the-middle attacks."); in check_host_key()
1381 error("UpdateHostkeys is disabled because the host " in check_host_key()
1386 fatal("Error: forwarding disabled due to host key " in check_host_key()
1391 * This could be done by converting the host key to an in check_host_key()
1392 * identifying sentence, tell that the host identifies itself in check_host_key()
1405 "Warning: the %s host key for '%.200s' " in check_host_key()
1408 type, host, ip, ip_found->file, ip_found->line); in check_host_key()
1411 snprintf(msg + len, sizeof(msg) - len, in check_host_key()
1412 "\nMatching host key in %s:%lu", in check_host_key()
1413 host_found->file, host_found->line); in check_host_key()
1438 free(host); in check_host_key()
1461 free(host); in check_host_key()
1466 return -1; in check_host_key()
1469 /* returns 0 if key verifies or -1 if key does NOT verify */
1471 verify_host_key(char *host, struct sockaddr *hostaddr, struct sshkey *host_key, in verify_host_key() argument
1475 int r = -1, flags = 0; in verify_host_key()
1481 error_fr(r, "fingerprint host key"); in verify_host_key()
1482 r = -1; in verify_host_key()
1487 if ((cafp = sshkey_fingerprint(host_key->cert->signature_key, in verify_host_key()
1490 r = -1; in verify_host_key()
1493 sshkey_format_cert_validity(host_key->cert, in verify_host_key()
1495 debug("Server host certificate: %s %s, serial %llu " in verify_host_key()
1498 (unsigned long long)host_key->cert->serial, in verify_host_key()
1499 host_key->cert->key_id, in verify_host_key()
1500 sshkey_ssh_name(host_key->cert->signature_key), cafp, in verify_host_key()
1502 for (i = 0; i < host_key->cert->nprincipals; i++) { in verify_host_key()
1503 debug2("Server host certificate hostname: %s", in verify_host_key()
1504 host_key->cert->principals[i]); in verify_host_key()
1507 debug("Server host key: %s %s", sshkey_ssh_name(host_key), fp); in verify_host_key()
1511 debug2_f("server host key %s %s matches cached key", in verify_host_key()
1524 error("Host key %s %s revoked by file %s", in verify_host_key()
1527 r = -1; in verify_host_key()
1530 error_r(r, "Error checking host key %s %s in " in verify_host_key()
1533 r = -1; in verify_host_key()
1547 if (verify_host_key_dns(host, hostaddr, plain, &flags) == 0) { in verify_host_key()
1560 "with the new host key to get rid " in verify_host_key()
1566 r = check_host_key(host, cinfo, hostaddr, options.port, host_key, in verify_host_key()
1588 * This function does not require super-user privileges.
1592 struct sockaddr *hostaddr, u_short port, struct passwd *pw, int timeout_ms, in ssh_login() argument
1595 char *host; in ssh_login() local
1599 local_user = xstrdup(pw->pw_name); in ssh_login()
1602 /* Convert the user-supplied hostname into all lowercase. */ in ssh_login()
1603 host = xstrdup(orighost); in ssh_login()
1604 lowercase(host); in ssh_login()
1610 /* Put the connection into non-blocking mode. */ in ssh_login()
1615 debug("Authenticating to %s:%d as '%s'", host, port, server_user); in ssh_login()
1616 ssh_kex2(ssh, host, hostaddr, port, cinfo); in ssh_login()
1617 ssh_userauth2(ssh, local_user, server_user, host, sensitive); in ssh_login()
1619 free(host); in ssh_login()
1622 /* print all known host keys for a given host, but skip keys of given type */
1634 -1 in show_other_keys()
1640 for (i = 0; type[i] != -1; i++) { in show_other_keys()
1641 if (type[i] == key->type) in show_other_keys()
1644 -1, &found)) in show_other_keys()
1646 fp = sshkey_fingerprint(found->key, in show_other_keys()
1648 ra = sshkey_fingerprint(found->key, in show_other_keys()
1652 logit("WARNING: %s key found for host %s\n" in show_other_keys()
1655 sshkey_type(found->key), in show_other_keys()
1656 found->host, found->file, found->line, in show_other_keys()
1657 sshkey_type(found->key), fp); in show_other_keys()
1678 error("@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @"); in warn_changed_key()
1681 error("Someone could be eavesdropping on you right now (man-in-the-middle attack)!"); in warn_changed_key()
1682 error("It is also possible that a host key has just been changed."); in warn_changed_key()
1683 error("The fingerprint for the %s key sent by the remote host is\n%s.", in warn_changed_key()
1712 debug3("Executing %s -c \"%s\"", shell, args); in ssh_local_cmd()
1713 execl(shell, shell, "-c", args, (char *)NULL); in ssh_local_cmd()
1714 error("Couldn't execute %s -c \"%s\": %s", in ssh_local_cmd()
1717 } else if (pid == -1) in ssh_local_cmd()
1719 while (waitpid(pid, &status, 0) == -1) in ssh_local_cmd()
1734 int auth_sock = -1, r; in maybe_add_key_to_agent()