111 * a connected fd back to us.
125 if (socketpair(AF_UNIX, SOCK_STREAM, 0, sp) == -1) in ssh_proxy_fdpass_connect()
140 if (dup2(sp[0], 0) == -1) in ssh_proxy_fdpass_connect()
144 if (dup2(sp[0], 1) == -1) in ssh_proxy_fdpass_connect()
151 * Stderr is left for non-ControlPersist connections is so in ssh_proxy_fdpass_connect()
155 options.control_persist && stdfd_devnull(0, 0, 1) == -1) in ssh_proxy_fdpass_connect()
159 argv[1] = "-c"; in ssh_proxy_fdpass_connect()
172 if (pid == -1) in ssh_proxy_fdpass_connect()
177 if ((sock = mm_receive_fd(sp[1])) == -1) in ssh_proxy_fdpass_connect()
181 while (waitpid(pid, NULL, 0) == -1) in ssh_proxy_fdpass_connect()
187 return -1; /* ssh_packet_set_connection logs error */ in ssh_proxy_fdpass_connect()
208 if (pipe(pin) == -1 || pipe(pout) == -1) in ssh_proxy_connect()
223 if (dup2(pin[0], 0) == -1) in ssh_proxy_connect()
228 if (dup2(pout[1], 1) == -1) in ssh_proxy_connect()
234 * Stderr is left for non-ControlPersist connections is so in ssh_proxy_connect()
238 options.control_persist && stdfd_devnull(0, 0, 1) == -1) in ssh_proxy_connect()
242 argv[1] = "-c"; in ssh_proxy_connect()
256 if (pid == -1) in ssh_proxy_connect()
270 return -1; /* ssh_packet_set_connection logs error */ in ssh_proxy_connect()
290 * Returns 0 and fills in *resultp and *rlenp on success. Returns -1 on failure.
307 for (ifa = ifaddrs; ifa != NULL; ifa = ifa->ifa_next) { in check_ifaddrs()
308 if (ifa->ifa_addr == NULL || ifa->ifa_name == NULL || in check_ifaddrs()
309 (ifa->ifa_flags & IFF_UP) == 0 || in check_ifaddrs()
310 ifa->ifa_addr->sa_family != af || in check_ifaddrs()
311 strcmp(ifa->ifa_name, options.bind_interface) != 0) in check_ifaddrs()
313 switch (ifa->ifa_addr->sa_family) { in check_ifaddrs()
315 sa = (struct sockaddr_in *)ifa->ifa_addr; in check_ifaddrs()
316 if (!allow_local && sa->sin_addr.s_addr == in check_ifaddrs()
321 return -1; in check_ifaddrs()
327 sa6 = (struct sockaddr_in6 *)ifa->ifa_addr; in check_ifaddrs()
328 v6addr = &sa6->sin6_addr; in check_ifaddrs()
335 return -1; in check_ifaddrs()
343 return -1; in check_ifaddrs()
362 sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol); in ssh_create_socket()
363 if (sock == -1) { in ssh_create_socket()
365 return -1; in ssh_create_socket()
379 hints.ai_family = ai->ai_family; in ssh_create_socket()
380 hints.ai_socktype = ai->ai_socktype; in ssh_create_socket()
381 hints.ai_protocol = ai->ai_protocol; in ssh_create_socket()
393 memcpy(&bindaddr, res->ai_addr, res->ai_addrlen); in ssh_create_socket()
394 bindaddrlen = res->ai_addrlen; in ssh_create_socket()
403 if (check_ifaddrs(options.bind_interface, ai->ai_family, in ssh_create_socket()
427 sock = -1; in ssh_create_socket()
443 * second). If proxy_command is non-NULL, it specifies the command (with %h
453 int oerrno, sock = -1, attempt; in ssh_connect_direct()
471 for (ai = aitop; ai; ai = ai->ai_next) { in ssh_connect_direct()
472 if (ai->ai_family != AF_INET && in ssh_connect_direct()
473 ai->ai_family != AF_INET6) { in ssh_connect_direct()
477 if (getnameinfo(ai->ai_addr, ai->ai_addrlen, in ssh_connect_direct()
486 ai->ai_family != options.address_family) { in ssh_connect_direct()
505 if (timeout_connect(sock, ai->ai_addr, ai->ai_addrlen, in ssh_connect_direct()
508 memcpy(hostaddr, ai->ai_addr, ai->ai_addrlen); in ssh_connect_direct()
515 sock = -1; in ssh_connect_direct()
519 if (sock != -1) in ssh_connect_direct()
524 if (sock == -1) { in ssh_connect_direct()
527 return -1; in ssh_connect_direct()
535 sizeof(on)) == -1) in ssh_connect_direct()
540 return -1; /* ssh_packet_set_connection logs error */ in ssh_connect_direct()
555 } else if (strcmp(options.proxy_command, "-") == 0) { in ssh_connect()
556 if ((in = dup(STDIN_FILENO)) == -1 || in ssh_connect()
557 (out = dup(STDOUT_FILENO)) == -1) { in ssh_connect()
561 return -1; /* ssh_packet_set_connection logs error */ in ssh_connect()
564 return -1; /* ssh_packet_set_connection logs error */ in ssh_connect()
581 int ret = -1; in confirm()
597 if (ret != -1) in confirm()
605 switch (hostaddr->sa_family) { in sockaddr_is_local()
607 return (ntohl(((struct sockaddr_in *)hostaddr)-> in sockaddr_is_local()
611 &(((struct sockaddr_in6 *)hostaddr)->sin6_addr)); in sockaddr_is_local()
628 switch (hostaddr == NULL ? -1 : hostaddr->sa_family) { in get_hostfile_hostname_ipaddr()
629 case -1: in get_hostfile_hostname_ipaddr()
644 * We don't have the remote ip-address for connections in get_hostfile_hostname_ipaddr()
660 * Allow the user to record the key under a different name or in get_hostfile_hostname_ipaddr()
661 * differentiate a non-standard port. This is useful for ssh in get_hostfile_hostname_ipaddr()
675 /* returns non-zero if path appears in hostfiles, or 0 if not. */
690 const struct sshkey *key; member
713 if (home[l - 1] != '/' && path[l] != '/') in try_tilde_unexpand()
722 * Returns non-zero if the key is accepted by HostkeyAlgorithms.
726 hostkey_accepted_by_hostkeyalgs(const struct sshkey *key) in hostkey_accepted_by_hostkeyalgs() argument
728 const char *ktype = sshkey_ssh_name(key); in hostkey_accepted_by_hostkeyalgs()
731 if (key->type == KEY_UNSPEC) in hostkey_accepted_by_hostkeyalgs()
733 if (key->type == KEY_RSA && in hostkey_accepted_by_hostkeyalgs()
734 (match_pattern_list("rsa-sha2-256", hostkeyalgs, 0) == 1 || in hostkey_accepted_by_hostkeyalgs()
735 match_pattern_list("rsa-sha2-512", hostkeyalgs, 0) == 1)) in hostkey_accepted_by_hostkeyalgs()
737 if (key->type == KEY_RSA_CERT && in hostkey_accepted_by_hostkeyalgs()
738 (match_pattern_list("rsa-sha2-512-cert-v01@openssh.com", hostkeyalgs, 0) == 1 || in hostkey_accepted_by_hostkeyalgs()
739 match_pattern_list("rsa-sha2-256-cert-v01@openssh.com", hostkeyalgs, 0) == 1)) in hostkey_accepted_by_hostkeyalgs()
751 if ((l->match & HKF_MATCH_HOST) != 0) in hostkeys_find_by_key_cb()
754 if (l->marker != MRK_NONE) in hostkeys_find_by_key_cb()
756 /* we are only interested in exact key matches */ in hostkeys_find_by_key_cb()
757 if (l->key == NULL || !sshkey_equal(ctx->key, l->key)) in hostkeys_find_by_key_cb()
759 path = try_tilde_unexpand(l->path); in hostkeys_find_by_key_cb()
760 debug_f("found matching key in %s:%lu", path, l->linenum); in hostkeys_find_by_key_cb()
761 ctx->names = xrecallocarray(ctx->names, in hostkeys_find_by_key_cb()
762 ctx->nnames, ctx->nnames + 1, sizeof(*ctx->names)); in hostkeys_find_by_key_cb()
763 xasprintf(&ctx->names[ctx->nnames], "%s:%lu: %s", path, l->linenum, in hostkeys_find_by_key_cb()
764 strncmp(l->hosts, HASH_MAGIC, strlen(HASH_MAGIC)) == 0 ? in hostkeys_find_by_key_cb()
765 "[hashed name]" : l->hosts); in hostkeys_find_by_key_cb()
766 ctx->nnames++; in hostkeys_find_by_key_cb()
779 ctx->host, ctx->ip, HKF_WANT_PARSE_KEY, 0)) != 0) { in hostkeys_find_by_key_hostfile()
791 * Find 'key' in known hosts file(s) that do not match host/ip.
792 * Used to display also-known-as information for previously-unseen hostkeys.
795 hostkeys_find_by_key(const char *host, const char *ip, const struct sshkey *key, in hostkeys_find_by_key() argument
806 if (key == NULL || sshkey_is_cert(key)) in hostkeys_find_by_key()
811 ctx.key = key; in hostkeys_find_by_key()
838 const struct sshkey *key, in other_hostkeys_message() argument
845 hostkeys_find_by_key(host, ip, key, in other_hostkeys_message()
850 return xstrdup("This key is not known by any other names."); in other_hostkeys_message()
852 xasprintf(&ret, "This host key is known by the following other " in other_hostkeys_message()
863 num_othernames - n); in other_hostkeys_message()
883 xasprintf(&tag, "KnownHostsCommand-%s", invocation); in load_hostkeys_command()
950 * check whether the supplied host key is valid, return -1 if the key
964 HostStatus host_status = -1, ip_status = -1; in check_host_key()
979 * Force accepting of the host key for loopback/localhost. The in check_host_key()
980 * problem is that if the home directory is NFS-mounted to multiple in check_host_key()
988 debug("Forcing accepting of host key for " in check_host_key()
1045 error("host key %s not permitted by HostkeyAlgorithms", in check_host_key()
1050 /* Reload these as they may have changed on cert->key downgrade */ in check_host_key()
1055 * Check if the host key is present in the user's list of known in check_host_key()
1063 * KnownHostsCommand, then don't try to touch the disk. in check_host_key()
1066 (host_found != NULL && host_found->note != 0))) in check_host_key()
1080 !sshkey_equal(ip_found->key, host_found->key)))) in check_host_key()
1087 /* The host is known and the key matches. */ in check_host_key()
1089 host, type, want_cert ? "certificate" : "key"); in check_host_key()
1090 debug("Found %s in %s:%lu", want_cert ? "CA key" : "key", in check_host_key()
1091 host_found->file, host_found->line); in check_host_key()
1106 debug3_f("certificate host key in use; " in check_host_key()
1110 /* Turn off UpdateHostkeys if key was in system known_hosts */ in check_host_key()
1112 (path_in_hostfiles(host_found->file, in check_host_key()
1115 path_in_hostfiles(ip_found->file, in check_host_key()
1118 debug3_f("host key found in GlobalKnownHostsFile; " in check_host_key()
1121 if (options.update_hostkeys != 0 && host_found->note) { in check_host_key()
1123 debug3_f("host key found via KnownHostsCommand; " in check_host_key()
1128 logit("%s host key for IP address " in check_host_key()
1133 logit("Failed to add the %s host key for IP " in check_host_key()
1139 "key for IP address '%.128s' to the list " in check_host_key()
1148 logit("Host key fingerprint is %s\n%s", fp, ra); in check_host_key()
1163 debug("found matching key w/out port"); in check_host_key()
1173 * User has requested strict host key checking. We in check_host_key()
1174 * will not add the host key automatically. The only in check_host_key()
1177 error("No %s host key is known for %.200s and you " in check_host_key()
1199 xextendf(&msg1, "\n", "%s key fingerprint is %s.", in check_host_key()
1205 "%s host key fingerprint found in DNS.", in check_host_key()
1209 /* msg2 informs for other names matching this key */ in check_host_key()
1229 * If in "new" or "off" strict mode, add the key automatically in check_host_key()
1262 error("@ WARNING: REVOKED HOST KEY DETECTED! @"); in check_host_key()
1264 error("The %s host key for %s is marked as revoked.", type, host); in check_host_key()
1265 error("This could mean that a stolen key is being used to"); in check_host_key()
1269 * If strict host key checking is in use, the user will have in check_host_key()
1270 * to edit the key manually and we can only abort. in check_host_key()
1274 error("%s host key for %.200s was revoked and you have " in check_host_key()
1289 host_found->file, host_found->line); in check_host_key()
1305 error("The %s host key for %s has changed,", type, host); in check_host_key()
1306 error("and the key for the corresponding IP address %s", ip); in check_host_key()
1309 error("and its host key have changed at the same time."); in check_host_key()
1311 error("Offending key for IP in %s:%lu", in check_host_key()
1312 ip_found->file, ip_found->line); in check_host_key()
1314 /* The host key has changed. */ in check_host_key()
1317 error("Add correct host key in %.100s to get rid " in check_host_key()
1321 error("Offending %s key in %s:%lu", in check_host_key()
1322 sshkey_type(host_found->key), in check_host_key()
1323 host_found->file, host_found->line); in check_host_key()
1326 * If strict host key checking is in use, the user will have in check_host_key()
1327 * to edit the key manually and we can only abort. in check_host_key()
1331 error("Host key for %.200s has changed and you have " in check_host_key()
1338 * If strict host key checking has not been requested, allow in check_host_key()
1339 * the connection but without MITM-able authentication or in check_host_key()
1344 "man-in-the-middle attacks."); in check_host_key()
1349 error("Keyboard-interactive authentication is disabled" in check_host_key()
1350 " to avoid man-in-the-middle attacks."); in check_host_key()
1356 "man-in-the-middle attacks."); in check_host_key()
1362 "man-in-the-middle attacks."); in check_host_key()
1369 "man-in-the-middle attacks."); in check_host_key()
1376 "man-in-the-middle attacks."); in check_host_key()
1382 "key is not trusted."); in check_host_key()
1386 fatal("Error: forwarding disabled due to host key " in check_host_key()
1391 * This could be done by converting the host key to an in check_host_key()
1405 "Warning: the %s host key for '%.200s' " in check_host_key()
1406 "differs from the key for the IP address '%.128s'" in check_host_key()
1407 "\nOffending key for IP in %s:%lu", in check_host_key()
1408 type, host, ip, ip_found->file, ip_found->line); in check_host_key()
1411 snprintf(msg + len, sizeof(msg) - len, in check_host_key()
1412 "\nMatching host key in %s:%lu", in check_host_key()
1413 host_found->file, host_found->line); in check_host_key()
1448 * No matching certificate. Downgrade cert to raw key and in check_host_key()
1451 debug("No matching CA found. Retry with plain key"); in check_host_key()
1453 fatal_fr(r, "decode key"); in check_host_key()
1466 return -1; in check_host_key()
1469 /* returns 0 if key verifies or -1 if key does NOT verify */
1475 int r = -1, flags = 0; in verify_host_key()
1481 error_fr(r, "fingerprint host key"); in verify_host_key()
1482 r = -1; in verify_host_key()
1487 if ((cafp = sshkey_fingerprint(host_key->cert->signature_key, in verify_host_key()
1489 error_fr(r, "fingerprint CA key"); in verify_host_key()
1490 r = -1; in verify_host_key()
1493 sshkey_format_cert_validity(host_key->cert, in verify_host_key()
1498 (unsigned long long)host_key->cert->serial, in verify_host_key()
1499 host_key->cert->key_id, in verify_host_key()
1500 sshkey_ssh_name(host_key->cert->signature_key), cafp, in verify_host_key()
1502 for (i = 0; i < host_key->cert->nprincipals; i++) { in verify_host_key()
1504 host_key->cert->principals[i]); in verify_host_key()
1507 debug("Server host key: %s %s", sshkey_ssh_name(host_key), fp); in verify_host_key()
1511 debug2_f("server host key %s %s matches cached key", in verify_host_key()
1524 error("Host key %s %s revoked by file %s", in verify_host_key()
1527 r = -1; in verify_host_key()
1530 error_r(r, "Error checking host key %s %s in " in verify_host_key()
1533 r = -1; in verify_host_key()
1541 * them and try the plain key. in verify_host_key()
1560 "with the new host key to get rid " in verify_host_key()
1588 * This function does not require super-user privileges.
1599 local_user = xstrdup(pw->pw_name); in ssh_login()
1602 /* Convert the user-supplied hostname into all lowercase. */ in ssh_login()
1611 /* Put the connection into non-blocking mode. */ in ssh_login()
1614 /* key exchange */ in ssh_login()
1625 show_other_keys(struct hostkeys *hostkeys, struct sshkey *key) in show_other_keys() argument
1635 -1 in show_other_keys()
1641 for (i = 0; type[i] != -1; i++) { in show_other_keys()
1642 if (type[i] == key->type) in show_other_keys()
1645 -1, &found)) in show_other_keys()
1647 fp = sshkey_fingerprint(found->key, in show_other_keys()
1649 ra = sshkey_fingerprint(found->key, in show_other_keys()
1653 logit("WARNING: %s key found for host %s\n" in show_other_keys()
1655 "%s key fingerprint %s.", in show_other_keys()
1656 sshkey_type(found->key), in show_other_keys()
1657 found->host, found->file, found->line, in show_other_keys()
1658 sshkey_type(found->key), fp); in show_other_keys()
1682 error("Someone could be eavesdropping on you right now (man-in-the-middle attack)!"); in warn_changed_key()
1683 error("It is also possible that a host key has just been changed."); in warn_changed_key()
1684 error("The fingerprint for the %s key sent by the remote host is\n%s.", in warn_changed_key()
1713 debug3("Executing %s -c \"%s\"", shell, args); in ssh_local_cmd()
1714 execl(shell, shell, "-c", args, (char *)NULL); in ssh_local_cmd()
1715 error("Couldn't execute %s -c \"%s\": %s", in ssh_local_cmd()
1718 } else if (pid == -1) in ssh_local_cmd()
1720 while (waitpid(pid, &status, 0) == -1) in ssh_local_cmd()
1735 int auth_sock = -1, r; in maybe_add_key_to_agent()
1742 debug3("no authentication agent, not adding key"); in maybe_add_key_to_agent()
1747 !ask_permission("Add key %s (%s) to agent?", authfile, comment)) { in maybe_add_key_to_agent()
1748 debug3("user denied adding this key"); in maybe_add_key_to_agent()