search for: ip_status

...+++ openssh-4.3p1-patch/sshconnect.c 2006-02-04 16:42:04.000000000 +0100 @@ -51,6 +51,9 @@ static int show_other_keys(const char *, Key *); static void warn_changed_key(Key *); +static int ask_connect_with_new_key(const char *host, Key *host_key, + const char* ip, const char* type, HostStatus ip_status, + const char *user_hostfile); /* * Connect to the given ssh server using a proxy command. @@ -524,10 +527,9 @@ Key *file_key; const char *type = key_type(host_key); char *ip = NULL; - char hostline[1000], *hostp, *fp; HostStatus host_status; HostStatus ip_status; - int r, local = 0...

...sh/sshconnect.c 2010-12-09 10:22:02.139864915 -0500 @@ -908,14 +908,17 @@ error("%s. This could either mean that", key_msg); error("DNS SPOOFING is happening or the IP address for the host"); error("and its host key have changed at the same time."); - if (ip_status != HOST_NEW) + if (ip_status != HOST_NEW) { error("Offending key for IP in %s:%d", ip_file, ip_line); + error(" remove with: ssh-keygen -f \"%s\" -R %d", ip_file, ip_line); + } } /* The host key has changed. */ warn_changed_key(host_key); error...

...0)) success = 1; else error_fr(r, "sshkey_write"); diff --git a/sshconnect.c b/sshconnect.c index 7cf6b6386..72bdc7d1f 100644 --- a/sshconnect.c +++ b/sshconnect.c @@ -964,7 +964,7 @@ check_host_key(char *hostname, const struct ssh_conn_info *cinfo, HostStatus host_status = -1, ip_status = -1; struct sshkey *raw_key = NULL; char *ip = NULL, *host = NULL; - char hostline[1000], *hostp, *fp, *ra; + char hostline[1000], *hostp, *fp, *cafp, *ra; char msg[1024]; const char *type, *fail_reason = NULL; const struct hostkey_entry *host_found = NULL, *ip_found = NULL; @@ -973,6 +9...

...n" "Are you sure you want to continue connecting " "(yes/no)? ", host, ip, type, fp); - xfree(fp); - if (!confirm(prompt)) { + if (!confirm(prompt, fp)) { + xfree(fp); goto fail; } + xfree(fp); } if (options.check_host_ip && ip_status == HOST_NEW) { snprintf(hostline, sizeof(hostline), "%s,%s", host, ip); @@ -815,7 +818,7 @@ goto fail; } else if (options.strict_host_key_checking == 2) { if (!confirm("Are you sure you want " - "to continue connecting (yes/no)? ")) { + &quo...

Howdy -- I have a number of servers with host keys validated by certificates. These systems are behind a load-balanced frontend, and the certificates are signed as valid for the DNS name used by that common frontend address. This works well for the primary use case of the systems; however, when wishing to address only a single unit within the pool, the certificate cannot be used to validate that

...STS + } /* end if options.hash_known_hosts */ +#endif /* * Also perform check for the ip address, skip the check if we are * localhost or the hostname was an ip address to begin with @@ -662,6 +696,10 @@ check_host_key(char *host, struct sockad if (options.check_host_ip && ip_status == HOST_NEW) { snprintf(hostline, sizeof(hostline), "%s,%s", host, ip); hostp = hostline; +#ifdef HASH_KNOWN_HOSTS + } else if (options.hash_known_hosts) { + hostp = uu; +#endif } else hostp = host;