[PATCH] wildcard host keys

Jamie Lokier jamie at shareable.org
Thu Sep 14 23:24:53 WST 2006


I'm using dropbear on an embedded device that has to connect to a
server at an IP address that isn't known in advance, but is verifiable
with a host key.

So I added the ability to use "*" in the known_hosts file to match any
hostname/IP.  This is better than disabling host key checking
altogether, as I can still verify it's connecting to an authorized
server.

Someone else may find the patch useful.

-- Jamie


This allows the known_hosts file to use wildcard "*" to match any host.
This is used to prevent the interactive "y/n" question as long as the
host key is in the recognised list - essential for non-interactive setup
of tunnels, to IPs that aren't known when the /root directory is created.

--- dropbear-0.46/cli-kex.c.orig	2006-08-30 03:49:40.000000000 +0100
+++ dropbear-0.46/cli-kex.c	2006-08-30 03:58:54.000000000 +0100
@@ -202,6 +202,14 @@
 			break;
 		}
 
+		/* Match "*" wildcard hostname. */
+		if (line->len >= 2
+		    && strncmp("* ", buf_getptr(line, 2), 2) == 0) {
+			buf_incrpos(line, 2);
+			TRACE(("matched wildcard host"))
+			goto check_algo;
+		}
+
 		/* The line is too short to be sensible */
 		/* "30" is 'enough to hold ssh-dss plus the spaces, ie so we don't
 		 * buf_getfoo() past the end and die horribly - the base64 parsing
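Review bot: the `goto check_algo` in the new wildcard block jumps over the "line is too short to be sensible" check whose comment immediately follows it, but that check is what keeps the later `buf_getptr()` calls and the base64 parsing from running off the end of the line, and the new block only guarantees `line->len >= 2`. A known_hosts line that is just `* ` followed by little or nothing would reach `buf_getptr(line, algolen)` with fewer than `algolen` bytes left. Suggest either testing the remaining length before the jump, e.g. `if (line->len < 2 + 30) continue;` (30 being the same margin the existing check uses), or moving the wildcard test after the length check so both paths share it. It would also help to state in the description that a `*` entry pins only the key and not the peer address, since that is the intended trade-off versus disabling host key checking.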
@@ -225,6 +233,7 @@
 			continue;
 		}
 
+	check_algo:
 		if ( strncmp(buf_getptr(line, algolen), algoname, algolen) != 0) {
 			TRACE(("algo doesn't match"))
 			continue;
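Review bot: the bare `check_algo:` label gives no hint that it is entered from the wildcard branch with the buffer position already advanced past `"* "`, so a future edit that inserts another `buf_incrpos()` or `buf_getbyte()` between the hostname comparison and this point would silently be skipped on the wildcard path. Suggest a one-line comment at the label, e.g. `/* Entered via goto from the "*" wildcard match; line pos is just after the host field and its trailing space. */`, and a note in the description on how a wildcard line whose key does not match interacts with host-specific lines later in the file, since the loop continues past a non-matching key and the final mismatch-versus-not-found outcome is decided outside this hunk.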
