Patch for stricthostkey and a multihop fix

Hans Harder hans at atbas.org
Sun Apr 7 22:03:37 WST 2013


Underneath some modifications against a stock 2013.56 version

- Added -Y option to completely ignore the host key check
  Needed this for connections to logical hosts; same as openssh -o
StrictHostKeyChecking=no

- Added -y and -Y in function multihop_passthrough_args

- fix: in function multihop_passthrough_args no space was kept
between the -W and -i args,
  so a space is now always added after each appended arg;
  after the last addition the trailing space is removed.

I am new to the dropbear sources, so perhaps I didn't read it
correctly; if so, please correct me.
Overall nice source code, very clean.

Hans
---
Quote:  ech`echo xiun|tr nu oc|sed 'sx\([sx]\)\([xoi]\)xo un\2\1 is xg'`ol


diff -ruBpN dropbear-2013.56/cli-kex.c work/cli-kex.c
--- dropbear-2013.56/cli-kex.c  2013-03-21 08:29:34.000000000 -0700
+++ work/cli-kex.c      2013-04-07 03:01:31.000000000 -0600
@@ -217,6 +217,11 @@ static void checkhostkey(unsigned char*
        buffer * line = NULL;
        int ret;

+       if (!cli_opts.strict_hostkey) {
+               TRACE(("strict_hostkey disabled, ignoring hostkey check"));
+               return;
+        }
+
        hostsfile = open_known_hosts_file(&readonly);
        if (!hostsfile) {
                ask_to_confirm(keyblob, keybloblen);
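Review bot: The early return in checkhostkey() leaves the user with no visible sign that the server was not authenticated; TRACE() is compiled out of normal builds, so a session started with -Y looks identical to a verified one. A log line before the return, `dropbear_log(LOG_WARNING, "Host key checking disabled (-Y), server identity not verified");`, would make the downgrade auditable, in line with the -y path which still passes through ask_to_confirm(). The closing brace of the new block is indented with spaces while the surrounding code uses tabs. The rest of checkhostkey() lies outside the hunk.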
diff -ruBpN dropbear-2013.56/cli-runopts.c work/cli-runopts.c
--- dropbear-2013.56/cli-runopts.c      2013-03-21 08:29:34.000000000 -0700
+++ work/cli-runopts.c  2013-04-07 03:08:59.000000000 -0600
@@ -62,6 +62,7 @@ static void printhelp() {
                                        "-N    Don't run a remote command\n"
                                        "-f    Run in background after auth\n"
                                        "-y    Always accept remote
host key if unknown\n"
+                                       "-Y    Always ignore the
remote host key\n"
                                        "-s    Request a subsystem
(use by external sftp)\n"
 #ifdef ENABLE_CLI_PUBKEY_AUTH
                                        "-i <identityfile>   (multiple
allowed)\n"
@@ -130,6 +131,7 @@ void cli_getopts(int argc, char ** argv)
        cli_opts.backgrounded = 0;
        cli_opts.wantpty = 9; /* 9 means "it hasn't been touched",
gets set later */
        cli_opts.always_accept_key = 0;
+       cli_opts.strict_hostkey = 1;
        cli_opts.is_subsystem = 0;
 #ifdef ENABLE_CLI_PUBKEY_AUTH
        cli_opts.privkeys = list_new();
@@ -215,6 +217,9 @@ void cli_getopts(int argc, char ** argv)
                                case 'y': /* always accept the remote hostkey */
                                        cli_opts.always_accept_key = 1;
                                        break;
+                               case 'Y': /* always ignore the remote hostkey */
+                                       cli_opts.strict_hostkey = 0;
+                                       break;
                                case 'p': /* remoteport */
                                        next = &cli_opts.remoteport;
                                        break;
@@ -461,20 +466,32 @@ multihop_passthrough_args() {
        int total;
        unsigned int len = 0;
        m_list_elem *iter;
-       /* Fill out -i and -W options that make sense for all
+       /* Fill out -i , -W, -y and -Y options that make sense for all
         * the intermediate processes */
        for (iter = cli_opts.privkeys->first; iter; iter = iter->next)
        {
                sign_key * key = (sign_key*)iter->item;
                len += 3 + strlen(key->filename);
        }
-       len += 20; // space for -W <size>, terminator.
+       len += 30; // space for -W <size>, terminator.
        ret = m_malloc(len);
        total = 0;

+       if (cli_opts.always_accept_key)
+       {
+               int written = snprintf(ret+total, len-total, "-y ");
+               total += written;
+       }
+
+       if (cli_opts.strict_hostkey == 0)
+       {
+               int written = snprintf(ret+total, len-total, "-Y ");
+               total += written;
+       }
+
        if (opts.recv_window != DEFAULT_RECV_WINDOW)
        {
-               int written = snprintf(ret+total, len-total, "-W %d",
opts.recv_window);
+               int written = snprintf(ret+total, len-total, "-W %d ",
opts.recv_window);
                total += written;
        }
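Review bot: The new -y and -Y snprintf() calls in multihop_passthrough_args() take their result unchecked, unlike the -i loop further down which asserts `written < size`; since `len` is unsigned, a truncated write would push `total` past `len` and make `len-total` wrap on the next call. The fixed 30-byte reserve does cover "-y -Y -W <int> " plus the terminator today, but adding `dropbear_assert((unsigned int)written < len-total);` before each `total += written;` keeps the invariant explicit, and the comment on `len += 30` should name what it now reserves, e.g. `// space for -y, -Y, -W <size>, terminator.` It is also worth stating in the help text that -Y, once passed through here, disables host key verification on every intermediate hop of a multihop connection, not only the first.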

@@ -482,11 +499,17 @@ multihop_passthrough_args() {
        {
                sign_key * key = (sign_key*)iter->item;
                const size_t size = len - total;
-               int written = snprintf(ret+total, size, "-i %s", key->filename);
+               int written = snprintf(ret+total, size, "-i %s ",
key->filename);
                dropbear_assert((unsigned int)written < size);
                total += written;
        }
-
+
+       /* if args where passed, total will be not zero, and it will
have a space at the end, so remove that */
+       if (total) total--;
+
+       /* make sure arg string is ended, especially if no args were passed. */
+       ret[total]='\0';
+
        return ret;
 }
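Review bot: The comment introduced before the trailing-space removal misspells "were" and reads awkwardly; `/* if any args were added, total is non-zero and ends with a space, so drop it */` states the invariant more clearly. The `ret[total]='\0'` write stays in bounds only because every earlier snprintf() remained below `len`, which the -i loop asserts but the -y/-Y/-W writes earlier in the function do not; that earlier part of the function is outside this hunk.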

diff -ruBpN dropbear-2013.56/runopts.h work/runopts.h
--- dropbear-2013.56/runopts.h  2013-03-21 08:29:35.000000000 -0700
+++ work/runopts.h      2013-04-07 01:55:25.000000000 -0700
@@ -121,6 +121,7 @@ typedef struct cli_runopts {
        char *cmd;
        int wantpty;
        int always_accept_key;
+       int strict_hostkey;
        int no_cmd;
        int backgrounded;
        int is_subsystem;
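Review bot: The new strict_hostkey field carries no comment, and its sense is inverted relative to always_accept_key beside it (1 means checking stays on, 0 means -Y was given). A short comment avoids that confusion, e.g. `int strict_hostkey; /* 0 when -Y given: skip the known_hosts check entirely */`. The struct definition continues outside the hunk.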

