Patch for stricthostkey and a multihop fix
Matt Johnston
matt at ucc.asn.au
Thu Apr 11 08:16:01 WST 2013
Hi,
Thanks for the patch. I think I'll change it slightly to use
"-y -y" rather than "-Y" - saves using another letter.
Cheers,
Matt
On Sun, Apr 07, 2013 at 04:03:37PM +0200, Hans Harder wrote:
> Underneath some modifications against a stock 2013.56 version
>
> - Added -Y option to completely ignore check for hostkeys
> Needed this for connections to logical hosts, same as openssh -o
> StrictHostKeychecking=no
>
> - Added -y and -Y in function multihop_passthrough_args
>
> - fix: in function multihop_passthrough_args there was no space kept
> between the -W and -i args
> so added always a space after each added arg
> after last addition the last space is removed.
>
> I am new to the dropbear sources, so perhaps I didn't see it
> correctly....if so please correct me...
> Overall nice sourcecode, very clean.
>
> Hans
> ---
> Quote: ech`echo xiun|tr nu oc|sed 'sx\([sx]\)\([xoi]\)xo un\2\1 is xg'`ol
>
>
> diff -ruBpN dropbear-2013.56/cli-kex.c work/cli-kex.c
> --- dropbear-2013.56/cli-kex.c 2013-03-21 08:29:34.000000000 -0700
> +++ work/cli-kex.c 2013-04-07 03:01:31.000000000 -0600
> @@ -217,6 +217,11 @@ static void checkhostkey(unsigned char*
> buffer * line = NULL;
> int ret;
>
> + if (!cli_opts.strict_hostkey) {
> + TRACE(("strict_hostkey disabled, ignoring hostkey check"));
> + return;
> + }
> +
> hostsfile = open_known_hosts_file(&readonly);
> if (!hostsfile) {
> ask_to_confirm(keyblob, keybloblen);
> diff -ruBpN dropbear-2013.56/cli-runopts.c work/cli-runopts.c
> --- dropbear-2013.56/cli-runopts.c 2013-03-21 08:29:34.000000000 -0700
> +++ work/cli-runopts.c 2013-04-07 03:08:59.000000000 -0600
> @@ -62,6 +62,7 @@ static void printhelp() {
> "-N Don't run a remote command\n"
> "-f Run in background after auth\n"
> "-y Always accept remote
> host key if unknown\n"
> + "-Y Always ignore the
> remote host key\n"
> "-s Request a subsystem
> (use by external sftp)\n"
> #ifdef ENABLE_CLI_PUBKEY_AUTH
> "-i <identityfile> (multiple
> allowed)\n"
> @@ -130,6 +131,7 @@ void cli_getopts(int argc, char ** argv)
> cli_opts.backgrounded = 0;
> cli_opts.wantpty = 9; /* 9 means "it hasn't been touched",
> gets set later */
> cli_opts.always_accept_key = 0;
> + cli_opts.strict_hostkey = 1;
> cli_opts.is_subsystem = 0;
> #ifdef ENABLE_CLI_PUBKEY_AUTH
> cli_opts.privkeys = list_new();
> @@ -215,6 +217,9 @@ void cli_getopts(int argc, char ** argv)
> case 'y': /* always accept the remote hostkey */
> cli_opts.always_accept_key = 1;
> break;
> + case 'Y': /* always ignore the remote hostkey */
> + cli_opts.strict_hostkey = 0;
> + break;
> case 'p': /* remoteport */
> next = &cli_opts.remoteport;
> break;
> @@ -461,20 +466,32 @@ multihop_passthrough_args() {
> int total;
> unsigned int len = 0;
> m_list_elem *iter;
> - /* Fill out -i and -W options that make sense for all
> + /* Fill out -i , -W, -y and -Y options that make sense for all
> * the intermediate processes */
> for (iter = cli_opts.privkeys->first; iter; iter = iter->next)
> {
> sign_key * key = (sign_key*)iter->item;
> len += 3 + strlen(key->filename);
> }
> - len += 20; // space for -W <size>, terminator.
> + len += 30; // space for -W <size>, terminator.
> ret = m_malloc(len);
> total = 0;
>
> + if (cli_opts.always_accept_key)
> + {
> + int written = snprintf(ret+total, len-total, "-y ");
> + total += written;
> + }
> +
> + if (cli_opts.strict_hostkey == 0)
> + {
> + int written = snprintf(ret+total, len-total, "-Y ");
> + total += written;
> + }
> +
> if (opts.recv_window != DEFAULT_RECV_WINDOW)
> {
> - int written = snprintf(ret+total, len-total, "-W %d",
> opts.recv_window);
> + int written = snprintf(ret+total, len-total, "-W %d ",
> opts.recv_window);
> total += written;
> }
>
> @@ -482,11 +499,17 @@ multihop_passthrough_args() {
> {
> sign_key * key = (sign_key*)iter->item;
> const size_t size = len - total;
> - int written = snprintf(ret+total, size, "-i %s", key->filename);
> + int written = snprintf(ret+total, size, "-i %s ",
> key->filename);
> dropbear_assert((unsigned int)written < size);
> total += written;
> }
> -
> +
> + /* if args where passed, total will be not zero, and it will
> have a space at the end, so remove that */
> + if (total) total--;
> +
> + /* make sure arg string is ended, especially if no args were passed. */
> + ret[total]='\0';
> +
> return ret;
> }
>
> diff -ruBpN dropbear-2013.56/runopts.h work/runopts.h
> --- dropbear-2013.56/runopts.h 2013-03-21 08:29:35.000000000 -0700
> +++ work/runopts.h 2013-04-07 01:55:25.000000000 -0700
> @@ -121,6 +121,7 @@ typedef struct cli_runopts {
> char *cmd;
> int wantpty;
> int always_accept_key;
> + int strict_hostkey;
> int no_cmd;
> int backgrounded;
> int is_subsystem;
More information about the Dropbear
mailing list