Patch for stricthostkey and a multihop fix

Matt Johnston matt at ucc.asn.au
Thu Apr 11 08:16:01 WST 2013


Hi,

Thanks for the patch. I think I'll change it slightly to use
"-y -y" rather than "-Y" - saves using another letter.

Cheers,
Matt

On Sun, Apr 07, 2013 at 04:03:37PM +0200, Hans Harder wrote:
> Underneath some modifications against a stock 2013.56 version
> 
> - Added -Y option to completely ignore check for hostkeys
>   Needed this for connections to logical hosts, same as openssh -o
> StrictHostKeyChecking=no
> 
> - Added -y and -Y in function multihop_passthrough_args
> 
> - fix: in function multihop_passthrough_args there was no space kept
> between the -W and -i args
>   so added always a space after each added arg
>   after last addition the last space is removed.
> 
> I am new to the dropbear sources, so perhaps I didn't see it
> correctly....if so please correct me...
> Overall nice sourcecode, very clean.
> 
> Hans
> ---
> Quote:  ech`echo xiun|tr nu oc|sed 'sx\([sx]\)\([xoi]\)xo un\2\1 is xg'`ol
> 
> 
> diff -ruBpN dropbear-2013.56/cli-kex.c work/cli-kex.c
> --- dropbear-2013.56/cli-kex.c  2013-03-21 08:29:34.000000000 -0700
> +++ work/cli-kex.c      2013-04-07 03:01:31.000000000 -0600
> @@ -217,6 +217,11 @@ static void checkhostkey(unsigned char*
>         buffer * line = NULL;
>         int ret;
> 
> +       if (!cli_opts.strict_hostkey) {
> +               TRACE(("strict_hostkey disabled, ignoring hostkey check"));
> +               return;
> +        }
> +
>         hostsfile = open_known_hosts_file(&readonly);
>         if (!hostsfile) {
>                 ask_to_confirm(keyblob, keybloblen);
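Review bot: The early return added at the top of checkhostkey skips the known_hosts lookup entirely, so under -Y a host key that differs from one previously recorded for that host, the classic sign of an active man-in-the-middle, is accepted with nothing shown to the user (TRACE looks like debug tracing, not a warning). That is looser than the OpenSSH `StrictHostKeyChecking=no` the description compares it to, which still consults known_hosts and warns loudly on a mismatch. The bypass should at least be announced on the client's normal warning path every time it is taken, with a comment such as `/* -Y: host key verification disabled, no protection against MITM */` next to it, and ideally the check should sit after the known_hosts comparison so a changed key still produces the warning. The closing brace of the new block is indented with spaces while the surrounding lines use tabs. checkhostkey continues past the hunk.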
> diff -ruBpN dropbear-2013.56/cli-runopts.c work/cli-runopts.c
> --- dropbear-2013.56/cli-runopts.c      2013-03-21 08:29:34.000000000 -0700
> +++ work/cli-runopts.c  2013-04-07 03:08:59.000000000 -0600
> @@ -62,6 +62,7 @@ static void printhelp() {
>                                         "-N    Don't run a remote command\n"
>                                         "-f    Run in background after auth\n"
>                                         "-y    Always accept remote
> host key if unknown\n"
> +                                       "-Y    Always ignore the
> remote host key\n"
>                                         "-s    Request a subsystem
> (use by external sftp)\n"
>  #ifdef ENABLE_CLI_PUBKEY_AUTH
>                                         "-i <identityfile>   (multiple
> allowed)\n"
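Review bot: The help text for the new flag says `Always ignore the remote host key` without telling the user that this removes man-in-the-middle protection, which is exactly what someone choosing between -y and -Y needs to know; `"-Y    Ignore the remote host key entirely (no MITM protection)\n"` would make the trade-off explicit. The same wording applies if the option ends up as `-y -y` as the reply proposes. printhelp continues outside the hunk.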
> @@ -130,6 +131,7 @@ void cli_getopts(int argc, char ** argv)
>         cli_opts.backgrounded = 0;
>         cli_opts.wantpty = 9; /* 9 means "it hasn't been touched",
> gets set later */
>         cli_opts.always_accept_key = 0;
> +       cli_opts.strict_hostkey = 1;
>         cli_opts.is_subsystem = 0;
>  #ifdef ENABLE_CLI_PUBKEY_AUTH
>         cli_opts.privkeys = list_new();
> @@ -215,6 +217,9 @@ void cli_getopts(int argc, char ** argv)
>                                 case 'y': /* always accept the remote hostkey */
>                                         cli_opts.always_accept_key = 1;
>                                         break;
> +                               case 'Y': /* always ignore the remote hostkey */
> +                                       cli_opts.strict_hostkey = 0;
> +                                       break;
>                                 case 'p': /* remoteport */
>                                         next = &cli_opts.remoteport;
>                                         break;
> @@ -461,20 +466,32 @@ multihop_passthrough_args() {
>         int total;
>         unsigned int len = 0;
>         m_list_elem *iter;
> -       /* Fill out -i and -W options that make sense for all
> +       /* Fill out -i , -W, -y and -Y options that make sense for all
>          * the intermediate processes */
>         for (iter = cli_opts.privkeys->first; iter; iter = iter->next)
>         {
>                 sign_key * key = (sign_key*)iter->item;
>                 len += 3 + strlen(key->filename);
>         }
> -       len += 20; // space for -W <size>, terminator.
> +       len += 30; // space for -W <size>, terminator.
>         ret = m_malloc(len);
>         total = 0;
> 
> +       if (cli_opts.always_accept_key)
> +       {
> +               int written = snprintf(ret+total, len-total, "-y ");
> +               total += written;
> +       }
> +
> +       if (cli_opts.strict_hostkey == 0)
> +       {
> +               int written = snprintf(ret+total, len-total, "-Y ");
> +               total += written;
> +       }
> +
>         if (opts.recv_window != DEFAULT_RECV_WINDOW)
>         {
> -               int written = snprintf(ret+total, len-total, "-W %d",
> opts.recv_window);
> +               int written = snprintf(ret+total, len-total, "-W %d ",
> opts.recv_window);
>                 total += written;
>         }
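Review bot: The per-key size estimate on the context line `len += 3 + strlen(key->filename);` no longer matches what the -i loop writes: with the format changed to `"-i %s "` each identity now costs 4 + strlen bytes, so every key consumes one byte of the fixed 30-byte slack that also has to cover `-y `, `-Y ` and `-W <int> ` (up to 21 bytes plus the terminator). With enough identities the `dropbear_assert((unsigned int)written < size)` in the -i loop fires and aborts the client; change the estimate to `len += 4 + strlen(key->filename);` and give the 30 a comment naming what it covers. The two new snprintf calls for -y and -Y (and the pre-existing -W one) add their return value to total unchecked; since snprintf returns the would-be length on truncation, total can exceed len and `len-total` then wraps as unsigned, so the same assert belongs after each of those writes, not only in the -i loop. multihop_passthrough_args continues past the hunk.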
> 
> @@ -482,11 +499,17 @@ multihop_passthrough_args() {
>         {
>                 sign_key * key = (sign_key*)iter->item;
>                 const size_t size = len - total;
> -               int written = snprintf(ret+total, size, "-i %s", key->filename);
> +               int written = snprintf(ret+total, size, "-i %s ",
> key->filename);
>                 dropbear_assert((unsigned int)written < size);
>                 total += written;
>         }
> -
> +
> +       /* if args where passed, total will be not zero, and it will
> have a space at the end, so remove that */
> +       if (total) total--;
> +
> +       /* make sure arg string is ended, especially if no args were passed. */
> +       ret[total]='\0';
> +
>         return ret;
>  }
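Review bot: The final `ret[total]='\0';` after `if (total) total--;` is only safe if every snprintf before it fit the buffer; the -i loop guarantees that via its assert, but the -y/-Y/-W writes earlier in the function (outside this hunk) add snprintf's return value to total without a check, so after truncation total can already exceed len and this store lands past the allocation. Asserting `dropbear_assert((unsigned int)total < len);` immediately before the terminator write closes that gap independently of how the earlier writes are guarded. The comment above it has a typo, `args where passed` should read `args were passed`. The start of multihop_passthrough_args is outside the hunk.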
> 
> diff -ruBpN dropbear-2013.56/runopts.h work/runopts.h
> --- dropbear-2013.56/runopts.h  2013-03-21 08:29:35.000000000 -0700
> +++ work/runopts.h      2013-04-07 01:55:25.000000000 -0700
> @@ -121,6 +121,7 @@ typedef struct cli_runopts {
>         char *cmd;
>         int wantpty;
>         int always_accept_key;
> +       int strict_hostkey;
>         int no_cmd;
>         int backgrounded;
>         int is_subsystem;
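Review bot: The new `strict_hostkey` field is undocumented and has the opposite polarity of its neighbour `always_accept_key` (1 here means checking stays on, whereas 1 there relaxes it), which is easy to misread at the use sites; a trailing comment such as `int strict_hostkey; /* 0 = skip host key verification entirely (-Y); default 1 */` would make the meaning and default explicit. The struct definition continues outside the hunk.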

