Found 3528 results in 62 files, showing top 50 files (show more).
android.googlesource.com/platform/external/openssh:hostfile.h: [ master, ]
26: 	char *host;
18: 	HOST_OK, HOST_NEW, HOST_CHANGED, HOST_REVOKED, HOST_FOUND
51: #define HASH_MAGIC	"|1|"
52: #define HASH_DELIM	'|'
72: #define HKF_MATCH_HOST		(1)	/* hostname matched */
15: #define HOSTFILE_H
19: }       HostStatus;
23: }	HostkeyMarker;
25: struct hostkey_entry {
83: struct hostkey_foreach_line {
90: 	const char *hosts; /* Raw hosts text, may be hashed or list multiple */
74: #define HKF_MATCH_HOST_HASHED	(1<<2)	/* hostname was hashed */
75: #define HKF_MATCH_IP_HASHED	(1<<3)	/* address was hashed */
44: int	 add_host_to_hostfile(const char *, const char *,
48:     const char *host, const char *ip, struct sshkey **keys, size_t nkeys,
49:     int store_hash, int quiet, int hash_alg);
57: char	*host_hash(const char *, const char *, u_int);
67: #define HKF_STATUS_OK		0	/* Line parsed, didn't match host */
93: 	struct sshkey *key; /* Key, if parsed ok and HKF_WANT_MATCH_HOST set */
106:     const char *host, const char *ip, u_int options);
1: /* $OpenBSD: hostfile.h,v 1.24 2015/02/16 22:08:57 djm Exp $ */
14: #ifndef HOSTFILE_H
30: 	HostkeyMarker marker;
32: struct hostkeys;
34: struct hostkeys *init_hostkeys(void);
35: void	 load_hostkeys(struct hostkeys *, const char *, const char *);
36: void	 free_hostkeys(struct hostkeys *);
38: HostStatus check_key_in_hostkeys(struct hostkeys *, struct sshkey *,
39:     const struct hostkey_entry **);
40: int	 lookup_key_in_hostkeys_by_type(struct hostkeys *, int,
41:     const struct hostkey_entry **);
43: int	 hostfile_read_key(char **, u_int *, struct sshkey *);
47: int	 hostfile_replace_entries(const char *filename,
60:  * Iterate through a hostkeys file, optionally parsing keys and matching
61:  * hostnames. Allows access to the raw keyfile lines to allow
64: #define HKF_WANT_MATCH		(1)	/* return only matching hosts/addrs */
70: #define HKF_STATUS_MATCHED	3	/* hostname or IP matched */
80:  * hostkey line. The callback may "steal" the 'key' field by setting it to NULL.
81:  * If a parse error occurred, then "hosts" and subsequent options may be NULL.
102: typedef int hostkeys_foreach_fn(struct hostkey_foreach_line *l, void *ctx);
104: /* Iterate over a hostkeys file */
105: int hostkeys_foreach(const char *path, hostkeys_foreach_fn *callback, void *ctx,
android.googlesource.com/platform/external/openssh:hostfile.c: [ master, ]
232: 	const char *host;
467: 	const char *host;
120: host_hash(const char *host, const char *name_from_hostfile, u_int src_len)
464: struct host_delete_ctx {
475: host_delete(struct hostkey_foreach_line *l, void *_ctx)
65: struct hostkeys {
164: hostfile_read_key(char **cpp, u_int *bitsp, struct sshkey *ret)
234: 	struct hostkeys *hostkeys;
531: hostfile_replace_entries(const char *filename, const char *host, const char *ip,
669: hostkeys_foreach(const char *path, hostkeys_foreach_fn *callback, void *ctx,
418: write_host_entry(FILE *f, const char *host, const char *ip,
448: add_host_to_hostfile(const char *filename, const char *host,
223: init_hostkeys(void)
238: record_hostkey(struct hostkey_foreach_line *l, void *_ctx)
271: load_hostkeys(struct hostkeys *hostkeys, const char *host, const char *path)
292: free_hostkeys(struct hostkeys *hostkeys)
342: check_hostkeys_by_key_or_type(struct hostkeys *hostkeys,
401: check_key_in_hostkeys(struct hostkeys *hostkeys, struct sshkey *key,
410: lookup_key_in_hostkeys_by_type(struct hostkeys *hostkeys, int keytype,
651: match_maybe_hashed(const char *host, const char *names, int *was_hashed)
79: 	if (l < sizeof(HASH_MAGIC) - 1) {
83: 	if (strncmp(s, HASH_MAGIC, sizeof(HASH_MAGIC) - 1) != 0) {
87: 	s += sizeof(HASH_MAGIC) - 1;
88: 	l -= sizeof(HASH_MAGIC) - 1;
89: 	if ((p = memchr(s, HASH_DELIM, l)) == NULL) {
135: 		/* Extract salt from known host entry */
143: 	    ssh_hmac_update(ctx, host, strlen(host)) < 0 ||
152: 	snprintf(encoded, sizeof(encoded), "%s%s%c%s", HASH_MAGIC, uu_salt,
153: 	    HASH_DELIM, uu_result);
258: 	hostkeys->entries[hostkeys->num_entries].host = xstrdup(ctx->host);
276: 	ctx.host = host;
280: 	if ((r = hostkeys_foreach(path, record_hostkey, &ctx, host, NULL,
288: 		    ctx.num_loaded, host);
297: 		free(hostkeys->entries[i].host);
330:  * HOST_FOUND, otherwise HOST_NEW.
333:  *  1. If the key is a cert and a matching CA is found, return HOST_OK
334:  *  2. If the key is not a cert and a matching key is found, return HOST_OK
336:  *     return HOST_CHANGED
337:  *  4. If no matching keys are found, then return HOST_NEW.
346: 	HostStatus end_return = HOST_NEW;
364: 			end_return = HOST_FOUND;
374: 				end_return = HOST_OK;
381: 				end_return = HOST_OK;
387: 			end_return = HOST_CHANGED;
393: 		end_return = HOST_REVOKED;
414: 	    found) == HOST_FOUND);
419:     const struct sshkey *key, int store_hash)
422: 	char *hashed_host = NULL;
424: 	if (store_hash) {
425: 		if ((hashed_host = host_hash(host, NULL, 0)) == NULL) {
426: 			error("%s: host_hash failed", __func__);
429: 		fprintf(f, "%s ", hashed_host);
431: 		fprintf(f, "%s,%s ", host, ip);
433: 		fprintf(f, "%s ", host);
444:  * Appends an entry to the host file.  Returns false if the entry could not
449:     const struct sshkey *key, int store_hash)
459: 	success = write_host_entry(f, host, NULL, key, store_hash);
468: 	int *skip_keys; /* XXX split for host/ip? might want to ensure both */
477: 	struct host_delete_ctx *ctx = (struct host_delete_ctx *)_ctx;
514: 		do_log2(loglevel, "%s%s%s:%ld: Removed %s key for host %s",
516: 		    l->path, l->linenum, sshkey_type(l->key), ctx->host);
532:     struct sshkey **keys, size_t nkeys, int store_hash, int quiet, int hash_alg)
536: 	struct host_delete_ctx ctx;
544: 	ctx.host = host;
575: 	/* Remove all entries for the specified host from the file */
576: 	if ((r = hostkeys_foreach(filename, host_delete, &ctx, host, ip,
586: 		if ((fp = sshkey_fingerprint(keys[i], hash_alg,
592: 		    quiet ? __func__ : "", quiet ? ": " : "", host, filename,
595: 		if (!write_host_entry(ctx.out, host, ip, keys[i], store_hash)) {
653: 	int hashed = *names == HASH_DELIM;
654: 	const char *hashed_host;
660: 		if ((hashed_host = host_hash(host, names, nlen)) == NULL)
662: 		return nlen == strlen(hashed_host) &&
663: 		    strncmp(hashed_host, names, nlen) == 0;
665: 	return match_hostname(host, names, nlen) == 1;
670:     const char *host, const char *ip, u_int options)
683: 	if (host == NULL && (options & HKF_WANT_MATCH) != 0)
722: 		/* Find the end of the host name portion. */
728: 		/* Check if the host name matches. */
729: 		if (host != NULL) {
730: 			if ((s = match_maybe_hashed(host, lineinfo.hosts,
732: 				debug2("%s: %s:%ld: bad host hash \"%.32s\"",
738: 				lineinfo.match |= HKF_MATCH_HOST |
739: 				    (hashed ? HKF_MATCH_HOST_HASHED : 0);
745: 					debug2("%s: %s:%ld: bad ip hash "
757: 			 * Skip this line if host matching requested and
758: 			 * neither host nor address matched.
765: 		/* Got a match.  Skip host name and any following whitespace */
1: /* $OpenBSD: hostfile.c,v 1.64 2015/02/16 22:08:57 djm Exp $ */
6:  * Functions for manipulating the known hosts files.
58: #include "hostfile.h"
66: 	struct hostkey_entry *entries;
130: 	if (name_from_hostfile == NULL) {
136: 		if (extract_salt(name_from_hostfile, src_len, salt,
187: static HostkeyMarker
222: struct hostkeys *
225: 	struct hostkeys *ret = xcalloc(1, sizeof(*ret));
241: 	struct hostkeys *hostkeys = ctx->hostkeys;
242: 	struct hostkey_entry *tmp;
245: 		error("%s:%ld: parse error in hostkeys file",
254: 	if ((tmp = reallocarray(hostkeys->entries,
255: 	    hostkeys->num_entries + 1, sizeof(*hostkeys->entries))) == NULL)
257: 	hostkeys->entries = tmp;
259: 	hostkeys->entries[hostkeys->num_entries].file = xstrdup(l->path);
260: 	hostkeys->entries[hostkeys->num_entries].line = l->linenum;
261: 	hostkeys->entries[hostkeys->num_entries].key = l->key;
263: 	hostkeys->entries[hostkeys->num_entries].marker = l->marker;
264: 	hostkeys->num_entries++;
278: 	ctx.hostkeys = hostkeys;
283: 			debug("%s: hostkeys_foreach failed for %s: %s",
296: 	for (i = 0; i < hostkeys->num_entries; i++) {
298: 		free(hostkeys->entries[i].file);
299: 		sshkey_free(hostkeys->entries[i].key);
300: 		explicit_bzero(hostkeys->entries + i, sizeof(*hostkeys->entries));
302: 	free(hostkeys->entries);
303: 	explicit_bzero(hostkeys, sizeof(*hostkeys));
304: 	free(hostkeys);
308: check_key_not_revoked(struct hostkeys *hostkeys, struct sshkey *k)
313: 	for (i = 0; i < hostkeys->num_entries; i++) {
314: 		if (hostkeys->entries[i].marker != MRK_REVOKE)
316: 		if (sshkey_equal_public(k, hostkeys->entries[i].key))
320: 		    hostkeys->entries[i].key))
341: static HostStatus
343:     struct sshkey *k, int keytype, const struct hostkey_entry **found)
348: 	HostkeyMarker want_marker = want_cert ? MRK_CA : MRK_NONE;
354: 	for (i = 0; i < hostkeys->num_entries; i++) {
355: 		if (proto == 1 && hostkeys->entries[i].key->type != KEY_RSA1)
357: 		if (proto == 2 && hostkeys->entries[i].key->type == KEY_RSA1)
359: 		if (hostkeys->entries[i].marker != want_marker)
362: 			if (hostkeys->entries[i].key->type != keytype)
366: 				*found = hostkeys->entries + i;
367: 			k = hostkeys->entries[i].key;
372: 			    hostkeys->entries[i].key)) {
376: 					*found = hostkeys->entries + i;
380: 			if (sshkey_equal(k, hostkeys->entries[i].key)) {
383: 					*found = hostkeys->entries + i;
389: 				*found = hostkeys->entries + i;
392: 	if (check_key_not_revoked(hostkeys, k) != 0) {
400: HostStatus
402:     const struct hostkey_entry **found)
406: 	return check_hostkeys_by_key_or_type(hostkeys, key, 0, found);
411:     const struct hostkey_entry **found)
413: 	return (check_hostkeys_by_key_or_type(hostkeys, NULL, keytype,
511: 		 * Hostname matches and has no CA/revoke marker, delete it
520: 	/* Retain non-matching hosts and invalid lines when deleting */
522: 		do_log2(loglevel, "%s%s%s:%ld: invalid known_hosts entry",
578: 		error("%s: hostkeys_foreach failed: %s", __func__, ssh_err(r));
657: 	if (was_hashed != NULL)
658: 		*was_hashed = hashed;
659: 	if (hashed) {
677: 	int hashed;
679: 	struct hostkey_foreach_line lineinfo;
725: 		lineinfo.hosts = cp;
731: 			    &hashed)) == -1) {
733: 				    __func__, path, linenum, lineinfo.hosts);
743: 				if ((s = match_maybe_hashed(ip, lineinfo.hosts,
744: 				    &hashed)) == -1) {
747: 					    linenum, lineinfo.hosts);
753: 					    (hashed ? HKF_MATCH_IP_HASHED : 0);
786: 			if (!hostfile_read_key(&cp, &kbits, lineinfo.key)) {
795: 				if (!hostfile_read_key(&cp, &kbits,
android.googlesource.com/platform/external/openssh:servconf.h: [ master, ]
197: 	const char *host;	/* possibly resolved hostname */
64: 	char   *host_key_files[MAX_HOSTKEYS];	/* Files containing host keys. */
66: 	char   *host_cert_files[MAX_HOSTCERTS];	/* Files containing host certs. */
68: 	char   *host_key_agent;		 /* ssh-agent socket for host keys. */
191: 	int	fingerprint_hash;
83: 	int     x11_use_localhost;	/* If true, use localhost for fake X11 server. */
100: 	int     hostbased_authentication;	/* If true, permit ssh2 hostbased auth */
101: 	int     hostbased_uses_name_from_packet_only; /* experimental */
102: 	char   *hostbased_key_types;	/* Key types allowed for hostbased */
65: 	int     num_host_key_files;     /* Number of files for host keys. */
67: 	int     num_host_cert_files;     /* Number of files for host certs. */
26: #define MAX_HOSTKEYS		256	/* Max # hostkeys. */
27: #define MAX_HOSTCERTS		256	/* Max # host certificates. */
76: 	int     ignore_user_known_hosts;	/* Ignore ~/.ssh/known_hosts
75: 	int     ignore_rhosts;	/* Ignore .rhosts and .shosts. */
98: 	int     rhosts_rsa_authentication;	/* If true, permit rhosts RSA
220: 		M_CP_STROPT(hostbased_key_types); \
77: 						 * for RhostsRsaAuth */
android.googlesource.com/platform/external/openssh:ssh-keygen.c: [ master, ]
1042: 	const char *host;	/* Hostname searched for in find/delete case */
84: int hash_hosts = 0;
86: int find_host = 0;
88: int delete_host = 0;
98: int fingerprint_hash = SSH_FP_HASH_DEFAULT;
1050: known_hosts_hash(struct hostkey_foreach_line *l, void *_ctx)
175: char hostname[NI_MAXHOST];
944: do_gen_all_hostkeys(struct passwd *pw)
1041: struct known_hosts_ctx {
1100: known_hosts_find_delete(struct hostkey_foreach_line *l, void *_ctx)
1148: do_known_hosts(struct passwd *pw, const char *name)
1044: 	int has_unhashed;	/* When hashing, original had unhashed hosts */
6:  * Identity and host key generation and maintenance.
83: /* Flag indicating that we want to hash a known_hosts file */
85: /* Flag indicating that we want lookup a host in known_hosts file */
87: /* Flag indicating that we want to delete a host from a known_hosts file */
97: /* Hash algorithm to use for fingerprints. */
792: 	fptype = print_bubblebabble ? SSH_DIGEST_SHA1 : fingerprint_hash;
802: 			ra = sshkey_fingerprint(keys[i], fingerprint_hash,
837: 	fptype = print_bubblebabble ? SSH_DIGEST_SHA1 : fingerprint_hash;
850: 		ra = sshkey_fingerprint(public, fingerprint_hash,
921: 		ra = sshkey_fingerprint(public, fingerprint_hash,
951: 		{ "rsa1", "RSA1", _PATH_HOST_KEY_FILE },
952: 		{ "rsa", "RSA" ,_PATH_HOST_RSA_KEY_FILE },
953: 		{ "dsa", "DSA", _PATH_HOST_DSA_KEY_FILE },
955: 		{ "ecdsa", "ECDSA",_PATH_HOST_ECDSA_KEY_FILE },
957: 		{ "ed25519", "ED25519",_PATH_HOST_ED25519_KEY_FILE },
980: 			printf("%s: generating new host keys: ", __progname);
1045: 	int found_key;		/* For find/delete, host was found */
1060: 		 * Don't hash hosts already already hashed, with wildcard
1063: 		if ((l->match & HKF_MATCH_HOST_HASHED) != 0 ||
1066: 			if (has_wild && !find_host) {
1067: 				fprintf(stderr, "%s:%ld: ignoring host name "
1074: 		 * Split any comma-separated hostnames from the host list,
1075: 		 * hash and store separately.
1079: 			if ((hashed = host_hash(cp, NULL, 0)) == NULL)
1080: 				fatal("hash_host failed");
1105: 		if (delete_host) {
1117: 					printf("# Host %s found: line %ld\n",
1118: 					    ctx->host, l->linenum);
1121: 		} else if (find_host) {
1124: 				printf("# Host %s found: line %ld %s\n",
1125: 				    ctx->host,
1129: 			if (hash_hosts)
1130: 				known_hosts_hash(l, ctx);
1135: 	} else if (delete_host) {
1165: 	ctx.host = name;
1168: 	 * Find hosts goes to stdout, hash and deletions happen in-place
1171: 	if (!find_host && (hash_hosts || delete_host)) {
1190: 	    hash_hosts ? known_hosts_hash : known_hosts_find_delete, &ctx,
1191: 	    name, NULL, find_host ? HKF_WANT_MATCH : 0)) != 0)
1206: 	} else if (delete_host && !ctx.found_key) {
1207: 		fprintf(stderr, "Host %s not found in %s\n",
1236: 	exit (find_host && !ctx.found_key);
1917: 	key_fp = sshkey_fingerprint(key, fingerprint_hash, SSH_FP_DEFAULT);
1919: 	    fingerprint_hash, SSH_FP_DEFAULT);
2208: 	    "       ssh-keygen -l [-v] [-E fingerprint_hash] [-f input_keyfile]\n"
2294: 			fingerprint_hash = ssh_digest_alg_by_name(optarg);
2295: 			if (fingerprint_hash == -1)
2296: 				fatal("Invalid hash algorithm \"%s\"", optarg);
2299: 			find_host = 1;
2303: 			hash_hosts = 1;
2315: 			delete_host = 1;
2390: 			cert_key_type = SSH2_CERT_TYPE_HOST;
2505: 	if (print_fingerprint && (delete_host || hash_hosts)) {
2524: 	if (delete_host || hash_hosts || find_host)
2556: 			    _PATH_HOST_RSA_KEY_FILE, rr_hostname);
2558: 			    _PATH_HOST_DSA_KEY_FILE, rr_hostname);
2560: 			    _PATH_HOST_ECDSA_KEY_FILE, rr_hostname);
2562: 			    _PATH_HOST_ED25519_KEY_FILE, rr_hostname);
2733: 		fp = sshkey_fingerprint(public, fingerprint_hash,
2735: 		ra = sshkey_fingerprint(public, fingerprint_hash,
51: #include "hostfile.h"
323: 	    pw->pw_name, hostname);
997: 		    hostname);
1043: 	FILE *out;		/* Output file, stdout for find_hosts case */
1052: 	struct known_hosts_ctx *ctx = (struct known_hosts_ctx *)_ctx;
1053: 	char *hashed, *cp, *hosts, *ohosts;
1054: 	int has_wild = l->hosts && strcspn(l->hosts, "*?!") != strlen(l->hosts);
1069: 				    l->linenum, l->hosts);
1077: 		ohosts = hosts = xstrdup(l->hosts);
1078: 		while ((cp = strsep(&hosts, ",")) != NULL && *cp != '\0') {
1081: 			fprintf(ctx->out, "%s %s\n", hashed, l->rawkey);
1102: 	struct known_hosts_ctx *ctx = (struct known_hosts_ctx *)_ctx;
1111: 				 * Hostname matches and has no CA/revoke
1136: 		/* Retain non-matching hosts when deleting */
1152: 	struct known_hosts_ctx ctx;
1155: 		cp = tilde_expand_filename(_PATH_SSH_USER_HOSTFILE, pw->pw_uid);
1158: 			fatal("Specified known hosts path too long");
1176: 			fatal("known_hosts path too long");
1189: 	if ((r = hostkeys_foreach(identity_file,
1192: 		fatal("%s: hostkeys_foreach failed: %s", __func__, ssh_err(r));
1198: 		fprintf(stderr, "%s is not a valid known_hosts file.\n",
1201: 			fprintf(stderr, "Not replacing existing known_hosts "
1232: 			    "of hostnames\n");
1773: 		 * Backdate certificate one minute to avoid problems on hosts
2215: 	    "       ssh-keygen -F hostname [-f known_hosts_file] [-l]\n"
2216: 	    "       ssh-keygen -H [-f known_hosts_file]\n"
2217: 	    "       ssh-keygen -R hostname [-f known_hosts_file]\n"
2218: 	    "       ssh-keygen -r hostname [-f input_keyfile] [-g]\n"
2240: 	char out_file[PATH_MAX], *rr_hostname = NULL, *ep, *fp, *ra;
2247: 	int gen_all_hostkeys = 0, gen_krl = 0, update_krl = 0, check_krl = 0;
2274: 	if (gethostname(hostname, sizeof(hostname)) < 0) {
2285: 			gen_all_hostkeys = 1;
2300: 			rr_hostname = optarg;
2316: 			rr_hostname = optarg;
2426: 			rr_hostname = optarg;
2525: 		do_known_hosts(pw, rr_hostname);
2542: 	if (rr_hostname != NULL) {
2547: 			    identity_file, rr_hostname);
2609: 	if (gen_all_hostkeys) {
2610: 		do_gen_all_hostkeys(pw);
2694: 		snprintf(comment, sizeof comment, "%s@%s", pw->pw_name, hostname);
1082: 			ctx->has_unhashed = 1;
1084: 		free(ohosts);
1228: 		if (ctx.has_unhashed) {
1229: 			fprintf(stderr, "WARNING: %s contains unhashed "
2275: 		perror("gethostname");
android.googlesource.com/platform/external/openssh:umac.c: [ master, ]
778:     nh_ctx hash;                          /* Hash context for L1 NH hash  */
1185:     uhash_ctx hash;          /* Hash function for message compression    */
320: #define HASH_BUF_BYTES       64     /* nh_aux_hb buffer multiple          */
834: static void poly_hash(uhash_ctx_t hc, UINT32 data_in[])
326:     int bytes_hashed;        /* Bytes (out of L1_KEY_LEN) incorperated.   */
777: typedef struct uhash_ctx {
785: } uhash_ctx;
786: typedef struct uhash_ctx *uhash_ctx_t;
936: static int uhash_reset(uhash_ctx_t pc)
960: static void uhash_init(uhash_ctx_t ahc, aes_int_key prf_key)
1047: static int uhash_update(uhash_ctx_t ctx, const u_char *input, long len)
1103: static int uhash_final(uhash_ctx_t ctx, u_char *res)
110: /* be set true if the host computer is little-endian.                     */
285: /* ----- Begin NH Hash Section ------------------------------------------ */
289: /* The NH-based hash functions used in UMAC are described in the UMAC paper
293:  * in a single buffer and returns the hash result immediately. The second
297:  * hash, the client calls nh_final() which calculates the hash output.    
298:  * Before beginning another hash calculation the nh_reset() routine       
303:  * responsability to pass no more than L1_KEY_LEN bytes per hash result.            
315: #define STREAMS (UMAC_OUTPUT_LEN / 4) /* Number of times hash is applied  */
324:     UINT8  data   [HASH_BUF_BYTES];    /* Incoming data buffer           */
334: /* NH hashing primitive. Previous (partial) hash result is loaded and     
370:  * reading and writing 16 bytes of hash-state per call.
417:  * reading and writing 24 bytes of hash-state per call.
472:  * reading and writing 24 bytes of hash-state per call.
540: /* This function is a wrapper for the primitive NH hash functions. It takes
541:  * as argument "hc" the current hash context and a buffer which must be a
616: /* even multiple of HASH_BUF_BYTES.                                       */
621:     if ((j + nbytes) >= HASH_BUF_BYTES) {
623:             i = HASH_BUF_BYTES - j;
625:             nh_transform(hc,hc->data,HASH_BUF_BYTES);
628:             hc->bytes_hashed += HASH_BUF_BYTES;
630:         if (nbytes >= HASH_BUF_BYTES) {
631:             i = nbytes & ~(HASH_BUF_BYTES - 1);
671:  * into an NH context, nh_final is called to produce a hash result. If any
718:     /* Initialize the hash state */
742:  * hashed by NH. The NH output is then hashed by a polynomial-hash layer
744:  * layer, an inner-product hash is used to produce the final UHASH output.
766: /* ----- Poly hash and Inner-Product hash Constants --------------------- */
780:     UINT64 poly_accum[STREAMS];           /* poly hash result             */
795:  * be within Z_p32 and Z_p64, but the Inner-Product hash implementation
828: /* Although UMAC is specified to use a ramped polynomial hash scheme, this
831:  * 2^14 poly_hash() invocations per stream (for a total capacity of 2^24
856: /* The final step in UHASH is an inner-product hash. The poly hash
858:  * product hash breaks the polyhash output into 16-bit chunks and
935: /* Reset uhash context for next hash session */
938:     nh_reset(&pc->hash);
968:     /* Initialize the L1 hash */
969:     nh_init(&ahc->hash, prf_key);
971:     /* Setup L2 hash variables */
985:     /* Setup L3-1 hash variables */
995:     /* Setup L3-2 hash variables    */
1049:  * hash each one with NH, calling the polyhash on each NH output.
1057:         nh_update(&ctx->hash, (const UINT8 *)input, len);
1067:              /* If some bytes have been passed to the hash function      */
1072:                  nh_update(&ctx->hash, (const UINT8 *)input, bytes_remaining);
1073:                  nh_final(&ctx->hash, nh_result);
1075:                  poly_hash(ctx,(UINT32 *)nh_result);
1080:              /* Hash directly from input stream if enough bytes */
1082:                  nh(&ctx->hash, (const UINT8 *)input, L1_KEY_LEN,
1087:                  poly_hash(ctx,(UINT32 *)nh_result);
1093:              nh_update(&ctx->hash, (const UINT8 *)input, len);
1111:             nh_final(&ctx->hash, nh_result);
1112:             poly_hash(ctx,(UINT32 *)nh_result);
1116:         nh_final(&ctx->hash, nh_result);
1134:     /* If the message to be hashed is no longer than L1_HASH_LEN, we skip
1144:         nh(&ahc->hash, (UINT8 *)msg, nh_len, len, nh_result);
1147:         /* Otherwise, we hash each L1_KEY_LEN chunk with NH, passing the NH
1148:          * output to poly_hash().
1151:             nh(&ahc->hash, (UINT8 *)msg, L1_KEY_LEN, L1_KEY_LEN, nh_result);
1152:             poly_hash(ahc,(UINT32 *)nh_result);
1160:             nh(&ahc->hash, (UINT8 *)msg, nh_len, len, nh_result);
1161:             poly_hash(ahc,(UINT32 *)nh_result);
1194: /* Reset the hash function to begin a new authentication.        */
1196:     uhash_reset(&ctx->hash);
1235:         uhash_init(&ctx->hash, prf_key);
1246:     uhash_final(&ctx->hash, (u_char *)tag);
1256: /* hash each one, calling the PDF on the hashed output whenever the hash- */
1259:     uhash_update(&ctx->hash, input, len);
1271:     uhash(&ctx->hash, input, len, (u_char *)tag);
214: /* The final UHASH result is XOR'd with the output of a pseudorandom
292:  * versions, one expects the entire message being hashed to be passed
309:  /* The "nh_aux" routines do the actual NH hashing work. They
543:  * appropriately according to how much message has been hashed already.
548:     key = hc->nh_key + hc->bytes_hashed;
557: /* compensate for the lack of big-endian memory reads during hashing.     */
585: /* Reset nh_ctx to ready for hashing of new data */
587:     hc->bytes_hashed = 0;
605: /* Generate nh_key, endian convert and reset to be ready for hashing.   */
635:             hc->bytes_hashed += i;
674:  * of bits hashed. The resulting numbers are written to the buffer "result".
686:         hc->bytes_hashed += hc->next_data_empty;
687:     } else if (hc->bytes_hashed == 0) {
693:     nbits = (hc->bytes_hashed << 3);
737: /* ----- Begin UHASH Section -------------------------------------------- */
741: /* UHASH is a multi-layered algorithm. Data presented to UHASH is first
743:  * unless the initial data to be hashed is short. After the polynomial-
746:  * UHASH provides two interfaces, one all-at-once and another where data
748:  * UHASH client calls the routine uhash_update() as many times as necessary.
749:  * When there is no more data to be fed to UHASH, the client calls
750:  * uhash_final() which          
751:  * calculates the UHASH output. Before beginning another UHASH calculation    
752:  * the uhash_reset() routine must be called. The all-at-once UHASH routine,   
753:  * uhash(), is equivalent to the sequence of calls uhash_update() and         
754:  * uhash_final(); however it is optimized and should be                     
757:  * The routine uhash_init() initializes the uhash_ctx data structure and    
758:  * must be called once, before any other UHASH routine.
762: /* ----- Constants and uhash_ctx ---------------------------------------- */
784:                                           /* to uhash */
791: /* The polynomial hashes use Horner's rule to evaluate a polynomial one
886: /* If the data being hashed by UHASH is no longer than L1_KEY_LEN, then
887:  * the polyhash stage is skipped and ip_short is applied directly to the
890: static void ip_short(uhash_ctx_t ahc, UINT8 *nh_res, u_char *res)
911: /* If the data being hashed by UHASH is longer than L1_KEY_LEN, then
912:  * the polyhash stage is not skipped and ip_long is applied to the
913:  * polyhash output.
915: static void ip_long(uhash_ctx_t ahc, u_char *res)
921:         /* fix polyhash output not in Z_p64 */
955: /* Given a pointer to the internal key needed by kdf() and a uhash context,
957:  * product hashing. All keys are endian adjusted in memory so that native
965:     /* Zero the entire uhash context */
966:     memset(ahc, 0, sizeof(uhash_ctx));
982:         ahc->poly_accum[i] = 1;  /* Our polyhash prepends a non-zero word */
1005: static uhash_ctx_t uhash_alloc(u_char key[])
1008:     uhash_ctx_t ctx;
1012:     ctx = (uhash_ctx_t)malloc(sizeof(uhash_ctx)+ALLOC_BOUNDARY);
1017:             ctx = (uhash_ctx_t)((u_char *)ctx + bytes_to_add);
1021:         uhash_init(ctx, prf_key);
1030: static int uhash_free(uhash_ctx_t ctx)
1032: /* Free memory allocated by uhash_alloc */
1038:             ctx = (uhash_ctx_t)((u_char *)ctx - bytes_to_sub);
1052:     UWORD bytes_hashed, bytes_remaining;
1061:          bytes_hashed = ctx->msg_len % L1_KEY_LEN;
1063:              bytes_hashed = L1_KEY_LEN;
1065:          if (bytes_hashed + len >= L1_KEY_LEN) {
1068:              /* then we want to pass at most (L1_KEY_LEN - bytes_hashed) */
1070:              if (bytes_hashed) {
1071:                  bytes_remaining = (L1_KEY_LEN - bytes_hashed);
1119:     uhash_reset(ctx);
1126: static int uhash(uhash_ctx_t ahc, u_char *msg, long len, u_char *res)
1135:      * the polyhash.
1167:     uhash_reset(ahc);
1186:     pdf_ctx pdf;             /* PDF for hashed output                    */
android.googlesource.com/platform/external/openssh:sshconnect2.c: [ master, ]
267: 	const char *host;
91: char *xxx_host;
95: verify_host_key_callback(Key *hostkey, struct ssh *ssh)
92: struct sockaddr *xxx_hostaddr;
103: order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port)
1575: userauth_hostbased(Authctxt *authctxt)
97: 	if (verify_host_key(xxx_host, xxx_hostaddr, hostkey) == -1)
98: 		fatal("Host key verification failed.");
112: 	get_hostfile_hostname_ipaddr(host, hostaddr, port, &hostname, NULL);
157: ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
163: 	xxx_host = host;
190: 		myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
194: 		myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
196: 		    order_hostkeyalgs(host, hostaddr, port));
223: 	kex->verify_host_key=&verify_host_key_callback;
313: int	input_gssapi_hash(int type, u_int32_t, void *);
366: ssh_userauth2(const char *local_user, const char *server_user, char *host,
401: 	authctxt.host = host;
599: 	if ((fp = sshkey_fingerprint(key, options.fingerprint_hash,
649: 		    &gss_supported->elements[mech], authctxt->host)) {
880: 	const char *host = options.host_key_alias ?  options.host_key_alias :
881: 	    authctxt->host;
890: 	    authctxt->server_user, host);
919: 	const char *host = options.host_key_alias ? options.host_key_alias :
920: 	    authctxt->host;
941: 	    authctxt->server_user, host);
950: 		    authctxt->server_user, host);
958: 		    authctxt->server_user, host);
1019: 	if ((fp = sshkey_fingerprint(id->key, options.fingerprint_hash,
1635: 	if ((fp = sshkey_fingerprint(private, options.fingerprint_hash,
1643: 	/* figure out a name for the client host */
68: #include "canohost.h"
72: #include "hostfile.h"
105: 	char *oavail, *avail, *first, *last, *alg, *hostname, *ret;
107: 	struct hostkeys *hostkeys;
111: 	/* Find all hostkeys for this hostname */
113: 	hostkeys = init_hostkeys();
114: 	for (i = 0; i < options.num_user_hostfiles; i++)
115: 		load_hostkeys(hostkeys, hostname, options.user_hostfiles[i]);
116: 	for (i = 0; i < options.num_system_hostfiles; i++)
117: 		load_hostkeys(hostkeys, hostname, options.system_hostfiles[i]);
135: 		if (lookup_key_in_hostkeys_by_type(hostkeys,
145: 		debug3("%s: prefer hostkeyalgs: %s", __func__, first);
149: 	free(hostname);
151: 	free_hostkeys(hostkeys);
164: 	xxx_hostaddr = hostaddr;
189: 	if (options.hostkeyalgorithms != NULL)
191: 		    compat_pkalg_proposal(options.hostkeyalgorithms);
276: 	/* hostbased */
307: int	userauth_hostbased(Authctxt *);
337: 	{"hostbased",
338: 		userauth_hostbased,
340: 		&options.hostbased_authentication,
1582: 	char *fp = NULL, *chost = NULL, *lname = NULL;
1587: 		authctxt->oktypes = xstrdup(options.hostbased_key_types);
1592: 	 * Work through each listed type pattern in HostbasedKeyTypes,
1593: 	 * trying each hostkey that matches the type in turn.
1631: 		debug("No more client hostkeys for hostbased authentication.");
1640: 	debug("%s: trying hostkey %s %s",
1650: 	xasprintf(&chost, "%s.", lname);
1651: 	debug2("%s: chost %s", __func__, chost);
1672: 	    (r = sshbuf_put_cstring(b, chost)) != 0 ||
1688: 		error("sign using hostkey %s %s failed",
1698: 	    (r = sshpkt_put_cstring(ssh, chost)) != 0 ||
1715: 	free(chost);
android.googlesource.com/platform/external/openssh:ssh.c: [ master, ]
172: char *host;
155: char *stdio_forward_host = NULL;
245: resolve_host(const char *name, int port, int logerr, char *cname, size_t clen)
175: struct sockaddr_storage hostaddr;
154: /* forward stdio to remote host and port */
168:  * Name of the host we are connecting to.  This is the name given on the
174: /* socket address the host resolves to */
177: /* Private host keys. */
206: "           [-L [bind_address:]port:host:hostport] [-l login_name] [-m mac_spec]\n"
209: "           [-R [bind_address:]port:host:hostport] [-S ctl_path] [-W host:port]\n"
239:  * Attempt to resolve a host name / port to a set of addresses and
270: 			error("%s: host \"%s\" cname \"%s\" too long (max %lu)",
280:  * Attempt to resolve a numeric host address / port to a single address.
322: 		error("%s: host \"%s\" addr \"%s\" too long (max %lu)",
375:  * canonicalization rules. Returns the address list for the host or NULL
428: 		if ((addrs = resolve_host(fullhost, port, 0,
445: 		fatal("%s: Could not resolve host \"%s\"", __progname, *hostp);
446: 	debug2("%s: host %s not found in any suffix", __func__, *hostp);
455: process_config_files(const char *host_arg, struct passwd *pw, int post_canon)
462: 		    !read_config_file(config, pw, host, host_arg, &options,
470: 			(void)read_config_file(buf, pw, host, host_arg,
475: 		(void)read_config_file(_PATH_HOST_CONFIG_FILE, pw,
476: 		    host, host_arg, &options,
508: 	char *p, *cp, *line, *argv0, buf[PATH_MAX], *host_arg, *logfile;
519: 	u_char conn_hash[SSH_DIGEST_MAX_LENGTH];
520: 	char *conn_hash_hex;
593: 	host = NULL;
644: 			if (stdio_forward_host != NULL)
761: 			if (stdio_forward_host != NULL)
766: 				stdio_forward_host = fwd.listen_host;
768: 				free(fwd.connect_host);
892: 			    host ? host : "", host ? host : "", line,
919: 	if (ac > 0 && !host) {
927: 			host = xstrdup(++cp);
929: 			host = xstrdup(*av);
937: 	/* Check that we got a host name. */
938: 	if (!host)
941: 	host_arg = xstrdup(host);
948: 	/* Initialize the command to execute on remote host. */
952: 	 * Save the command to execute on the remote host in a buffer. There
1002: 	process_config_files(host_arg, pw, 0);
1011: 		    "h", host, (char *)NULL);
1012: 		free(host);
1013: 		host = cp;
1015: 		options.hostname = xstrdup(host);
1019: 	lowercase(host);
1021: 		addrs = resolve_canonicalize(&host, options.port);
1039: 		if ((addrs = resolve_host(host, options.port,
1042: 			/* Don't fatal proxied host names not in the DNS */
1044: 				cleanup_exit(255); /* logged in resolve_host */
1046: 			check_follow_cname(&host, cname);
1057: 		options.hostname = xstrdup(host);
1058: 		process_config_files(host_arg, pw, 1);
1076: 	if (options.host_key_alias != NULL)
1077: 		lowercase(options.host_key_alias);
1129: 	    ssh_digest_update(md, host, strlen(host)) < 0 ||
1132: 	    ssh_digest_final(md, conn_hash, sizeof(conn_hash)) < 0)
1135: 	conn_hash_hex = tohex(conn_hash, ssh_digest_bytes(SSH_DIGEST_SHA1));
1141: 		    "C", conn_hash_hex,
1144: 		    "h", host,
1146: 		    "n", host_arg,
1160: 		    "C", conn_hash_hex,
1162: 		    "h", host,
1164: 		    "n", host_arg,
1171: 	free(conn_hash_hex);
1174: 		dump_client_config(&options, host);
1188: 		if ((addrs = resolve_host(host, options.port, 1,
1190: 			cleanup_exit(255); /* resolve_host logs the error */
1195: 	/* Open a connection to the remote host. */
1196: 	if (ssh_connect(host, addrs, &hostaddr, options.port,
1212: 	 * If we successfully made the connection, load the host private key
1232: 		    _PATH_HOST_KEY_FILE, "", NULL, NULL);
1235: 		    _PATH_HOST_ECDSA_KEY_FILE, "", NULL);
1238: 		    _PATH_HOST_ED25519_KEY_FILE, "", NULL);
1240: 		    _PATH_HOST_RSA_KEY_FILE, "", NULL);
1242: 		    _PATH_HOST_DSA_KEY_FILE, "", NULL);
1245: 		    _PATH_HOST_ECDSA_KEY_FILE, "", NULL, NULL);
1248: 		    _PATH_HOST_ED25519_KEY_FILE, "", NULL, NULL);
1250: 		    _PATH_HOST_RSA_KEY_FILE, "", NULL, NULL);
1252: 		    _PATH_HOST_DSA_KEY_FILE, "", NULL, NULL);
1263: 			    _PATH_HOST_ECDSA_KEY_FILE);
1266: 			    _PATH_HOST_ED25519_KEY_FILE);
1268: 			    _PATH_HOST_RSA_KEY_FILE);
1270: 			    _PATH_HOST_DSA_KEY_FILE);
1273: 			    _PATH_HOST_ECDSA_KEY_FILE, NULL);
1276: 			    _PATH_HOST_ED25519_KEY_FILE, NULL);
1278: 			    _PATH_HOST_RSA_KEY_FILE, NULL);
1280: 			    _PATH_HOST_DSA_KEY_FILE, NULL);
1318: 	/* Expand ~ in known host file names. */
1327: 	ssh_login(&sensitive_data, host, (struct sockaddr *)&hostaddr,
1331: 		verbose("Authenticated to %s ([%s]:%d).", host,
1334: 		verbose("Authenticated to %s (via proxy).", host);
1337: 	/* We no longer need the private host keys.  Clear them now. */
1437: 	    rfwd->listen_host ? rfwd->listen_host : "",
1438: 	    (rfwd->listen_path || rfwd->listen_host) ? ":" : "",
1440: 	    rfwd->connect_host, rfwd->connect_port);
1446: 			    rfwd->connect_host, rfwd->connect_port);
1498: 	if (stdio_forward_host == NULL)
1503: 	debug3("%s: %s:%d", __func__, stdio_forward_host, stdio_forward_port);
1508: 	if ((c = channel_connect_stdio_fwd(stdio_forward_host,
1527: 		    (options.local_forwards[i].listen_host == NULL) ?
1529: 		    options.local_forwards[i].listen_host,
1533: 		    options.local_forwards[i].connect_host,
1549: 		    (options.remote_forwards[i].listen_host == NULL) ?
1550: 		    "LOCALHOST" : options.remote_forwards[i].listen_host,
1554: 		    options.remote_forwards[i].connect_host,
1628: 			logit("Warning: Remote host refused compression.");
1668: 			logit("Warning: Remote host failed or refused to "
1693: 			logit("Warning: Remote host denied X11 forwarding.");
1714: 			logit("Warning: Remote host denied authentication agent forwarding.");
1991: 		    "u", pwname, "l", thishost, "h", host,
85: #include "canohost.h"
169:  * command line, or the HostName specified for the user-supplied name in a
210: "           [-w local_tun[:remote_tun]] [user@]hostname [command]\n"
264: 		do_log2(loglevel, "%s: Could not resolve hostname %.100s: %s",
288: 	char addr[NI_MAXHOST], strport[NI_MAXSERV];
299: 	hints.ai_flags = AI_NUMERICHOST|AI_NUMERICSERV;
316: 	    addr, sizeof(addr), NULL, 0, NI_NUMERICHOST)) != 0) {
334:  * Check whether the cname is a permitted replacement for the hostname
347: 	if (options.canonicalize_hostname == SSH_CANONICALISE_NO)
354: 	    options.canonicalize_hostname != SSH_CANONICALISE_ALWAYS)
364: 		verbose("Canonicalized DNS aliased hostname "
374:  * Attempt to resolve the supplied hostname after applying the user's
380: resolve_canonicalize(char **hostp, int port)
383: 	char *cp, *fullhost, newname[NI_MAXHOST];
386: 	if (options.canonicalize_hostname == SSH_CANONICALISE_NO)
394: 	    options.canonicalize_hostname != SSH_CANONICALISE_ALWAYS)
397: 	/* Try numeric hostnames first */
398: 	if ((addrs = resolve_addr(*hostp, port,
400: 		debug2("%s: hostname %.100s is address", __func__, *hostp);
401: 		if (strcasecmp(*hostp, newname) != 0) {
403: 			    __func__, *hostp, newname);
404: 			free(*hostp);
405: 			*hostp = xstrdup(newname);
410: 	/* Don't apply canonicalization to sufficiently-qualified hostnames */
412: 	for (cp = *hostp; *cp != '\0'; cp++) {
417: 		debug3("%s: not canonicalizing hostname \"%s\" (max dots %d)",
418: 		    __func__, *hostp, options.canonicalize_max_dots);
424: 		xasprintf(&fullhost, "%s.%s.", *hostp,
427: 		    *hostp, fullhost);
430: 			free(fullhost);
434: 		fullhost[strlen(fullhost) - 1] = '\0';
436: 		if (!check_follow_cname(&fullhost, newname)) {
437: 			debug("Canonicalized hostname \"%s\" => \"%s\"",
438: 			    *hostp, fullhost);
440: 		free(*hostp);
441: 		*hostp = fullhost;
509: 	char thishost[NI_MAXHOST], shorthost[NI_MAXHOST], portstr[NI_MAXSERV];
510: 	char cname[NI_MAXHOST];
1004: 	/* Hostname canonicalisation needs a few options filled. */
1007: 	/* If the user has replaced the hostname then take it into use now */
1008: 	if (options.hostname != NULL) {
1010: 		cp = percent_expand(options.hostname,
1014: 		free(options.hostname);
1020: 	if (options.canonicalize_hostname != SSH_CANONICALISE_NO)
1026: 	 * or by failing with fallback) then the hostname may still be changed
1029: 	 * Try to resolve the bare hostname name using the system resolver's
1038:             options.canonicalize_hostname == SSH_CANONICALISE_ALWAYS)) {
1053: 	if (options.canonicalize_hostname != 0) {
1054: 		debug("Re-reading configuration after hostname "
1056: 		free(options.hostname);
1083: 	    options.update_hostkeys == SSH_UPDATE_HOSTKEYS_ASK) {
1086: 		options.update_hostkeys = 0;
1121: 	if (gethostname(thishost, sizeof(thishost)) == -1)
1123: 	strlcpy(shorthost, thishost, sizeof(shorthost));
1124: 	shorthost[strcspn(thishost, ".")] = '\0';
1128: 	    ssh_digest_update(md, thishost, strlen(thishost)) < 0 ||
1142: 		    "L", shorthost,
1145: 		    "l", thishost,
1161: 		    "L", shorthost,
1163: 		    "l", thishost,
1184: 	 * If hostname canonicalisation was not enabled, then we may not
1185: 	 * have yet resolved the hostname. Do so now.
1223: 	    options.hostbased_authentication) {
1255: 		if (options.hostbased_authentication == 1 &&
1319: 	tilde_expand_paths(options.system_hostfiles,
1320: 	    options.num_system_hostfiles);
1321: 	tilde_expand_paths(options.user_hostfiles, options.num_user_hostfiles);
1342: 				debug3("clear hostkey %d", i);
1528: 		    (options.fwd_opts.gateway_ports ? "*" : "LOCALHOST") :
1939: 	char *filename, *cp, thishost[NI_MAXHOST];
1979: 	if (gethostname(thishost, sizeof(thishost)) == -1)
1034: 	 * CanonicalizeHostname=always
1084: 		debug("UpdateHostKeys=ask is incompatible with ControlPersist; "
1122: 		fatal("gethostname: %s", strerror(errno));
1213: 	 * in case we will need it later for combined rsa-rhosts
1222: 	if (options.rhosts_rsa_authentication ||
1980: 		fatal("load_public_identity_files: gethostname: %s",
android.googlesource.com/platform/external/openssh:Makefile.in: [ master, ]
360: host-key: ssh-keygen$(EXEEXT)
391: host-key-force: ssh-keygen$(EXEEXT)
522: UNITTESTS_TEST_HOSTKEYS_OBJS=\
526: regress/unittests/hostkeys/test_hostkeys$(EXEEXT): \
91: 	sc25519.o ge25519.o fe25519.o ed25519.o verify.o hash.o blocks.o \
128: 	-e 's|/etc/ssh/ssh_host_key|$(sysconfdir)/ssh_host_key|g' \
129: 	-e 's|/etc/ssh/ssh_host_ecdsa_key|$(sysconfdir)/ssh_host_ecdsa_key|g' \
130: 	-e 's|/etc/ssh/ssh_host_dsa_key|$(sysconfdir)/ssh_host_dsa_key|g' \
131: 	-e 's|/etc/ssh/ssh_host_rsa_key|$(sysconfdir)/ssh_host_rsa_key|g' \
132: 	-e 's|/etc/ssh/ssh_host_ed25519_key|$(sysconfdir)/ssh_host_ed25519_key|g' \
289: install: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files install-sysconf host-key check-config
362: 		if [ -f "$(sysconfdir)/ssh_host_key" ] ; then \
363: 			echo "$(sysconfdir)/ssh_host_key already exists, skipping." ; \
365: 			./ssh-keygen -t rsa1 -f $(sysconfdir)/ssh_host_key -N "" ; \
367: 		if [ -f $(sysconfdir)/ssh_host_dsa_key ] ; then \
368: 			echo "$(sysconfdir)/ssh_host_dsa_key already exists, skipping." ; \
370: 			./ssh-keygen -t dsa -f $(sysconfdir)/ssh_host_dsa_key -N "" ; \
372: 		if [ -f $(sysconfdir)/ssh_host_rsa_key ] ; then \
373: 			echo "$(sysconfdir)/ssh_host_rsa_key already exists, skipping." ; \
375: 			./ssh-keygen -t rsa -f $(sysconfdir)/ssh_host_rsa_key -N "" ; \
377: 		if [ -f $(sysconfdir)/ssh_host_ed25519_key ] ; then \
378: 			echo "$(sysconfdir)/ssh_host_ed25519_key already exists, skipping." ; \
380: 			./ssh-keygen -t ed25519 -f $(sysconfdir)/ssh_host_ed25519_key -N "" ; \
383: 		    if [ -f $(sysconfdir)/ssh_host_ecdsa_key ] ; then \
384: 			echo "$(sysconfdir)/ssh_host_ecdsa_key already exists, skipping." ; \
386: 			./ssh-keygen -t ecdsa -f $(sysconfdir)/ssh_host_ecdsa_key -N "" ; \
392: 	./ssh-keygen -t rsa1 -f $(DESTDIR)$(sysconfdir)/ssh_host_key -N ""
393: 	./ssh-keygen -t dsa -f $(DESTDIR)$(sysconfdir)/ssh_host_dsa_key -N ""
394: 	./ssh-keygen -t rsa -f $(DESTDIR)$(sysconfdir)/ssh_host_rsa_key -N ""
395: 	./ssh-keygen -t ed25519 -f $(DESTDIR)$(sysconfdir)/ssh_host_ed25519_key -N ""
396: 	test -z "@COMMENT_OUT_ECC@" && ./ssh-keygen -t ecdsa -f $(DESTDIR)$(sysconfdir)/ssh_host_ecdsa_key -N ""
80: 	canohost.o channels.o cipher.o cipher-aes.o cipher-aesctr.o \
82: 	compat.o crc32.o deattack.o fatal.o hostfile.o \
105: 	auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \
124: 	-e 's|/etc/ssh/ssh_known_hosts|$(sysconfdir)/ssh_known_hosts|g' \
239: 	rm -f regress/unittests/hostkeys/*.o
240: 	rm -f regress/unittests/hostkeys/test_hostkeys
259: 	rm -f regress/unittests/hostkeys/*.o
260: 	rm -f regress/unittests/hostkeys/test_hostkeys
446: 	[ -d `pwd`/regress/unittests/hostkeys ] || \
447: 		mkdir -p `pwd`/regress/unittests/hostkeys
523: 	regress/unittests/hostkeys/tests.o \
524: 	regress/unittests/hostkeys/test_iterate.o
527:     ${UNITTESTS_TEST_HOSTKEYS_OBJS} \
529: 	$(LD) -o $@ $(LDFLAGS) $(UNITTESTS_TEST_HOSTKEYS_OBJS) \
540: 	regress/unittests/hostkeys/test_hostkeys$(EXEEXT) \
100: SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
127: 	-e 's|/etc/shosts.equiv|$(sysconfdir)/shosts.equiv|g' \
android.googlesource.com/platform/external/openssh:readconf.h: [ master, ]
79: 	char   *host_key_alias;	/* hostname alias for .ssh/known_hosts */
123: 	int	hash_known_hosts;
149: 	int	 fingerprint_hash;
44: 	int     hostbased_authentication;	/* ssh2's rhosts_rsa */
75: 	char   *hostkeyalgorithms;	/* SSH2 server key types in order of preference. */
78: 	char   *hostname;	/* Real host to connect. */
110: 	int	no_host_authentication_for_localhost;
153: 	char	*hostbased_key_types;
54: 	int     check_host_ip;	/* Also keep track of keys for IP address */
55: 	int     strict_host_key_checking;	/* Strict host key checking. */
91: 	int	verify_host_key_dns;	/* Verify host key using DNS */
131: 	int	visual_host_key;
147: 	char	*revoked_host_keys;
22: #define SSH_MAX_HOSTS_FILES	32
84: 	u_int	num_system_hostfiles;	/* Paths for /etc/ssh/ssh_known_hosts */
85: 	char   *system_hostfiles[SSH_MAX_HOSTS_FILES];
86: 	u_int	num_user_hostfiles;	/* Path for $HOME/.ssh/known_hosts */
87: 	char   *user_hostfiles[SSH_MAX_HOSTS_FILES];
141: 	int	canonicalize_hostname;
151: 	int	 update_hostkeys; /* one of SSH_UPDATE_HOSTKEYS_* */
177: #define SSH_UPDATE_HOSTKEYS_NO	0
178: #define SSH_UPDATE_HOSTKEYS_YES	1
179: #define SSH_UPDATE_HOSTKEYS_ASK	2
40: 	int     rhosts_rsa_authentication;	/* Try rhosts with RSA
80: 	char   *proxy_command;	/* Proxy command for connecting the host. */
191: void	 dump_client_config(Options *o, const char *host);
175: #define SSHCONF_POSTCANON	4  /* After hostname canonicalisation */
android.googlesource.com/platform/external/openssh:clientloop.c: [ master, ]
2094: 	char *host_str, *ip_str;
2092: struct hostkeys_update_ctx {
2118: hostkeys_update_ctx_free(struct hostkeys_update_ctx *ctx)
2137: hostkeys_find(struct hostkey_foreach_line *l, void *_ctx)
2171: update_known_hosts(struct hostkeys_update_ctx *ctx)
2240: client_global_hostkeys_private_confirm(int type, u_int32_t seq, void *_ctx)
2313: client_input_hostkeys(void)
130:  * Name of the host we are connecting to.  This is the name given on the
134: extern char *host;
564: 		logit("Timeout, server %s not responding.", host);
736: 			 * Received EOF.  The remote host has closed the
740: 			    "Connection to %.300s closed by remote host.\r\n",
741: 			    host);
760: 			    "Read from remote host %.300s: %.100s\r\n",
761: 			    host, strerror(errno));
895: 		logit("      -L[bind_address:]port:host:hostport    "
897: 		logit("      -R[bind_address:]port:host:hostport    "
988: 	free(fwd.listen_host);
990: 	free(fwd.connect_host);
1463:  * remote host.  If escape_char != SSH_ESCAPECHAR_NONE, it is the character
1701: 		    "Connection to %.64s closed.\r\n", host);
1822: 		/* Send a confirmation to the remote host. */
2131: 	free(ctx->host_str);
2147: 	/* Mark off keys we've already seen for this host */
2183: 		    options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL)
2191: 		    options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL)
2232: 	    ctx->host_str, ctx->ip_str, ctx->keys, ctx->nkeys,
2233: 	    options.hash_known_hosts, 0,
2234: 	    options.fingerprint_hash)) != 0)
2254: 		    "private host keys");
2347: 		fp = sshkey_fingerprint(key, options.fingerprint_hash,
2370: 				error("%s: received duplicated %s host key",
2394: 	get_hostfile_hostname_ipaddr(host,
2395: 	    options.check_host_ip ? (struct sockaddr *)&hostaddr : NULL,
2396: 	    options.port, &ctx->host_str,
2397: 	    options.check_host_ip ? &ctx->ip_str : NULL);
2401: 	    ctx, ctx->host_str, ctx->ip_str,
115: #include "hostfile.h"
131:  * command line, or the HostName specified for the user-supplied name in a
335: 		 * XXX: "localhost" match to determine FamilyLocal
338: 		if (strncmp(display, "localhost:", 10) == 0) {
2093: 	/* The hostname and (optionally) IP address string for the server */
2098: 	 * whether they already exist in known_hosts.
2099: 	 * keys_seen is filled in by hostkeys_find() and later (for new
2100: 	 * keys) by client_global_hostkeys_private_confirm().
2109: 	 * Keys that are in known_hosts, but were not present in the update
2111: 	 * Filled in by hostkeys_find().
2139: 	struct hostkeys_update_ctx *ctx = (struct hostkeys_update_ctx *)_ctx;
2174: 	int loglevel = options.update_hostkeys == SSH_UPDATE_HOSTKEYS_ASK ?
2185: 		do_log2(loglevel, "Learned new hostkey: %s %s",
2193: 		do_log2(loglevel, "Deprecating obsolete hostkey: %s %s",
2197: 	if (options.update_hostkeys == SSH_UPDATE_HOSTKEYS_ASK) {
2205: 			response = read_passphrase("Accept updated hostkeys? "
2211: 				options.update_hostkeys = 0;
2219: 			options.update_hostkeys = 0;
2227: 	 * them in known_hosts (assuming SSH_UPDATE_HOSTKEYS_ASK didn't
2230: 	if (options.update_hostkeys != 0 &&
2231: 	    (r = hostfile_replace_entries(options.user_hostfiles[0],
2235: 		error("%s: hostfile_replace_entries failed: %s",
2243: 	struct hostkeys_update_ctx *ctx = (struct hostkeys_update_ctx *)_ctx;
2255: 		hostkeys_update_ctx_free(ctx);
2274: 		    "hostkeys-prove-00@openssh.com")) != 0 ||
2301: 	/* Make the edits to known_hosts */
2302: 	update_known_hosts(ctx);
2304: 	hostkeys_update_ctx_free(ctx);
2308:  * Handle hostkeys-00@openssh.com global request to inform the client of all
2309:  * the server's hostkeys. The keys are checked against the user's
2310:  * HostkeyAlgorithms preference before they are accepted.
2322: 	static int hostkeys_seen = 0; /* XXX use struct ssh */
2323: 	extern struct sockaddr_storage hostaddr; /* XXX from ssh.c */
2324: 	struct hostkeys_update_ctx *ctx = NULL;
2326: 	if (hostkeys_seen)
2327: 		fatal("%s: server already sent hostkeys", __func__);
2328: 	if (options.update_hostkeys == SSH_UPDATE_HOSTKEYS_ASK &&
2331: 	if (!options.update_hostkeys || options.num_user_hostfiles <= 0)
2352: 		/* Check that the key is accepted in HostkeyAlgorithms */
2353: 		if (options.hostkeyalgorithms != NULL &&
2355: 		    options.hostkeyalgorithms,
2356: 		    strlen(options.hostkeyalgorithms), 0) != 1) {
2357: 			debug3("%s: %s key not permitted by HostkeyAlgorithms",
2386: 		debug("%s: server sent no hostkeys", __func__);
2400: 	if ((r = hostkeys_foreach(options.user_hostfiles[0], hostkeys_find,
2403: 		error("%s: hostkeys_foreach failed: %s", __func__, ssh_err(r));
2419: 		update_known_hosts(ctx);
2429: 		    "hostkeys-prove-00@openssh.com")) != 0 ||
2449: 		    client_global_hostkeys_private_confirm, ctx);
2455: 	hostkeys_update_ctx_free(ctx);
2460: 	 * what the client does with its hosts file.
2476: 	if (strcmp(rtype, "hostkeys-00@openssh.com") == 0)
2477: 		success = client_input_hostkeys();
android.googlesource.com/platform/external/openssh:kex.h: [ master, ]
140: 	int	hash_alg;
147: 	int	(*host_key_index)(struct sshkey *, int, struct ssh *);
132: 	int	hostkey_type;
133: 	int	hostkey_nid;
71: 	PROPOSAL_SERVER_HOST_KEY_ALGS,
144: 	int	(*verify_host_key)(struct sshkey *, struct ssh *);
145: 	struct sshkey *(*load_host_public_key)(int, int, struct ssh *);
146: 	struct sshkey *(*load_host_private_key)(int, int, struct ssh *);
187: int	 kex_dh_hash(const char *, const char *,
191: int	 kexgex_hash(int, const char *, const char *,
198: int kex_ecdh_hash(int, const EC_GROUP *, const char *, const char *,
202: int	 kex_c25519_hash(int, const char *, const char *, const char *, size_t,
android.googlesource.com/platform/external/openssh:sshd.c: [ master, ]
206: 	Key	**host_keys;		/* all private host keys */
207: 	Key	**host_pubkeys;		/* all public host keys */
208: 	Key	**host_certificates;	/* all public host certificates */
205: 	Key	*ssh1_host_key;		/* ssh1 host key */
791: list_hostkey_types(void)
843: get_hostkey_by_type(int type, int nid, int need_private, struct ssh *ssh)
873: get_hostkey_public_by_type(int type, int nid, struct ssh *ssh)
879: get_hostkey_private_by_type(int type, int nid, struct ssh *ssh)
885: get_hostkey_by_index(int ind)
893: get_hostkey_public_by_index(int ind, struct ssh *ssh)
901: get_hostkey_index(Key *key, int compare, struct ssh *ssh)
928: notify_hostkeys(struct ssh *ssh)
2508: sshd_hostkey_sign(Key *privkey, Key *pubkey, u_char **signature, size_t *slen,
232: u_int utmp_len = HOST_NAME_MAX+1;
556: /* Destroy the host and server keys.  They will no longer be needed. */
566: 	for (i = 0; i < options.num_host_key_files; i++) {
567: 		if (sensitive_data.host_keys[i]) {
568: 			key_free(sensitive_data.host_keys[i]);
569: 			sensitive_data.host_keys[i] = NULL;
571: 		if (sensitive_data.host_certificates[i]) {
572: 			key_free(sensitive_data.host_certificates[i]);
573: 			sensitive_data.host_certificates[i] = NULL;
576: 	sensitive_data.ssh1_host_key = NULL;
593: 	for (i = 0; i < options.num_host_key_files; i++) {
594: 		if (sensitive_data.host_keys[i]) {
595: 			tmp = key_demote(sensitive_data.host_keys[i]);
596: 			key_free(sensitive_data.host_keys[i]);
597: 			sensitive_data.host_keys[i] = tmp;
599: 				sensitive_data.ssh1_host_key = tmp;
604: 	/* We do not clear ssh1_host key and cookie.  XXX - Okay Niels? */
800: 	for (i = 0; i < options.num_host_key_files; i++) {
801: 		key = sensitive_data.host_keys[i];
803: 			key = sensitive_data.host_pubkeys[i];
818: 		key = sensitive_data.host_certificates[i];
848: 	for (i = 0; i < options.num_host_key_files; i++) {
856: 			key = sensitive_data.host_certificates[i];
859: 			key = sensitive_data.host_keys[i];
861: 				key = sensitive_data.host_pubkeys[i];
867: 			    sensitive_data.host_keys[i] : key;
887: 	if (ind < 0 || ind >= options.num_host_key_files)
889: 	return (sensitive_data.host_keys[ind]);
895: 	if (ind < 0 || ind >= options.num_host_key_files)
897: 	return (sensitive_data.host_pubkeys[ind]);
905: 	for (i = 0; i < options.num_host_key_files; i++) {
907: 			if (key == sensitive_data.host_certificates[i] ||
908: 			    (compare && sensitive_data.host_certificates[i] &&
910: 			    sensitive_data.host_certificates[i])))
913: 			if (key == sensitive_data.host_keys[i] ||
914: 			    (compare && sensitive_data.host_keys[i] &&
915: 			    sshkey_equal(key, sensitive_data.host_keys[i])))
917: 			if (key == sensitive_data.host_pubkeys[i] ||
918: 			    (compare && sensitive_data.host_pubkeys[i] &&
919: 			    sshkey_equal(key, sensitive_data.host_pubkeys[i])))
937: 	for (i = nkeys = 0; i < options.num_host_key_files; i++) {
942: 		fp = sshkey_fingerprint(key, options.fingerprint_hash,
1006: "usage: sshd [-46DdeiqTt] [-b bits] [-C connection_spec] [-c host_cert_file]\n"
1008: "            [-h host_key_file] [-k key_gen_time] [-o option] [-p port]\n"
1514: 			if (options.num_host_cert_files >= MAX_HOSTCERTS) {
1515: 				fprintf(stderr, "too many host certificates.\n");
1518: 			options.host_cert_files[options.num_host_cert_files++] =
1582: 			if (options.num_host_key_files >= MAX_HOSTKEYS) {
1583: 				fprintf(stderr, "too many host keys.\n");
1586: 			options.host_key_files[options.num_host_key_files++] = 
1601: 			utmp_len = (u_int)strtonum(optarg, 0, HOST_NAME_MAX+1+1, NULL);
1602: 			if (utmp_len > HOST_NAME_MAX+1) {
1639: 	 * Force logging to stderr until we have loaded the private host
1664: 	sensitive_data.ssh1_host_key = NULL;
1674: 		fatal("user, host and addr are all required when testing "
1763: 	/* load host keys */
1764: 	sensitive_data.host_keys = xcalloc(options.num_host_key_files,
1766: 	sensitive_data.host_pubkeys = xcalloc(options.num_host_key_files,
1769: 	if (options.host_key_agent) {
1770: 		if (strcmp(options.host_key_agent, SSH_AUTHSOCKET_ENV_NAME))
1772: 			    options.host_key_agent, 1);
1777: 			    options.host_key_agent, ssh_err(r));
1780: 	for (i = 0; i < options.num_host_key_files; i++) {
1781: 		if (options.host_key_files[i] == NULL)
1783: 		key = key_load_private(options.host_key_files[i], "", NULL);
1784: 		pubkey = key_load_public(options.host_key_files[i], NULL);
1787: 		sensitive_data.host_keys[i] = key;
1788: 		sensitive_data.host_pubkeys[i] = pubkey;
1793: 			    options.host_key_files[i]);
1798: 			error("Could not load host key: %s",
1799: 			    options.host_key_files[i]);
1800: 			sensitive_data.host_keys[i] = NULL;
1801: 			sensitive_data.host_pubkeys[i] = NULL;
1807: 			sensitive_data.ssh1_host_key = key;
1818: 		if ((fp = sshkey_fingerprint(pubkey, options.fingerprint_hash,
1821: 		debug("%s host key #%d: %s %s",
1827: 		logit("Disabling protocol version 1. Could not load host key");
1831: 		logit("Disabling protocol version 2. Could not load host key");
1843: 	sensitive_data.host_certificates = xcalloc(options.num_host_key_files,
1845: 	for (i = 0; i < options.num_host_key_files; i++)
1846: 		sensitive_data.host_certificates[i] = NULL;
1848: 	for (i = 0; i < options.num_host_cert_files; i++) {
1849: 		if (options.host_cert_files[i] == NULL)
1851: 		key = key_load_public(options.host_cert_files[i], NULL);
1853: 			error("Could not load host certificate: %s",
1854: 			    options.host_cert_files[i]);
1859: 			    options.host_cert_files[i]);
1864: 		for (j = 0; j < options.num_host_key_files; j++) {
1866: 			    sensitive_data.host_keys[j])) {
1867: 				sensitive_data.host_certificates[j] = key;
1871: 		if (j >= options.num_host_key_files) {
1873: 			    options.host_cert_files[i]);
1877: 		sensitive_data.host_certificates[j] = key;
1878: 		debug("host certificate: #%d type %d %s", j, key->type,
1891: 		 * Check that server and host key lengths differ sufficiently. This
1896: 		    BN_num_bits(sensitive_data.ssh1_host_key->rsa->n) -
1898: 		    BN_num_bits(sensitive_data.ssh1_host_key->rsa->n) +
1901: 			    BN_num_bits(sensitive_data.ssh1_host_key->rsa->n) +
1903: 			debug("Forcing server key to %d bits to make it differ from host key.",
2289:  * Decrypt session_key_int using our private server key and private host key
2298: 	    sensitive_data.ssh1_host_key->rsa->n) > 0) {
2301: 		    BN_num_bits(sensitive_data.ssh1_host_key->rsa->n) +
2304: 			    "server_key %d < host_key %d + SSH_KEY_BITS_RESERVED %d",
2307: 			    BN_num_bits(sensitive_data.ssh1_host_key->rsa->n),
2314: 		    sensitive_data.ssh1_host_key->rsa) != 0)
2317: 		/* Host key has bigger modulus (or they are equal). */
2318: 		if (BN_num_bits(sensitive_data.ssh1_host_key->rsa->n) <
2322: 			    "host_key %d < server_key %d + SSH_KEY_BITS_RESERVED %d",
2324: 			    BN_num_bits(sensitive_data.ssh1_host_key->rsa->n),
2329: 		    sensitive_data.ssh1_host_key->rsa) != 0)
2378: 	/* Store our public host RSA key. */
2379: 	packet_put_int(BN_num_bits(sensitive_data.ssh1_host_key->rsa->n));
2380: 	packet_put_bignum(sensitive_data.ssh1_host_key->rsa->e);
2381: 	packet_put_bignum(sensitive_data.ssh1_host_key->rsa->n);
2384: 	packet_put_int(SSH_PROTOFLAG_HOST_IN_FWD_OPEN);
2405: 	debug("Sent %d bit server key and %d bit host key.",
2407: 	    BN_num_bits(sensitive_data.ssh1_host_key->rsa->n));
2445: 	/* Decrypt real_key_int using host/server keys */
2471: 		    sensitive_data.ssh1_host_key->rsa->n,
2573: 	myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal(
2593: 	kex->load_host_public_key=&get_hostkey_public_by_type;
2594: 	kex->load_host_private_key=&get_hostkey_private_by_type;
2595: 	kex->host_key_index=&get_hostkey_index;
109: #include "canohost.h"
110: #include "hostfile.h"
231: /* record remote hostname or ip */
838: 	debug("list_hostkey_types: %s", ret);
875: 	return get_hostkey_by_type(type, nid, 0, ssh);
881: 	return get_hostkey_by_type(type, nid, 1, ssh);
926: /* Inform the client of all hostkeys */
938: 		key = get_hostkey_public_by_index(i, ssh);
949: 			packet_put_cstring("hostkeys-00@openssh.com");
954: 			fatal("%s: couldn't put hostkey %d: %s",
959: 	debug3("%s: sent %d hostkeys", __func__, nkeys);
961: 		fatal("%s: no hostkeys", __func__);
1155: 	char ntop[NI_MAXHOST], strport[NI_MAXSERV];
1165: 		    NI_NUMERICHOST|NI_NUMERICSERV)) != 0) {
1792: 			debug("will rely on agent for hostkey %s",
1835: 		logit("sshd: no hostkeys available -- exiting.");
2127: 	 * We use get_canonical_hostname with usedns = 0 instead of
2130: 	(void) get_canonical_hostname(0);
2256: 	/* Try to send all our hostkeys to the client */
2258: 		notify_hostkeys(active_state);
2574: 	    list_hostkey_types());
2596: 	kex->sign = sshd_hostkey_sign;
2359: 	 * cookie.  This only affects rhosts authentication, and this is one
2391: 	if (options.rhosts_rsa_authentication)
2392: 		auth_mask |= 1 << SSH_AUTH_RHOSTS_RSA;
android.googlesource.com/platform/external/openssh:ssh-keyscan.c: [ master, ]
65: int hash_hosts = 0;		/* Hash hostname on output */
608: do_host(char *host)
220: 	    /* host key */
270: 	myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
290: 	ssh_set_verify_host_key_callback(c->c_ssh, key_print_wrapper);
301: 	char *host = c->c_output_name ? c->c_output_name : c->c_name;
305: 	if (hash_hosts && (host = host_hash(host, NULL, 0)) == NULL)
306: 		fatal("host_hash failed");
308: 	fprintf(stdout, "%s ", host);
314: tcpconnect(char *host)
324: 	if ((gaierr = getaddrinfo(host, strport, &hints, &aitop)) != 0) {
325: 		error("getaddrinfo %s: %s", host, ssh_gai_strerror(gaierr));
338: 			error("connect (`%s'): %s", host, strerror(errno));
454: 			error("%s: Connection closed by remote host", c->c_name);
610: 	char *name = strnnsep(&host, " \t\n");
619: 			conalloc(name, *host ? host : name, j);
640: 	    "\t\t   [host | addrlist namelist] ...\n",
670: 			hash_hosts = 1;
784: 			do_host(line);
795: 		do_host(argv[optind++]);
47: #include "hostfile.h"
99: 	char *c_name;		/* Hostname of connection for errors */
101: 	char *c_output_name;	/* Hostname of connection for output */
237: key_print_wrapper(struct sshkey *hostkey, struct ssh *ssh)
242: 		keyprint(c, hostkey);
650: 	char *tname, *cp, line[NI_MAXHOST];
android.googlesource.com/platform/external/openssh:kex.c: [ master, ]
75: 	int hash_alg;
543: choose_hostkeyalg(struct kex *k, char *client, char *server)
537: 	k->hash_alg = kexalg->hash_alg;
561: 		PROPOSAL_KEX_ALGS, PROPOSAL_SERVER_HOST_KEY_ALGS, -1
647: 	    (r = choose_hostkeyalg(kex, cprop[PROPOSAL_SERVER_HOST_KEY_ALGS],
648: 	    sprop[PROPOSAL_SERVER_HOST_KEY_ALGS])) != 0)
678: derive_key(struct ssh *ssh, int id, u_int need, u_char *hash, u_int hashlen,
689: 	if ((mdsz = ssh_digest_bytes(kex->hash_alg)) == 0)
696: 	/* K1 = HASH(K || H || "A" || session_id) */
697: 	if ((hashctx = ssh_digest_start(kex->hash_alg)) == NULL ||
699: 	    ssh_digest_update(hashctx, hash, hashlen) != 0 ||
712: 	 * Kn = HASH(K || H || K1 || K2 || ... || Kn-1)
716: 		if ((hashctx = ssh_digest_start(kex->hash_alg)) == NULL ||
718: 		    ssh_digest_update(hashctx, hash, hashlen) != 0 ||
743: kex_derive_keys(struct ssh *ssh, u_char *hash, u_int hashlen,
752: 		if ((r = derive_key(ssh, 'A'+i, kex->we_need, hash, hashlen,
771: kex_derive_keys_bn(struct ssh *ssh, u_char *hash, u_int hashlen,
780: 		r = kex_derive_keys(ssh, hash, hashlen, shared_secret);
788: derive_ssh1_session_id(BIGNUM *host_modulus, BIGNUM *server_modulus,
796: 	hlen = BN_num_bytes(host_modulus);
801: 	if (BN_bn2bin(host_modulus, hbuf) <= 0 ||
545: 	char *hostkeyalg = match_list(client, server, NULL);
547: 	if (hostkeyalg == NULL)
548: 		return SSH_ERR_NO_HOSTKEY_ALG_MATCH;
549: 	k->hostkey_type = sshkey_type_from_name(hostkeyalg);
550: 	if (k->hostkey_type == KEY_UNSPEC)
552: 	k->hostkey_nid = sshkey_ecdsa_nid_from_name(hostkeyalg);
553: 	free(hostkeyalg);
682: 	struct ssh_digest_ctx *hashctx = NULL;
698: 	    ssh_digest_update_buffer(hashctx, shared_secret) != 0 ||
700: 	    ssh_digest_update(hashctx, &c, 1) != 0 ||
701: 	    ssh_digest_update(hashctx, kex->session_id,
703: 	    ssh_digest_final(hashctx, digest, mdsz) != 0) {
707: 	ssh_digest_free(hashctx);
708: 	hashctx = NULL;
717: 		    ssh_digest_update_buffer(hashctx, shared_secret) != 0 ||
719: 		    ssh_digest_update(hashctx, digest, have) != 0 ||
720: 		    ssh_digest_final(hashctx, digest + have, mdsz) != 0) {
724: 		ssh_digest_free(hashctx);
725: 		hashctx = NULL;
737: 	ssh_digest_free(hashctx);
792: 	struct ssh_digest_ctx *hashctx = NULL;
806: 	if ((hashctx = ssh_digest_start(SSH_DIGEST_MD5)) == NULL) {
810: 	if (ssh_digest_update(hashctx, hbuf, hlen) != 0 ||
811: 	    ssh_digest_update(hashctx, sbuf, slen) != 0 ||
812: 	    ssh_digest_update(hashctx, cookie, 8) != 0 ||
813: 	    ssh_digest_final(hashctx, obuf, sizeof(obuf)) != 0) {
820: 	ssh_digest_free(hashctx);
android.googlesource.com/platform/external/openssh:kexc25519.c: [ master, ]
80: kex_c25519_hash(
81:     int hash_alg,
90:     u_char *hash, size_t *hashlen)
95: 	if (*hashlen < ssh_digest_bytes(hash_alg))
118: 	if (ssh_digest_buffer(hash_alg, b, hash, *hashlen) != 0) {
123: 	*hashlen = ssh_digest_bytes(hash_alg);
125: 	dump_digest("hash", hash, *hashlen);
86:     const u_char *serverhostkeyblob, size_t sbloblen,
108: 	    (r = sshbuf_put_string(b, serverhostkeyblob, sbloblen)) < 0 ||
android.googlesource.com/platform/external/openssh:kexdh.c: [ master, ]
45: kex_dh_hash(
54:     u_char *hash, size_t *hashlen)
82: 	if (ssh_digest_buffer(SSH_DIGEST_SHA1, b, hash, *hashlen) != 0) {
89: 	dump_digest("hash", hash, *hashlen);
59: 	if (*hashlen < ssh_digest_bytes(SSH_DIGEST_SHA1))
87: 	*hashlen = ssh_digest_bytes(SSH_DIGEST_SHA1);
50:     const u_char *serverhostkeyblob, size_t sbloblen,
72: 	    (r = sshbuf_put_string(b, serverhostkeyblob, sbloblen)) != 0 ||
android.googlesource.com/platform/external/openssh:kexecdh.c: [ master, ]
50: kex_ecdh_hash(
51:     int hash_alg,
61:     u_char *hash, size_t *hashlen)
66: 	if (*hashlen < ssh_digest_bytes(hash_alg))
89: 	if (ssh_digest_buffer(hash_alg, b, hash, *hashlen) != 0) {
94: 	*hashlen = ssh_digest_bytes(hash_alg);
96: 	dump_digest("hash", hash, *hashlen);
57:     const u_char *serverhostkeyblob, size_t sbloblen,
79: 	    (r = sshbuf_put_string(b, serverhostkeyblob, sbloblen)) != 0 ||
android.googlesource.com/platform/external/openssh:kexgex.c: [ master, ]
45: kexgex_hash(
46:     int hash_alg,
58:     u_char *hash, size_t *hashlen)
91: 	if (ssh_digest_buffer(hash_alg, b, hash, *hashlen) != 0) {
96: 	*hashlen = ssh_digest_bytes(hash_alg);
98: 	dump_digest("hash", hash, *hashlen);
63: 	if (*hashlen < ssh_digest_bytes(SSH_DIGEST_SHA1))
51:     const u_char *serverhostkeyblob, size_t sbloblen,
76: 	    (r = sshbuf_put_string(b, serverhostkeyblob, sbloblen)) != 0 ||
android.googlesource.com/platform/external/openssh:auth2-hostbased.c: [ master, ]
161: hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost,
59: userauth_hostbased(Authctxt *authctxt)
247: Authmethod method_hostbased = {
137: 	    "client user \"%.100s\", client host \"%.100s\"", cuser, chost);
165: 	HostStatus host_status;
186: 			    "user \"%.100s\" host \"%.100s\" (from packet)",
198: 			    "user \"%.100s\" host \"%.100s\" addr \"%.100s\"",
213: 	host_status = check_key_in_hostfiles(pw, key, lookup,
218: 	if (host_status == HOST_NEW) {
219: 		host_status = check_key_in_hostfiles(pw, key, lookup,
225: 	if (host_status == HOST_OK) {
228: 			    options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL)
236: 			    options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL)
244: 	return (host_status == HOST_OK);
1: /* $OpenBSD: auth2-hostbased.c,v 1.24 2015/01/28 22:36:00 djm Exp $ */
43: #include "hostfile.h"
45: #include "canohost.h"
63: 	char *pkalg, *cuser, *chost, *service;
70: 		debug2("userauth_hostbased: disabled because of invalid user");
75: 	chost = packet_get_string(NULL);
79: 	debug("userauth_hostbased: cuser %s chost %s pkalg %s slen %d",
80: 	    cuser, chost, pkalg, slen);
91: 		logit("userauth_hostbased: unsupported "
97: 		error("userauth_hostbased: cannot decode key: %s", pkalg);
101: 		error("userauth_hostbased: type mismatch for decoded key "
112: 	    options.hostbased_key_types,
113: 	    strlen(options.hostbased_key_types), 0) != 1) {
114: 		logit("%s: key type %s not in HostbasedAcceptedKeyTypes",
127: 	buffer_put_cstring(&b, "hostbased");
130: 	buffer_put_cstring(&b, chost);
141: 	if (PRIVSEP(hostbased_key_allowed(authctxt->pw, cuser, chost, key)) &&
148: 	debug2("userauth_hostbased: authenticated %d", authenticated);
154: 	free(chost);
159: /* return 1 if given hostkey is allowed */
172: 	resolvedname = get_canonical_hostname(options.use_dns);
175: 	debug2("%s: chost %s resolvedname %s ipaddr %s", __func__,
176: 	    chost, resolvedname, ipaddr);
178: 	if (((len = strlen(chost)) > 0) && chost[len - 1] == '.') {
179: 		debug2("stripping trailing dot from chost %s", chost);
180: 		chost[len - 1] = '\0';
183: 	if (options.hostbased_uses_name_from_packet_only) {
184: 		if (auth_rhosts2(pw, cuser, chost, chost) == 0) {
187: 			    __func__, cuser, chost);
190: 		lookup = chost;
192: 		if (strcasecmp(resolvedname, chost) != 0)
193: 			logit("userauth_hostbased mismatch: "
195: 			    chost, ipaddr, resolvedname);
214: 	    _PATH_SSH_SYSTEM_HOSTFILE,
215: 	    options.ignore_user_known_hosts ? NULL : _PATH_SSH_USER_HOSTFILE);
220: 		    _PATH_SSH_SYSTEM_HOSTFILE2,
221: 		    options.ignore_user_known_hosts ? NULL :
222: 		    _PATH_SSH_USER_HOSTFILE2);
248: 	"hostbased",
249: 	userauth_hostbased,
250: 	&options.hostbased_authentication
185: 			debug2("%s: auth_rhosts2 refused "
196: 		if (auth_rhosts2(pw, cuser, resolvedname, ipaddr) == 0) {
197: 			debug2("%s: auth_rhosts2 refused "
204: 	debug2("%s: access allowed by auth_rhosts2", __func__);
android.googlesource.com/platform/external/openssh:pkcs11.h: [ master, ]
665: #define CKM_FASTHASH			(0x1070)
389: #define CKA_HASH_OF_SUBJECT_PUBLIC_KEY	(0x8a)
390: #define CKA_HASH_OF_ISSUER_PUBLIC_KEY	(0x8b)
1099: #define CKR_HOST_MEMORY				(2)
android.googlesource.com/platform/external/openssh:servconf.c: [ master, ]
388: 	sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
407: 	sAllowStreamLocalForwarding, sFingerprintHash,
379: 	sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime,
381: 	sRhostsRSAAuthentication, sRSAAuthentication,
387: 	sPrintMotd, sPrintLastLog, sIgnoreRhosts,
392: 	sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
395: 	sBanner, sUseDNS, sHostbasedAuthentication,
396: 	sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes,
401: 	sHostCertificate,
405: 	sAuthenticationMethods, sHostKeyAgent, sPermitUserRC,
87: 	options->num_host_key_files = 0;
88: 	options->num_host_cert_files = 0;
89: 	options->host_key_agent = NULL;
169: 	options->fingerprint_hash = -1;
191: 	if (options->num_host_key_files == 0) {
194: 			options->host_key_files[options->num_host_key_files++] =
195: 			    _PATH_HOST_KEY_FILE;
197: 			options->host_key_files[options->num_host_key_files++] =
198: 			    _PATH_HOST_RSA_KEY_FILE;
199: 			options->host_key_files[options->num_host_key_files++] =
200: 			    _PATH_HOST_DSA_KEY_FILE;
202: 			options->host_key_files[options->num_host_key_files++] =
203: 			    _PATH_HOST_ECDSA_KEY_FILE;
205: 			options->host_key_files[options->num_host_key_files++] =
206: 			    _PATH_HOST_ED25519_KEY_FILE;
338: 	if (options->fingerprint_hash == -1)
339: 		options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
356: 	for (i = 0; i < options->num_host_key_files; i++)
357: 		CLEAR_ON_NONE(options->host_key_files[i]);
358: 	for (i = 0; i < options->num_host_cert_files; i++)
359: 		CLEAR_ON_NONE(options->host_cert_files[i]);
622: 		fatal("bad addr or host: %s (%s)",
638: 	ci.host = get_canonical_hostname(use_dns);
721: 		debug3("checking match for '%s' user %s host %s addr %s "
723: 		    ci->host ? ci->host : "(null)",
765: 		} else if (strcasecmp(attrib, "host") == 0) {
766: 			if (ci == NULL || ci->host == NULL) {
770: 			if (match_hostname(ci->host, arg, len) != 1)
773: 				debug("connection from %.100s matched 'Host "
774: 				    "%.100s' at line %d", ci->host, arg, line);
1044: 		intptr = &options->num_host_key_files;
1046: 			fatal("%s line %d: too many host keys specified (max %d).",
1048: 		charptr = &options->host_key_files[*intptr];
1063: 		charptr = &options->host_key_agent;
1074: 		intptr = &options->num_host_cert_files;
1076: 			fatal("%s line %d: too many host certificates "
1079: 		charptr = &options->host_cert_files[*intptr];
1606: 				fatal("%s line %d: missing host in PermitOpen",
1744: 			fatal("%.200s line %d: Invalid hash algorithm \"%s\".",
1747: 			options->fingerprint_hash = value;
1837: 		} else if (strncmp(p, "host=", 5) == 0) {
1838: 			ci->host = xstrdup(p + 5);
1865: 	if (ci->user && ci->host && ci->address)
1867: 	if (!ci->user && !ci->host && !ci->address)
2166: 	dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash);
2183: 	dump_cfg_string(sHostKeyAgent, o->host_key_agent);
2198: 	dump_cfg_strarray(sHostKeyFile, o->num_host_key_files,
2199: 	     o->host_key_files);
2200: 	dump_cfg_strarray(sHostKeyFile, o->num_host_cert_files,
2201: 	     o->host_cert_files);
54: #include "canohost.h"
56: #include "hostfile.h"
96: 	options->ignore_user_known_hosts = -1;
101: 	options->x11_use_localhost = -1;
110: 	options->hostbased_authentication = -1;
111: 	options->hostbased_uses_name_from_packet_only = -1;
112: 	options->hostbased_key_types = NULL;
192: 		/* fill default hostkeys for protocols */
226: 	if (options->ignore_user_known_hosts == -1)
227: 		options->ignore_user_known_hosts = 0;
236: 	if (options->x11_use_localhost == -1)
237: 		options->x11_use_localhost = 1;
254: 	if (options->hostbased_authentication == -1)
255: 		options->hostbased_authentication = 0;
256: 	if (options->hostbased_uses_name_from_packet_only == -1)
257: 		options->hostbased_uses_name_from_packet_only = 0;
258: 	if (options->hostbased_key_types == NULL)
259: 		options->hostbased_key_types = xstrdup("*");
430: 	{ "hostkey", sHostKeyFile, SSHCFG_GLOBAL },
431: 	{ "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL },		/* alias */
432: 	{ "hostkeyagent", sHostKeyAgent, SSHCFG_GLOBAL },
442: 	{ "hostbasedauthentication", sHostbasedAuthentication, SSHCFG_ALL },
443: 	{ "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly, SSHCFG_ALL },
444: 	{ "hostbasedacceptedkeytypes", sHostbasedAcceptedKeyTypes, SSHCFG_ALL },
486: 	{ "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
527: 	{ "hostcertificate", sHostCertificate, SSHCFG_GLOBAL },
540: 	{ "fingerprinthash", sFingerprintHash, SSHCFG_GLOBAL },
1045: 		if (*intptr >= MAX_HOSTKEYS)
1047: 			    filename, linenum, MAX_HOSTKEYS);
1075: 		if (*intptr >= MAX_HOSTKEYS)
1078: 			    MAX_HOSTCERTS);
1112: 		intptr = &options->ignore_user_known_hosts;
1120: 		intptr = &options->hostbased_authentication;
1124: 		intptr = &options->hostbased_uses_name_from_packet_only;
1128: 		charptr = &options->hostbased_key_types;
1205: 	case sX11UseLocalhost:
1206: 		intptr = &options->x11_use_localhost;
1738: 	case sFingerprintHash:
1892: 	M_CP_INTOPT(hostbased_authentication);
1893: 	M_CP_INTOPT(hostbased_uses_name_from_packet_only);
1905: 	M_CP_INTOPT(x11_use_localhost);
2002: 	case sFingerprintHash:
2085: 	char addr[NI_MAXHOST], port[NI_MAXSERV], *s = NULL;
2097: 		    NI_NUMERICHOST|NI_NUMERICSERV)) != 0) {
2125: 	dump_cfg_fmtint(sIgnoreUserKnownHosts, o->ignore_user_known_hosts);
2127: 	dump_cfg_fmtint(sHostbasedAuthentication, o->hostbased_authentication);
2129: 	    o->hostbased_uses_name_from_packet_only);
2152: 	dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost);
2186: 	dump_cfg_string(sHostbasedAcceptedKeyTypes, o->hostbased_key_types ?
2187: 	    o->hostbased_key_types : KEX_DEFAULT_PK_ALG);
95: 	options->ignore_rhosts = -1;
109: 	options->rhosts_rsa_authentication = -1;
224: 	if (options->ignore_rhosts == -1)
225: 		options->ignore_rhosts = 1;
252: 	if (options->rhosts_rsa_authentication == -1)
253: 		options->rhosts_rsa_authentication = 0;
440: 	{ "rhostsauthentication", sDeprecated, SSHCFG_GLOBAL },
441: 	{ "rhostsrsaauthentication", sRhostsRSAAuthentication, SSHCFG_ALL },
482: 	{ "ignorerhosts", sIgnoreRhosts, SSHCFG_GLOBAL },
483: 	{ "ignoreuserknownhosts", sIgnoreUserKnownHosts, SSHCFG_GLOBAL },
1008: 		p = cleanhostname(p);
1043: 	case sHostKeyFile:
1062: 	case sHostKeyAgent:
1073: 	case sHostCertificate:
1092: 	case sIgnoreRhosts:
1093: 		intptr = &options->ignore_rhosts;
1111: 	case sIgnoreUserKnownHosts:
1115: 	case sRhostsRSAAuthentication:
1116: 		intptr = &options->rhosts_rsa_authentication;
1119: 	case sHostbasedAuthentication:
1123: 	case sHostbasedUsesNameFromPacketOnly:
1127: 	case sHostbasedAcceptedKeyTypes:
1608: 			p = cleanhostname(p);
2124: 	dump_cfg_fmtint(sIgnoreRhosts, o->ignore_rhosts);
2126: 	dump_cfg_fmtint(sRhostsRSAAuthentication, o->rhosts_rsa_authentication);
2128: 	dump_cfg_fmtint(sHostbasedUsesNameFromPacketOnly,
android.googlesource.com/platform/external/openssh:readconf.c: [ master, ]
132: 	oHost, oMatch,
147: 	oClearAllForwardings, oNoHostAuthenticationForLocalhost,
159: 	oFingerprintHash, oUpdateHostkeys, oHostbasedKeyTypes,
137: 	oIdentityFile, oHostName, oPort, oCipher, oRemoteForward, oLocalForward,
138: 	oUser, oEscapeChar, oRhostsRSAAuthentication, oProxyCommand,
139: 	oGlobalKnownHostsFile, oUserKnownHostsFile, oConnectionAttempts,
140: 	oBatchMode, oCheckHostIP, oStrictHostKeyChecking, oCompression,
144: 	oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias,
145: 	oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication,
146: 	oHostKeyAlgorithms, oBindAddress, oPKCS11Provider,
148: 	oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
152: 	oHashKnownHosts,
154: 	oVisualHostKey, oUseRoaming,
156: 	oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
158: 	oStreamLocalBindMask, oStreamLocalBindUnlink, oRevokedHostKeys,
730: static const struct multistate multistate_canonicalizehostname[] = {
72:    # Thus, host-specific definitions should be at the beginning of the
75:    # Host-specific declarations.  These may override anything above.  A single
76:    # host may match multiple declarations; these are processed in the order
79:    Host *.ngs.fi ngs.fi
82:    Host fake.com
83:      HostName another.host.name.real.org
89:    Host books.com
93:    Host fascist.blob.com
98:    Host puukko.hut.fi
102:    Host *.fr
105:    Host *.su
109:    Host vpn.fake.com
114:    Host *
215: 	{ "host", oHost },
303: 	fwd->listen_host = newfwd->listen_host;
306: 	fwd->connect_host = newfwd->connect_host;
326: 	fwd->listen_host = newfwd->listen_host;
329: 	fwd->connect_host = newfwd->connect_host;
342: 		free(options->local_forwards[i].listen_host);
344: 		free(options->local_forwards[i].connect_host);
353: 		free(options->remote_forwards[i].listen_host);
355: 		free(options->remote_forwards[i].connect_host);
489:     const char *host_arg, const char *original_host, int post_canon,
492: 	char *arg, *oattrib, *attrib, *cmd, *cp = *condition, *host, *criteria;
506: 		host = percent_expand(options->hostname,
507: 		    "h", host_arg, (char *)NULL);
509: 		host = xstrdup(host_arg);
511: 	debug2("checking match for '%s' host %s originally %s",
512: 	    cp, host, original_host);
549: 		if (strcasecmp(attrib, "host") == 0) {
550: 			criteria = xstrdup(host);
551: 			r = match_hostname(host, arg, len) == 1;
555: 			criteria = xstrdup(original_host);
556: 			r = match_hostname(original_host, arg, len) == 1;
579: 			    "h", host,
581: 			    "n", original_host,
624: 	free(host);
745: process_config_line(Options *options, struct passwd *pw, const char *host,
746:     const char *original_host, char *line, const char *filename,
904: 		intptr = &options->check_host_ip;
908: 		intptr = &options->verify_host_key_dns;
913: 		intptr = &options->strict_host_key_checking;
926: 		intptr = &options->no_host_authentication_for_localhost;
1024: 		charptr = &options->host_key_alias;
1122: 			fatal("%.200s line %d: Bad protocol 2 host key algorithms '%s'.",
1194: 			fatal("Host directive not supported as a command-line "
1202: 			if (match_pattern(host, arg)) {
1204: 					debug("%.200s line %d: Skipping Host "
1224: 			fatal("Host directive not supported as a command-line "
1226: 		value = match_cfg_line(options, &s, pw, host, original_host,
1326: 		intptr = &options->hash_known_hosts;
1356: 		intptr = &options->visual_host_key;
1465: 		charptr = &options->revoked_host_keys;
1469: 		intptr = &options->fingerprint_hash;
1475: 			fatal("%.200s line %d: Invalid hash algorithm \"%s\".",
1529: read_config_file(const char *filename, struct passwd *pw, const char *host,
1530:     const char *original_host, Options *options, int flags)
1554: 	 * on/off by Host specifications.
1561: 		if (process_config_line(options, pw, host, original_host,
1611: 	options->check_host_ip = -1;
1612: 	options->strict_host_key_checking = -1;
1629: 	options->host_key_alias = NULL;
1645: 	options->no_host_authentication_for_localhost = - 1;
1649: 	options->verify_host_key_dns = -1;
1657: 	options->hash_known_hosts = -1;
1664: 	options->visual_host_key = -1;
1675: 	options->revoked_host_keys = NULL;
1676: 	options->fingerprint_hash = -1;
1743: 	if (options->check_host_ip == -1)
1744: 		options->check_host_ip = 1;
1745: 	if (options->strict_host_key_checking == -1)
1746: 		options->strict_host_key_checking = 2;	/* 2 is default */
1806: 	if (options->no_host_authentication_for_localhost == - 1)
1807: 		options->no_host_authentication_for_localhost = 0;
1816: 	if (options->verify_host_key_dns == -1)
1817: 		options->verify_host_key_dns = 0;
1828: 	if (options->hash_known_hosts == -1)
1829: 		options->hash_known_hosts = 0;
1839: 	if (options->visual_host_key == -1)
1840: 		options->visual_host_key = 0;
1855: 	if (options->fingerprint_hash == -1)
1856: 		options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
1872: 	CLEAR_ON_NONE(options->revoked_host_keys);
1875: 	/* options->host_key_alias should not be set by default */
1988: 			fwd->listen_host = NULL;
1991: 		fwd->connect_host = xstrdup("socks");
2001: 			fwd->listen_host = NULL;
2006: 			fwd->listen_host = xstrdup(fwdargs[0].arg);
2008: 			fwd->connect_host = xstrdup("socks");
2016: 			fwd->connect_host = xstrdup(fwdargs[1].arg);
2019: 			fwd->listen_host = xstrdup(fwdargs[0].arg);
2024: 			fwd->listen_host = NULL;
2026: 			fwd->connect_host = xstrdup(fwdargs[1].arg);
2032: 		fwd->listen_host = xstrdup(fwdargs[0].arg);
2034: 		fwd->connect_host = xstrdup(fwdargs[2].arg);
2059: 	if (fwd->connect_host != NULL &&
2060: 	    strlen(fwd->connect_host) >= NI_MAXHOST)
2062: 	/* XXX - if connecting to a remote socket, max sun len may not match this host */
2066: 	if (fwd->listen_host != NULL &&
2067: 	    strlen(fwd->listen_host) >= NI_MAXHOST)
2076: 	free(fwd->connect_host);
2077: 	fwd->connect_host = NULL;
2080: 	free(fwd->listen_host);
2081: 	fwd->listen_host = NULL;
2206: 		    strcmp(fwd->connect_host, "socks") != 0)
2209: 		    strcmp(fwd->connect_host, "socks") == 0)
2214: 		else if (fwd->listen_host == NULL)
2218: 			    fwd->listen_host, fwd->listen_port);
2223: 			else if (fwd->connect_host == NULL)
2227: 				    fwd->connect_host, fwd->connect_port);
2235: dump_client_config(Options *o, const char *host)
2240: 	/* Most interesting options first: user, host, port */
2242: 	dump_cfg_string(oHostName, host);
2251: 	dump_cfg_fmtint(oCheckHostIP, o->check_host_ip);
2256: 	dump_cfg_fmtint(oFingerprintHash, o->fingerprint_hash);
2265: 	dump_cfg_fmtint(oHashKnownHosts, o->hash_known_hosts);
2269: 	dump_cfg_fmtint(oNoHostAuthenticationForLocalhost, o->no_host_authentication_for_localhost);
2279: 	dump_cfg_fmtint(oStrictHostKeyChecking, o->strict_host_key_checking);
2283: 	dump_cfg_fmtint(oVerifyHostKeyDNS, o->verify_host_key_dns);
2284: 	dump_cfg_fmtint(oVisualHostKey, o->visual_host_key);
2301: 	dump_cfg_string(oHostKeyAlias, o->host_key_alias);
2311: 	dump_cfg_string(oRevokedHostKeys, o->revoked_host_keys);
185: 	{ "hostbasedauthentication", oHostbasedAuthentication },
204: 	{ "hostname", oHostName },
205: 	{ "hostkeyalias", oHostKeyAlias },
234: 	{ "hostkeyalgorithms", oHostKeyAlgorithms },
246: 	{ "nohostauthenticationforlocalhost", oNoHostAuthenticationForLocalhost },
256: 	{ "hashknownhosts", oHashKnownHosts },
275: 	{ "fingerprinthash", oFingerprintHash },
277: 	{ "hostbasedkeytypes", oHostbasedKeyTypes },
496: 	char thishost[NI_MAXHOST], shorthost[NI_MAXHOST], portstr[NI_MAXSERV];
504: 	if (options->hostname != NULL) {
554: 		} else if (strcasecmp(attrib, "originalhost") == 0) {
570: 			if (gethostname(thishost, sizeof(thishost)) == -1)
572: 			strlcpy(shorthost, thishost, sizeof(shorthost));
573: 			shorthost[strcspn(thishost, ".")] = '\0';
577: 			    "L", shorthost,
580: 			    "l", thishost,
636: 		fatal("%s line %d: empty hostname suffix", filename, linenum);
638: 		fatal("%s line %d: hostname suffix \"%.100s\" "
644: 			fatal("%s line %d: hostname suffix \"%.100s\" contains "
648: 			fatal("%s line %d: hostname suffix \"%.100s\" contains "
884: 		intptr = &options->hostbased_authentication;
925: 	case oNoHostAuthenticationForLocalhost:
998: 		cpptr = (char **)&options->system_hostfiles;
999: 		uintptr = &options->num_system_hostfiles;
1000: 		max_entries = SSH_MAX_HOSTS_FILES;
1014: 		cpptr = (char **)&options->user_hostfiles;
1015: 		uintptr = &options->num_user_hostfiles;
1016: 		max_entries = SSH_MAX_HOSTS_FILES;
1020: 		charptr = &options->hostname;
1124: 		if (*activep && options->hostkeyalgorithms == NULL)
1125: 			options->hostkeyalgorithms = xstrdup(arg);
1192: 	case oHost:
1400: 				fatal("%s line %d: too many hostname suffixes.",
1437: 		intptr = &options->canonicalize_hostname;
1468: 	case oFingerprintHash:
1482: 		intptr = &options->update_hostkeys;
1487: 		charptr = &options->hostbased_key_types;
1609: 	options->hostbased_authentication = -1;
1625: 	options->hostkeyalgorithms = NULL;
1628: 	options->hostname = NULL;
1633: 	options->num_system_hostfiles = 0;
1634: 	options->num_user_hostfiles = 0;
1674: 	options->canonicalize_hostname = -1;
1677: 	options->update_hostkeys = -1;
1678: 	options->hostbased_key_types = NULL;
1683:  * needed for hostname canonicalization to proceed.
1692: 	if (options->canonicalize_hostname == -1)
1693: 		options->canonicalize_hostname = SSH_CANONICALISE_NO;
1739: 	if (options->hostbased_authentication == -1)
1740: 		options->hostbased_authentication = 0;
1767: 	/* options->hostkeyalgorithms, default set in myproposals.h */
1790: 	if (options->num_system_hostfiles == 0) {
1791: 		options->system_hostfiles[options->num_system_hostfiles++] =
1792: 		    xstrdup(_PATH_SSH_SYSTEM_HOSTFILE);
1793: 		options->system_hostfiles[options->num_system_hostfiles++] =
1794: 		    xstrdup(_PATH_SSH_SYSTEM_HOSTFILE2);
1796: 	if (options->num_user_hostfiles == 0) {
1797: 		options->user_hostfiles[options->num_user_hostfiles++] =
1798: 		    xstrdup(_PATH_SSH_USER_HOSTFILE);
1799: 		options->user_hostfiles[options->num_user_hostfiles++] =
1800: 		    xstrdup(_PATH_SSH_USER_HOSTFILE2);
1853: 	if (options->canonicalize_hostname == -1)
1854: 		options->canonicalize_hostname = SSH_CANONICALISE_NO;
1857: 	if (options->update_hostkeys == -1)
1858: 		options->update_hostkeys = 0;
1859: 	if (options->hostbased_key_types == NULL)
1860: 		options->hostbased_key_types = xstrdup("*");
1874: 	/* options->hostname will be set in the main program if appropriate */
1950:  *	[listenhost:]listenport|listenpath:connecthost:connectport|connectpath
1953:  *	[listenhost:]listenport
2120: 	case oFingerprintHash:
2249: 	dump_cfg_fmtint(oCanonicalizeHostname, o->canonicalize_hostname);
2266: 	dump_cfg_fmtint(oHostbasedAuthentication, o->hostbased_authentication);
2285: 	dump_cfg_fmtint(oUpdateHostkeys, o->update_hostkeys);
2300: 	dump_cfg_string(oHostKeyAlgorithms, o->hostkeyalgorithms ? o->hostkeyalgorithms : KEX_DEFAULT_PK_ALG);
2302: 	dump_cfg_string(oHostbasedKeyTypes, o->hostbased_key_types);
2322: 	dump_cfg_strarray_oneline(oGlobalKnownHostsFile, o->num_system_hostfiles, o->system_hostfiles);
2323: 	dump_cfg_strarray_oneline(oUserKnownHostsFile, o->num_user_hostfiles, o->user_hostfiles);
119:      RhostsRSAAuthentication yes
120:      StrictHostKeyChecking yes
177: 	{ "rhostsauthentication", oDeprecated },
184: 	{ "rhostsrsaauthentication", oRhostsRSAAuthentication },
218: 	{ "globalknownhostsfile", oGlobalKnownHostsFile },
219: 	{ "globalknownhostsfile2", oDeprecated },
220: 	{ "userknownhostsfile", oUserKnownHostsFile },
221: 	{ "userknownhostsfile2", oDeprecated },
224: 	{ "checkhostip", oCheckHostIP },
225: 	{ "stricthostkeychecking", oStrictHostKeyChecking },
245: 	{ "verifyhostkeydns", oVerifyHostKeyDNS },
261: 	{ "visualhostkey", oVisualHostKey },
269: 	{ "canonicalizehostname", oCanonicalizeHostname },
274: 	{ "revokedhostkeys", oRevokedHostKeys },
276: 	{ "updatehostkeys", oUpdateHostkeys },
571: 				fatal("gethostname: %s", strerror(errno));
879: 	case oRhostsRSAAuthentication:
880: 		intptr = &options->rhosts_rsa_authentication;
883: 	case oHostbasedAuthentication:
903: 	case oCheckHostIP:
907: 	case oVerifyHostKeyDNS:
912: 	case oStrictHostKeyChecking:
997: 	case oGlobalKnownHostsFile:
1013: 	case oUserKnownHostsFile:
1019: 	case oHostName:
1023: 	case oHostKeyAlias:
1117: 	case oHostKeyAlgorithms:
1325: 	case oHashKnownHosts:
1355: 	case oVisualHostKey:
1436: 	case oCanonicalizeHostname:
1438: 		multistate_ptr = multistate_canonicalizehostname;
1464: 	case oRevokedHostKeys:
1481: 	case oUpdateHostkeys:
1486: 	case oHostbasedKeyTypes:
1608: 	options->rhosts_rsa_authentication = -1;
1737: 	if (options->rhosts_rsa_authentication == -1)
1738: 		options->rhosts_rsa_authentication = 0;
2108: 	case oVerifyHostKeyDNS:
2109: 	case oStrictHostKeyChecking:
2110: 	case oUpdateHostkeys:
2118: 	case oCanonicalizeHostname:
2119: 		return fmt_multistate_int(val, multistate_canonicalizehostname);
2276: 	dump_cfg_fmtint(oRhostsRSAAuthentication, o->rhosts_rsa_authentication);
android.googlesource.com/platform/external/openssh:monitor.c: [ master, ]
179: static char *hostbased_cuser = NULL;
180: static char *hostbased_chost = NULL;
1356: monitor_valid_hostbasedblob(u_char *data, u_int datalen, char *cuser,
714: 	 * it's not trivial, since what is signed is the hash, rather
1239: 			    "client user \"%.100s\", client host \"%.100s\"",
1395: 	/* verify client host, strip trailing dot if necessary */
1495: 	/* Record that there was a login on that tty from the remote host. */
1868: 		kex->load_host_public_key=&get_hostkey_public_by_type;
1869: 		kex->load_host_private_key=&get_hostkey_private_by_type;
1870: 		kex->host_key_index=&get_hostkey_index;
72: #include "hostfile.h"
90: #include "canohost.h"
641: 	free(hostbased_cuser);
642: 	free(hostbased_chost);
646: 	hostbased_cuser = NULL;
647: 	hostbased_chost = NULL;
698: 	const char proof_req[] = "hostkeys-prove-00@openssh.com";
710: 	 * Otherwise, verify the signature request is for a hostkey
719: 		 * Construct expected hostkey proof and compare it to what
722: 		if (session_id2_len == 0) /* hostkeys is never first */
724: 		if ((key = get_hostkey_public_by_index(keyid, ssh)) == NULL)
725: 			fatal("%s: no hostkey for index %d", __func__, keyid);
736: 			fatal("%s: bad data length: %zu, hostkey proof len %zu",
749: 	if ((key = get_hostkey_by_index(keyid)) != NULL) {
754: 	} else if ((key = get_hostkey_public_by_index(keyid, ssh)) != NULL &&
762: 		fatal("%s: no hostkey from index %d", __func__, keyid);
765: 	    is_proof ? "KEX" : "hostkey proof", signature, siglen);
1191: 	char *cuser, *chost;
1201: 	chost = buffer_get_string(m, NULL);
1231: 		case MM_HOSTKEY:
1232: 			allowed = options.hostbased_authentication &&
1234: 			    options.hostbased_key_types,
1235: 			    strlen(options.hostbased_key_types), 0) == 1 &&
1236: 			    hostbased_key_allowed(authctxt->pw,
1237: 			    cuser, chost, key);
1240: 			    cuser, chost);
1241: 			auth_method = "hostbased";
1248: 			    cuser, chost, key);
1270: 		hostbased_cuser = cuser;
1271: 		hostbased_chost = chost;
1277: 		free(chost);
1357:     char *chost)
1389: 	if (strcmp(p, "hostbased") != 0)
1399: 	if (strcmp(p, chost) != 0)
1428: 	if (hostbased_cuser == NULL || hostbased_chost == NULL ||
1440: 	case MM_HOSTKEY:
1441: 		valid_data = monitor_valid_hostbasedblob(data, datalen,
1442: 		    hostbased_cuser, hostbased_chost);
1465: 	auth_method = key_blobtype == MM_USERKEY ? "publickey" : "hostbased";
1813: 	case SSH_AUTH_FAIL_HOSTBASED:
1871: 		kex->sign = sshd_hostkey_sign;
1206: 	if ((compat20 && type == MM_RSAHOSTKEY) ||
1207: 	    (!compat20 && type != MM_RSAHOSTKEY))
1244: 		case MM_RSAHOSTKEY:
1246: 			allowed = options.rhosts_rsa_authentication &&
1247: 			    auth_rhosts_rsa_key_allowed(authctxt->pw,
1249: 			if (options.rhosts_rsa_authentication && allowed != 1)
1289: 	if (type == MM_RSAHOSTKEY)
1705: 	if (key_blobtype != MM_RSAUSERKEY && key_blobtype != MM_RSAHOSTKEY)
1747: 	if (key_blobtype != MM_RSAUSERKEY && key_blobtype != MM_RSAHOSTKEY)
1760: 	auth_method = key_blobtype == MM_RSAUSERKEY ? "rsa" : "rhosts-rsa";
android.googlesource.com/platform/external/openssh:sshkey.c: [ master, ]
416: sshkey_ec_nid_to_hash_alg(int nid)
1050:  * "Hash Visualization: a New Technique to improve Real-World Security",
1086: 	char	*retval, *p, title[FLDSIZE_X], hash[FLDSIZE_X];
1136: 	/* assemble hash ID. */
1137: 	r = snprintf(hash, sizeof(hash), "[%s]", alg);
1138: 	hlen = (r <= 0) ? 0 : strlen(hash);
1165: 	memcpy(p, hash, hlen);
1512: 	case SSH2_CERT_TYPE_HOST:
1513: 		return "host";
1883: 	    key->cert->type != SSH2_CERT_TYPE_HOST) {
2534:     int want_host, int require_principal,
2543: 	if (want_host) {
2544: 		if (k->cert->type != SSH2_CERT_TYPE_HOST) {
2545: 			*reason = "Certificate invalid: not a host certificate";
android.googlesource.com/platform/external/openssh:sshkey.h: [ master, ]
71: #define SSH_FP_HASH_DEFAULT	SSH_DIGEST_SHA256
70: /* Default fingerprint hash */
89: 	u_int		 type; /* SSH2_CERT_TYPE_USER or SSH2_CERT_TYPE_HOST */
154: int		 sshkey_ec_nid_to_hash_alg(int nid);
android.googlesource.com/platform/external/openssh:openbsd-compat/sha2.c: [ master, ]
205: const static u_int32_t sha256_initial_hash_value[8] = {
261: const static u_int64_t sha384_initial_hash_value[8] = {
273: const static u_int64_t sha512_initial_hash_value[8] = {
37: /* OPENBSD ORIGINAL: lib/libc/hash/sha2.c */
57:  * loop version for the hash transform rounds (defined using macros
183: /*** SHA-XYZ INITIAL HASH VALUES AND CONSTANTS ************************/
184: /* Hash constant words K for SHA-256: */
204: /* Initial hash value H for SHA-256: */
216: /* Hash constant words K for SHA-384 and SHA-512: */
260: /* Initial hash value H for SHA-384 */
272: /* Initial hash value H for SHA-512 */
291: 	memcpy(context->state, sha256_initial_hash_value,
292: 	    sizeof(sha256_initial_hash_value));
364: 	/* Compute the current intermediate hash value */
439: 	/* Compute the current intermediate hash value */
554: 		/* Convert TO host byte order */
571: 	memcpy(context->state, sha512_initial_hash_value,
572: 	    sizeof(sha512_initial_hash_value));
645: 	/* Compute the current intermediate hash value */
720: 	/* Compute the current intermediate hash value */
835: 		/* Convert TO host byte order */
852: 	memcpy(context->state, sha384_initial_hash_value,
853: 	    sizeof(sha384_initial_hash_value));
892: 		/* Convert TO host byte order */
android.googlesource.com/platform/external/openssh:sshconnect.c: [ master, ]
71: Key *previous_host_key = NULL;
73: static int matching_host_key_dns = 0;
708: check_host_cert(const char *host, const Key *host_key)
805: check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
1237: verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key)
744: get_hostfile_hostname_ipaddr(char *hostname, struct sockaddr *hostaddr,
6:  * Code to connect to a remote host, and to perform the client side of the
89:     const char *host, int port)
95: 	ret = percent_expand(tmp, "h", host, "p", strport,
106: ssh_proxy_fdpass_connect(const char *host, u_short port,
122: 	    host, port);
185: ssh_proxy_connect(const char *host, u_short port, const char *proxy_command)
201: 	    host, port);
415:  * Opens a TCP/IP connection to the remote server on the given host.
416:  * The address of the remote host will be returned in hostaddr.
422:  * and %p substituted for host and port, respectively) to use to contact
426: ssh_connect_direct(const char *host, struct addrinfo *aitop,
444: 		 * Loop through addresses for this host, and try each one in
458: 				host, ntop, strport);
484: 		error("ssh: connect to host %s port %s: %s",
485: 		    host, strport, strerror(errno));
504: ssh_connect(const char *host, struct addrinfo *addrs,
509: 		return ssh_connect_direct(host, addrs, hostaddr, port, family,
515: 		return ssh_proxy_fdpass_connect(host, port,
518: 	return ssh_proxy_connect(host, port, options.proxy_command);
596: 				    "Connection closed by remote host");
712: 	if (key_cert_check_authority(host_key, 1, 0, host, &reason) != 0) {
716: 	if (buffer_len(host_key->cert->critical) != 0) {
718: 		    "critical options(s)", host);
741:  * host keys in known_hosts files. These may have a port number appended.
774: 			*hostfile_ipaddr = put_host_port(ntop, port);
788: 		if (options.host_key_alias != NULL) {
789: 			*hostfile_hostname = xstrdup(options.host_key_alias);
792: 			*hostfile_hostname = put_host_port(hostname, port);
798:  * check whether the supplied host key is valid, return -1 if the key
806:     Key *host_key, int readonly,
810: 	HostStatus host_status;
813: 	char *ip = NULL, *host = NULL;
817: 	const struct hostkey_entry *host_found, *ip_found;
820: 	int r, want_cert = key_is_cert(host_key), host_ip_differ = 0;
822: 	struct hostkeys *host_hostkeys, *ip_hostkeys;
826: 	 * Force accepting of the host key for loopback/localhost. The
829: 	 * them, and the user will get bogus HOST_CHANGED warnings.  This
830: 	 * essentially disables host authentication for localhost; however,
833: 	if (options.no_host_authentication_for_localhost == 1 && local &&
834: 	    options.host_key_alias == NULL) {
835: 		debug("Forcing accepting of host key for "
844: 	get_hostfile_hostname_ipaddr(hostname, hostaddr, port, &host, &ip);
847: 	 * Turn off check_host_ip if the connection is to localhost, via proxy
850: 	if (options.check_host_ip && (local ||
852: 		options.check_host_ip = 0;
854: 	host_hostkeys = init_hostkeys();
856: 		load_hostkeys(host_hostkeys, host, user_hostfiles[i]);
858: 		load_hostkeys(host_hostkeys, host, system_hostfiles[i]);
861: 	if (!want_cert && options.check_host_ip) {
871: 	want_cert = key_is_cert(host_key);
872: 	type = key_type(host_key);
875: 	 * Check if the host key is present in the user's list of known
878: 	host_status = check_key_in_hostkeys(host_hostkeys, host_key,
879: 	    &host_found);
887: 		ip_status = check_key_in_hostkeys(ip_hostkeys, host_key,
889: 		if (host_status == HOST_CHANGED &&
890: 		    (ip_status != HOST_CHANGED || 
892: 		    !key_equal(ip_found->key, host_found->key))))
893: 			host_ip_differ = 1;
895: 		ip_status = host_status;
897: 	switch (host_status) {
898: 	case HOST_OK:
899: 		/* The host is known and the key matches. */
900: 		debug("Host '%.200s' is known and matches the %s host %s.",
901: 		    host, type, want_cert ? "certificate" : "key");
903: 		    host_found->file, host_found->line);
904: 		if (want_cert && !check_host_cert(hostname, host_key))
906: 		if (options.check_host_ip && ip_status == HOST_NEW) {
908: 				logit("%s host key for IP address "
911: 			else if (!add_host_to_hostfile(user_hostfiles[0], ip,
912: 			    host_key, options.hash_known_hosts))
913: 				logit("Failed to add the %s host key for IP "
918: 				logit("Warning: Permanently added the %s host "
921: 		} else if (options.visual_host_key) {
922: 			fp = sshkey_fingerprint(host_key,
923: 			    options.fingerprint_hash, SSH_FP_DEFAULT);
924: 			ra = sshkey_fingerprint(host_key,
925: 			    options.fingerprint_hash, SSH_FP_RANDOMART);
928: 			logit("Host key fingerprint is %s\n%s\n", fp, ra);
934: 	case HOST_NEW:
935: 		if (options.host_key_alias == NULL && port != 0 &&
938: 			if (check_host_key(hostname, hostaddr, 0, host_key,
947: 		/* The host is new. */
948: 		if (options.strict_host_key_checking == 1) {
950: 			 * User has requested strict host key checking.  We
951: 			 * will not add the host key automatically.  The only
954: 			error("No %s host key is known for %.200s and you "
955: 			    "have requested strict checking.", type, host);
957: 		} else if (options.strict_host_key_checking == 2) {
960: 			if (show_other_keys(host_hostkeys, host_key))
963: 				    " known for this host.");
967: 			fp = sshkey_fingerprint(host_key,
968: 			    options.fingerprint_hash, SSH_FP_DEFAULT);
969: 			ra = sshkey_fingerprint(host_key,
970: 			    options.fingerprint_hash, SSH_FP_RANDOMART);
974: 			if (options.verify_host_key_dns) {
975: 				if (matching_host_key_dns)
977: 					    "Matching host key fingerprint"
981: 					    "No matching host key fingerprint"
985: 			    "The authenticity of host '%.200s (%s)' can't be "
990: 			    host, ip, msg1, type, fp,
991: 			    options.visual_host_key ? "\n" : "",
992: 			    options.visual_host_key ? ra : "",
1004: 		if (options.check_host_ip && ip_status == HOST_NEW) {
1005: 			snprintf(hostline, sizeof(hostline), "%s,%s", host, ip);
1007: 			if (options.hash_known_hosts) {
1008: 				/* Add hash of host and IP separately */
1009: 				r = add_host_to_hostfile(user_hostfiles[0],
1010: 				    host, host_key, options.hash_known_hosts) &&
1011: 				    add_host_to_hostfile(user_hostfiles[0], ip,
1012: 				    host_key, options.hash_known_hosts);
1014: 				/* Add unhashed "host,ip" */
1015: 				r = add_host_to_hostfile(user_hostfiles[0],
1016: 				    hostline, host_key,
1017: 				    options.hash_known_hosts);
1020: 			r = add_host_to_hostfile(user_hostfiles[0], host,
1021: 			    host_key, options.hash_known_hosts);
1022: 			hostp = host;
1026: 			logit("Failed to add the host to the list of known "
1032: 	case HOST_REVOKED:
1034: 		error("@       WARNING: REVOKED HOST KEY DETECTED!               @");
1036: 		error("The %s host key for %s is marked as revoked.", type, host);
1038: 		error("impersonate this host.");
1041: 		 * If strict host key checking is in use, the user will have
1044: 		if (options.strict_host_key_checking) {
1045: 			error("%s host key for %.200s was revoked and you have "
1046: 			    "requested strict checking.", type, host);
1051: 	case HOST_CHANGED:
1058: 			debug("Host certificate authority does not "
1060: 			    host_found->file, host_found->line);
1065: 		if (options.check_host_ip && host_ip_differ) {
1067: 			if (ip_status == HOST_NEW)
1069: 			else if (ip_status == HOST_OK)
1076: 			error("The %s host key for %s has changed,", type, host);
1079: 			error("DNS SPOOFING is happening or the IP address for the host");
1080: 			error("and its host key have changed at the same time.");
1081: 			if (ip_status != HOST_NEW)
1085: 		/* The host key has changed. */
1086: 		warn_changed_key(host_key);
1087: 		error("Add correct host key in %.100s to get rid of this message.",
1089: 		error("Offending %s key in %s:%lu", key_type(host_found->key),
1090: 		    host_found->file, host_found->line);
1093: 		 * If strict host key checking is in use, the user will have
1096: 		if (options.strict_host_key_checking) {
1097: 			error("%s host key for %.200s has changed and you have "
1098: 			    "requested strict checking.", type, host);
1104: 		 * If strict host key checking has not been requested, allow
1154: 			fatal("Error: forwarding disabled due to host key "
1159: 		 * This could be done by converting the host key to an
1160: 		 * identifying sentence, tell that the host identifies itself
1165: 	case HOST_FOUND:
1170: 	if (options.check_host_ip && host_status != HOST_CHANGED &&
1171: 	    ip_status == HOST_CHANGED) {
1173: 		    "Warning: the %s host key for '%.200s' "
1176: 		    type, host, ip, ip_found->file, ip_found->line);
1177: 		if (host_status == HOST_OK) {
1180: 			    "\nMatching host key in %s:%lu",
1181: 			    host_found->file, host_found->line);
1183: 		if (options.strict_host_key_checking == 1) {
1187: 		} else if (options.strict_host_key_checking == 2) {
1204: 	free(host);
1205: 	if (host_hostkeys != NULL)
1206: 		free_hostkeys(host_hostkeys);
1212: 	if (want_cert && host_status != HOST_REVOKED) {
1218: 		raw_key = key_from_private(host_key);
1221: 		host_key = raw_key;
1227: 	free(host);
1228: 	if (host_hostkeys != NULL)
1229: 		free_hostkeys(host_hostkeys);
1243: 	if ((fp = sshkey_fingerprint(host_key,
1244: 	    options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL) {
1245: 		error("%s: fingerprint host key: %s", __func__, ssh_err(r));
1250: 	debug("Server host key: %s %s",
1251: 	    compat20 ? sshkey_ssh_name(host_key) : sshkey_type(host_key), fp);
1253: 	if (sshkey_equal(previous_host_key, host_key)) {
1254: 		debug2("%s: server host key %s %s matches cached key",
1255: 		    __func__, sshkey_type(host_key), fp);
1261: 	if (options.revoked_host_keys != NULL) {
1262: 		r = sshkey_check_revoked(host_key, options.revoked_host_keys);
1267: 			error("Host key %s %s revoked by file %s",
1268: 			    sshkey_type(host_key), fp,
1269: 			    options.revoked_host_keys);
1273: 			error("Error checking host key %s %s in "
1274: 			    "revoked keys file %s: %s", sshkey_type(host_key),
1275: 			    fp, options.revoked_host_keys, ssh_err(r));
1281: 	if (options.verify_host_key_dns) {
1286: 		if ((r = sshkey_from_private(host_key, &plain)) != 0)
1290: 		if (verify_host_key_dns(host, hostaddr, plain, &flags) == 0) {
1292: 				if (options.verify_host_key_dns == 1 &&
1299: 					matching_host_key_dns = 1;
1303: 					    "with the new host key to get rid "
1309: 	r = check_host_key(host, hostaddr, options.port, host_key, RDRW,
1316: 	if (r == 0 && host_key != NULL) {
1317: 		key_free(previous_host_key);
1318: 		previous_host_key = key_from_private(host_key);
1335: 	char *host;
1342: 	host = xstrdup(orighost);
1343: 	lowercase(host);
1354: 		ssh_kex2(host, hostaddr, port);
1355: 		ssh_userauth2(local_user, server_user, host, sensitive);
1358: 		ssh_kex(host, hostaddr);
1359: 		ssh_userauth1(local_user, server_user, host, sensitive);
1385: /* print all known host keys for a given host, but skip keys of given type */
1407: 		    options.fingerprint_hash, SSH_FP_DEFAULT);
1409: 		    options.fingerprint_hash, SSH_FP_RANDOMART);
1412: 		logit("WARNING: %s key found for host %s\n"
1416: 		    found->host, found->file, found->line,
1418: 		if (options.visual_host_key)
1428: warn_changed_key(Key *host_key)
1432: 	fp = sshkey_fingerprint(host_key, options.fingerprint_hash,
1438: 	error("@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @");
1442: 	error("It is also possible that a host key has just been changed.");
1443: 	error("The fingerprint for the %s key sent by the remote host is\n%s.",
1444: 	    key_type(host_key), fp);
47: #include "hostfile.h"
56: #include "hostfile.h"
83: static int show_other_keys(struct hostkeys *, Key *);
427:     struct sockaddr_storage *hostaddr, u_short port, int family,
432: 	char ntop[NI_MAXHOST], strport[NI_MAXSERV];
453: 			    NI_NUMERICHOST|NI_NUMERICSERV) != 0) {
469: 				memcpy(hostaddr, ai->ai_addr, ai->ai_addrlen);
505:     struct sockaddr_storage *hostaddr, u_short port, int family,
725: sockaddr_is_local(struct sockaddr *hostaddr)
727: 	switch (hostaddr->sa_family) {
729: 		return (ntohl(((struct sockaddr_in *)hostaddr)->
733: 		    &(((struct sockaddr_in6 *)hostaddr)->sin6_addr));
740:  * Prepare the hostname and ip address strings that are used to lookup
745:     u_short port, char **hostfile_hostname, char **hostfile_ipaddr)
747: 	char ntop[NI_MAXHOST];
750: 	switch (hostaddr == NULL ? -1 : hostaddr->sa_family) {
769: 	if (hostfile_ipaddr != NULL) {
771: 			if (getnameinfo(hostaddr, addrlen,
772: 			    ntop, sizeof(ntop), NULL, 0, NI_NUMERICHOST) != 0)
776: 			*hostfile_ipaddr = xstrdup("<no hostip for proxy "
787: 	if (hostfile_hostname != NULL) {
790: 			debug("using hostkeyalias: %s", *hostfile_hostname);
799:  * is not valid. user_hostfile[0] will not be updated if 'readonly' is true.
807:     char **user_hostfiles, u_int num_user_hostfiles,
808:     char **system_hostfiles, u_int num_system_hostfiles)
811: 	HostStatus ip_status;
814: 	char hostline[1000], *hostp, *fp, *ra;
819: 	int local = sockaddr_is_local(hostaddr);
821: 	int hostkey_trusted = 0; /* Known or explicitly accepted by user */
828: 	 * machines, localhost will refer to a different machine in each of
836: 		    "loopback/localhost.");
841: 	 * Prepare the hostname and address strings used for hostkey lookup.
848: 	 * command or if we don't have a hostname to compare with
851: 	    strcmp(hostname, ip) == 0 || options.proxy_command != NULL))
855: 	for (i = 0; i < num_user_hostfiles; i++)
857: 	for (i = 0; i < num_system_hostfiles; i++)
860: 	ip_hostkeys = NULL;
862: 		ip_hostkeys = init_hostkeys();
863: 		for (i = 0; i < num_user_hostfiles; i++)
864: 			load_hostkeys(ip_hostkeys, ip, user_hostfiles[i]);
865: 		for (i = 0; i < num_system_hostfiles; i++)
866: 			load_hostkeys(ip_hostkeys, ip, system_hostfiles[i]);
876: 	 * hosts or in the systemwide list.
883: 	 * localhost, looking for a certificate, or the hostname was an ip
886: 	if (!want_cert && ip_hostkeys != NULL) {
909: 				    "'%.128s' not in list of known hosts.",
915: 				    "hosts (%.30s).", type, ip,
916: 				    user_hostfiles[0]);
920: 				    "of known hosts.", type, ip);
932: 		hostkey_trusted = 1;
939: 			    ROQUIET, user_hostfiles, num_user_hostfiles,
940: 			    system_hostfiles, num_system_hostfiles) == 0) {
998: 			hostkey_trusted = 1; /* user explicitly confirmed */
1002: 		 * local known_hosts file.
1006: 			hostp = hostline;
1027: 			    "hosts (%.500s).", user_hostfiles[0]);
1030: 			    "list of known hosts.", hostp, type);
1056: 			 * all hosts that one might visit.
1088: 		    user_hostfiles[0]);
1197: 	if (!hostkey_trusted && options.update_hostkeys) {
1198: 		debug("%s: hostkey not known or explicitly trusted: "
1200: 		options.update_hostkeys = 0;
1207: 	if (ip_hostkeys != NULL)
1208: 		free_hostkeys(ip_hostkeys);
1230: 	if (ip_hostkeys != NULL)
1231: 		free_hostkeys(ip_hostkeys);
1310: 	    options.user_hostfiles, options.num_user_hostfiles,
1311: 	    options.system_hostfiles, options.num_system_hostfiles);
1332: ssh_login(Sensitive *sensitive, const char *orighost,
1333:     struct sockaddr *hostaddr, u_short port, struct passwd *pw, int timeout_ms)
1341: 	/* Convert the user-supplied hostname into all lowercase. */
1387: show_other_keys(struct hostkeys *hostkeys, Key *key)
1399: 	const struct hostkey_entry *found;
1404: 		if (!lookup_key_in_hostkeys_by_type(hostkeys, type[i], &found))
1199: 		    "disabling UpdateHostkeys", __func__);
1260: 	/* Check in RevokedHostKeys file if specified */
android.googlesource.com/platform/external/openssh:dns.h: [ master, ]
40: 	SSHFP_HASH_RESERVED = 0,
41: 	SSHFP_HASH_SHA1 = 1,
42: 	SSHFP_HASH_SHA256 = 2,
43: 	SSHFP_HASH_MAX = 3
39: enum sshfp_hashes {
53: int	verify_host_key_dns(const char *, struct sockaddr *,
android.googlesource.com/platform/external/openssh:dns.c: [ master, ]
204: verify_host_key_dns(const char *hostname, struct sockaddr *address,
174: is_numeric_hostname(const char *hostname)
91: 			*digest_type = SSHFP_HASH_SHA1;
96: 			*digest_type = SSHFP_HASH_SHA1;
101: 			*digest_type = SSHFP_HASH_SHA256;
106: 			*digest_type = SSHFP_HASH_SHA256;
110: 		*digest_type = SSHFP_HASH_RESERVED; /* 0 */
114: 	case SSHFP_HASH_SHA1:
117: 	case SSHFP_HASH_SHA256:
121: 		*digest_type = SSHFP_HASH_RESERVED; /* 0 */
149: 	*digest_type = SSHFP_HASH_RESERVED;
179: 	 * We shouldn't ever get a null host but if we do then log an error
200:  * Verify the given hostname, address and host key using DNS.
212: 	u_int8_t hostkey_digest_type = SSHFP_HASH_RESERVED;
223: 	debug3("verify_host_key_dns");
254: 	/* Initialize default host key parameters */
257: 		error("Error calculating host key fingerprint.");
284: 			/* Initialize host key parameters */
314: 			debug("matching host key fingerprint found in DNS");
316: 			debug("mismatching host key fingerprint found in DNS");
318: 		debug("no host key fingerprint found in DNS");
330: 	u_int8_t rdata_digest_type = SSHFP_HASH_RESERVED;
336: 	for (dtype = SSHFP_HASH_SHA1; dtype < SSHFP_HASH_MAX; dtype++) {
170:  * Check if hostname is numerical.
171:  * Returns -1 if hostname is numeric, 0 otherwise
182: 	if (hostname == NULL) {
183: 		error("is_numeric_hostname called with NULL hostname");
189: 	hints.ai_flags = AI_NUMERICHOST;
191: 	if (getaddrinfo(hostname, NULL, &hints, &ai) == 0) {
205:     struct sshkey *hostkey, int *flags)
211: 	u_int8_t hostkey_algorithm;
213: 	u_char *hostkey_digest;
214: 	size_t hostkey_digest_len;
224: 	if (hostkey == NULL)
227: 	if (is_numeric_hostname(hostname)) {
228: 		debug("skipped DNS lookup for numerical hostname");
233: 	result = getrrsetbyname(hostname, DNS_RDATACLASS_IN,
255: 	if (!dns_read_key(&hostkey_algorithm, &hostkey_digest_type,
256: 	    &hostkey_digest, &hostkey_digest_len, hostkey)) {
280: 		if (hostkey_digest_type != dnskey_digest_type) {
281: 			hostkey_digest_type = dnskey_digest_type;
282: 			free(hostkey_digest);
285: 			if (!dns_read_key(&hostkey_algorithm,
286: 			    &hostkey_digest_type, &hostkey_digest,
287: 			    &hostkey_digest_len, hostkey)) {
297: 		if (hostkey_algorithm == dnskey_algorithm &&
298: 		    hostkey_digest_type == dnskey_digest_type) {
299: 			if (hostkey_digest_len == dnskey_digest_len &&
300: 			    timingsafe_bcmp(hostkey_digest, dnskey_digest,
301: 			    hostkey_digest_len) == 0)
307: 	free(hostkey_digest); /* from sshkey_fingerprint_raw() */
327: export_dns_rr(const char *hostname, struct sshkey *key, FILE *f, int generic)
342: 				    hostname, DNS_RDATATYPE_SSHFP,
346: 				fprintf(f, "%s IN SSHFP %d %d ", hostname,
android.googlesource.com/platform/external/openssh:auth.c: [ master, ]
411: check_key_in_hostfiles(struct passwd *pw, Key *key, const char *host,
416: 	HostStatus host_status;
421: 	load_hostkeys(hostkeys, host, sysfile);
435: 			load_hostkeys(hostkeys, host, user_hostfile);
440: 	host_status = check_key_in_hostkeys(hostkeys, key, &found);
441: 	if (host_status == HOST_REVOKED)
443: 		    found->host);
444: 	else if (host_status == HOST_OK)
446: 		    found->host, found->file, found->line);
448: 		debug("%s: key for host %s not found", __func__, host);
452: 	return host_status;
700: 	if ((fp = sshkey_fingerprint(key, options.fingerprint_hash,
62: #include "hostfile.h"
65: #include "canohost.h"
101: 	const char *hostname = NULL, *ipaddr = NULL, *passwd = NULL;
185: 		hostname = get_canonical_hostname(options.use_dns);
192: 			if (match_user(pw->pw_name, hostname, ipaddr,
196: 				    pw->pw_name, hostname);
203: 			if (match_user(pw->pw_name, hostname, ipaddr,
209: 			    "not listed in AllowUsers", pw->pw_name, hostname);
217: 			    "not in any group", pw->pw_name, hostname);
228: 				    pw->pw_name, hostname);
241: 				    "in AllowGroups", pw->pw_name, hostname);
317: 		    get_canonical_hostname(options.use_dns), "ssh");
321: 		    get_canonical_hostname(options.use_dns), "ssh", &loginmsg);
410: HostStatus
414: 	char *user_hostfile;
417: 	struct hostkeys *hostkeys;
418: 	const struct hostkey_entry *found;
420: 	hostkeys = init_hostkeys();
423: 		user_hostfile = tilde_expand_filename(userfile, pw->pw_uid);
425: 		    (stat(user_hostfile, &st) == 0) &&
430: 			    pw->pw_name, user_hostfile);
432: 			    user_hostfile);
438: 		free(user_hostfile);
450: 	free_hostkeys(hostkeys);
662: 		    get_canonical_hostname(options.use_dns), "ssh");
android.googlesource.com/platform/external/openssh:sshd.8: [ master, ]
652: .Sh SSH_KNOWN_HOSTS FILE FORMAT
49: .Op Fl c Ar host_certificate_file
53: .Op Fl h Ar host_key_file
109: that would apply to the specified user, host, and address will be set before
114: .Dq host ,
122: .It Fl c Ar host_certificate_file
126: The certificate file must match a host key file specified using the
165: .It Fl h Ar host_key_file
166: Specifies a file from which a host key is read.
170: host key files are normally not readable by anyone but root).
172: .Pa /etc/ssh/ssh_host_key
174: .Pa /etc/ssh/ssh_host_dsa_key ,
175: .Pa /etc/ssh/ssh_host_ecdsa_key .
176: .Pa /etc/ssh/ssh_host_ed25519_key
178: .Pa /etc/ssh/ssh_host_rsa_key
180: It is possible to have multiple host key files for
181: the different protocol versions and host key algorithms.
245: structure that holds the remote host name.
246: If the resolved host name is longer than
249: This allows hosts with very long host names that
269: USER@HOST pattern in
284: each host has a host-specific key,
286: used to identify the host.
295: host and server keys.
297: RSA host key against its own database to verify that it has not changed.
300: random number using both the host key and the server key, and sends
325: host-based authentication,
571: name of the remote host or its IP address must be present in the
606: .It Cm permitopen="host:port"
610: such that it may only connect to the specified host and port.
657: files contain host public keys for all known hosts.
660: maintained automatically: whenever the user connects from an unknown host,
681: wildcards); each pattern in turn is matched against the canonical host
686: to indicate negation: if the host name matches a negated
697: Alternately, hostnames may be stored in a hashed form which hides host names
705: Bits, exponent, and modulus are taken directly from the RSA host key; they
707: .Pa /etc/ssh/ssh_host_key.pub .
714: When performing host authentication, authentication is accepted if any
734: recommended) to have several lines or different host keys for the same
736: This will inevitably happen when short forms of host names
743: long, and you definitely don't want to type in the host keys by hand.
747: .Pa /etc/ssh/ssh_host_key.pub
748: and adding the host names at the front.
752: including removing hosts matching a host name and converting all host
765: # A CA key, accepted for any host in *.mydomain.com or *.mydomain.org
783: This file is used for host-based authentication (see
800: but allows host-based authentication without permitting login with
842: Contains a list of host keys for all hosts the user has logged into
843: that are not already in the systemwide list of known host keys.
855: This file is for host-based authentication (see
880: but allows host-based authentication without permitting login with
883: .It Pa /etc/ssh/ssh_host_key
884: .It Pa /etc/ssh/ssh_host_dsa_key
885: .It Pa /etc/ssh/ssh_host_ecdsa_key
886: .It Pa /etc/ssh/ssh_host_ed25519_key
887: .It Pa /etc/ssh/ssh_host_rsa_key
888: These files contain the private parts of the host keys.
895: .It Pa /etc/ssh/ssh_host_key.pub
896: .It Pa /etc/ssh/ssh_host_dsa_key.pub
897: .It Pa /etc/ssh/ssh_host_ecdsa_key.pub
898: .It Pa /etc/ssh/ssh_host_ed25519_key.pub
899: .It Pa /etc/ssh/ssh_host_rsa_key.pub
900: These files contain the public parts of the host keys.
911: Systemwide list of known host keys.
913: system administrator to contain the public host keys of all machines in the
64: and provide secure encrypted communications between two untrusted hosts
129: .Cm HostKey
264: .Cm HostbasedAuthentication ,
455: 	if [ `echo $DISPLAY | cut -c1-10` = 'localhost:' ]; then
456: 		# X11UseLocalhost=yes
460: 		# X11UseLocalhost=no
577: In addition to the wildcard matching that may be applied to hostnames or
615: No pattern matching is performed on the specified hostnames,
654: .Pa /etc/ssh/ssh_known_hosts
656: .Pa ~/.ssh/known_hosts
664: hostnames, bits, exponent, modulus, comment.
676: Hostnames is a comma-separated list of patterns
689: A hostname or address may optionally be enclosed within
699: Hashed hostnames start with a
702: Only one hashed hostname may appear on a single line and none of the above
722: The known hosts file also provides a facility to mark keys as revoked,
751: .Pa ~/.ssh/known_hosts
753: names to their hashed representations.
755: An example ssh_known_hosts file:
760: # A hashed hostname
841: .It Pa ~/.ssh/known_hosts
854: .It Pa /etc/hosts.equiv
879: .Pa hosts.equiv ,
906: the user so their contents can be copied to known hosts files.
910: .It Pa /etc/ssh/ssh_known_hosts
263: .Cm RhostsRSAAuthentication ,
782: .It Pa ~/.rhosts
797: .It Pa ~/.shosts
799: .Pa .rhosts ,
877: .It Pa /etc/shosts.equiv
android.googlesource.com/platform/external/openssh:Android.mk: [ master, ]
41:     hash.c \
19:     canohost.c \
43:     hostfile.c \
225:     auth2-hostbased.c \
216:     auth-rhosts.c \
android.googlesource.com/platform/external/openssh:roaming_common.c: [ master, ]
226: 	u_char hash[SSH_DIGEST_MAX_LENGTH];
234: 	if (ssh_digest_buffer(SSH_DIGEST_SHA1, &b, hash, sizeof(hash)) != 0)
238: 	buffer_append(&b, hash, ssh_digest_bytes(SSH_DIGEST_SHA1));
172: 	    || errno == EHOSTUNREACH)))) {
android.googlesource.com/platform/external/openssh:ssh.1: [ master, ]
55: .Op Fl L Oo Ar bind_address : Oc Ns Ar port : Ns Ar host : Ns Ar hostport
62: .Op Fl R Oo Ar bind_address : Oc Ns Ar port : Ns Ar host : Ns Ar hostport
64: .Op Fl W Ar host : Ns Ar port
93: it is executed on the remote host instead of a login shell.
115: This can also be specified on a per-host basis in a configuration file.
118: Users with the ability to bypass file permissions on the remote host
147: The default value can be set on a host-by-host basis in the
244: .Ic ssh -f host xterm .
258: .Cm Host
284: a per-host basis in the configuration file.
302: .Ar port : host : hostport
305: Specifies that the given port on the local (client) host is to be
306: forwarded to the given host and port on the remote side.
314: .Ar host
337: This also may be specified on a per-host basis in the configuration file.
446: .It Host
497: Port to connect to on the remote host.
499: per-host basis in the configuration file.
523: .Ar port : host : hostport
526: Specifies that the given port on the remote (server) host is to be
527: forwarded to the given host and port on the local side.
533: .Ar host
611: .It Fl W Ar host : Ns Ar port
613: .Ar host
655: This can also be specified on a per-host basis in a configuration file.
658: Users with the ability to bypass file permissions on the remote host
715: host-based authentication,
723: Host-based authentication works as follows:
740: host key (see the description of
855: host for checking; however, since all communications are encrypted,
861: Host keys are stored in
868: If a host's identification ever changes,
876: host key is not known or has changed.
983: the user connects to the remote host using
1085: .Sh VERIFYING HOST KEYS
1094: .Dl $ ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key
1098: Because of the difficulty of comparing host keys
1100: there is also support to compare host keys visually,
1110: find out that the host key has changed when a completely different pattern
1114: host key is the same, not guaranteed proof.
1131: .Dq host.example.com .
1133: host.example.com:
1135: $ ssh-keygen -r host.example.com.
1141: .Dl $ dig -t SSHFP host.example.com
1145: $ ssh -o "VerifyHostKeyDNS ask" host.example.com
1147: Matching host key fingerprint found in DNS.
1230: indicates the host where the shell runs, and
1318: This file is used for host-based authentication (see above).
1333: but allows host-based authentication without permitting login with
1389: Contains a list of host keys for all hosts the user has logged into
1390: that are not already in the systemwide list of known host keys.
1405: This file is for host-based authentication (see above).
1411: but allows host-based authentication without permitting login with
1419: .It Pa /etc/ssh/ssh_host_key
1420: .It Pa /etc/ssh/ssh_host_dsa_key
1421: .It Pa /etc/ssh/ssh_host_ecdsa_key
1422: .It Pa /etc/ssh/ssh_host_ed25519_key
1423: .It Pa /etc/ssh/ssh_host_rsa_key
1424: These files contain the private parts of the host keys
1425: and are used for host-based authentication.
1428: must be setuid root, since the host key is readable only by root.
1433: to access the host keys,
1436: be setuid root when host-based authentication is used.
1442: Systemwide list of known host keys.
1444: system administrator to contain the public host keys of all machines in the
1585: .%T Hash Visualization: a New Technique to improve Real-World Security
66: .Oo Ar user Ns @ Oc Ns Ar hostname
75: two untrusted hosts over an insecure network.
82: .Ar hostname
203: .Dq localhost
263: Allows remote hosts to connect to local forwarded ports.
316: .Ar hostport
330: .Dq localhost
436: .It FingerprintHash
445: .It HashKnownHosts
447: .It HostbasedAuthentication
448: .It HostbasedKeyTypes
449: .It HostKeyAlgorithms
450: .It HostKeyAlias
451: .It HostName
463: .It NoHostAuthenticationForLocalhost
535: .Ar hostport
725: .Pa /etc/hosts.equiv
741: .Pa /etc/ssh/ssh_known_hosts
743: .Pa ~/.ssh/known_hosts ,
749: .Pa /etc/hosts.equiv ,
860: identification for all hosts it has ever been used with.
862: .Pa ~/.ssh/known_hosts
865: .Pa /etc/ssh/ssh_known_hosts
866: is automatically checked for known hosts.
867: Any new hosts are automatically added to the user's file.
996: (localhost)
1000: $ ssh -f -L 1234:localhost:6667 server.example.com sleep 10
1117: all known hosts, the following command line can be used:
1119: .Dl $ ssh-keygen -lv -f ~/.ssh/known_hosts
1227: .Dq hostname:n ,
1229: .Dq hostname
1388: .It Pa ~/.ssh/known_hosts
1404: .It Pa /etc/hosts.equiv
1410: .Pa hosts.equiv ,
1441: .It Pa /etc/ssh/ssh_known_hosts
418: .It CanonicalizeHostname
422: .It CheckHostIP
442: .It GlobalKnownHostsFile
477: .It RhostsRSAAuthentication
484: .It StrictHostKeyChecking
488: .It UpdateHostKeys
491: .It UserKnownHostsFile
492: .It VerifyHostKeyDNS
493: .It VisualHostKey
727: .Pa /etc/shosts.equiv
730: .Pa ~/.rhosts
732: .Pa ~/.shosts
750: .Pa ~/.rhosts ,
816: .Pa ~/.rhosts
874: .Cm StrictHostKeyChecking
1089: .Cm StrictHostKeyChecking
1104: .Cm VisualHostKey
1152: .Cm VerifyHostKeyDNS
1317: .It Pa ~/.rhosts
1330: .It Pa ~/.shosts
1332: .Pa .rhosts ,
1408: .It Pa /etc/shosts.equiv
android.googlesource.com/platform/external/openssh:gss-genr.c: [ master, ]
211: /* Create a service name for the given host */
213: ssh_gssapi_import_name(Gssctxt *ctx, const char *host)
218: 	xasprintf(&val, "host@%s", host);
231: ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_t buffer, gss_buffer_t hash)
234: 	    GSS_C_QOP_DEFAULT, buffer, hash)))
253: ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host)
266: 	major = ssh_gssapi_import_name(*ctx, host);
223: 	    &gssbuf, GSS_C_NT_HOSTBASED_SERVICE, &ctx->name)))
android.googlesource.com/platform/external/openssh:auth2-pubkey.c: [ master, ]
232: 		    options.fingerprint_hash, SSH_FP_DEFAULT);
241: 		fp = sshkey_fingerprint(key, options.fingerprint_hash,
388: 			    options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL)
429: 			    options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL)
457: 	    options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL)
56: #include "hostfile.h"
61: #include "canohost.h"
android.googlesource.com/platform/external/openssh:ssh-keyscan.1: [ master, ]
23: .Op Ar host | addrlist namelist
28: is a utility for gathering the public ssh host keys of a number of
71: Hash all hostnames and addresses in the output.
79: Port to connect to on the remote host.
84: seconds have elapsed since a connection was initiated to a host or since the
85: last time anything was read from that host, then the connection is
86: closed and the host in question considered unavailable.
130: host-or-namelist bits exponent modulus
135: host-or-namelist keytype base64-encoded-key
151: Print the rsa host key for machine
175: It generates "Connection closed by remote host" messages on the consoles
29: hosts.
31: .Pa ssh_known_hosts
38: uses non-blocking socket I/O to contact as many hosts as possible in
41: hosts can be collected in tens of seconds, even when some of those
42: hosts are down or do not run ssh.
58: Read hosts or
67: will read hosts or
72: Hashed names may be used normally by
89: Specifies the type of the key to fetch from the scanned hosts.
113: If an ssh_known_hosts file is constructed using
121: attacks which have begun after the ssh_known_hosts file was created.
149: .Pa /etc/ssh/ssh_known_hosts
152: .Ar hostname :
154: $ ssh-keyscan hostname
157: Find all hosts from the file
158: .Pa ssh_hosts
160: .Pa ssh_known_hosts :
162: $ ssh-keyscan -t rsa,dsa,ecdsa,ed25519 -f ssh_hosts | \e
163: 	sort -u - ssh_known_hosts | diff ssh_known_hosts -
android.googlesource.com/platform/external/openssh:ssh-keygen.1: [ master, ]
77: .Op Fl E Ar fingerprint_hash
177: Additionally, the system administrator may use this to generate host keys,
188: (host keys must have an empty passphrase), or it may be a string of
211: .Dq user@host
223: for which host keys
224: do not exist, generate the host keys with the default key file path,
228: to generate new host keys.
274: .It Fl E Ar fingerprint_hash
275: Specifies the hash algorithm used when displaying key fingerprints.
297: This option is useful to find hashed host names or addresses and may also be
314: Hash a
329: When signing a key, create a host certificate instead of a user
411: Specify one or more principals (user or host names) to be included in
473: At present, no options are valid for host keys.
647: user or host authentication.
649: more principal (user or host) names and a set of options that
652: on a certificate rather than trusting many user/host keys.
658: supports two types of certificates: user and host.
659: User certificates authenticate users to servers, whereas host certificates
667: A host certificate requires the
671: .Dl $ ssh-keygen -s /path/to/ca_key -I key_id -h /path/to/host_key.pub
673: The host certificate will be output to
674: .Pa /path/to/host_key-cert.pub .
683: .Dl $ ssh-keygen -s ca_key.pub -D libpkcs11.so -I key_id host_key.pub
690: Certificates may be limited to be valid for a set of principal (user/host)
696: .Dl "$ ssh-keygen -s ca_key -I key_id -h -n host.domain user_key.pub"
717: For certificates to be used for user or host authentication, the CA
737: Plain public keys are revoked by listing their hash or contents in the KRL and
770: Revokes the specified key by its SHA1 hash.
85: .Fl F Ar hostname
86: .Op Fl f Ar known_hosts_file
90: .Op Fl f Ar known_hosts_file
92: .Fl R Ar hostname
93: .Op Fl f Ar known_hosts_file
95: .Fl r Ar hostname
291: .It Fl F Ar hostname
293: .Ar hostname
295: .Pa known_hosts
300: option to print found keys in a hashed format.
315: .Pa known_hosts
317: This replaces all hostnames and addresses with hashed representations
320: These hashes may be used normally by
326: This option will not modify existing hashed hostnames and is therefore safe
327: to use on files that mix hashed and non-hashed names.
495: .It Fl R Ar hostname
497: .Ar hostname
499: .Pa known_hosts
501: This option is useful to delete hashed hosts (see the
504: .It Fl r Ar hostname
506: .Ar hostname
660: authenticate server hosts to users.
692: By default, generated certificates are valid for all users or hosts.
android.googlesource.com/platform/external/openssh:scp.1: [ master, ]
33: .Ar host1 :
40: .Ar host2 :
56: File names may contain a user and host specification to indicate
57: that the file is to be copied to/from that host.
63: as host specifiers.
77: Copies between two remote hosts are transferred through the local host.
151: .It Host
189: Specifies the port to connect to on the remote host.
46: copies files between hosts on a network.
64: Copies between two remote hosts are also permitted.
79: hosts.
150: .It HashKnownHosts
152: .It HostbasedAuthentication
153: .It HostbasedKeyTypes
154: .It HostKeyAlgorithms
155: .It HostKeyAlias
156: .It HostName
165: .It NoHostAuthenticationForLocalhost
133: .It CanonicalizeHostname
137: .It CheckHostIP
147: .It GlobalKnownHostsFile
175: .It RhostsRSAAuthentication
180: .It StrictHostKeyChecking
182: .It UpdateHostKeys
185: .It UserKnownHostsFile
186: .It VerifyHostKeyDNS
android.googlesource.com/platform/external/openssh:sshd_config.5: [ master, ]
170: If the pattern takes the form USER@HOST then USER and HOST
245: It is recommended to use a dedicated user that has no other role on the host
502: If the pattern takes the form USER@HOST then USER and HOST
516: Specifies the hash algorithm used when logging key fingerprints.
555: to force remote port forwardings to be available to the local host only,
586: with successful public key client host authentication is allowed
587: (host-based authentication).
611: Specifies a file containing a public host certificate.
612: The certificate's public key must match a private host key already specified
619: Specifies a file containing a private host key
622: .Pa /etc/ssh/ssh_host_key
624: .Pa /etc/ssh/ssh_host_dsa_key ,
625: .Pa /etc/ssh/ssh_host_ecdsa_key ,
626: .Pa /etc/ssh/ssh_host_ed25519_key
628: .Pa /etc/ssh/ssh_host_rsa_key
633: It is possible to have multiple host key files.
642: It is also possible to specify public host key files instead.
648: with an agent that has access to the private host keys.
811: .Ar host | Ar IPv4_addr | Ar IPv6_addr
816: .Ar host | Ar IPv4_addr : Ar port
822: .Ar host | Ar IPv6_addr Oc : Ar port
938: .Cm Host ,
957: or one with bits set in this host portion of the address.
1064: .Ar host : port
1267: with successful RSA host authentication is allowed.
1362: if the network goes down or the client host crashes.
1384: should look up the remote host name and check that
1385: the resolved host name for the remote IP address maps back to the
172: users from particular hosts.
504: users from particular hosts.
515: .It Cm FingerprintHash
543: Specifies whether remote hosts are allowed to connect to ports
548: This prevents other remote hosts from connecting to forwarded ports.
552: allowing other hosts to connect.
573: .It Cm HostbasedAcceptedKeyTypes
574: Specifies the key types that will be accepted for hostbased authentication
584: .It Cm HostbasedAuthentication
585: Specifies whether rhosts or /etc/hosts.equiv authentication together
593: .It Cm HostbasedUsesNameFromPacketOnly
599: .Pa /etc/hosts.equiv
601: .Cm HostbasedAuthentication .
610: .It Cm HostCertificate
614: .Cm HostKey .
618: .It Cm HostKey
646: .It Cm HostKeyAgent
662: .Cm HostbasedAuthentication .
664: .Pa /etc/hosts.equiv
674: .Pa ~/.ssh/known_hosts
678: .Cm HostbasedAuthentication .
986: .Cm HostbasedAcceptedKeyTypes ,
987: .Cm HostbasedAuthentication ,
988: .Cm HostbasedUsesNameFromPacketOnly ,
1013: .Cm X11UseLocalHost .
1266: Specifies whether rhosts or /etc/hosts.equiv authentication together
1356: .Dq ghost
1473: .Cm X11UseLocalhost
1494: .It Cm X11UseLocalhost
1501: hostname part of the
1504: .Dq localhost .
1505: This prevents remote hosts from connecting to the proxy display.
1508: .Cm X11UseLocalhost
589: .Cm RhostsRSAAuthentication
596: .Pa ~/.shosts ,
597: .Pa ~/.rhosts ,
654: .It Cm IgnoreRhosts
656: .Pa .rhosts
658: .Pa .shosts
660: .Cm RhostsRSAAuthentication