From 383ffe6c5f31d3ecd89caadc8aef1bc2b821d63a Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Sat, 26 Jun 2010 10:02:03 +1000 Subject: [PATCH] - djm@cvs.openbsd.org 2010/06/25 23:10:30 [ssh.c] log the hostname and address that we connected to at LogLevel=verbose after authentication is successful to mitigate "phishing" attacks by servers with trusted keys that accept authentication silently and automatically before presenting fake password/passphrase prompts; "nice!" markus@
--- ChangeLog | 7 +++++++ ssh.c | 9 ++++++++- 2 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/ChangeLog b/ChangeLog
index 2467840e0..b0f82de2f 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -67,6 +67,13 @@
 [auth1.c auth2-none.c] skip the initial check for access with an empty password when PermitEmptyPasswords=no; bz#1638; ok markus@
+ - djm@cvs.openbsd.org 2010/06/25 23:10:30
+ [ssh.c]
+ log the hostname and address that we connected to at LogLevel=verbose
+ after authentication is successful to mitigate "phishing" attacks by
+ servers with trusted keys that accept authentication silently and
+ automatically before presenting fake password/passphrase prompts;
+ "nice!" markus@
 20100622 - (djm) [loginrec.c] crank LINFO_NAMESIZE (username length) to 512
diff --git a/ssh.c b/ssh.c
index 228afecf4..6537ad9a2 100644
--- a/ssh.c
+++ b/ssh.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh.c,v 1.338 2010/05/16 12:55:51 markus Exp $ */
+/* $OpenBSD: ssh.c,v 1.339 2010/06/25 23:10:30 djm Exp $ */
 /*
 * Author: Tatu Ylonen
 * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland
@@ -829,6 +829,13 @@ main(int ac, char **av)
 ssh_login(&sensitive_data, host, (struct sockaddr *)&hostaddr, pw, timeout_ms);
+ if (packet_connection_is_on_socket()) {
+ verbose("Authenticated to %s ([%s]:%d).", host,
+ get_remote_ipaddr(), get_remote_port());
+ } else {
+ verbose("Authenticated to %s (via proxy).", host);
+ }
+
 /* We no longer need the private host keys. Clear them now. */
 if (sensitive_data.nkeys != 0) {
 for (i = 0; i < sensitive_data.nkeys; i++) {
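Review bot: The two `verbose()` calls added right after `ssh_login()` have no comment saying they are a security signal, so a later cleanup could move or drop them without noticing that their position matters. I would add above the `if` something like `/* Mark the end of authentication: a password/passphrase prompt shown after this line comes from the server, not from ssh itself. */`. Because the message is emitted through `verbose()`, it only appears when the user runs at LogLevel=verbose or higher; at the default level there is no such marker, so the mitigation is opt-in, and that limitation is worth stating in the comment or the manual page. `main()` begins and continues outside this hunk, so whether `host` is the name the user typed or a substituted one cannot be confirmed from here.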