author | Daniel Stenberg <daniel@haxx.se> | 2007-10-03 08:00:42 +0000 |
---|---|---|
committer | Daniel Stenberg <daniel@haxx.se> | 2007-10-03 08:00:42 +0000 |
commit | 51c6a5d43b09835289a469165aa7a2bfb79dbdc6 (patch) | |
tree | 49b4c738d465d09c72fd048bb77b91514058b40c /src | |
parent | 15b8da1980538f5c56115777610867230b0ac9d1 (diff) |
Based on a patch brought by Johnny Luong, libcurl now offers
CURLOPT_SSH_HOST_PUBLIC_KEY_MD5 and the curl tool --hostpubmd5. They both make
the SCP or SFTP connection verify the remote host's md5 checksum of the public
key before doing a connect, to reduce the risk of a man-in-the-middle attack.
Diffstat (limited to 'src')
-rw-r--r-- | src/main.c | 14 |
1 files changed, 14 insertions, 0 deletions
diff --git a/src/main.c b/src/main.c
index cf68e845b..4f9b3e4ec 100644
--- a/src/main.c
+++ b/src/main.c
@@ -407,6 +407,7 @@ struct Configurable {
 char *key_type;
 char *key_passwd;
 char *pubkey;
+ char *hostpubmd5;
 char *engine;
 bool list_engines;
 bool crlf;
@@ -639,6 +640,7 @@ static void help(void)
 " --cacert <file> CA certificate to verify peer against (SSL)",
 " --capath <directory> CA directory (made using c_rehash) to verify",
 " peer against (SSL)",
+ " --hostpubmd5 <md5> Hex encoded MD5 string of the host public key. (SSH)",
 " --ciphers <list> SSL ciphers to use (SSL)",
 " --compressed Request compressed response (using deflate or gzip)",
 " --connect-timeout <seconds> Maximum time allowed for connection",
@@ -1541,6 +1543,7 @@ static ParameterError getparameter(char *flag, /* f or -long-flag */
 {"Ef","engine", TRUE},
 {"Eg","capath ", TRUE},
 {"Eh","pubkey", TRUE},
+ {"Ei", "hostpubmd5", TRUE},
 {"f", "fail", FALSE},
 {"F", "form", TRUE},
 {"Fs","form-string", TRUE},
@@ -2159,6 +2162,11 @@ static ParameterError getparameter(char *flag, /* f or -long-flag */
 case 'h': /* --pubkey public key file */
 GetStr(&config->pubkey, nextarg);
 break;
+ case 'i': /* --hostpubmd5 md5 of the host public key */
+ GetStr(&config->hostpubmd5, nextarg);
+ if (!config->hostpubmd5 || strlen(config->hostpubmd5) != 32)
+ return PARAM_BAD_USE;
+ break;
 default: /* certificate file */
 {
 char *ptr = strchr(nextarg, ':');
@@ -4206,6 +4214,12 @@ operate(struct Configurable *config, int argc, argv_item_t argv[])
 my_setopt(curl, CURLOPT_SSH_PRIVATE_KEYFILE, config->key);
 my_setopt(curl, CURLOPT_SSH_PUBLIC_KEYFILE, config->pubkey);
+ /* SSH host key md5 checking allows us to fail if we are
+ * not talking to who we think we should
+ */
+ my_setopt(curl, CURLOPT_SSH_HOST_PUBLIC_KEY_MD5, config->hostpubmd5);
+
+ /* default to strict verifyhost */
 my_setopt(curl, CURLOPT_SSL_VERIFYHOST, 2);
 if(config->cacert || config->capath) { |
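Review bot: The new `hostpubmd5` member of `struct Configurable` is never released anywhere in this change: the diffstat reports 14 insertions and all 14 are visible in these hunks, none of which frees it, while the getparameter hunk fills it through GetStr() (its NULL check right after the call suggests GetStr allocates a copy). If main.c tears down the other string fields such as `pubkey` in a dedicated cleanup routine, `hostpubmd5` should be freed in the same place, otherwise every run that passes `--hostpubmd5` leaks the string. The struct definition continues outside the hunk, so I cannot confirm from here whether a cleanup routine exists.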
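Review bot: The new `case 'i'` in getparameter only checks that the argument is exactly 32 characters long, so a value with non-hex characters (or, depending on how libcurl compares fingerprints, a mixed-case one) is accepted at parse time and only fails later when the SSH connection is attempted, which makes a typo in the fingerprint look like a host-key mismatch. A parse-time scan turns that into an immediate usage error, e.g. after the length check: `for(char *p = config->hostpubmd5; *p; p++) if(!isxdigit((unsigned char)*p)) return PARAM_BAD_USE;` (needs <ctype.h>, which the file may already include). The surrounding switch and the body of getparameter continue outside the hunk.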