I'm using dropbear on an embedded device that has to connect to a server at an IP address that isn't known in advance, but is verifiable with a host key.
So I added the ability to use "*" in the known_hosts file to match any hostname/IP. This is better than disabling host key checking altogether, as I can still verify it's connecting to an authorized server. Someone else may find the patch useful.

-- Jamie

This allows the known_hosts file to use wildcard "*" to match any host. This is used to prevent the interactive "y/n" question as long as the host key is in the recognised list - essential for non-interactive setup of tunnels, to IPs that aren't known when the /root directory is created.

--- dropbear-0.46/cli-kex.c.orig 2006-08-30 03:49:40.000000000 +0100 +++ dropbear-0.46/cli-kex.c 2006-08-30 03:58:54.000000000 +0100 @@ -202,6 +202,14 @@ break; } + /* Match "*" wildcard hostname. */ + if (line->len >= 2 + && strncmp("* ", buf_getptr(line, 2), 2) == 0) { + buf_incrpos(line, 2); + TRACE(("matched wildcard host")) + goto check_algo; + } + /* The line is too short to be sensible */ /* "30" is 'enough to hold ssh-dss plus the spaces, ie so we don't * buf_getfoo() past the end and die horribly - the base64 parsing @@ -225,6 +233,7 @@ continue; } + check_algo: if ( strncmp(buf_getptr(line, algolen), algoname, algolen) != 0) { TRACE(("algo doesn't match")) continue;
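Review bot: in the first hunk the wildcard branch jumps to check_algo before the existing "line is too short to be sensible" guard, so a wildcard entry shorter than the 30 bytes the adjacent comment says the base64 parsing needs (a truncated `* ssh-rsa` line, for instance) is no longer skipped and goes straight into the key parsing. Mirror that guard after the prefix is consumed, e.g. `if (line->len < 2 + 30) { TRACE(("wildcard line too short")) continue; }` placed before the `goto check_algo;`, so a malformed known_hosts line is still ignored rather than parsed.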
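Review bot: in the second hunk the `check_algo:` label sits after the "no space after hostname" check, which is right for the wildcard path because that branch already consumed the trailing space with `buf_incrpos(line, 2)`, but nothing at the label says so; a short comment such as `/* wildcard entries arrive here positioned just past "* " */` would stop a later change from inserting position-dependent code between the label and the `strncmp`. Since a `*` entry pins the key but not the host, the patch description (and the known_hosts documentation) should also state that such a line is consulted for every connection and should carry only the key of the server the device is meant to reach.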