From 3b903827ebe16c97f705cb3b6ef6e9702d770087 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Fri, 21 May 2010 14:56:25 +1000 Subject: [PATCH] - djm@cvs.openbsd.org 2010/05/11 02:58:04 [auth-rsa.c] don't accept certificates marked as "cert-authority" here; ok markus@ --- ChangeLog | 3 +++ auth-rsa.c | 5 +++-- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 35cd857a2..d5a5aa6d2 100644 --- a/ChangeLog +++ b/ChangeLog @@ -4,6 +4,9 @@ [regress/Makefile regress/cert-userkey.sh] regress tests for AuthorizedPrincipalsFile and "principals=" key option. feedback and ok markus@ + - djm@cvs.openbsd.org 2010/05/11 02:58:04 + [auth-rsa.c] + don't accept certificates marked as "cert-authority" here; ok markus@ 20100511 - (dtucker) [Makefile.in] Bug #1770: Link libopenbsd-compat twice to solve diff --git a/auth-rsa.c b/auth-rsa.c index 326937ac0..ef6767bfb 100644 --- a/auth-rsa.c +++ b/auth-rsa.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth-rsa.c,v 1.75 2010/04/16 01:47:26 djm Exp $ */ +/* $OpenBSD: auth-rsa.c,v 1.76 2010/05/11 02:58:04 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -256,7 +256,8 @@ auth_rsa_key_allowed(struct passwd *pw, BIGNUM *client_n, Key **rkey) */ if (!auth_parse_options(pw, key_options, file, linenum)) continue; - + if (key_is_cert_authority) + continue; /* break out, this key is allowed */ allowed = 1; break;
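Review bot: In the auth_rsa_key_allowed() hunk of auth-rsa.c, the new `if (key_is_cert_authority) continue;` check has no comment explaining why a line marked "cert-authority" must not authorize a login on this path. The flag is not assigned anywhere in the visible lines, and the check appears to depend on the auth_parse_options() call directly above having just run for the same line. A one-line comment stating that dependency would keep a later reordering from silently turning the check into a no-op. The hunk also removes the blank line that separated the option checks from the "break out, this key is allowed" comment; keeping it would keep the accept path visually distinct from the rejects. The diffstat lists only ChangeLog and auth-rsa.c, so no regress test accompanies the change; consider adding one that confirms a "cert-authority" line is skipped here.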