- djm@cvs.openbsd.org 2009/08/27 17:44:52
[authfd.c ssh-add.c authfd.h] Do not fall back to adding keys without contraints (ssh-add -c / -t ...) when the agent refuses the constrained add request. This was a useful migration measure back in 2002 when constraints were new, but just adds risk now. bz #1612, report and patch from dkg AT fifthhorseman.net; ok markus@
This commit is contained in:
parent
6b286a4682
commit
893d73549d
|
@ -60,6 +60,13 @@
|
|||
[sftp-server.8]
|
||||
allow setting an explicit umask on the commandline to override whatever
|
||||
default the user has. bz#1229; ok dtucker@ deraadt@ markus@
|
||||
- djm@cvs.openbsd.org 2009/08/27 17:44:52
|
||||
[authfd.c ssh-add.c authfd.h]
|
||||
Do not fall back to adding keys without contraints (ssh-add -c / -t ...)
|
||||
when the agent refuses the constrained add request. This was a useful
|
||||
migration measure back in 2002 when constraints were new, but just
|
||||
adds risk now.
|
||||
bz #1612, report and patch from dkg AT fifthhorseman.net; ok markus@
|
||||
|
||||
20091002
|
||||
- (djm) [Makefile.in] Mention readconf.o in ssh-keysign's make deps.
|
||||
|
|
8
authfd.c
8
authfd.c
|
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: authfd.c,v 1.80 2006/08/03 03:34:41 deraadt Exp $ */
|
||||
/* $OpenBSD: authfd.c,v 1.81 2009/08/27 17:44:52 djm Exp $ */
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
|
@ -545,12 +545,6 @@ ssh_add_identity_constrained(AuthenticationConnection *auth, Key *key,
|
|||
return decode_reply(type);
|
||||
}
|
||||
|
||||
int
|
||||
ssh_add_identity(AuthenticationConnection *auth, Key *key, const char *comment)
|
||||
{
|
||||
return ssh_add_identity_constrained(auth, key, comment, 0, 0);
|
||||
}
|
||||
|
||||
/*
|
||||
* Removes an identity from the authentication server. This call is not
|
||||
* meant to be used by normal applications.
|
||||
|
|
3
authfd.h
3
authfd.h
|
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: authfd.h,v 1.36 2006/08/03 03:34:41 deraadt Exp $ */
|
||||
/* $OpenBSD: authfd.h,v 1.37 2009/08/27 17:44:52 djm Exp $ */
|
||||
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
|
@ -75,7 +75,6 @@ void ssh_close_authentication_connection(AuthenticationConnection *);
|
|||
int ssh_get_num_identities(AuthenticationConnection *, int);
|
||||
Key *ssh_get_first_identity(AuthenticationConnection *, char **, int);
|
||||
Key *ssh_get_next_identity(AuthenticationConnection *, char **, int);
|
||||
int ssh_add_identity(AuthenticationConnection *, Key *, const char *);
|
||||
int ssh_add_identity_constrained(AuthenticationConnection *, Key *,
|
||||
const char *, u_int, u_int);
|
||||
int ssh_remove_identity(AuthenticationConnection *, Key *);
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: ssh-add.c,v 1.90 2007/09/09 11:38:01 sobrado Exp $ */
|
||||
/* $OpenBSD: ssh-add.c,v 1.91 2009/08/27 17:44:52 djm Exp $ */
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
|
@ -195,9 +195,6 @@ add_file(AuthenticationConnection *ac, const char *filename)
|
|||
if (confirm != 0)
|
||||
fprintf(stderr,
|
||||
"The user has to confirm each use of the key\n");
|
||||
} else if (ssh_add_identity(ac, private, comment)) {
|
||||
fprintf(stderr, "Identity added: %s (%s)\n", filename, comment);
|
||||
ret = 0;
|
||||
} else {
|
||||
fprintf(stderr, "Could not add identity: %s\n", filename);
|
||||
}
|
||||
|
|
Loading…
Reference in New Issue