upstream: fix bug in HostbasedAcceptedKeyTypes and
PubkeyAcceptedKeyTypes options. If only RSA-SHA2 siganture types were specified, then authentication would always fail for RSA keys as the monitor checks only the base key (not the signature algorithm) type against *AcceptedKeyTypes. bz#2746; reported by Jakub Jelen; ok dtucker OpenBSD-Commit-ID: 117bc3dc54578dbdb515a1d3732988cb5b00461b
This commit is contained in:
parent
5c1a63562c
commit
e76135e300
39
monitor.c
39
monitor.c
|
@ -1,4 +1,4 @@
|
||||||
/* $OpenBSD: monitor.c,v 1.186 2018/07/20 03:46:34 djm Exp $ */
|
/* $OpenBSD: monitor.c,v 1.188 2018/11/16 02:43:56 djm Exp $ */
|
||||||
/*
|
/*
|
||||||
* Copyright 2002 Niels Provos <provos@citi.umich.edu>
|
* Copyright 2002 Niels Provos <provos@citi.umich.edu>
|
||||||
* Copyright 2002 Markus Friedl <markus@openbsd.org>
|
* Copyright 2002 Markus Friedl <markus@openbsd.org>
|
||||||
|
@ -846,6 +846,35 @@ mm_answer_authserv(int sock, struct sshbuf *m)
|
||||||
return (0);
|
return (0);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Check that the key type appears in the supplied pattern list, ignoring
|
||||||
|
* mismatches in the signature algorithm. (Signature algorithm checks are
|
||||||
|
* performed in the unprivileged authentication code).
|
||||||
|
* Returns 1 on success, 0 otherwise.
|
||||||
|
*/
|
||||||
|
static int
|
||||||
|
key_base_type_match(const char *method, const struct sshkey *key,
|
||||||
|
const char *list)
|
||||||
|
{
|
||||||
|
char *s, *l, *ol = xstrdup(list);
|
||||||
|
int found = 0;
|
||||||
|
|
||||||
|
l = ol;
|
||||||
|
for ((s = strsep(&l, ",")); s && *s != '\0'; (s = strsep(&l, ","))) {
|
||||||
|
if (sshkey_type_from_name(s) == key->type) {
|
||||||
|
found = 1;
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if (!found) {
|
||||||
|
error("%s key type %s is not in permitted list %s", method,
|
||||||
|
sshkey_ssh_name(key), list);
|
||||||
|
}
|
||||||
|
|
||||||
|
free(ol);
|
||||||
|
return found;
|
||||||
|
}
|
||||||
|
|
||||||
int
|
int
|
||||||
mm_answer_authpassword(int sock, struct sshbuf *m)
|
mm_answer_authpassword(int sock, struct sshbuf *m)
|
||||||
{
|
{
|
||||||
|
@ -1151,8 +1180,8 @@ mm_answer_keyallowed(int sock, struct sshbuf *m)
|
||||||
break;
|
break;
|
||||||
if (auth2_key_already_used(authctxt, key))
|
if (auth2_key_already_used(authctxt, key))
|
||||||
break;
|
break;
|
||||||
if (match_pattern_list(sshkey_ssh_name(key),
|
if (!key_base_type_match(auth_method, key,
|
||||||
options.pubkey_key_types, 0) != 1)
|
options.pubkey_key_types))
|
||||||
break;
|
break;
|
||||||
allowed = user_key_allowed(ssh, authctxt->pw, key,
|
allowed = user_key_allowed(ssh, authctxt->pw, key,
|
||||||
pubkey_auth_attempt, &opts);
|
pubkey_auth_attempt, &opts);
|
||||||
|
@ -1163,8 +1192,8 @@ mm_answer_keyallowed(int sock, struct sshbuf *m)
|
||||||
break;
|
break;
|
||||||
if (auth2_key_already_used(authctxt, key))
|
if (auth2_key_already_used(authctxt, key))
|
||||||
break;
|
break;
|
||||||
if (match_pattern_list(sshkey_ssh_name(key),
|
if (!key_base_type_match(auth_method, key,
|
||||||
options.hostbased_key_types, 0) != 1)
|
options.hostbased_key_types))
|
||||||
break;
|
break;
|
||||||
allowed = hostbased_key_allowed(authctxt->pw,
|
allowed = hostbased_key_allowed(authctxt->pw,
|
||||||
cuser, chost, key);
|
cuser, chost, key);
|
||||||
|
|
Loading…
Reference in New Issue