diff options
| author | Damien Miller <djm@cvs.openbsd.org> | 2018-09-20 03:28:07 +0000 |
|---|---|---|
| committer | Damien Miller <djm@cvs.openbsd.org> | 2018-09-20 03:28:07 +0000 |
| commit | 7ebcdd380eac543357d00c6f348279eec75860af (patch) | |
| tree | 9436d630921cf202d41f6b2e67bb6d359ee895ec /usr.bin/ssh/auth2-hostbased.c | |
| parent | 8cda2fefba76417fbd2efb69b536324dad2fe1cc (diff) | |
Add sshd_config CASignatureAlgorithms option to allow control over
which signature algorithms a CA may use when signing certificates.
In particular, this allows a sshd to ban certificates signed with
RSA/SHA1.
ok markus@
Diffstat (limited to 'usr.bin/ssh/auth2-hostbased.c')
| -rw-r--r-- | usr.bin/ssh/auth2-hostbased.c | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/usr.bin/ssh/auth2-hostbased.c b/usr.bin/ssh/auth2-hostbased.c index 32be2bc7da8..fc463d8166d 100644 --- a/usr.bin/ssh/auth2-hostbased.c +++ b/usr.bin/ssh/auth2-hostbased.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth2-hostbased.c,v 1.37 2018/08/28 12:17:45 mestre Exp $ */ +/* $OpenBSD: auth2-hostbased.c,v 1.38 2018/09/20 03:28:06 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -111,6 +111,13 @@ userauth_hostbased(struct ssh *ssh) __func__, sshkey_type(key)); goto done; } + if ((r = sshkey_check_cert_sigtype(key, + options.ca_sign_algorithms)) != 0) { + logit("%s: certificate signature algorithm %s: %s", __func__, + (key->cert == NULL || key->cert->signature_type == NULL) ? + "(null)" : key->cert->signature_type, ssh_err(r)); + goto done; + } if (!authctxt->valid || authctxt->user == NULL) { debug2("%s: disabled because of invalid user", __func__); |