diff options
| author | Damien Miller <djm@cvs.openbsd.org> | 2018-11-16 02:43:57 +0000 |
|---|---|---|
| committer | Damien Miller <djm@cvs.openbsd.org> | 2018-11-16 02:43:57 +0000 |
| commit | c78b8ddbe1943346050b96a4e54024513d82bd50 (patch) | |
| tree | 89f4f168f686036c74723a8bde54539abd21e68f /usr.bin/ssh/monitor.c | |
| parent | 847293b51c494acc2b731ae6718247d94cdab7cb (diff) | |
fix bug in HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes options.
If only RSA-SHA2 siganture types were specified, then authentication would
always fail for RSA keys as the monitor checks only the base key (not the
signature algorithm) type against *AcceptedKeyTypes.
bz#2746; reported by Jakub Jelen; ok dtucker
Diffstat (limited to 'usr.bin/ssh/monitor.c')
| -rw-r--r-- | usr.bin/ssh/monitor.c | 39 |
1 files changed, 34 insertions, 5 deletions
diff --git a/usr.bin/ssh/monitor.c b/usr.bin/ssh/monitor.c index 12b33e75589..cb43e17432a 100644 --- a/usr.bin/ssh/monitor.c +++ b/usr.bin/ssh/monitor.c @@ -1,4 +1,4 @@ -/* $OpenBSD: monitor.c,v 1.187 2018/09/13 02:08:33 djm Exp $ */ +/* $OpenBSD: monitor.c,v 1.188 2018/11/16 02:43:56 djm Exp $ */ /* * Copyright 2002 Niels Provos <provos@citi.umich.edu> * Copyright 2002 Markus Friedl <markus@openbsd.org> @@ -875,6 +875,35 @@ mm_answer_bsdauthrespond(int sock, struct sshbuf *m) return (authok != 0); } +/* + * Check that the key type appears in the supplied pattern list, ignoring + * mismatches in the signature algorithm. (Signature algorithm checks are + * performed in the unprivileged authentication code). + * Returns 1 on success, 0 otherwise. + */ +static int +key_base_type_match(const char *method, const struct sshkey *key, + const char *list) +{ + char *s, *l, *ol = xstrdup(list); + int found = 0; + + l = ol; + for ((s = strsep(&l, ",")); s && *s != '\0'; (s = strsep(&l, ","))) { + if (sshkey_type_from_name(s) == key->type) { + found = 1; + break; + } + } + if (!found) { + error("%s key type %s is not in permitted list %s", method, + sshkey_ssh_name(key), list); + } + + free(ol); + return found; +} + int mm_answer_keyallowed(int sock, struct sshbuf *m) { @@ -909,8 +938,8 @@ mm_answer_keyallowed(int sock, struct sshbuf *m) break; if (auth2_key_already_used(authctxt, key)) break; - if (match_pattern_list(sshkey_ssh_name(key), - options.pubkey_key_types, 0) != 1) + if (!key_base_type_match(auth_method, key, + options.pubkey_key_types)) break; allowed = user_key_allowed(ssh, authctxt->pw, key, pubkey_auth_attempt, &opts); @@ -921,8 +950,8 @@ mm_answer_keyallowed(int sock, struct sshbuf *m) break; if (auth2_key_already_used(authctxt, key)) break; - if (match_pattern_list(sshkey_ssh_name(key), - options.hostbased_key_types, 0) != 1) + if (!key_base_type_match(auth_method, key, + options.hostbased_key_types)) break; allowed = hostbased_key_allowed(authctxt->pw, cuser, chost, key); |