summaryrefslogtreecommitdiff
path: root/usr.bin/ssh
diff options
context:
space:
mode:
authorDamien Miller <djm@cvs.openbsd.org>2015-10-13 16:15:22 +0000
committerDamien Miller <djm@cvs.openbsd.org>2015-10-13 16:15:22 +0000
commita0224350a6696ab186a9a953698930fe50f58512 (patch)
treef8d9cf473ef9729fe02c03006bfba01518ce59b2 /usr.bin/ssh
parentdb5f9a203ccd7157a14c383dbca6ea3308cd47c2 (diff)
apply PubkeyAcceptedKeyTypes filtering earlier, so all skipped
keys are noted before pubkey authentication starts. ok dtucker@
Diffstat (limited to 'usr.bin/ssh')
-rw-r--r--usr.bin/ssh/sshconnect2.c23
1 files changed, 15 insertions, 8 deletions
diff --git a/usr.bin/ssh/sshconnect2.c b/usr.bin/ssh/sshconnect2.c
index 135e07acc98..eb98fa63e2f 100644
--- a/usr.bin/ssh/sshconnect2.c
+++ b/usr.bin/ssh/sshconnect2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect2.c,v 1.227 2015/09/24 06:15:11 djm Exp $ */
+/* $OpenBSD: sshconnect2.c,v 1.228 2015/10/13 16:15:21 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
* Copyright (c) 2008 Damien Miller. All rights reserved.
@@ -1320,7 +1320,20 @@ pubkey_prepare(Authctxt *authctxt)
TAILQ_REMOVE(&files, id, next);
TAILQ_INSERT_TAIL(preferred, id, next);
}
- TAILQ_FOREACH(id, preferred, next) {
+ /* finally, filter by PubkeyAcceptedKeyTypes */
+ TAILQ_FOREACH_SAFE(id, preferred, next, id2) {
+ if (id->key != NULL &&
+ match_pattern_list(sshkey_ssh_name(id->key),
+ options.pubkey_key_types, 0) != 1) {
+ debug("Skipping %s key %s - "
+ "not in PubkeyAcceptedKeyTypes",
+ sshkey_ssh_name(id->key), id->filename);
+ TAILQ_REMOVE(preferred, id, next);
+ sshkey_free(id->key);
+ free(id->filename);
+ memset(id, 0, sizeof(*id));
+ continue;
+ }
debug2("key: %s (%p),%s", id->filename, id->key,
id->userprovided ? " explicit" : "");
}
@@ -1348,12 +1361,6 @@ try_identity(Identity *id)
{
if (!id->key)
return (0);
- if (match_pattern_list(sshkey_ssh_name(id->key),
- options.pubkey_key_types, 0) != 1) {
- debug("Skipping %s key %s for not in PubkeyAcceptedKeyTypes",
- sshkey_ssh_name(id->key), id->filename);
- return (0);
- }
if (key_type_plain(id->key->type) == KEY_RSA &&
(datafellows & SSH_BUG_RSASIGMD5) != 0) {
debug("Skipped %s key %s for RSA/MD5 server",