author | Damien Miller <djm@cvs.openbsd.org> | 2015-10-13 16:15:22 +0000 |
committer | Damien Miller <djm@cvs.openbsd.org> | 2015-10-13 16:15:22 +0000 |
commit | a0224350a6696ab186a9a953698930fe50f58512 (patch) | |
tree | f8d9cf473ef9729fe02c03006bfba01518ce59b2 /usr.bin/ssh | |
parent | db5f9a203ccd7157a14c383dbca6ea3308cd47c2 (diff) |
apply PubkeyAcceptedKeyTypes filtering earlier, so all skipped
keys are noted before pubkey authentication starts. ok dtucker@
Diffstat (limited to 'usr.bin/ssh')
-rw-r--r-- | usr.bin/ssh/sshconnect2.c | 23 |
1 files changed, 15 insertions, 8 deletions
diff --git a/usr.bin/ssh/sshconnect2.c b/usr.bin/ssh/sshconnect2.c
index 135e07acc98..eb98fa63e2f 100644
--- a/usr.bin/ssh/sshconnect2.c
+++ b/usr.bin/ssh/sshconnect2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect2.c,v 1.227 2015/09/24 06:15:11 djm Exp $ */
+/* $OpenBSD: sshconnect2.c,v 1.228 2015/10/13 16:15:21 djm Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl. All rights reserved.
  * Copyright (c) 2008 Damien Miller. All rights reserved.
@@ -1320,7 +1320,20 @@ pubkey_prepare(Authctxt *authctxt)
 TAILQ_REMOVE(&files, id, next);
 TAILQ_INSERT_TAIL(preferred, id, next);
 }
- TAILQ_FOREACH(id, preferred, next) {
+ /* finally, filter by PubkeyAcceptedKeyTypes */
+ TAILQ_FOREACH_SAFE(id, preferred, next, id2) {
+ if (id->key != NULL &&
+ match_pattern_list(sshkey_ssh_name(id->key),
+ options.pubkey_key_types, 0) != 1) {
+ debug("Skipping %s key %s - "
+ "not in PubkeyAcceptedKeyTypes",
+ sshkey_ssh_name(id->key), id->filename);
+ TAILQ_REMOVE(preferred, id, next);
+ sshkey_free(id->key);
+ free(id->filename);
+ memset(id, 0, sizeof(*id));
+ continue;
+ }
 debug2("key: %s (%p),%s", id->filename, id->key,
 id->userprovided ? " explicit" : "");
 }
@@ -1348,12 +1361,6 @@ try_identity(Identity *id)
 {
 if (!id->key)
 return (0);
- if (match_pattern_list(sshkey_ssh_name(id->key),
- options.pubkey_key_types, 0) != 1) {
- debug("Skipping %s key %s for not in PubkeyAcceptedKeyTypes",
- sshkey_ssh_name(id->key), id->filename);
- return (0);
- }
 if (key_type_plain(id->key->type) == KEY_RSA &&
 (datafellows & SSH_BUG_RSASIGMD5) != 0) {
 debug("Skipped %s key %s for RSA/MD5 server",
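Review bot: The new filter in pubkey_prepare only runs for entries with `id->key != NULL`, while the third hunk deletes the equivalent check from try_identity, so an identity whose key is still NULL at this point is never matched against PubkeyAcceptedKeyTypes at all. If such entries get their key loaded later (the surviving `!id->key` early return in try_identity suggests they do, though the loader is outside these hunks), a key type the user has disabled can still be offered to the server; keep a guard at that later point, e.g. after the `!id->key` test in try_identity: `if (match_pattern_list(sshkey_ssh_name(id->key), options.pubkey_key_types, 0) != 1) return (0);`. Separately, a skipped entry is unlinked with TAILQ_REMOVE and has its key and filename freed, but the record itself is only wiped by `memset(id, 0, sizeof(*id))`; if these Identity records are heap-allocated (their allocation is outside the hunk), the struct leaks once per skipped key and `free(id);` should replace the memset. pubkey_prepare begins before this hunk, and the two-line `id2` iterator variable the new TAILQ_FOREACH_SAFE needs is declared outside it as well.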