openssh/backport-upstream-Do-not-apply-authorized_keys-options-when-signature.patch

From 62bbf8f825cc390ecb0523752ddac1435006f206 Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org" <djm@openbsd.org>
Date: Sun, 15 Sep 2024 00:41:18 +0000
Subject: [PATCH] upstream: Do not apply authorized_keys options when signature
 verification fails. Prevents restrictive key options being incorrectly
 applied to subsequent keys in authorized_keys.

Conflict:NA
Reference:https://anongit.mindrot.org/openssh.git/commit/62bbf8f825cc390ecb0523752ddac1435006f206
---
 monitor.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/monitor.c b/monitor.c
index ceeb035..a2647fd 100644
--- a/monitor.c
+++ b/monitor.c
@@ -1564,7 +1564,7 @@ mm_answer_keyverify(struct ssh *ssh, int sock, struct sshbuf *m)
 	}
 	auth2_record_key(authctxt, ret == 0, key);
 
-	if (key_blobtype == MM_USERKEY)
+	if (key_blobtype == MM_USERKEY && ret == 0)
 		auth_activate_options(ssh, key_opts);
 	monitor_reset_key_state();
 
-- 
2.43.0