81 lines
2.7 KiB
Diff
81 lines
2.7 KiB
Diff
From e76135e3007f1564427b2956c628923d8dc2f75a Mon Sep 17 00:00:00 2001
|
|
From: "djm@openbsd.org" <djm@openbsd.org>
|
|
Date: Fri, 16 Nov 2018 02:43:56 +0000
|
|
Subject: [PATCH 110/294] upstream: fix bug in HostbasedAcceptedKeyTypes and
|
|
|
|
PubkeyAcceptedKeyTypes options. If only RSA-SHA2 siganture types were
|
|
specified, then authentication would always fail for RSA keys as the monitor
|
|
checks only the base key (not the signature algorithm) type against
|
|
*AcceptedKeyTypes. bz#2746; reported by Jakub Jelen; ok dtucker
|
|
|
|
OpenBSD-Commit-ID: 117bc3dc54578dbdb515a1d3732988cb5b00461b
|
|
---
|
|
monitor.c | 37 +++++++++++++++++++++++++++++++++----
|
|
1 file changed, 33 insertions(+), 4 deletions(-)
|
|
|
|
diff --git a/monitor.c b/monitor.c
|
|
index f56ea85..553e4aa 100644
|
|
--- a/monitor.c
|
|
+++ b/monitor.c
|
|
@@ -912,6 +912,35 @@ mm_answer_authrole(int sock, struct sshbuf *m)
|
|
}
|
|
#endif
|
|
|
|
+/*
|
|
+ * Check that the key type appears in the supplied pattern list, ignoring
|
|
+ * mismatches in the signature algorithm. (Signature algorithm checks are
|
|
+ * performed in the unprivileged authentication code).
|
|
+ * Returns 1 on success, 0 otherwise.
|
|
+ */
|
|
+static int
|
|
+key_base_type_match(const char *method, const struct sshkey *key,
|
|
+ const char *list)
|
|
+{
|
|
+ char *s, *l, *ol = xstrdup(list);
|
|
+ int found = 0;
|
|
+
|
|
+ l = ol;
|
|
+ for ((s = strsep(&l, ",")); s && *s != '\0'; (s = strsep(&l, ","))) {
|
|
+ if (sshkey_type_from_name(s) == key->type) {
|
|
+ found = 1;
|
|
+ break;
|
|
+ }
|
|
+ }
|
|
+ if (!found) {
|
|
+ error("%s key type %s is not in permitted list %s", method,
|
|
+ sshkey_ssh_name(key), list);
|
|
+ }
|
|
+
|
|
+ free(ol);
|
|
+ return found;
|
|
+}
|
|
+
|
|
int
|
|
mm_answer_authpassword(int sock, struct sshbuf *m)
|
|
{
|
|
@@ -1217,8 +1246,8 @@ mm_answer_keyallowed(int sock, struct sshbuf *m)
|
|
break;
|
|
if (auth2_key_already_used(authctxt, key))
|
|
break;
|
|
- if (match_pattern_list(sshkey_ssh_name(key),
|
|
- options.pubkey_key_types, 0) != 1)
|
|
+ if (!key_base_type_match(auth_method, key,
|
|
+ options.pubkey_key_types))
|
|
break;
|
|
allowed = user_key_allowed(ssh, authctxt->pw, key,
|
|
pubkey_auth_attempt, &opts);
|
|
@@ -1229,8 +1258,8 @@ mm_answer_keyallowed(int sock, struct sshbuf *m)
|
|
break;
|
|
if (auth2_key_already_used(authctxt, key))
|
|
break;
|
|
- if (match_pattern_list(sshkey_ssh_name(key),
|
|
- options.hostbased_key_types, 0) != 1)
|
|
+ if (!key_base_type_match(auth_method, key,
|
|
+ options.hostbased_key_types))
|
|
break;
|
|
allowed = hostbased_key_allowed(authctxt->pw,
|
|
cuser, chost, key);
|
|
--
|
|
1.8.3.1
|
|
|