authorColin Watson <cjwatson@debian.org>2010-01-25 12:24:16 +0000
committerColin Watson <cjwatson@debian.org>2010-01-25 12:24:16 +0000
commit02d776600121afc31658f3b857ab9d41c7cad5ca (patch)
tree46d879a915140a1383efdd7bd08b66c064795824
parent59247ecde39f2d826a94ab07f6095ca1f6644e88 (diff)
* Backport from upstream:
- Do not fall back to adding keys without constraints (ssh-add -c / -t ...) when the agent refuses the constrained add request. This was a useful migration measure back in 2002 when constraints were new, but just adds risk now (LP: #209447).
-rw-r--r--authfd.c6
-rw-r--r--authfd.h1
-rw-r--r--debian/changelog5
-rw-r--r--ssh-add.c3
4 files changed, 5 insertions, 10 deletions
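--- a/authfd.c
+++ b/authfd.c
@@ -545,12 +545,6 @@ ssh_add_identity_constrained(AuthenticationConnection *auth, Key *key,
 	return decode_reply(type);
 }
 
-int
-ssh_add_identity(AuthenticationConnection *auth, Key *key, const char *comment)
-{
-	return ssh_add_identity_constrained(auth, key, comment, 0, 0);
-}
-
 /*
  * Removes an identity from the authentication server. This call is not
  * meant to be used by normal applications.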
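--- a/authfd.h
+++ b/authfd.h
@@ -75,7 +75,6 @@ void ssh_close_authentication_connection(AuthenticationConnection *);
 int ssh_get_num_identities(AuthenticationConnection *, int);
 Key *ssh_get_first_identity(AuthenticationConnection *, char **, int);
 Key *ssh_get_next_identity(AuthenticationConnection *, char **, int);
-int ssh_add_identity(AuthenticationConnection *, Key *, const char *);
 int ssh_add_identity_constrained(AuthenticationConnection *, Key *,
 	    const char *, u_int, u_int);
 int ssh_remove_identity(AuthenticationConnection *, Key *);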
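--- a/debian/changelog
+++ b/debian/changelog
@@ -3,6 +3,11 @@ openssh (1:5.3p1-1) UNRELEASED; urgency=low
   * New upstream release.
   * Update to GSSAPI patch from
     http://www.sxw.org.uk/computing/patches/openssh-5.3p1-gsskex-all-20100124.patch.
+  * Backport from upstream:
+    - Do not fall back to adding keys without contraints (ssh-add -c / -t
+      ...) when the agent refuses the constrained add request. This was a
+      useful migration measure back in 2002 when constraints were new, but
+      just adds risk now (LP: #209447).
 
  -- Colin Watson <cjwatson@debian.org>  Sun, 24 Jan 2010 22:32:25 +0000
 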
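--- a/ssh-add.c
+++ b/ssh-add.c
@@ -203,9 +203,6 @@ add_file(AuthenticationConnection *ac, const char *filename)
 		if (confirm != 0)
 			fprintf(stderr,
 			    "The user has to confirm each use of the key\n");
-	} else if (ssh_add_identity(ac, private, comment)) {
-		fprintf(stderr, "Identity added: %s (%s)\n", filename, comment);
-		ret = 0;
 	} else {
 		fprintf(stderr, "Could not add identity: %s\n", filename);
 	}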