Backport upstream patch to unbreak authentication using lone certificate keys in ssh-agent: when attempting pubkey auth with a certificate, if no separate private key is found among the keys then try with the certificate key itself (thanks, Paul Querna; LP: #1575961).

5 files changed, 60 insertions, 8 deletions

diff --git a/debian/.git-dpm b/debian/.git-dpm
index 589d66c5c..4d6e084d7 100644
--- a/debian/.git-dpm
+++ b/debian/.git-dpm
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-7f3fb4e5fdddc6600e70ae663c21511fbcf2c64c
-7f3fb4e5fdddc6600e70ae663c21511fbcf2c64c
+43a633de1cabe77e652125dac394a99ad9cac3b4
+43a633de1cabe77e652125dac394a99ad9cac3b4
 f0329aac23c61e1a5197d6d57349a63f459bccb0
 f0329aac23c61e1a5197d6d57349a63f459bccb0
 openssh_7.2p2.orig.tar.gz
diff --git a/debian/changelog b/debian/changelog
index 748efee5b..efaa766ae 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+openssh (1:7.2p2-5) UNRELEASED; urgency=medium
+
+  * Backport upstream patch to unbreak authentication using lone certificate
+    keys in ssh-agent: when attempting pubkey auth with a certificate, if no
+    separate private key is found among the keys then try with the
+    certificate key itself (thanks, Paul Querna; LP: #1575961).
+
+ -- Colin Watson <cjwatson@debian.org>  Thu, 28 Apr 2016 01:46:20 +0100
+
 openssh (1:7.2p2-4) unstable; urgency=medium
 
   * Drop dependency on libnss-files-udeb (closes: #819686).
diff --git a/debian/patches/series b/debian/patches/series
index b5c9fb392..d2d89669f 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -26,3 +26,4 @@ sigstop.patch
 systemd-readiness.patch
 debian-config.patch
 CVE-2015-8325.patch
+unbreak-certificate-auth.patch
diff --git a/debian/patches/unbreak-certificate-auth.patch b/debian/patches/unbreak-certificate-auth.patch
new file mode 100644
index 000000000..cbf7c1800
--- /dev/null
+++ b/debian/patches/unbreak-certificate-auth.patch
@@ -0,0 +1,46 @@
+From 43a633de1cabe77e652125dac394a99ad9cac3b4 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Mon, 14 Mar 2016 16:20:54 +0000
+Subject: upstream commit
+
+unbreak authentication using lone certificate keys in
+ ssh-agent: when attempting pubkey auth with a certificate, if no separate
+ private key is found among the keys then try with the certificate key itself.
+
+bz#2550 reported by Peter Moody
+
+Upstream-ID: f939cd76d68e6a9a3d1711b5a943d6ed1e623966
+
+Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=c38905ba391434834da86abfc988a2b8b9b62477
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1575961
+Last-Update: 2016-04-28
+
+Patch-Name: unbreak-certificate-auth.patch
+---
+ sshconnect2.c | 8 ++------
+ 1 file changed, 2 insertions(+), 6 deletions(-)
+
+diff --git a/sshconnect2.c b/sshconnect2.c
+index b452eae..40facda 100644
+--- a/sshconnect2.c
++++ b/sshconnect2.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: sshconnect2.c,v 1.239 2016/02/23 01:34:14 djm Exp $ */
++/* $OpenBSD: sshconnect2.c,v 1.240 2016/03/14 16:20:54 djm Exp $ */
+ /*
+  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
+  * Copyright (c) 2008 Damien Miller.  All rights reserved.
+@@ -1224,12 +1224,8 @@ sign_and_send_pubkey(Authctxt *authctxt, Identity *id)
+                            "certificate", __func__, id->filename,
+                            id->agent_fd != -1 ? " from agent" : "");
+                } else {
+-                       /* XXX maybe verbose/error? */
+-                       debug("%s: no private key for certificate "
++                       debug("%s: no separate private key for certificate "
+                            "\"%s\"", __func__, id->filename);
+-                       free(blob);
+-                       buffer_free(&b);
+-                       return 0;
+                }
+        }
+ 
diff --git a/sshconnect2.c b/sshconnect2.c
index b452eae24..40facdab5 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect2.c,v 1.239 2016/02/23 01:34:14 djm Exp $ */
+/* $OpenBSD: sshconnect2.c,v 1.240 2016/03/14 16:20:54 djm Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  * Copyright (c) 2008 Damien Miller.  All rights reserved.
@@ -1224,12 +1224,8 @@ sign_and_send_pubkey(Authctxt *authctxt, Identity *id)
                             "certificate", __func__, id->filename,
                             id->agent_fd != -1 ? " from agent" : "");
                 } else {
-                        /* XXX maybe verbose/error? */
-                        debug("%s: no private key for certificate "
+                        debug("%s: no separate private key for certificate "
                             "\"%s\"", __func__, id->filename);
-                        free(blob);
-                        buffer_free(&b);
-                        return 0;
                 }
         }