diff options
| author | Darren Tucker <dtucker@zip.com.au> | 2008-06-14 08:59:49 +1000 |
|---|---|---|
| committer | Darren Tucker <dtucker@zip.com.au> | 2008-06-14 08:59:49 +1000 |
| commit | f2c16d30b456c3b149999e91d16bf28f82197d3f (patch) | |
| tree | 74a4a098eed0b40dbd945e7adc8a51da41ebd419 | |
| parent | 99bb7619d42476a98be48eae7a0237d6dc750cd3 (diff) | |
- dtucker@cvs.openbsd.org 2008/06/13 13:56:59
[monitor.c]
Clear key options in the monitor on failed authentication, prevents
applying additional restrictions to non-pubkey authentications in
the case where pubkey fails but another method subsequently succeeds.
bz #1472, found by Colin Watson, ok markus@ djm
| -rw-r--r-- | ChangeLog | 8 | ||||
| -rw-r--r-- | monitor.c | 6 |
2 files changed, 12 insertions, 2 deletions
| @@ -3,6 +3,12 @@ | |||
| 3 | - deraadt@cvs.openbsd.org 2008/06/13 09:44:36 | 3 | - deraadt@cvs.openbsd.org 2008/06/13 09:44:36 |
| 4 | [packet.c] | 4 | [packet.c] |
| 5 | compile on older gcc; no decl after code | 5 | compile on older gcc; no decl after code |
| 6 | - dtucker@cvs.openbsd.org 2008/06/13 13:56:59 | ||
| 7 | [monitor.c] | ||
| 8 | Clear key options in the monitor on failed authentication, prevents | ||
| 9 | applying additional restrictions to non-pubkey authentications in | ||
| 10 | the case where pubkey fails but another method subsequently succeeds. | ||
| 11 | bz #1472, found by Colin Watson, ok markus@ djm@ | ||
| 6 | 12 | ||
| 7 | 20080612 | 13 | 20080612 |
| 8 | - (dtucker) OpenBSD CVS Sync | 14 | - (dtucker) OpenBSD CVS Sync |
| @@ -4341,4 +4347,4 @@ | |||
| 4341 | OpenServer 6 and add osr5bigcrypt support so when someone migrates | 4347 | OpenServer 6 and add osr5bigcrypt support so when someone migrates |
| 4342 | passwords between UnixWare and OpenServer they will still work. OK dtucker@ | 4348 | passwords between UnixWare and OpenServer they will still work. OK dtucker@ |
| 4343 | 4349 | ||
| 4344 | $Id: ChangeLog,v 1.5004 2008/06/13 12:02:50 dtucker Exp $ | 4350 | $Id: ChangeLog,v 1.5005 2008/06/13 22:59:49 dtucker Exp $ |
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: monitor.c,v 1.96 2008/05/08 12:21:16 djm Exp $ */ | 1 | /* $OpenBSD: monitor.c,v 1.97 2008/06/13 13:56:59 dtucker Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright 2002 Niels Provos <provos@citi.umich.edu> | 3 | * Copyright 2002 Niels Provos <provos@citi.umich.edu> |
| 4 | * Copyright 2002 Markus Friedl <markus@openbsd.org> | 4 | * Copyright 2002 Markus Friedl <markus@openbsd.org> |
| @@ -1015,6 +1015,8 @@ mm_answer_keyallowed(int sock, Buffer *m) | |||
| 1015 | allowed = options.pubkey_authentication && | 1015 | allowed = options.pubkey_authentication && |
| 1016 | user_key_allowed(authctxt->pw, key); | 1016 | user_key_allowed(authctxt->pw, key); |
| 1017 | auth_method = "publickey"; | 1017 | auth_method = "publickey"; |
| 1018 | if (options.pubkey_authentication && allowed != 1) | ||
| 1019 | auth_clear_options(); | ||
| 1018 | break; | 1020 | break; |
| 1019 | case MM_HOSTKEY: | 1021 | case MM_HOSTKEY: |
| 1020 | allowed = options.hostbased_authentication && | 1022 | allowed = options.hostbased_authentication && |
| @@ -1027,6 +1029,8 @@ mm_answer_keyallowed(int sock, Buffer *m) | |||
| 1027 | allowed = options.rhosts_rsa_authentication && | 1029 | allowed = options.rhosts_rsa_authentication && |
| 1028 | auth_rhosts_rsa_key_allowed(authctxt->pw, | 1030 | auth_rhosts_rsa_key_allowed(authctxt->pw, |
| 1029 | cuser, chost, key); | 1031 | cuser, chost, key); |
| 1032 | if (options.rhosts_rsa_authentication && allowed != 1) | ||
| 1033 | auth_clear_options(); | ||
| 1030 | auth_method = "rsa"; | 1034 | auth_method = "rsa"; |
| 1031 | break; | 1035 | break; |
| 1032 | default: | 1036 | default: |