author | djm@openbsd.org <djm@openbsd.org> | 2016-11-30 02:57:40 +0000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2016-11-30 19:44:01 +1100 |
commit | fd6dcef2030d23c43f986d26979f84619c10589d (patch) | |
tree | a9b9d64866a656d5e187f7d63b61e1c1bede5e8f /auth-options.h | |
parent | 7fc4766ac78abae81ee75b22b7550720bfa28a33 (diff) |
upstream commit
When a forced-command appears in both a certificate and
an authorized keys/principals command= restriction, refuse to accept the
certificate unless they are identical.
The previous (documented) behaviour of having the certificate forced-
command override the other could be a bit confusing and more error-prone.
Pointed out by Jann Horn of Project Zero; ok dtucker@
Upstream-ID: 79d811b6eb6bbe1221bf146dde6928f92d2cd05f
Diffstat (limited to 'auth-options.h')
-rw-r--r-- | auth-options.h | 4 |
1 files changed, 2 insertions, 2 deletions
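--- a/auth-options.h
+++ b/auth-options.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth-options.h,v 1.21 2015/01/14 10:30:34 markus Exp $ */
+/* $OpenBSD: auth-options.h,v 1.22 2016/11/30 02:57:40 djm Exp $ */
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -35,6 +35,6 @@ extern char *authorized_principals;
 
 int auth_parse_options(struct passwd *, char *, char *, u_long);
 void auth_clear_options(void);
-int auth_cert_options(struct sshkey *, struct passwd *);
+int auth_cert_options(struct sshkey *, struct passwd *, const char **);
 
 #endif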
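Review bot: The new third parameter of `auth_cert_options` is an unnamed `const char **` with no comment, so the header does not say what is written through it or who owns the string. Going by the commit message it presumably carries the reason a certificate was refused, such as a forced-command mismatch with the authorized keys/principals `command=` restriction. I would add a comment above the prototype along the lines of `/* third argument: on refusal, set to a string describing why; caller must not free it */`, with the ownership part confirmed against the implementation, which is not part of this file-limited view. Since this is an authentication decision, it is also worth checking that every caller rejects the certificate when the call fails and logs the returned reason.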