upstream: Add sshd_config CASignatureAlgorithms option to allow

control over which signature algorithms a CA may use when signing certificates. In particular, this allows a sshd to ban certificates signed with RSA/SHA1. ok markus@ OpenBSD-Commit-ID: b05c86ef8b52b913ed48d54a9b9c1a7714d96bac
author: djm@openbsd.org <djm@openbsd.org> 2018-09-20 03:28:06 +0000
committer: Damien Miller <djm@mindrot.org> 2018-09-20 14:00:29 +1000
commit: 86e5737c39153af134158f24d0cab5827cbd5852 (patch)
tree: 1add30c99e83b544792233280451f70f03053586 /auth2-hostbased.c
parent: f80e68ea7d62e2dfafc12f1a60ab544ae4033a0f (diff)
1 files changed, 8 insertions, 1 deletions
diff --git a/auth2-hostbased.c b/auth2-hostbased.c
index 73944bcb7..764ceff74 100644
--- a/auth2-hostbased.c
+++ b/auth2-hostbased.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-hostbased.c,v 1.37 2018/08/28 12:17:45 mestre Exp $ */
+/* $OpenBSD: auth2-hostbased.c,v 1.38 2018/09/20 03:28:06 djm Exp $ */
 /*
 * Copyright (c) 2000 Markus Friedl.  All rights reserved.
 *
@@ -112,6 +112,13 @@ userauth_hostbased(struct ssh *ssh)
                    __func__, sshkey_type(key));
                goto done;
        }
+        if ((r = sshkey_check_cert_sigtype(key,
+            options.ca_sign_algorithms)) != 0) {
+                logit("%s: certificate signature algorithm %s: %s", __func__,
+                    (key->cert == NULL || key->cert->signature_type == NULL) ?
+                    "(null)" : key->cert->signature_type, ssh_err(r));
+                goto done;
+        }
        if (!authctxt->valid || authctxt->user == NULL) {
                debug2("%s: disabled because of invalid user", __func__);
author	djm@openbsd.org <djm@openbsd.org>	2018-09-20 03:28:06 +0000
committer	Damien Miller <djm@mindrot.org>	2018-09-20 14:00:29 +1000
commit	86e5737c39153af134158f24d0cab5827cbd5852 (patch)
tree	1add30c99e83b544792233280451f70f03053586 /auth2-hostbased.c
parent	f80e68ea7d62e2dfafc12f1a60ab544ae4033a0f (diff)