Fix user enumeration vulnerability

Apply upstream patch to delay bailout for invalid authenticating user
until after the packet containing the request has been fully parsed.

Closes: #906236

1 files changed, 5 insertions, 4 deletions

diff --git a/auth2-hostbased.c b/auth2-hostbased.c
index 8996f7e05..82a7dcdae 100644
--- a/auth2-hostbased.c
+++ b/auth2-hostbased.c
@@ -67,10 +67,6 @@ userauth_hostbased(struct ssh *ssh)
         size_t alen, blen, slen;
         int r, pktype, authenticated = 0;
 
-        if (!authctxt->valid) {
-                debug2("%s: disabled because of invalid user", __func__);
-                return 0;
-        }
         /* XXX use sshkey_froms() */
         if ((r = sshpkt_get_cstring(ssh, &pkalg, &alen)) != 0 ||
             (r = sshpkt_get_string(ssh, &pkblob, &blen)) != 0 ||
@@ -118,6 +114,11 @@ userauth_hostbased(struct ssh *ssh)
                 goto done;
         }
 
+        if (!authctxt->valid || authctxt->user == NULL) {
+                debug2("%s: disabled because of invalid user", __func__);
+                goto done;
+        }
+
         if ((b = sshbuf_new()) == NULL)
                 fatal("%s: sshbuf_new failed", __func__);
         /* reconstruct packet */