summaryrefslogtreecommitdiff
path: root/auth2-hostbased.c
diff options
context:
space:
mode:
authordjm@openbsd.org <djm@openbsd.org>2018-07-03 11:39:54 +0000
committerDamien Miller <djm@mindrot.org>2018-07-03 23:26:36 +1000
commit4ba0d54794814ec0de1ec87987d0c3b89379b436 (patch)
treeb8d904880f8927374b377b2e4d5661213c1138b6 /auth2-hostbased.c
parent95344c257412b51199ead18d54eaed5bafb75617 (diff)
upstream: Improve strictness and control over RSA-SHA2 signature
In ssh, when an agent fails to return a RSA-SHA2 signature when requested and falls back to RSA-SHA1 instead, retry the signature to ensure that the public key algorithm sent in the SSH_MSG_USERAUTH matches the one in the signature itself. In sshd, strictly enforce that the public key algorithm sent in the SSH_MSG_USERAUTH message matches what appears in the signature. Make the sshd_config PubkeyAcceptedKeyTypes and HostbasedAcceptedKeyTypes options control accepted signature algorithms (previously they selected supported key types). This allows these options to ban RSA-SHA1 in favour of RSA-SHA2. Add new signature algorithms "rsa-sha2-256-cert-v01@openssh.com" and "rsa-sha2-512-cert-v01@openssh.com" to force use of RSA-SHA2 signatures with certificate keys. feedback and ok markus@ OpenBSD-Commit-ID: c6e9f6d45eed8962ad502d315d7eaef32c419dde
Diffstat (limited to 'auth2-hostbased.c')
-rw-r--r--auth2-hostbased.c5
1 files changed, 2 insertions, 3 deletions
diff --git a/auth2-hostbased.c b/auth2-hostbased.c
index 8996f7e05..f70609cb0 100644
--- a/auth2-hostbased.c
+++ b/auth2-hostbased.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: auth2-hostbased.c,v 1.33 2018/01/23 05:27:21 djm Exp $ */ 1/* $OpenBSD: auth2-hostbased.c,v 1.34 2018/07/03 11:39:54 djm Exp $ */
2/* 2/*
3 * Copyright (c) 2000 Markus Friedl. All rights reserved. 3 * Copyright (c) 2000 Markus Friedl. All rights reserved.
4 * 4 *
@@ -111,8 +111,7 @@ userauth_hostbased(struct ssh *ssh)
111 "signature format"); 111 "signature format");
112 goto done; 112 goto done;
113 } 113 }
114 if (match_pattern_list(sshkey_ssh_name(key), 114 if (match_pattern_list(pkalg, options.hostbased_key_types, 0) != 1) {
115 options.hostbased_key_types, 0) != 1) {
116 logit("%s: key type %s not in HostbasedAcceptedKeyTypes", 115 logit("%s: key type %s not in HostbasedAcceptedKeyTypes",
117 __func__, sshkey_type(key)); 116 __func__, sshkey_type(key));
118 goto done; 117 goto done;