diff options
author | djm@openbsd.org <djm@openbsd.org> | 2018-07-03 11:39:54 +0000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2018-07-03 23:26:36 +1000 |
commit | 4ba0d54794814ec0de1ec87987d0c3b89379b436 (patch) | |
tree | b8d904880f8927374b377b2e4d5661213c1138b6 /auth2-hostbased.c | |
parent | 95344c257412b51199ead18d54eaed5bafb75617 (diff) |
upstream: Improve strictness and control over RSA-SHA2 signature
In ssh, when an agent fails to return a RSA-SHA2 signature when
requested and falls back to RSA-SHA1 instead, retry the signature to
ensure that the public key algorithm sent in the SSH_MSG_USERAUTH
matches the one in the signature itself.
In sshd, strictly enforce that the public key algorithm sent in the
SSH_MSG_USERAUTH message matches what appears in the signature.
Make the sshd_config PubkeyAcceptedKeyTypes and
HostbasedAcceptedKeyTypes options control accepted signature algorithms
(previously they selected supported key types). This allows these
options to ban RSA-SHA1 in favour of RSA-SHA2.
Add new signature algorithms "rsa-sha2-256-cert-v01@openssh.com" and
"rsa-sha2-512-cert-v01@openssh.com" to force use of RSA-SHA2 signatures
with certificate keys.
feedback and ok markus@
OpenBSD-Commit-ID: c6e9f6d45eed8962ad502d315d7eaef32c419dde
Diffstat (limited to 'auth2-hostbased.c')
-rw-r--r-- | auth2-hostbased.c | 5 |
1 files changed, 2 insertions, 3 deletions
diff --git a/auth2-hostbased.c b/auth2-hostbased.c index 8996f7e05..f70609cb0 100644 --- a/auth2-hostbased.c +++ b/auth2-hostbased.c | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: auth2-hostbased.c,v 1.33 2018/01/23 05:27:21 djm Exp $ */ | 1 | /* $OpenBSD: auth2-hostbased.c,v 1.34 2018/07/03 11:39:54 djm Exp $ */ |
2 | /* | 2 | /* |
3 | * Copyright (c) 2000 Markus Friedl. All rights reserved. | 3 | * Copyright (c) 2000 Markus Friedl. All rights reserved. |
4 | * | 4 | * |
@@ -111,8 +111,7 @@ userauth_hostbased(struct ssh *ssh) | |||
111 | "signature format"); | 111 | "signature format"); |
112 | goto done; | 112 | goto done; |
113 | } | 113 | } |
114 | if (match_pattern_list(sshkey_ssh_name(key), | 114 | if (match_pattern_list(pkalg, options.hostbased_key_types, 0) != 1) { |
115 | options.hostbased_key_types, 0) != 1) { | ||
116 | logit("%s: key type %s not in HostbasedAcceptedKeyTypes", | 115 | logit("%s: key type %s not in HostbasedAcceptedKeyTypes", |
117 | __func__, sshkey_type(key)); | 116 | __func__, sshkey_type(key)); |
118 | goto done; | 117 | goto done; |