Backport upstream patch to unbreak authentication using lone certificate keys in ssh-agent: when attempting pubkey auth with a certificate, if no separate private key is found among the keys then try with the certificate key itself (thanks, Paul Querna; LP: #1575961).

author: Colin Watson <cjwatson@debian.org> 2016-04-28 01:46:08 +0100
committer: Colin Watson <cjwatson@debian.org> 2016-04-28 01:51:47 +0100
commit: 6d7593fbdec7235d9d21506860513ba43ef3df2f (patch)
tree: e18507525889b022031e5daa0996e87d108e38d7 /debian/patches
parent: 8590fd4848ae41b97726d7147daae271a3ab5063 (diff)
parent: 43a633de1cabe77e652125dac394a99ad9cac3b4 (diff)
2 files changed, 47 insertions, 0 deletions
diff --git a/debian/patches/series b/debian/patches/series
index b5c9fb392..d2d89669f 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -26,3 +26,4 @@ sigstop.patch
 systemd-readiness.patch
 debian-config.patch
 CVE-2015-8325.patch
+unbreak-certificate-auth.patch
diff --git a/debian/patches/unbreak-certificate-auth.patch b/debian/patches/unbreak-certificate-auth.patch
new file mode 100644
index 000000000..cbf7c1800
--- /dev/null
+++ b/debian/patches/unbreak-certificate-auth.patch
@@ -0,0 +1,46 @@
+From 43a633de1cabe77e652125dac394a99ad9cac3b4 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Mon, 14 Mar 2016 16:20:54 +0000
+Subject: upstream commit
+unbreak authentication using lone certificate keys in
+ ssh-agent: when attempting pubkey auth with a certificate, if no separate
+ private key is found among the keys then try with the certificate key itself.
+bz#2550 reported by Peter Moody
+Upstream-ID: f939cd76d68e6a9a3d1711b5a943d6ed1e623966
+Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=c38905ba391434834da86abfc988a2b8b9b62477
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1575961
+Last-Update: 2016-04-28
+Patch-Name: unbreak-certificate-auth.patch
+---
+ sshconnect2.c | 8 ++------
+ 1 file changed, 2 insertions(+), 6 deletions(-)
+diff --git a/sshconnect2.c b/sshconnect2.c
+index b452eae..40facda 100644
+--- a/sshconnect2.c
+++ b/sshconnect2.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: sshconnect2.c,v 1.239 2016/02/23 01:34:14 djm Exp $ */
+/* $OpenBSD: sshconnect2.c,v 1.240 2016/03/14 16:20:54 djm Exp $ */
+ /*
+  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
+  * Copyright (c) 2008 Damien Miller.  All rights reserved.
+@@ -1224,12 +1224,8 @@ sign_and_send_pubkey(Authctxt *authctxt, Identity *id)
+                            "certificate", __func__, id->filename,
+                            id->agent_fd != -1 ? " from agent" : "");
+                } else {
+-                       /* XXX maybe verbose/error? */
+-                       debug("%s: no private key for certificate "
+                       debug("%s: no separate private key for certificate "
+                            "\"%s\"", __func__, id->filename);
+-                       free(blob);
+-                       buffer_free(&b);
+-                       return 0;
+                }
+        }
+
author	Colin Watson <cjwatson@debian.org>	2016-04-28 01:46:08 +0100
committer	Colin Watson <cjwatson@debian.org>	2016-04-28 01:51:47 +0100
commit	6d7593fbdec7235d9d21506860513ba43ef3df2f (patch)
tree	e18507525889b022031e5daa0996e87d108e38d7 /debian/patches
parent	8590fd4848ae41b97726d7147daae271a3ab5063 (diff)
parent	43a633de1cabe77e652125dac394a99ad9cac3b4 (diff)

diff --git a/debian/patches/series b/debian/patches/series index b5c9fb392..d2d89669f 100644 --- a/debian/patches/series +++ b/debian/patches/series
@@ -26,3 +26,4 @@ sigstop.patch
26	systemd-readiness.patch	26	systemd-readiness.patch
27	debian-config.patch	27	debian-config.patch
28	CVE-2015-8325.patch	28	CVE-2015-8325.patch
		29	unbreak-certificate-auth.patch


diff --git a/debian/patches/unbreak-certificate-auth.patch b/debian/patches/unbreak-certificate-auth.patch new file mode 100644 index 000000000..cbf7c1800 --- /dev/null +++ b/debian/patches/unbreak-certificate-auth.patch
@@ -0,0 +1,46 @@
		1	From 43a633de1cabe77e652125dac394a99ad9cac3b4 Mon Sep 17 00:00:00 2001
		2	From: "djm@openbsd.org" <djm@openbsd.org>
		3	Date: Mon, 14 Mar 2016 16:20:54 +0000
		4	Subject: upstream commit
		5
		6	unbreak authentication using lone certificate keys in
		7	ssh-agent: when attempting pubkey auth with a certificate, if no separate
		8	private key is found among the keys then try with the certificate key itself.
		9
		10	bz#2550 reported by Peter Moody
		11
		12	Upstream-ID: f939cd76d68e6a9a3d1711b5a943d6ed1e623966
		13
		14	Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=c38905ba391434834da86abfc988a2b8b9b62477
		15	Bug-Ubuntu: https://bugs.launchpad.net/bugs/1575961
		16	Last-Update: 2016-04-28
		17
		18	Patch-Name: unbreak-certificate-auth.patch
		19	---
		20	sshconnect2.c \| 8 ++------
		21	1 file changed, 2 insertions(+), 6 deletions(-)
		22
		23	diff --git a/sshconnect2.c b/sshconnect2.c
		24	index b452eae..40facda 100644
		25	--- a/sshconnect2.c
		26	+++ b/sshconnect2.c
		27	@@ -1,4 +1,4 @@
		28	-/* $OpenBSD: sshconnect2.c,v 1.239 2016/02/23 01:34:14 djm Exp $ */
		29	+/* $OpenBSD: sshconnect2.c,v 1.240 2016/03/14 16:20:54 djm Exp $ */
		30	/*
		31	* Copyright (c) 2000 Markus Friedl. All rights reserved.
		32	* Copyright (c) 2008 Damien Miller. All rights reserved.
		33	@@ -1224,12 +1224,8 @@ sign_and_send_pubkey(Authctxt authctxt, Identity id)
		34	"certificate", __func__, id->filename,
		35	id->agent_fd != -1 ? " from agent" : "");
		36	} else {
		37	- /* XXX maybe verbose/error? */
		38	- debug("%s: no private key for certificate "
		39	+ debug("%s: no separate private key for certificate "
		40	"\"%s\"", __func__, id->filename);
		41	- free(blob);
		42	- buffer_free(&b);
		43	- return 0;
		44	}
		45	}
		46