diff options
| author | djm@openbsd.org <djm@openbsd.org> | 2018-11-16 02:43:56 +0000 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2018-11-16 13:52:17 +1100 |
| commit | e76135e3007f1564427b2956c628923d8dc2f75a (patch) | |
| tree | b19e59ca7d62f23123d77dec9e4d08db4718b462 /monitor.c | |
| parent | 5c1a63562cac0574c226224075b0829a50b48c9d (diff) | |
upstream: fix bug in HostbasedAcceptedKeyTypes and
PubkeyAcceptedKeyTypes options. If only RSA-SHA2 siganture types were
specified, then authentication would always fail for RSA keys as the monitor
checks only the base key (not the signature algorithm) type against
*AcceptedKeyTypes. bz#2746; reported by Jakub Jelen; ok dtucker
OpenBSD-Commit-ID: 117bc3dc54578dbdb515a1d3732988cb5b00461b
Diffstat (limited to 'monitor.c')
| -rw-r--r-- | monitor.c | 39 |
1 files changed, 34 insertions, 5 deletions
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: monitor.c,v 1.186 2018/07/20 03:46:34 djm Exp $ */ | 1 | /* $OpenBSD: monitor.c,v 1.188 2018/11/16 02:43:56 djm Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright 2002 Niels Provos <provos@citi.umich.edu> | 3 | * Copyright 2002 Niels Provos <provos@citi.umich.edu> |
| 4 | * Copyright 2002 Markus Friedl <markus@openbsd.org> | 4 | * Copyright 2002 Markus Friedl <markus@openbsd.org> |
| @@ -846,6 +846,35 @@ mm_answer_authserv(int sock, struct sshbuf *m) | |||
| 846 | return (0); | 846 | return (0); |
| 847 | } | 847 | } |
| 848 | 848 | ||
| 849 | /* | ||
| 850 | * Check that the key type appears in the supplied pattern list, ignoring | ||
| 851 | * mismatches in the signature algorithm. (Signature algorithm checks are | ||
| 852 | * performed in the unprivileged authentication code). | ||
| 853 | * Returns 1 on success, 0 otherwise. | ||
| 854 | */ | ||
| 855 | static int | ||
| 856 | key_base_type_match(const char *method, const struct sshkey *key, | ||
| 857 | const char *list) | ||
| 858 | { | ||
| 859 | char *s, *l, *ol = xstrdup(list); | ||
| 860 | int found = 0; | ||
| 861 | |||
| 862 | l = ol; | ||
| 863 | for ((s = strsep(&l, ",")); s && *s != '\0'; (s = strsep(&l, ","))) { | ||
| 864 | if (sshkey_type_from_name(s) == key->type) { | ||
| 865 | found = 1; | ||
| 866 | break; | ||
| 867 | } | ||
| 868 | } | ||
| 869 | if (!found) { | ||
| 870 | error("%s key type %s is not in permitted list %s", method, | ||
| 871 | sshkey_ssh_name(key), list); | ||
| 872 | } | ||
| 873 | |||
| 874 | free(ol); | ||
| 875 | return found; | ||
| 876 | } | ||
| 877 | |||
| 849 | int | 878 | int |
| 850 | mm_answer_authpassword(int sock, struct sshbuf *m) | 879 | mm_answer_authpassword(int sock, struct sshbuf *m) |
| 851 | { | 880 | { |
| @@ -1151,8 +1180,8 @@ mm_answer_keyallowed(int sock, struct sshbuf *m) | |||
| 1151 | break; | 1180 | break; |
| 1152 | if (auth2_key_already_used(authctxt, key)) | 1181 | if (auth2_key_already_used(authctxt, key)) |
| 1153 | break; | 1182 | break; |
| 1154 | if (match_pattern_list(sshkey_ssh_name(key), | 1183 | if (!key_base_type_match(auth_method, key, |
| 1155 | options.pubkey_key_types, 0) != 1) | 1184 | options.pubkey_key_types)) |
| 1156 | break; | 1185 | break; |
| 1157 | allowed = user_key_allowed(ssh, authctxt->pw, key, | 1186 | allowed = user_key_allowed(ssh, authctxt->pw, key, |
| 1158 | pubkey_auth_attempt, &opts); | 1187 | pubkey_auth_attempt, &opts); |
| @@ -1163,8 +1192,8 @@ mm_answer_keyallowed(int sock, struct sshbuf *m) | |||
| 1163 | break; | 1192 | break; |
| 1164 | if (auth2_key_already_used(authctxt, key)) | 1193 | if (auth2_key_already_used(authctxt, key)) |
| 1165 | break; | 1194 | break; |
| 1166 | if (match_pattern_list(sshkey_ssh_name(key), | 1195 | if (!key_base_type_match(auth_method, key, |
| 1167 | options.hostbased_key_types, 0) != 1) | 1196 | options.hostbased_key_types)) |
| 1168 | break; | 1197 | break; |
| 1169 | allowed = hostbased_key_allowed(authctxt->pw, | 1198 | allowed = hostbased_key_allowed(authctxt->pw, |
| 1170 | cuser, chost, key); | 1199 | cuser, chost, key); |