diff options
| author | djm@openbsd.org <djm@openbsd.org> | 2015-01-13 07:39:19 +0000 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2015-01-13 19:27:18 +1100 |
| commit | 1f729f0614d1376c3332fa1edb6a5e5cec7e9e03 (patch) | |
| tree | f651f10aa00dcecdf8e9362c0abb6282bbc99c95 /monitor.c | |
| parent | 816d1538c24209a93ba0560b27c4fda57c3fff65 (diff) | |
upstream commit
add sshd_config HostbasedAcceptedKeyTypes and
PubkeyAcceptedKeyTypes options to allow sshd to control what public key types
will be accepted. Currently defaults to all. Feedback & ok markus@
Diffstat (limited to 'monitor.c')
| -rw-r--r-- | monitor.c | 14 |
1 files changed, 13 insertions, 1 deletions
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: monitor.c,v 1.136 2014/12/22 07:51:30 djm Exp $ */ | 1 | /* $OpenBSD: monitor.c,v 1.137 2015/01/13 07:39:19 djm Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright 2002 Niels Provos <provos@citi.umich.edu> | 3 | * Copyright 2002 Niels Provos <provos@citi.umich.edu> |
| 4 | * Copyright 2002 Markus Friedl <markus@openbsd.org> | 4 | * Copyright 2002 Markus Friedl <markus@openbsd.org> |
| @@ -100,6 +100,7 @@ | |||
| 100 | #include "ssh2.h" | 100 | #include "ssh2.h" |
| 101 | #include "roaming.h" | 101 | #include "roaming.h" |
| 102 | #include "authfd.h" | 102 | #include "authfd.h" |
| 103 | #include "match.h" | ||
| 103 | 104 | ||
| 104 | #ifdef GSSAPI | 105 | #ifdef GSSAPI |
| 105 | static Gssctxt *gsscontext = NULL; | 106 | static Gssctxt *gsscontext = NULL; |
| @@ -1167,10 +1168,18 @@ mm_answer_keyallowed(int sock, Buffer *m) | |||
| 1167 | debug3("%s: key_from_blob: %p", __func__, key); | 1168 | debug3("%s: key_from_blob: %p", __func__, key); |
| 1168 | 1169 | ||
| 1169 | if (key != NULL && authctxt->valid) { | 1170 | if (key != NULL && authctxt->valid) { |
| 1171 | /* These should not make it past the privsep child */ | ||
| 1172 | if (key_type_plain(key->type) == KEY_RSA && | ||
| 1173 | (datafellows & SSH_BUG_RSASIGMD5) != 0) | ||
| 1174 | fatal("%s: passed a SSH_BUG_RSASIGMD5 key", __func__); | ||
| 1175 | |||
| 1170 | switch (type) { | 1176 | switch (type) { |
| 1171 | case MM_USERKEY: | 1177 | case MM_USERKEY: |
| 1172 | allowed = options.pubkey_authentication && | 1178 | allowed = options.pubkey_authentication && |
| 1173 | !auth2_userkey_already_used(authctxt, key) && | 1179 | !auth2_userkey_already_used(authctxt, key) && |
| 1180 | match_pattern_list(sshkey_ssh_name(key), | ||
| 1181 | options.pubkey_key_types, | ||
| 1182 | strlen(options.pubkey_key_types), 0) == 1 && | ||
| 1174 | user_key_allowed(authctxt->pw, key); | 1183 | user_key_allowed(authctxt->pw, key); |
| 1175 | pubkey_auth_info(authctxt, key, NULL); | 1184 | pubkey_auth_info(authctxt, key, NULL); |
| 1176 | auth_method = "publickey"; | 1185 | auth_method = "publickey"; |
| @@ -1179,6 +1188,9 @@ mm_answer_keyallowed(int sock, Buffer *m) | |||
| 1179 | break; | 1188 | break; |
| 1180 | case MM_HOSTKEY: | 1189 | case MM_HOSTKEY: |
| 1181 | allowed = options.hostbased_authentication && | 1190 | allowed = options.hostbased_authentication && |
| 1191 | match_pattern_list(sshkey_ssh_name(key), | ||
| 1192 | options.hostbased_key_types, | ||
| 1193 | strlen(options.hostbased_key_types), 0) == 1 && | ||
| 1182 | hostbased_key_allowed(authctxt->pw, | 1194 | hostbased_key_allowed(authctxt->pw, |
| 1183 | cuser, chost, key); | 1195 | cuser, chost, key); |
| 1184 | pubkey_auth_info(authctxt, key, | 1196 | pubkey_auth_info(authctxt, key, |