author | djm@openbsd.org <djm@openbsd.org> | 2018-11-16 02:43:56 +0000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2018-11-16 13:52:17 +1100 |
commit | e76135e3007f1564427b2956c628923d8dc2f75a (patch) | |
tree | b19e59ca7d62f23123d77dec9e4d08db4718b462 /monitor.c | |
parent | 5c1a63562cac0574c226224075b0829a50b48c9d (diff) |
upstream: fix bug in HostbasedAcceptedKeyTypes and
PubkeyAcceptedKeyTypes options. If only RSA-SHA2 signature types were
specified, then authentication would always fail for RSA keys as the monitor
checks only the base key (not the signature algorithm) type against
*AcceptedKeyTypes. bz#2746; reported by Jakub Jelen; ok dtucker
OpenBSD-Commit-ID: 117bc3dc54578dbdb515a1d3732988cb5b00461b
Diffstat (limited to 'monitor.c')
-rw-r--r-- | monitor.c | 39 |
1 files changed, 34 insertions, 5 deletions
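--- a/monitor.c
+++ b/monitor.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor.c,v 1.186 2018/07/20 03:46:34 djm Exp $ */
+/* $OpenBSD: monitor.c,v 1.188 2018/11/16 02:43:56 djm Exp $ */
 /*
 * Copyright 2002 Niels Provos <provos@citi.umich.edu>
 * Copyright 2002 Markus Friedl <markus@openbsd.org>
@@ -846,6 +846,35 @@ mm_answer_authserv(int sock, struct sshbuf *m)
 return (0);
 }
 
+/*
+* Check that the key type appears in the supplied pattern list, ignoring
+* mismatches in the signature algorithm. (Signature algorithm checks are
+* performed in the unprivileged authentication code).
+* Returns 1 on success, 0 otherwise.
+*/
+static int
+key_base_type_match(const char *method, const struct sshkey *key,
+const char *list)
+{
+char *s, *l, *ol = xstrdup(list);
+int found = 0;
+
+l = ol;
+for ((s = strsep(&l, ",")); s && *s != '\0'; (s = strsep(&l, ","))) {
+if (sshkey_type_from_name(s) == key->type) {
+found = 1;
+break;
+}
+}
+if (!found) {
+error("%s key type %s is not in permitted list %s", method,
+sshkey_ssh_name(key), list);
+}
+
+free(ol);
+return found;
+}
+
 int
 mm_answer_authpassword(int sock, struct sshbuf *m)
 {
@@ -1151,8 +1180,8 @@ mm_answer_keyallowed(int sock, struct sshbuf *m)
 break;
 if (auth2_key_already_used(authctxt, key))
 break;
-if (match_pattern_list(sshkey_ssh_name(key),
-options.pubkey_key_types, 0) != 1)
+if (!key_base_type_match(auth_method, key,
+options.pubkey_key_types))
 break;
 allowed = user_key_allowed(ssh, authctxt->pw, key,
 pubkey_auth_attempt, &opts);
@@ -1163,8 +1192,8 @@ mm_answer_keyallowed(int sock, struct sshbuf *m)
 break;
 if (auth2_key_already_used(authctxt, key))
 break;
-if (match_pattern_list(sshkey_ssh_name(key),
-options.hostbased_key_types, 0) != 1)
+if (!key_base_type_match(auth_method, key,
+options.hostbased_key_types))
 break;
 allowed = hostbased_key_allowed(authctxt->pw,
 cuser, chost, key);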
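Review bot: The loop in `key_base_type_match` (hunk at 846) uses `s && *s != '\0'` as its continuation test, so an empty list element — a doubled or trailing comma in `PubkeyAcceptedKeyTypes`/`HostbasedAcceptedKeyTypes` — ends the scan and every type after it is silently refused rather than skipped. This fails closed, and the servconf parser may already reject such values, but skipping empties is cheaper than relying on that: `for ((s = strsep(&l, ",")); s != NULL; (s = strsep(&l, ","))) {` followed by `if (*s == '\0') continue;`. Note also that the helper is an exact-name lookup via `sshkey_type_from_name`, whereas the `match_pattern_list` calls it replaces at 1154 and 1166 accepted wildcard and `!` negation patterns; this is only correct if those option strings have already been expanded to concrete type names before they reach the monitor, which is worth stating in the function comment. The callers in `mm_answer_keyallowed` start and end outside the hunks.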