diff options
| author | djm@openbsd.org <djm@openbsd.org> | 2015-10-13 16:15:21 +0000 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2015-10-14 03:22:09 +1100 |
| commit | e679c09cd1951f963793aa3d9748d1c3fdcf808f (patch) | |
| tree | 9ee1b2bc1282dc1b4704482c24cefe8e8b8e1c37 /sshconnect2.c | |
| parent | 179c353f564ec7ada64b87730b25fb41107babd7 (diff) | |
upstream commit
apply PubkeyAcceptedKeyTypes filtering earlier, so all
skipped keys are noted before pubkey authentication starts. ok dtucker@
Upstream-ID: ba4f52f54268a421a2a5f98bb375403f4cb044b8
Diffstat (limited to 'sshconnect2.c')
| -rw-r--r-- | sshconnect2.c | 23 |
1 files changed, 15 insertions, 8 deletions
diff --git a/sshconnect2.c b/sshconnect2.c index e82188392..3ab686e86 100644 --- a/sshconnect2.c +++ b/sshconnect2.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: sshconnect2.c,v 1.227 2015/09/24 06:15:11 djm Exp $ */ | 1 | /* $OpenBSD: sshconnect2.c,v 1.228 2015/10/13 16:15:21 djm Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2000 Markus Friedl. All rights reserved. | 3 | * Copyright (c) 2000 Markus Friedl. All rights reserved. |
| 4 | * Copyright (c) 2008 Damien Miller. All rights reserved. | 4 | * Copyright (c) 2008 Damien Miller. All rights reserved. |
| @@ -1328,7 +1328,20 @@ pubkey_prepare(Authctxt *authctxt) | |||
| 1328 | TAILQ_REMOVE(&files, id, next); | 1328 | TAILQ_REMOVE(&files, id, next); |
| 1329 | TAILQ_INSERT_TAIL(preferred, id, next); | 1329 | TAILQ_INSERT_TAIL(preferred, id, next); |
| 1330 | } | 1330 | } |
| 1331 | TAILQ_FOREACH(id, preferred, next) { | 1331 | /* finally, filter by PubkeyAcceptedKeyTypes */ |
| 1332 | TAILQ_FOREACH_SAFE(id, preferred, next, id2) { | ||
| 1333 | if (id->key != NULL && | ||
| 1334 | match_pattern_list(sshkey_ssh_name(id->key), | ||
| 1335 | options.pubkey_key_types, 0) != 1) { | ||
| 1336 | debug("Skipping %s key %s - " | ||
| 1337 | "not in PubkeyAcceptedKeyTypes", | ||
| 1338 | sshkey_ssh_name(id->key), id->filename); | ||
| 1339 | TAILQ_REMOVE(preferred, id, next); | ||
| 1340 | sshkey_free(id->key); | ||
| 1341 | free(id->filename); | ||
| 1342 | memset(id, 0, sizeof(*id)); | ||
| 1343 | continue; | ||
| 1344 | } | ||
| 1332 | debug2("key: %s (%p),%s", id->filename, id->key, | 1345 | debug2("key: %s (%p),%s", id->filename, id->key, |
| 1333 | id->userprovided ? " explicit" : ""); | 1346 | id->userprovided ? " explicit" : ""); |
| 1334 | } | 1347 | } |
| @@ -1356,12 +1369,6 @@ try_identity(Identity *id) | |||
| 1356 | { | 1369 | { |
| 1357 | if (!id->key) | 1370 | if (!id->key) |
| 1358 | return (0); | 1371 | return (0); |
| 1359 | if (match_pattern_list(sshkey_ssh_name(id->key), | ||
| 1360 | options.pubkey_key_types, 0) != 1) { | ||
| 1361 | debug("Skipping %s key %s for not in PubkeyAcceptedKeyTypes", | ||
| 1362 | sshkey_ssh_name(id->key), id->filename); | ||
| 1363 | return (0); | ||
| 1364 | } | ||
| 1365 | if (key_type_plain(id->key->type) == KEY_RSA && | 1372 | if (key_type_plain(id->key->type) == KEY_RSA && |
| 1366 | (datafellows & SSH_BUG_RSASIGMD5) != 0) { | 1373 | (datafellows & SSH_BUG_RSASIGMD5) != 0) { |
| 1367 | debug("Skipped %s key %s for RSA/MD5 server", | 1374 | debug("Skipped %s key %s for RSA/MD5 server", |