summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--debian/.git-dpm4
-rw-r--r--debian/changelog8
-rw-r--r--debian/patches/fix-key-type-check.patch88
-rw-r--r--debian/patches/series1
-rw-r--r--monitor.c39
5 files changed, 133 insertions, 7 deletions
diff --git a/debian/.git-dpm b/debian/.git-dpm
index 8a18e26dc..a45865db0 100644
--- a/debian/.git-dpm
+++ b/debian/.git-dpm
@@ -1,6 +1,6 @@
1# see git-dpm(1) from git-dpm package 1# see git-dpm(1) from git-dpm package
2125924e47db3713a85a70e0f8d6c23818d2ea054 25e021158aa22cc64da4fca1618ee0bfd2d031049
3125924e47db3713a85a70e0f8d6c23818d2ea054 35e021158aa22cc64da4fca1618ee0bfd2d031049
43d246f10429fc9a37b98eabef94fe8dc7c61002b 43d246f10429fc9a37b98eabef94fe8dc7c61002b
53d246f10429fc9a37b98eabef94fe8dc7c61002b 53d246f10429fc9a37b98eabef94fe8dc7c61002b
6openssh_7.9p1.orig.tar.gz 6openssh_7.9p1.orig.tar.gz
diff --git a/debian/changelog b/debian/changelog
index 61189919c..ce7ec26fe 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
1openssh (1:7.9p1-8) UNRELEASED; urgency=medium
2
3 * Apply upstream patch to fix bug in HostbasedAcceptedKeyTypes and
4 PubkeyAcceptedKeyTypes options in the case where only RSA-SHA2 signature
5 types were specified.
6
7 -- Colin Watson <cjwatson@debian.org> Thu, 28 Feb 2019 10:33:32 +0000
8
1openssh (1:7.9p1-7) unstable; urgency=medium 9openssh (1:7.9p1-7) unstable; urgency=medium
2 10
3 * Recommend "default-logind | logind | libpam-systemd" rather than just 11 * Recommend "default-logind | logind | libpam-systemd" rather than just
diff --git a/debian/patches/fix-key-type-check.patch b/debian/patches/fix-key-type-check.patch
new file mode 100644
index 000000000..846df5768
--- /dev/null
+++ b/debian/patches/fix-key-type-check.patch
@@ -0,0 +1,88 @@
1From 5e021158aa22cc64da4fca1618ee0bfd2d031049 Mon Sep 17 00:00:00 2001
2From: "djm@openbsd.org" <djm@openbsd.org>
3Date: Fri, 16 Nov 2018 02:43:56 +0000
4Subject: upstream: fix bug in HostbasedAcceptedKeyTypes and
5
6PubkeyAcceptedKeyTypes options. If only RSA-SHA2 siganture types were
7specified, then authentication would always fail for RSA keys as the monitor
8checks only the base key (not the signature algorithm) type against
9*AcceptedKeyTypes. bz#2746; reported by Jakub Jelen; ok dtucker
10
11OpenBSD-Commit-ID: 117bc3dc54578dbdb515a1d3732988cb5b00461b
12
13Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=cd9467318b56e6e93ff9575c906ff8350af9b8a2
14Last-Update: 2019-02-28
15
16Patch-Name: fix-key-type-check.patch
17---
18 monitor.c | 39 ++++++++++++++++++++++++++++++++++-----
19 1 file changed, 34 insertions(+), 5 deletions(-)
20
21diff --git a/monitor.c b/monitor.c
22index 08fddabd7..037d6d333 100644
23--- a/monitor.c
24+++ b/monitor.c
25@@ -1,4 +1,4 @@
26-/* $OpenBSD: monitor.c,v 1.186 2018/07/20 03:46:34 djm Exp $ */
27+/* $OpenBSD: monitor.c,v 1.188 2018/11/16 02:43:56 djm Exp $ */
28 /*
29 * Copyright 2002 Niels Provos <provos@citi.umich.edu>
30 * Copyright 2002 Markus Friedl <markus@openbsd.org>
31@@ -892,6 +892,35 @@ mm_answer_authrole(int sock, struct sshbuf *m)
32 return (0);
33 }
34
35+/*
36+ * Check that the key type appears in the supplied pattern list, ignoring
37+ * mismatches in the signature algorithm. (Signature algorithm checks are
38+ * performed in the unprivileged authentication code).
39+ * Returns 1 on success, 0 otherwise.
40+ */
41+static int
42+key_base_type_match(const char *method, const struct sshkey *key,
43+ const char *list)
44+{
45+ char *s, *l, *ol = xstrdup(list);
46+ int found = 0;
47+
48+ l = ol;
49+ for ((s = strsep(&l, ",")); s && *s != '\0'; (s = strsep(&l, ","))) {
50+ if (sshkey_type_from_name(s) == key->type) {
51+ found = 1;
52+ break;
53+ }
54+ }
55+ if (!found) {
56+ error("%s key type %s is not in permitted list %s", method,
57+ sshkey_ssh_name(key), list);
58+ }
59+
60+ free(ol);
61+ return found;
62+}
63+
64 int
65 mm_answer_authpassword(int sock, struct sshbuf *m)
66 {
67@@ -1197,8 +1226,8 @@ mm_answer_keyallowed(int sock, struct sshbuf *m)
68 break;
69 if (auth2_key_already_used(authctxt, key))
70 break;
71- if (match_pattern_list(sshkey_ssh_name(key),
72- options.pubkey_key_types, 0) != 1)
73+ if (!key_base_type_match(auth_method, key,
74+ options.pubkey_key_types))
75 break;
76 allowed = user_key_allowed(ssh, authctxt->pw, key,
77 pubkey_auth_attempt, &opts);
78@@ -1209,8 +1238,8 @@ mm_answer_keyallowed(int sock, struct sshbuf *m)
79 break;
80 if (auth2_key_already_used(authctxt, key))
81 break;
82- if (match_pattern_list(sshkey_ssh_name(key),
83- options.hostbased_key_types, 0) != 1)
84+ if (!key_base_type_match(auth_method, key,
85+ options.hostbased_key_types))
86 break;
87 allowed = hostbased_key_allowed(authctxt->pw,
88 cuser, chost, key);
diff --git a/debian/patches/series b/debian/patches/series
index 4403cba3b..12358dcf0 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -28,3 +28,4 @@ scp-disallow-dot-or-empty-filename.patch
28sanitize-scp-filenames-via-snmprintf.patch 28sanitize-scp-filenames-via-snmprintf.patch
29have-progressmeter-force-update-at-beginning-and-end-transfer.patch 29have-progressmeter-force-update-at-beginning-and-end-transfer.patch
30check-filenames-in-scp-client.patch 30check-filenames-in-scp-client.patch
31fix-key-type-check.patch
diff --git a/monitor.c b/monitor.c
index 08fddabd7..037d6d333 100644
--- a/monitor.c
+++ b/monitor.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: monitor.c,v 1.186 2018/07/20 03:46:34 djm Exp $ */ 1/* $OpenBSD: monitor.c,v 1.188 2018/11/16 02:43:56 djm Exp $ */
2/* 2/*
3 * Copyright 2002 Niels Provos <provos@citi.umich.edu> 3 * Copyright 2002 Niels Provos <provos@citi.umich.edu>
4 * Copyright 2002 Markus Friedl <markus@openbsd.org> 4 * Copyright 2002 Markus Friedl <markus@openbsd.org>
@@ -892,6 +892,35 @@ mm_answer_authrole(int sock, struct sshbuf *m)
892 return (0); 892 return (0);
893} 893}
894 894
895/*
896 * Check that the key type appears in the supplied pattern list, ignoring
897 * mismatches in the signature algorithm. (Signature algorithm checks are
898 * performed in the unprivileged authentication code).
899 * Returns 1 on success, 0 otherwise.
900 */
901static int
902key_base_type_match(const char *method, const struct sshkey *key,
903 const char *list)
904{
905 char *s, *l, *ol = xstrdup(list);
906 int found = 0;
907
908 l = ol;
909 for ((s = strsep(&l, ",")); s && *s != '\0'; (s = strsep(&l, ","))) {
910 if (sshkey_type_from_name(s) == key->type) {
911 found = 1;
912 break;
913 }
914 }
915 if (!found) {
916 error("%s key type %s is not in permitted list %s", method,
917 sshkey_ssh_name(key), list);
918 }
919
920 free(ol);
921 return found;
922}
923
895int 924int
896mm_answer_authpassword(int sock, struct sshbuf *m) 925mm_answer_authpassword(int sock, struct sshbuf *m)
897{ 926{
@@ -1197,8 +1226,8 @@ mm_answer_keyallowed(int sock, struct sshbuf *m)
1197 break; 1226 break;
1198 if (auth2_key_already_used(authctxt, key)) 1227 if (auth2_key_already_used(authctxt, key))
1199 break; 1228 break;
1200 if (match_pattern_list(sshkey_ssh_name(key), 1229 if (!key_base_type_match(auth_method, key,
1201 options.pubkey_key_types, 0) != 1) 1230 options.pubkey_key_types))
1202 break; 1231 break;
1203 allowed = user_key_allowed(ssh, authctxt->pw, key, 1232 allowed = user_key_allowed(ssh, authctxt->pw, key,
1204 pubkey_auth_attempt, &opts); 1233 pubkey_auth_attempt, &opts);
@@ -1209,8 +1238,8 @@ mm_answer_keyallowed(int sock, struct sshbuf *m)
1209 break; 1238 break;
1210 if (auth2_key_already_used(authctxt, key)) 1239 if (auth2_key_already_used(authctxt, key))
1211 break; 1240 break;
1212 if (match_pattern_list(sshkey_ssh_name(key), 1241 if (!key_base_type_match(auth_method, key,
1213 options.hostbased_key_types, 0) != 1) 1242 options.hostbased_key_types))
1214 break; 1243 break;
1215 allowed = hostbased_key_allowed(authctxt->pw, 1244 allowed = hostbased_key_allowed(authctxt->pw,
1216 cuser, chost, key); 1245 cuser, chost, key);