1 files changed, 7 insertions, 6 deletions

diff --git a/auth2-pubkey.c b/auth2-pubkey.c
index c820c2816..5aa319ccc 100644
--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-pubkey.c,v 1.52 2015/06/15 18:42:19 jsing Exp $ */
+/* $OpenBSD: auth2-pubkey.c,v 1.53 2015/06/15 18:44:22 jsing Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  *
@@ -831,7 +831,7 @@ user_cert_trusted_ca(struct passwd *pw, Key *key)
 {
         char *ca_fp, *principals_file = NULL;
         const char *reason;
-        int ret = 0, found_principal = 0;
+        int ret = 0, found_principal = 0, use_authorized_principals;
 
         if (!key_is_cert(key) || options.trusted_user_ca_keys == NULL)
                 return 0;
@@ -859,9 +859,10 @@ user_cert_trusted_ca(struct passwd *pw, Key *key)
         /* Try querying command if specified */
         if (!found_principal && match_principals_command(pw, key->cert))
                 found_principal = 1;
-        /* If principals file or command specify, then require a match here */
-        if (!found_principal && (principals_file != NULL ||
-            options.authorized_principals_command != NULL)) {
+        /* If principals file or command is specified, then require a match */
+        use_authorized_principals = principals_file != NULL ||
+            options.authorized_principals_command != NULL;
+        if (!found_principal && use_authorized_principals) {
                 reason = "Certificate does not contain an authorized principal";
  fail_reason:
                 error("%s", reason);
@@ -869,7 +870,7 @@ user_cert_trusted_ca(struct passwd *pw, Key *key)
                 goto out;
         }
         if (key_cert_check_authority(key, 0, 1,
-            principals_file == NULL ? pw->pw_name : NULL, &reason) != 0)
+            use_authorized_principals ? NULL : pw->pw_name, &reason) != 0)
                 goto fail_reason;
         if (auth_cert_options(key, pw) != 0)
                 goto out;