Diffstat (limited to 'auth2-pubkey.c')
-rw-r--r-- | auth2-pubkey.c | 18 |
1 files changed, 16 insertions, 2 deletions
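--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-pubkey.c,v 1.99 2020/02/06 22:30:54 naddy Exp $ */
+/* $OpenBSD: auth2-pubkey.c,v 1.100 2020/08/27 01:07:09 djm Exp $ */
 /*
 * Copyright (c) 2000 Markus Friedl. All rights reserved.
 *
@@ -97,7 +97,7 @@ userauth_pubkey(struct ssh *ssh)
 u_char *pkblob = NULL, *sig = NULL, have_sig;
 size_t blen, slen;
 int r, pktype;
-int req_presence = 0, authenticated = 0;
+int req_presence = 0, req_verify = 0, authenticated = 0;
 struct sshauthopt *authopts = NULL;
 struct sshkey_sig_details *sig_details = NULL;
 
@@ -239,6 +239,20 @@ userauth_pubkey(struct ssh *ssh)
 authenticated = 0;
 goto done;
 }
+req_verify = (options.pubkey_auth_options &
+    PUBKEYAUTH_VERIFY_REQUIRED) ||
+    authopts->require_verify;
+if (req_verify && (sig_details->sk_flags &
+    SSH_SK_USER_VERIFICATION_REQD) == 0) {
+	error("public key %s signature for %s%s from "
+	    "%.128s port %d rejected: user "
+	    "verification requirement not met ", key_s,
+	    authctxt->valid ? "" : "invalid user ",
+	    authctxt->user, ssh_remote_ipaddr(ssh),
+	    ssh_remote_port(ssh));
+	authenticated = 0;
+	goto done;
+}
 }
 auth2_record_key(authctxt, authenticated, key);
 } else {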
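Review bot: The rejection message in the new verification check carries a trailing space before the format argument, `"verification requirement not met ", key_s`, which ends up in the log line as "not met  " and will trip exact-match log parsers that watch for this rejection; it should read `"verification requirement not met", key_s`. The new code also dereferences sig_details and authopts unguarded, so it relies on the enclosing block (which starts before this hunk) having already established that both are non-NULL; that looks plausible from the surrounding presence check but is worth confirming. If sig_details is NULL for signatures from non-security-key types, a `require_verify` authorized-keys option on such a key would not be enforced by this check, so it is worth confirming where that case is rejected. A short comment such as `/* sig_details is non-NULL here: guarded by the enclosing if */` above the req_verify assignment would make the invariant explicit. userauth_pubkey continues outside the hunk.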