1 files changed, 16 insertions, 2 deletions

diff --git a/auth2-pubkey.c b/auth2-pubkey.c
index 815ea0f25..c3ecd9afc 100644
--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-pubkey.c,v 1.99 2020/02/06 22:30:54 naddy Exp $ */
+/* $OpenBSD: auth2-pubkey.c,v 1.100 2020/08/27 01:07:09 djm Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  *
@@ -97,7 +97,7 @@ userauth_pubkey(struct ssh *ssh)
         u_char *pkblob = NULL, *sig = NULL, have_sig;
         size_t blen, slen;
         int r, pktype;
-        int req_presence = 0, authenticated = 0;
+        int req_presence = 0, req_verify = 0, authenticated = 0;
         struct sshauthopt *authopts = NULL;
         struct sshkey_sig_details *sig_details = NULL;
 
@@ -239,6 +239,20 @@ userauth_pubkey(struct ssh *ssh)
                                 authenticated = 0;
                                 goto done;
                         }
+                        req_verify = (options.pubkey_auth_options &
+                            PUBKEYAUTH_VERIFY_REQUIRED) ||
+                            authopts->require_verify;
+                        if (req_verify && (sig_details->sk_flags &
+                            SSH_SK_USER_VERIFICATION_REQD) == 0) {
+                                error("public key %s signature for %s%s from "
+                                    "%.128s port %d rejected: user "
+                                    "verification requirement not met ", key_s,
+                                    authctxt->valid ? "" : "invalid user ",
+                                    authctxt->user, ssh_remote_ipaddr(ssh),
+                                    ssh_remote_port(ssh));
+                                authenticated = 0;
+                                goto done;
+                        }
                 }
                 auth2_record_key(authctxt, authenticated, key);
         } else {