1 files changed, 88 insertions, 0 deletions
diff --git a/debian/patches/fix-key-type-check.patch b/debian/patches/fix-key-type-check.patch
new file mode 100644
index 000000000..846df5768
--- /dev/null
+++ b/debian/patches/fix-key-type-check.patch
@@ -0,0 +1,88 @@
+From 5e021158aa22cc64da4fca1618ee0bfd2d031049 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Fri, 16 Nov 2018 02:43:56 +0000
+Subject: upstream: fix bug in HostbasedAcceptedKeyTypes and
+PubkeyAcceptedKeyTypes options. If only RSA-SHA2 siganture types were
+specified, then authentication would always fail for RSA keys as the monitor
+checks only the base key (not the signature algorithm) type against
+*AcceptedKeyTypes. bz#2746; reported by Jakub Jelen; ok dtucker
+OpenBSD-Commit-ID: 117bc3dc54578dbdb515a1d3732988cb5b00461b
+Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=cd9467318b56e6e93ff9575c906ff8350af9b8a2
+Last-Update: 2019-02-28
+Patch-Name: fix-key-type-check.patch
+---
+ monitor.c | 39 ++++++++++++++++++++++++++++++++++-----
+ 1 file changed, 34 insertions(+), 5 deletions(-)
+diff --git a/monitor.c b/monitor.c
+index 08fddabd7..037d6d333 100644
+--- a/monitor.c
+++ b/monitor.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: monitor.c,v 1.186 2018/07/20 03:46:34 djm Exp $ */
+/* $OpenBSD: monitor.c,v 1.188 2018/11/16 02:43:56 djm Exp $ */
+ /*
+  * Copyright 2002 Niels Provos <provos@citi.umich.edu>
+  * Copyright 2002 Markus Friedl <markus@openbsd.org>
+@@ -892,6 +892,35 @@ mm_answer_authrole(int sock, struct sshbuf *m)
+        return (0);
+ }
+ 
+/*
+ * Check that the key type appears in the supplied pattern list, ignoring
+ * mismatches in the signature algorithm. (Signature algorithm checks are
+ * performed in the unprivileged authentication code).
+ * Returns 1 on success, 0 otherwise.
+ */
+static int
+key_base_type_match(const char *method, const struct sshkey *key,
+    const char *list)
+{
+       char *s, *l, *ol = xstrdup(list);
+       int found = 0;
+
+       l = ol;
+       for ((s = strsep(&l, ",")); s && *s != '\0'; (s = strsep(&l, ","))) {
+               if (sshkey_type_from_name(s) == key->type) {
+                       found = 1;
+                       break;
+               }
+       }
+       if (!found) {
+               error("%s key type %s is not in permitted list %s", method,
+                   sshkey_ssh_name(key), list);
+       }
+
+       free(ol);
+       return found;
+}
+
+ int
+ mm_answer_authpassword(int sock, struct sshbuf *m)
+ {
+@@ -1197,8 +1226,8 @@ mm_answer_keyallowed(int sock, struct sshbuf *m)
+                                break;
+                        if (auth2_key_already_used(authctxt, key))
+                                break;
+-                       if (match_pattern_list(sshkey_ssh_name(key),
+-                           options.pubkey_key_types, 0) != 1)
+                       if (!key_base_type_match(auth_method, key,
+                           options.pubkey_key_types))
+                                break;
+                        allowed = user_key_allowed(ssh, authctxt->pw, key,
+                            pubkey_auth_attempt, &opts);
+@@ -1209,8 +1238,8 @@ mm_answer_keyallowed(int sock, struct sshbuf *m)
+                                break;
+                        if (auth2_key_already_used(authctxt, key))
+                                break;
+-                       if (match_pattern_list(sshkey_ssh_name(key),
+-                           options.hostbased_key_types, 0) != 1)
+                       if (!key_base_type_match(auth_method, key,
+                           options.hostbased_key_types))
+                                break;
+                        allowed = hostbased_key_allowed(authctxt->pw,
+                            cuser, chost, key);

diff --git a/debian/patches/fix-key-type-check.patch b/debian/patches/fix-key-type-check.patch new file mode 100644 index 000000000..846df5768 --- /dev/null +++ b/debian/patches/fix-key-type-check.patch
@@ -0,0 +1,88 @@
	1	From 5e021158aa22cc64da4fca1618ee0bfd2d031049 Mon Sep 17 00:00:00 2001
	2	From: "djm@openbsd.org" <djm@openbsd.org>
	3	Date: Fri, 16 Nov 2018 02:43:56 +0000
	4	Subject: upstream: fix bug in HostbasedAcceptedKeyTypes and
	5
	6	PubkeyAcceptedKeyTypes options. If only RSA-SHA2 siganture types were
	7	specified, then authentication would always fail for RSA keys as the monitor
	8	checks only the base key (not the signature algorithm) type against
	9	*AcceptedKeyTypes. bz#2746; reported by Jakub Jelen; ok dtucker
	10
	11	OpenBSD-Commit-ID: 117bc3dc54578dbdb515a1d3732988cb5b00461b
	12
	13	Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=cd9467318b56e6e93ff9575c906ff8350af9b8a2
	14	Last-Update: 2019-02-28
	15
	16	Patch-Name: fix-key-type-check.patch
	17	---
	18	monitor.c \| 39 ++++++++++++++++++++++++++++++++++-----
	19	1 file changed, 34 insertions(+), 5 deletions(-)
	20
	21	diff --git a/monitor.c b/monitor.c
	22	index 08fddabd7..037d6d333 100644
	23	--- a/monitor.c
	24	+++ b/monitor.c
	25	@@ -1,4 +1,4 @@
	26	-/* $OpenBSD: monitor.c,v 1.186 2018/07/20 03:46:34 djm Exp $ */
	27	+/* $OpenBSD: monitor.c,v 1.188 2018/11/16 02:43:56 djm Exp $ */
	28	/*
	29	* Copyright 2002 Niels Provos <provos@citi.umich.edu>
	30	* Copyright 2002 Markus Friedl <markus@openbsd.org>
	31	@@ -892,6 +892,35 @@ mm_answer_authrole(int sock, struct sshbuf *m)
	32	return (0);
	33	}
	34
	35	+/*
	36	+ * Check that the key type appears in the supplied pattern list, ignoring
	37	+ * mismatches in the signature algorithm. (Signature algorithm checks are
	38	+ * performed in the unprivileged authentication code).
	39	+ * Returns 1 on success, 0 otherwise.
	40	+ */
	41	+static int
	42	+key_base_type_match(const char method, const struct sshkey key,
	43	+ const char *list)
	44	+{
	45	+ char s, l, *ol = xstrdup(list);
	46	+ int found = 0;
	47	+
	48	+ l = ol;
	49	+ for ((s = strsep(&l, ",")); s && *s != '\0'; (s = strsep(&l, ","))) {
	50	+ if (sshkey_type_from_name(s) == key->type) {
	51	+ found = 1;
	52	+ break;
	53	+ }
	54	+ }
	55	+ if (!found) {
	56	+ error("%s key type %s is not in permitted list %s", method,
	57	+ sshkey_ssh_name(key), list);
	58	+ }
	59	+
	60	+ free(ol);
	61	+ return found;
	62	+}
	63	+
	64	int
	65	mm_answer_authpassword(int sock, struct sshbuf *m)
	66	{
	67	@@ -1197,8 +1226,8 @@ mm_answer_keyallowed(int sock, struct sshbuf *m)
	68	break;
	69	if (auth2_key_already_used(authctxt, key))
	70	break;
	71	- if (match_pattern_list(sshkey_ssh_name(key),
	72	- options.pubkey_key_types, 0) != 1)
	73	+ if (!key_base_type_match(auth_method, key,
	74	+ options.pubkey_key_types))
	75	break;
	76	allowed = user_key_allowed(ssh, authctxt->pw, key,
	77	pubkey_auth_attempt, &opts);
	78	@@ -1209,8 +1238,8 @@ mm_answer_keyallowed(int sock, struct sshbuf *m)
	79	break;
	80	if (auth2_key_already_used(authctxt, key))
	81	break;
	82	- if (match_pattern_list(sshkey_ssh_name(key),
	83	- options.hostbased_key_types, 0) != 1)
	84	+ if (!key_base_type_match(auth_method, key,
	85	+ options.hostbased_key_types))
	86	break;
	87	allowed = hostbased_key_allowed(authctxt->pw,
	88	cuser, chost, key);