Diffstat (limited to 'debian/patches')
-rw-r--r-- | debian/patches/fix-key-type-check.patch | 88 | ||||
-rw-r--r-- | debian/patches/series | 1 |
2 files changed, 89 insertions, 0 deletions
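--- /dev/null
+++ b/debian/patches/fix-key-type-check.patch
@@ -0,0 +1,88 @@
+From 5e021158aa22cc64da4fca1618ee0bfd2d031049 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Fri, 16 Nov 2018 02:43:56 +0000
+Subject: upstream: fix bug in HostbasedAcceptedKeyTypes and
+
+PubkeyAcceptedKeyTypes options. If only RSA-SHA2 siganture types were
+specified, then authentication would always fail for RSA keys as the monitor
+checks only the base key (not the signature algorithm) type against
+*AcceptedKeyTypes. bz#2746; reported by Jakub Jelen; ok dtucker
+
+OpenBSD-Commit-ID: 117bc3dc54578dbdb515a1d3732988cb5b00461b
+
+Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=cd9467318b56e6e93ff9575c906ff8350af9b8a2
+Last-Update: 2019-02-28
+
+Patch-Name: fix-key-type-check.patch
+---
+monitor.c | 39 ++++++++++++++++++++++++++++++++++-----
+1 file changed, 34 insertions(+), 5 deletions(-)
+
+diff --git a/monitor.c b/monitor.c
+index 08fddabd7..037d6d333 100644
+--- a/monitor.c
++++ b/monitor.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: monitor.c,v 1.186 2018/07/20 03:46:34 djm Exp $ */
++/* $OpenBSD: monitor.c,v 1.188 2018/11/16 02:43:56 djm Exp $ */
+/*
+* Copyright 2002 Niels Provos <provos@citi.umich.edu>
+* Copyright 2002 Markus Friedl <markus@openbsd.org>
+@@ -892,6 +892,35 @@ mm_answer_authrole(int sock, struct sshbuf *m)
+return (0);
+}
+
++/*
++ * Check that the key type appears in the supplied pattern list, ignoring
++ * mismatches in the signature algorithm. (Signature algorithm checks are
++ * performed in the unprivileged authentication code).
++ * Returns 1 on success, 0 otherwise.
++ */
++static int
++key_base_type_match(const char *method, const struct sshkey *key,
++ const char *list)
++{
++ char *s, *l, *ol = xstrdup(list);
++ int found = 0;
++
++ l = ol;
++ for ((s = strsep(&l, ",")); s && *s != '\0'; (s = strsep(&l, ","))) {
++ if (sshkey_type_from_name(s) == key->type) {
++ found = 1;
++ break;
++ }
++ }
++ if (!found) {
++ error("%s key type %s is not in permitted list %s", method,
++ sshkey_ssh_name(key), list);
++ }
++
++ free(ol);
++ return found;
++}
++
+int
+mm_answer_authpassword(int sock, struct sshbuf *m)
+{
+@@ -1197,8 +1226,8 @@ mm_answer_keyallowed(int sock, struct sshbuf *m)
+break;
+if (auth2_key_already_used(authctxt, key))
+break;
+- if (match_pattern_list(sshkey_ssh_name(key),
+- options.pubkey_key_types, 0) != 1)
++ if (!key_base_type_match(auth_method, key,
++ options.pubkey_key_types))
+break;
+allowed = user_key_allowed(ssh, authctxt->pw, key,
+pubkey_auth_attempt, &opts);
+@@ -1209,8 +1238,8 @@ mm_answer_keyallowed(int sock, struct sshbuf *m)
+break;
+if (auth2_key_already_used(authctxt, key))
+break;
+- if (match_pattern_list(sshkey_ssh_name(key),
+- options.hostbased_key_types, 0) != 1)
++ if (!key_base_type_match(auth_method, key,
++ options.hostbased_key_types))
+break;
+allowed = hostbased_key_allowed(authctxt->pw,
+cuser, chost, key);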
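Review bot: The loop condition in the new `key_base_type_match`, `s && *s != '\0'`, stops scanning at the first empty element of `list` instead of skipping it, so a value such as `rsa-sha2-512,,ssh-ed25519` would never reach `ssh-ed25519` and the key would be refused with the "not in permitted list" error. Presumably the option parser rejects empty names before the value gets here (not visible in this hunk), but the helper is cheap to make robust: loop on `s != NULL` and put `if (*s == '\0') continue;` as the first statement of the body. The header comment also defers signature-algorithm enforcement to the unprivileged child, yet the monitor is the privilege boundary, so it would help future readers to say in that comment where the monitor itself constrains the signature algorithm it verifies — confirm that path before documenting it, as it is outside this hunk. The `mm_answer_keyallowed` switch these two call sites live in starts and ends outside the visible hunks.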
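--- a/debian/patches/series
+++ b/debian/patches/series
@@ -28,3 +28,4 @@ scp-disallow-dot-or-empty-filename.patch
 sanitize-scp-filenames-via-snmprintf.patch
 have-progressmeter-force-update-at-beginning-and-end-transfer.patch
 check-filenames-in-scp-client.patch
+fix-key-type-check.patch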