diff options
Diffstat (limited to 'monitor.c')
-rw-r--r-- | monitor.c | 39 |
1 files changed, 34 insertions, 5 deletions
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: monitor.c,v 1.186 2018/07/20 03:46:34 djm Exp $ */ | 1 | /* $OpenBSD: monitor.c,v 1.188 2018/11/16 02:43:56 djm Exp $ */ |
2 | /* | 2 | /* |
3 | * Copyright 2002 Niels Provos <provos@citi.umich.edu> | 3 | * Copyright 2002 Niels Provos <provos@citi.umich.edu> |
4 | * Copyright 2002 Markus Friedl <markus@openbsd.org> | 4 | * Copyright 2002 Markus Friedl <markus@openbsd.org> |
@@ -892,6 +892,35 @@ mm_answer_authrole(int sock, struct sshbuf *m) | |||
892 | return (0); | 892 | return (0); |
893 | } | 893 | } |
894 | 894 | ||
895 | /* | ||
896 | * Check that the key type appears in the supplied pattern list, ignoring | ||
897 | * mismatches in the signature algorithm. (Signature algorithm checks are | ||
898 | * performed in the unprivileged authentication code). | ||
899 | * Returns 1 on success, 0 otherwise. | ||
900 | */ | ||
901 | static int | ||
902 | key_base_type_match(const char *method, const struct sshkey *key, | ||
903 | const char *list) | ||
904 | { | ||
905 | char *s, *l, *ol = xstrdup(list); | ||
906 | int found = 0; | ||
907 | |||
908 | l = ol; | ||
909 | for ((s = strsep(&l, ",")); s && *s != '\0'; (s = strsep(&l, ","))) { | ||
910 | if (sshkey_type_from_name(s) == key->type) { | ||
911 | found = 1; | ||
912 | break; | ||
913 | } | ||
914 | } | ||
915 | if (!found) { | ||
916 | error("%s key type %s is not in permitted list %s", method, | ||
917 | sshkey_ssh_name(key), list); | ||
918 | } | ||
919 | |||
920 | free(ol); | ||
921 | return found; | ||
922 | } | ||
923 | |||
895 | int | 924 | int |
896 | mm_answer_authpassword(int sock, struct sshbuf *m) | 925 | mm_answer_authpassword(int sock, struct sshbuf *m) |
897 | { | 926 | { |
@@ -1197,8 +1226,8 @@ mm_answer_keyallowed(int sock, struct sshbuf *m) | |||
1197 | break; | 1226 | break; |
1198 | if (auth2_key_already_used(authctxt, key)) | 1227 | if (auth2_key_already_used(authctxt, key)) |
1199 | break; | 1228 | break; |
1200 | if (match_pattern_list(sshkey_ssh_name(key), | 1229 | if (!key_base_type_match(auth_method, key, |
1201 | options.pubkey_key_types, 0) != 1) | 1230 | options.pubkey_key_types)) |
1202 | break; | 1231 | break; |
1203 | allowed = user_key_allowed(ssh, authctxt->pw, key, | 1232 | allowed = user_key_allowed(ssh, authctxt->pw, key, |
1204 | pubkey_auth_attempt, &opts); | 1233 | pubkey_auth_attempt, &opts); |
@@ -1209,8 +1238,8 @@ mm_answer_keyallowed(int sock, struct sshbuf *m) | |||
1209 | break; | 1238 | break; |
1210 | if (auth2_key_already_used(authctxt, key)) | 1239 | if (auth2_key_already_used(authctxt, key)) |
1211 | break; | 1240 | break; |
1212 | if (match_pattern_list(sshkey_ssh_name(key), | 1241 | if (!key_base_type_match(auth_method, key, |
1213 | options.hostbased_key_types, 0) != 1) | 1242 | options.hostbased_key_types)) |
1214 | break; | 1243 | break; |
1215 | allowed = hostbased_key_allowed(authctxt->pw, | 1244 | allowed = hostbased_key_allowed(authctxt->pw, |
1216 | cuser, chost, key); | 1245 | cuser, chost, key); |