summaryrefslogtreecommitdiff
path: root/monitor.c
diff options
context:
space:
mode:
Diffstat (limited to 'monitor.c')
-rw-r--r--monitor.c14
1 files changed, 13 insertions, 1 deletions
diff --git a/monitor.c b/monitor.c
index b830e0374..5a28d1b34 100644
--- a/monitor.c
+++ b/monitor.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: monitor.c,v 1.136 2014/12/22 07:51:30 djm Exp $ */ 1/* $OpenBSD: monitor.c,v 1.137 2015/01/13 07:39:19 djm Exp $ */
2/* 2/*
3 * Copyright 2002 Niels Provos <provos@citi.umich.edu> 3 * Copyright 2002 Niels Provos <provos@citi.umich.edu>
4 * Copyright 2002 Markus Friedl <markus@openbsd.org> 4 * Copyright 2002 Markus Friedl <markus@openbsd.org>
@@ -100,6 +100,7 @@
100#include "ssh2.h" 100#include "ssh2.h"
101#include "roaming.h" 101#include "roaming.h"
102#include "authfd.h" 102#include "authfd.h"
103#include "match.h"
103 104
104#ifdef GSSAPI 105#ifdef GSSAPI
105static Gssctxt *gsscontext = NULL; 106static Gssctxt *gsscontext = NULL;
@@ -1167,10 +1168,18 @@ mm_answer_keyallowed(int sock, Buffer *m)
1167 debug3("%s: key_from_blob: %p", __func__, key); 1168 debug3("%s: key_from_blob: %p", __func__, key);
1168 1169
1169 if (key != NULL && authctxt->valid) { 1170 if (key != NULL && authctxt->valid) {
1171 /* These should not make it past the privsep child */
1172 if (key_type_plain(key->type) == KEY_RSA &&
1173 (datafellows & SSH_BUG_RSASIGMD5) != 0)
1174 fatal("%s: passed a SSH_BUG_RSASIGMD5 key", __func__);
1175
1170 switch (type) { 1176 switch (type) {
1171 case MM_USERKEY: 1177 case MM_USERKEY:
1172 allowed = options.pubkey_authentication && 1178 allowed = options.pubkey_authentication &&
1173 !auth2_userkey_already_used(authctxt, key) && 1179 !auth2_userkey_already_used(authctxt, key) &&
1180 match_pattern_list(sshkey_ssh_name(key),
1181 options.pubkey_key_types,
1182 strlen(options.pubkey_key_types), 0) == 1 &&
1174 user_key_allowed(authctxt->pw, key); 1183 user_key_allowed(authctxt->pw, key);
1175 pubkey_auth_info(authctxt, key, NULL); 1184 pubkey_auth_info(authctxt, key, NULL);
1176 auth_method = "publickey"; 1185 auth_method = "publickey";
@@ -1179,6 +1188,9 @@ mm_answer_keyallowed(int sock, Buffer *m)
1179 break; 1188 break;
1180 case MM_HOSTKEY: 1189 case MM_HOSTKEY:
1181 allowed = options.hostbased_authentication && 1190 allowed = options.hostbased_authentication &&
1191 match_pattern_list(sshkey_ssh_name(key),
1192 options.hostbased_key_types,
1193 strlen(options.hostbased_key_types), 0) == 1 &&
1182 hostbased_key_allowed(authctxt->pw, 1194 hostbased_key_allowed(authctxt->pw,
1183 cuser, chost, key); 1195 cuser, chost, key);
1184 pubkey_auth_info(authctxt, key, 1196 pubkey_auth_info(authctxt, key,