Diffstat (limited to 'monitor.c')
-rw-r--r-- | monitor.c | 39 |
1 files changed, 34 insertions, 5 deletions
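--- a/monitor.c
+++ b/monitor.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor.c,v 1.186 2018/07/20 03:46:34 djm Exp $ */
+/* $OpenBSD: monitor.c,v 1.188 2018/11/16 02:43:56 djm Exp $ */
 /*
 * Copyright 2002 Niels Provos <provos@citi.umich.edu>
 * Copyright 2002 Markus Friedl <markus@openbsd.org>
@@ -846,6 +846,35 @@ mm_answer_authserv(int sock, struct sshbuf *m)
 return (0);
 }
 
+/*
+* Check that the key type appears in the supplied pattern list, ignoring
+* mismatches in the signature algorithm. (Signature algorithm checks are
+* performed in the unprivileged authentication code).
+* Returns 1 on success, 0 otherwise.
+*/
+static int
+key_base_type_match(const char *method, const struct sshkey *key,
+const char *list)
+{
+char *s, *l, *ol = xstrdup(list);
+int found = 0;
+
+l = ol;
+for ((s = strsep(&l, ",")); s && *s != '\0'; (s = strsep(&l, ","))) {
+if (sshkey_type_from_name(s) == key->type) {
+found = 1;
+break;
+}
+}
+if (!found) {
+error("%s key type %s is not in permitted list %s", method,
+sshkey_ssh_name(key), list);
+}
+
+free(ol);
+return found;
+}
+
 int
 mm_answer_authpassword(int sock, struct sshbuf *m)
 {
@@ -1151,8 +1180,8 @@ mm_answer_keyallowed(int sock, struct sshbuf *m)
 break;
 if (auth2_key_already_used(authctxt, key))
 break;
-if (match_pattern_list(sshkey_ssh_name(key),
-options.pubkey_key_types, 0) != 1)
+if (!key_base_type_match(auth_method, key,
+options.pubkey_key_types))
 break;
 allowed = user_key_allowed(ssh, authctxt->pw, key,
 pubkey_auth_attempt, &opts);
@@ -1163,8 +1192,8 @@ mm_answer_keyallowed(int sock, struct sshbuf *m)
 break;
 if (auth2_key_already_used(authctxt, key))
 break;
-if (match_pattern_list(sshkey_ssh_name(key),
-options.hostbased_key_types, 0) != 1)
+if (!key_base_type_match(auth_method, key,
+options.hostbased_key_types))
 break;
 allowed = hostbased_key_allowed(authctxt->pw,
 cuser, chost, key);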
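Review bot: In the new `key_base_type_match` (the @@ -846 hunk), the loop condition `s && *s != '\0'` stops scanning at the first empty element, so a list such as `ssh-ed25519,,ssh-rsa` never reaches `ssh-rsa` and the key is rejected with the "not in permitted list" error even though the list names its type. If the config parser already rejects empty elements this is only a consistency issue, but note that the check this replaces (`match_pattern_list` on the removed lines) did pattern matching, so any entry that `sshkey_type_from_name` does not map to a key type — presumably including wildcard entries that the old check accepted — now silently fails closed in the monitor. I would skip empty elements instead of terminating, `for ((s = strsep(&l, ",")); s != NULL; (s = strsep(&l, ","))) {` followed by `if (*s == '\0') continue;`, and add a comment above the loop such as `/* Entries the key parser does not recognise (unknown or wildcard names) never match here; the unprivileged side enforces the full pattern list. */`. The `mm_answer_keyallowed` callers in the last two hunks start and end outside the lines shown.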