From f2c16d30b456c3b149999e91d16bf28f82197d3f Mon Sep 17 00:00:00 2001
From: Darren Tucker
Date: Sat, 14 Jun 2008 08:59:49 +1000
Subject: - dtucker@cvs.openbsd.org 2008/06/13 13:56:59 [monitor.c] Clear key options in the monitor on failed authentication, prevents applying additional restrictions to non-pubkey authentications in the case where pubkey fails but another method subsequently succeeds. bz #1472, found by Colin Watson, ok markus@ djm
---
 ChangeLog | 8 +++++++-
 monitor.c | 6 +++++-
 2 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 81c36752c..362febe67 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -3,6 +3,12 @@
 - deraadt@cvs.openbsd.org 2008/06/13 09:44:36 [packet.c] compile on older gcc; no decl after code
+ - dtucker@cvs.openbsd.org 2008/06/13 13:56:59
+ [monitor.c]
+ Clear key options in the monitor on failed authentication, prevents
+ applying additional restrictions to non-pubkey authentications in
+ the case where pubkey fails but another method subsequently succeeds.
+ bz #1472, found by Colin Watson, ok markus@ djm@
 20080612 - (dtucker) OpenBSD CVS Sync
@@ -4341,4 +4347,4 @@ OpenServer 6 and add osr5bigcrypt support so when someone migrates passwords between UnixWare and OpenServer they will still work. OK dtucker@
-$Id: ChangeLog,v 1.5004 2008/06/13 12:02:50 dtucker Exp $
+$Id: ChangeLog,v 1.5005 2008/06/13 22:59:49 dtucker Exp $
diff --git a/monitor.c b/monitor.c
index f872edbb5..8a9ea7849 100644
--- a/monitor.c
+++ b/monitor.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor.c,v 1.96 2008/05/08 12:21:16 djm Exp $ */
+/* $OpenBSD: monitor.c,v 1.97 2008/06/13 13:56:59 dtucker Exp $ */
 /*
 * Copyright 2002 Niels Provos
 * Copyright 2002 Markus Friedl
@@ -1015,6 +1015,8 @@ mm_answer_keyallowed(int sock, Buffer *m)
 allowed = options.pubkey_authentication &&
 user_key_allowed(authctxt->pw, key);
 auth_method = "publickey";
+ if (options.pubkey_authentication && allowed != 1)
+ auth_clear_options();
 break;
 case MM_HOSTKEY:
 allowed = options.hostbased_authentication &&
@@ -1027,6 +1029,8 @@ mm_answer_keyallowed(int sock, Buffer *m)
 allowed = options.rhosts_rsa_authentication &&
 auth_rhosts_rsa_key_allowed(authctxt->pw, cuser, chost, key);
+ if (options.rhosts_rsa_authentication && allowed != 1)
+ auth_clear_options();
 auth_method = "rsa";
 break;
 default:
-- cgit v1.2.3
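Review bot: The added `auth_clear_options()` calls in both hunks run only when user_key_allowed() or auth_rhosts_rsa_key_allowed() rejects the key, so a key that is accepted here (and thus has its key options applied) but whose signature later fails to verify would, if I read the flow right, keep those options in force for whatever method the client tries next; that verification step is outside both hunks, so it is worth confirming it clears the options on failure in the same way. The `options.pubkey_authentication &&` and `options.rhosts_rsa_authentication &&` guards appear redundant, because the `&&` in the `allowed = ...` assignment just above already short-circuits when the option is off and nothing can have been set, so `if (allowed != 1) auth_clear_options();` would read more plainly in both places; if the guard is deliberate, to leave options set by another key type untouched, a one-line comment saying so would help the next reader. The two hunks also place the clearing on opposite sides of the `auth_method = ...` assignment (after it at line 1015, before it at line 1029); using the same position in both would make the pattern easier to audit. mm_answer_keyallowed() begins and ends outside these hunks.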