From 179be0f5e62f1f492462571944e45a3da660d82b Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org"
Date: Fri, 1 May 2015 03:23:51 +0000
Subject: upstream commit prevent authorized_keys options picked up on public key tests without a corresponding private key authentication being applied to other authentication methods. Reported by halex@, ok markus@
---
 monitor.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
(limited to 'monitor.c')
diff --git a/monitor.c b/monitor.c
index d0ee4f7a6..f520c978f 100644
--- a/monitor.c
+++ b/monitor.c
@@ -1185,7 +1185,7 @@ mm_answer_keyallowed(int sock, Buffer *m)
 Key *key;
 char *cuser, *chost;
 u_char *blob;
- u_int bloblen;
+ u_int bloblen, pubkey_auth_attempt;
 enum mm_keytype type = 0;
 int allowed = 0;
@@ -1195,6 +1195,7 @@ mm_answer_keyallowed(int sock, Buffer *m)
 cuser = buffer_get_string(m, NULL);
 chost = buffer_get_string(m, NULL);
 blob = buffer_get_string(m, &bloblen);
+ pubkey_auth_attempt = buffer_get_int(m);
 key = key_from_blob(blob, bloblen);
@@ -1220,7 +1221,8 @@ mm_answer_keyallowed(int sock, Buffer *m)
 pubkey_auth_attempt);
 pubkey_auth_info(authctxt, key, NULL);
 auth_method = "publickey";
- if (options.pubkey_authentication && allowed != 1)
+ if (options.pubkey_authentication &&
+ (!pubkey_auth_attempt || allowed != 1))
 auth_clear_options();
 break;
 case MM_HOSTKEY:
-- cgit v1.2.3
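Review bot: In the second hunk (`@@ -1195,6 +1195,7 @@`), `pubkey_auth_attempt = buffer_get_int(m);` takes the flag straight from the request message, so the monitor's decision to keep or clear authorized_keys options now depends on a value supplied by the requesting (presumably unprivileged) process. The read should carry a comment stating that trust assumption, e.g. `/* supplied by the requester: non-zero for a real authentication attempt, zero for a key query */`, and it is worth confirming that a later signature check does not rely on this flag alone. The page is limited to monitor.c, so the sender-side change that appends this integer to the message cannot be verified here; the two must change together or the message layout no longer matches. mm_answer_keyallowed starts and ends outside the hunk.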
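Review bot: The rewritten condition in the third hunk (`@@ -1220,7 +1221,8 @@`) is the security-relevant part of the commit but has no comment explaining why a successful key lookup still clears the options. I would add above the `if`: `/* A key query without a signature must not leave authorized_keys options set for other auth methods. */`. The clear also remains gated on `options.pubkey_authentication`; the assignment to `allowed` begins outside the hunk, so it should be confirmed that no options can be loaded when that setting is off, otherwise calling `auth_clear_options()` unconditionally on `!pubkey_auth_attempt || allowed != 1` would be the safer form. The enclosing `switch` continues outside the hunk.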