

(-)a/monitor.c (-4 / +10 lines)
Lines 1168-1176 mm_answer_keyallowed(int sock, struct sshbuf *m) Link Here
1168
				break;
1168
				break;
1169
			if (auth2_key_already_used(authctxt, key))
1169
			if (auth2_key_already_used(authctxt, key))
1170
				break;
1170
				break;
1171
			if (match_pattern_list(sshkey_ssh_name(key),
1171
			if (sshkey_type_allowed_by_config(key,
1172
			    options.pubkey_key_types, 0) != 1)
1172
			    options.pubkey_key_types) != 1) {
1173
				debug("Key type %s not in PubkeyAcceptedKeyTypes",
1174
				    sshkey_ssh_name(key));
1173
				break;
1175
				break;
1176
			}
1174
			allowed = user_key_allowed(ssh, authctxt->pw, key,
1177
			allowed = user_key_allowed(ssh, authctxt->pw, key,
1175
			    pubkey_auth_attempt, &opts);
1178
			    pubkey_auth_attempt, &opts);
1176
			break;
1179
			break;
Lines 1180-1188 mm_answer_keyallowed(int sock, struct sshbuf *m) Link Here
1180
				break;
1183
				break;
1181
			if (auth2_key_already_used(authctxt, key))
1184
			if (auth2_key_already_used(authctxt, key))
1182
				break;
1185
				break;
1183
			if (match_pattern_list(sshkey_ssh_name(key),
1186
			if (sshkey_type_allowed_by_config(key,
1184
			    options.hostbased_key_types, 0) != 1)
1187
			    options.hostbased_key_types) != 1) {
1188
				debug("Key type %s not in PubkeyAcceptedKeyTypes",
1189
				    sshkey_ssh_name(key));
1185
				break;
1190
				break;
1191
			}
1186
			allowed = hostbased_key_allowed(authctxt->pw,
1192
			allowed = hostbased_key_allowed(authctxt->pw,
1187
			    cuser, chost, key);
1193
			    cuser, chost, key);
1188
			auth2_record_info(authctxt,
1194
			auth2_record_info(authctxt,
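Review bot: The debug message in the hostbased hunk names the wrong option: the check on new line 1186 tests options.hostbased_key_types, but new line 1188 logs `Key type %s not in PubkeyAcceptedKeyTypes`, apparently copied from the pubkey hunk above, so a rejected hostbased key would point an administrator at the wrong sshd_config keyword. Change it to `debug("Key type %s not in HostbasedAcceptedKeyTypes",`. The enclosing mm_answer_keyallowed() switch starts and ends outside both hunks.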
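--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -1572,36 +1572,6 @@ load_identity_file(Identity *id)
 	return private;
 }
 
-static int
-key_type_allowed_by_config(struct sshkey *key)
-{
-	if (match_pattern_list(sshkey_ssh_name(key),
-	    options.pubkey_key_types, 0) == 1)
-		return 1;
-
-	/* RSA keys/certs might be allowed by alternate signature types */
-	switch (key->type) {
-	case KEY_RSA:
-		if (match_pattern_list("rsa-sha2-512",
-		    options.pubkey_key_types, 0) == 1)
-			return 1;
-		if (match_pattern_list("rsa-sha2-256",
-		    options.pubkey_key_types, 0) == 1)
-			return 1;
-		break;
-	case KEY_RSA_CERT:
-		if (match_pattern_list("rsa-sha2-512-cert-v01@openssh.com",
-		    options.pubkey_key_types, 0) == 1)
-			return 1;
-		if (match_pattern_list("rsa-sha2-256-cert-v01@openssh.com",
-		    options.pubkey_key_types, 0) == 1)
-			return 1;
-		break;
-	}
-	return 0;
-}
-
-
 /*
  * try keys in the following order:
  * 	1. certificates listed in the config file
@@ -1726,7 +1696,8 @@ pubkey_prepare(Authctxt *authctxt)
 	}
 	/* finally, filter by PubkeyAcceptedKeyTypes */
 	TAILQ_FOREACH_SAFE(id, preferred, next, id2) {
-		if (id->key != NULL && !key_type_allowed_by_config(id->key)) {
+		if (id->key != NULL && !sshkey_type_allowed_by_config(id->key,
+		    options.pubkey_key_types)) {
 			debug("Skipping %s key %s - "
 			    "not in PubkeyAcceptedKeyTypes",
 			    sshkey_ssh_name(id->key), id->filename);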
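--- a/sshkey.c
+++ b/sshkey.c
@@ -4078,6 +4078,35 @@ sshkey_parse_private_fileblob(struct sshbuf *buffer, const char *passphrase,
 	    passphrase, keyp, commentp);
 }
 
+int
+sshkey_type_allowed_by_config(const struct sshkey *key, const char *pubkey_types)
+{
+	if (match_pattern_list(sshkey_ssh_name(key),
+	    pubkey_types, 0) == 1)
+		return 1;
+
+	/* RSA keys/certs might be allowed by alternate signature types */
+	switch (key->type) {
+	case KEY_RSA:
+		if (match_pattern_list("rsa-sha2-512",
+		    pubkey_types, 0) == 1)
+			return 1;
+		if (match_pattern_list("rsa-sha2-256",
+		    pubkey_types, 0) == 1)
+			return 1;
+		break;
+	case KEY_RSA_CERT:
+		if (match_pattern_list("rsa-sha2-512-cert-v01@openssh.com",
+		    pubkey_types, 0) == 1)
+			return 1;
+		if (match_pattern_list("rsa-sha2-256-cert-v01@openssh.com",
+		    pubkey_types, 0) == 1)
+			return 1;
+		break;
+	}
+	return 0;
+}
+
 #ifdef WITH_XMSS
 /*
  * serialize the key with the current state and forward the state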
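Review bot: The new exported function sshkey_type_allowed_by_config() has no header comment, even though it replaces a file-local helper and is now called from monitor.c and sshconnect2.c with different option lists. A comment above the `int` line should state that it returns 1 when the key's algorithm name matches a pattern in pubkey_types and 0 otherwise, and that RSA keys and RSA certificates are additionally accepted when the list admits one of the rsa-sha2-256/rsa-sha2-512 names, because the key-type name alone would not match those patterns. It should also record that key must be non-NULL, since the body passes it straight to sshkey_ssh_name() and dereferences key->type without a check.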
(-)a/sshkey.h (-1 / +2 lines)
Lines 261-266 int ssh_xmss_sign(const struct sshkey *key, u_char **sigp, size_t *lenp, Link Here
261
int ssh_xmss_verify(const struct sshkey *key,
261
int ssh_xmss_verify(const struct sshkey *key,
262
    const u_char *signature, size_t signaturelen,
262
    const u_char *signature, size_t signaturelen,
263
    const u_char *data, size_t datalen, u_int compat);
263
    const u_char *data, size_t datalen, u_int compat);
264
int key_type_allowed_by_config(const struct sshkey *key,
265
    const char *pubkey_types);
264
#endif
266
#endif
265
267
266
#if !defined(WITH_OPENSSL)
268
#if !defined(WITH_OPENSSL)
267
- 
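Review bot: The prototype added at lines 264-265 is named `key_type_allowed_by_config`, but the definition added to sshkey.c and the new callers in monitor.c and sshconnect2.c all use `sshkey_type_allowed_by_config`, so the function that is actually called is never declared and the build will fail on the implicit declaration or, at best, lose the prototype check. The declaration also sits between ssh_xmss_verify() and the `#endif` that follows it, which from the surrounding lines looks like the WITH_XMSS guard; if so, the prototype would be invisible in builds without XMSS. Rename it to `int sshkey_type_allowed_by_config(const struct sshkey *key,` and move both lines below that `#endif`.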
