artulab
projects / openbsd / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 645be95)
apply PubkeyAcceptedKeyTypes filtering earlier, so all skipped
authordjm <djm@openbsd.org>
Tue, 13 Oct 2015 16:15:21 +0000 (16:15 +0000)
committerdjm <djm@openbsd.org>
Tue, 13 Oct 2015 16:15:21 +0000 (16:15 +0000)
keys are noted before pubkey authentication starts. ok dtucker@

usr.bin/ssh/sshconnect2.c patch | blob | history

diff --git a/usr.bin/ssh/sshconnect2.c b/usr.bin/ssh/sshconnect2.c
index 135e07a..eb98fa6 100644 (file)
--- a/usr.bin/ssh/sshconnect2.c
+++ b/usr.bin/ssh/sshconnect2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect2.c,v 1.227 2015/09/24 06:15:11 djm Exp $ */
+/* $OpenBSD: sshconnect2.c,v 1.228 2015/10/13 16:15:21 djm Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  * Copyright (c) 2008 Damien Miller.  All rights reserved.
@@ -1320,7 +1320,20 @@ pubkey_prepare(Authctxt *authctxt)
                TAILQ_REMOVE(&files, id, next);
                TAILQ_INSERT_TAIL(preferred, id, next);
        }
-       TAILQ_FOREACH(id, preferred, next) {
+       /* finally, filter by PubkeyAcceptedKeyTypes */
+       TAILQ_FOREACH_SAFE(id, preferred, next, id2) {
+               if (id->key != NULL &&
+                   match_pattern_list(sshkey_ssh_name(id->key),
+                   options.pubkey_key_types, 0) != 1) {
+                       debug("Skipping %s key %s - "
+                           "not in PubkeyAcceptedKeyTypes",
+                           sshkey_ssh_name(id->key), id->filename);
+                       TAILQ_REMOVE(preferred, id, next);
+                       sshkey_free(id->key);
+                       free(id->filename);
+                       memset(id, 0, sizeof(*id));
+                       continue;
+               }
                debug2("key: %s (%p),%s", id->filename, id->key,
                    id->userprovided ? " explicit" : "");
        }
@@ -1348,12 +1361,6 @@ try_identity(Identity *id)
 {
        if (!id->key)
                return (0);
-       if (match_pattern_list(sshkey_ssh_name(id->key),
-           options.pubkey_key_types, 0) != 1) {
-               debug("Skipping %s key %s for not in PubkeyAcceptedKeyTypes",
-                   sshkey_ssh_name(id->key), id->filename);
-               return (0);
-       }
        if (key_type_plain(id->key->type) == KEY_RSA &&
            (datafellows & SSH_BUG_RSASIGMD5) != 0) {
                debug("Skipped %s key %s for RSA/MD5 server",
OpenBSD src
by Ahmet Artu Yildirim