From 043e9fe1e47c70feb660971c20eb6b9da90418b3 Mon Sep 17 00:00:00 2001 From: djm Date: Sun, 15 Sep 2024 00:41:18 +0000 Subject: [PATCH] Do not apply authorized_keys options when signature verification fails. Prevents restrictive key options being incorrectly applied to subsequent keys in authorized_keys. bz3733, ok markus@ --- usr.bin/ssh/monitor.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/usr.bin/ssh/monitor.c b/usr.bin/ssh/monitor.c index eea5600230a..be2981eca99 100644 --- a/usr.bin/ssh/monitor.c +++ b/usr.bin/ssh/monitor.c @@ -1,4 +1,4 @@ -/* $OpenBSD: monitor.c,v 1.242 2024/09/09 02:39:57 djm Exp $ */ +/* $OpenBSD: monitor.c,v 1.243 2024/09/15 00:41:18 djm Exp $ */ /* * Copyright 2002 Niels Provos * Copyright 2002 Markus Friedl @@ -1243,7 +1243,7 @@ mm_answer_keyverify(struct ssh *ssh, int sock, struct sshbuf *m) } auth2_record_key(authctxt, ret == 0, key); - if (key_blobtype == MM_USERKEY) + if (key_blobtype == MM_USERKEY && ret == 0) auth_activate_options(ssh, key_opts); monitor_reset_key_state(); -- 2.20.1