From 1460d554ef5ca0d7b9382a746d54c58e4f3e57c1 Mon Sep 17 00:00:00 2001
From: djm
Date: Tue, 13 Oct 2015 16:15:21 +0000
Subject: [PATCH] apply PubkeyAcceptedKeyTypes filtering earlier, so all skipped keys are noted before pubkey authentication starts. ok dtucker@

---
 usr.bin/ssh/sshconnect2.c | 23 +++++++++++++++--------
 1 file changed, 15 insertions(+), 8 deletions(-)

diff --git a/usr.bin/ssh/sshconnect2.c b/usr.bin/ssh/sshconnect2.c
index 135e07acc98..eb98fa63e2f 100644
--- a/usr.bin/ssh/sshconnect2.c
+++ b/usr.bin/ssh/sshconnect2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect2.c,v 1.227 2015/09/24 06:15:11 djm Exp $ */
+/* $OpenBSD: sshconnect2.c,v 1.228 2015/10/13 16:15:21 djm Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl. All rights reserved.
  * Copyright (c) 2008 Damien Miller. All rights reserved.
@@ -1320,7 +1320,20 @@ pubkey_prepare(Authctxt *authctxt)
 		TAILQ_REMOVE(&files, id, next);
 		TAILQ_INSERT_TAIL(preferred, id, next);
 	}
-	TAILQ_FOREACH(id, preferred, next) {
+	/* finally, filter by PubkeyAcceptedKeyTypes */
+	TAILQ_FOREACH_SAFE(id, preferred, next, id2) {
+		if (id->key != NULL &&
+		    match_pattern_list(sshkey_ssh_name(id->key),
+		    options.pubkey_key_types, 0) != 1) {
+			debug("Skipping %s key %s - "
+			    "not in PubkeyAcceptedKeyTypes",
+			    sshkey_ssh_name(id->key), id->filename);
+			TAILQ_REMOVE(preferred, id, next);
+			sshkey_free(id->key);
+			free(id->filename);
+			memset(id, 0, sizeof(*id));
+			continue;
+		}
 		debug2("key: %s (%p),%s", id->filename, id->key,
 		    id->userprovided ? " explicit" : "");
 	}
@@ -1348,12 +1361,6 @@ try_identity(Identity *id)
 {
 	if (!id->key)
 		return (0);
-	if (match_pattern_list(sshkey_ssh_name(id->key),
-	    options.pubkey_key_types, 0) != 1) {
-		debug("Skipping %s key %s for not in PubkeyAcceptedKeyTypes",
-		    sshkey_ssh_name(id->key), id->filename);
-		return (0);
-	}
 	if (key_type_plain(id->key->type) == KEY_RSA &&
 	    (datafellows & SSH_BUG_RSASIGMD5) != 0) {
 		debug("Skipped %s key %s for RSA/MD5 server",
-- 
2.20.1
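Review bot: The new filter in pubkey_prepare is guarded by `id->key != NULL`, whereas the check it replaces in try_identity ran on whatever key was present at attempt time; if any caller populates `id->key` after pubkey_prepare (the `if (!id->key) return (0);` context in try_identity suggests identities without a loaded key exist), a key type excluded by PubkeyAcceptedKeyTypes could now be offered, so the `match_pattern_list(sshkey_ssh_name(id->key), options.pubkey_key_types, 0) != 1` test should be re-applied on that late-load path or a comment should state why it cannot occur. Separately, a skipped Identity is unlinked, its `key` and `filename` are freed and the struct is zeroed, but the struct itself is never released; if it is heap-allocated, as the freeing of its members suggests, `free(id);` after the `memset` would close that leak. `id2` is not declared within the hunk; presumably it already exists in pubkey_prepare. Both pubkey_prepare and try_identity begin and end outside their hunks.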