diff --git a/monitor.c b/monitor.c
index 12b33e7..a1c3c97 100644
--- a/monitor.c
+++ b/monitor.c
@@ -875,6 +875,34 @@ mm_answer_bsdauthrespond(int sock, struct sshbuf *m)
}
#endif
|
+/*
+ * Check that the key type appears in the supplied pattern list, ignoring
+ * mismastches in the signature algorithm. (Signature algorithm checks are
+ * performed in the unprivileged authentication code).
+ * Returns 1 on success, 0 otherwise.
+ */
+static int
+key_base_type_match(const struct sshkey *key, const char *list)
+{
+ char *s, *l, *ol = xstrdup(list);
+ int found = 0;
+
+ l = ol;
+ for ((s = strsep(&l, ",")); s && *s != '\0'; (s = strsep(&l, ","))) {
+ if (sshkey_type_from_name(s) == key->type) {
+ found = 1;
+ break;
+ }
+ }
+ if (!found) {
+ debug("key type %s does not appear in list %s",
+ sshkey_ssh_name(key), list);
+ }
+
+ free(ol);
+ return found;
+}
+
int
mm_answer_keyallowed(int sock, struct sshbuf *m)
{
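Review bot: Each list element is resolved with `sshkey_type_from_name(s)` and compared for exact equality, so an element that is a pattern rather than a literal algorithm name (a `*`/`?` wildcard or a `!` negation, which the removed `match_pattern_list` call presumably accepted for the same option) resolves to no key type and never matches; the helper fails closed, so the result is a rejection rather than a bypass, but a list that matched before this change can silently stop matching in the monitor. The loop condition `s && *s != '\0'` also terminates at the first empty element, so nothing after a doubled comma is ever considered. If pattern elements are not meant to reach this function, the header comment should say so, e.g. `* Each element of "list" must be a literal key or signature-algorithm name; wildcard and "!" elements are not honoured here and cause rejection, and scanning stops at the first empty element.` Otherwise the comparison needs a per-element fallback along the lines of `if (sshkey_type_from_name(s) == key->type || match_pattern(sshkey_ssh_name(key), s))`, with negation handled explicitly. mm_answer_keyallowed begins at the end of this hunk and continues outside it.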
@@ -909,8 +937,8 @@ mm_answer_keyallowed(int sock, struct sshbuf *m)
break;
if (auth2_key_already_used(authctxt, key))
break;
- if (match_pattern_list(sshkey_ssh_name(key),
- options.pubkey_key_types, 0) != 1)
+ if (!key_base_type_match(key,
+ options.pubkey_key_types))
break;
allowed = user_key_allowed(ssh, authctxt->pw, key,
pubkey_auth_attempt, &opts);
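Review bot: When the new check rejects a key here, the only record is the helper's debug() line, which names the key type and the list but not the authentication method, and the hostbased call site in the following hunk emits an identical line, so a log reader cannot tell which path refused the key. Since this is the privileged side deciding whether a key may proceed, the rejection should be attributable; the smallest fix is a debug() before the `break;`, e.g. `debug("%s: publickey: key type %s not in pubkey_key_types", __func__, sshkey_ssh_name(key));`, or an extra method-name parameter on the helper that is included in its message. mm_answer_keyallowed's body starts and ends outside this hunk.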
@@ -921,8 +949,8 @@ mm_answer_keyallowed(int sock, struct sshbuf *m)
break;
if (auth2_key_already_used(authctxt, key))
break;
- if (match_pattern_list(sshkey_ssh_name(key),
- options.hostbased_key_types, 0) != 1)
+ if (!key_base_type_match(key,
+ options.hostbased_key_types))
break;
allowed = hostbased_key_allowed(authctxt->pw,
cuser, chost, key);