aboutsummaryrefslogtreecommitdiff
path: root/src/auth.c
diff options
context:
space:
mode:
authorJakub Jelen <jjelen@redhat.com>2018-07-02 16:44:47 +0200
committerAndreas Schneider <asn@cryptomilk.org>2018-08-31 14:18:34 +0200
commit09cf301eeea985d859cae88db48db9046fe73d47 (patch)
treef78da6149707f74216948f3a3b37d004b18d7190 /src/auth.c
parent594c62d718ced4706a545c2ff21add5e3e1b652f (diff)
downloadlibssh-09cf301eeea985d859cae88db48db9046fe73d47.tar.gz
libssh-09cf301eeea985d859cae88db48db9046fe73d47.tar.xz
libssh-09cf301eeea985d859cae88db48db9046fe73d47.zip
auth: Prevent authentication with non-allowed key algorithms
Signed-off-by: Jakub Jelen <jjelen@redhat.com> Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
Diffstat (limited to 'src/auth.c')
-rw-r--r--src/auth.c39
1 files changed, 33 insertions, 6 deletions
diff --git a/src/auth.c b/src/auth.c
index a491cf69..c1bb2cc5 100644
--- a/src/auth.c
+++ b/src/auth.c
@@ -495,6 +495,17 @@ int ssh_userauth_try_publickey(ssh_session session,
return SSH_ERROR;
}
+ sig_type_c = ssh_key_get_signature_algorithm(session, pubkey->type);
+
+ /* Check if the given public key algorithm is allowed */
+ if (!ssh_key_algorithm_allowed(session, sig_type_c)) {
+ ssh_set_error(session, SSH_REQUEST_DENIED,
+ "The key algorithm '%s' is not allowed to be used by"
+ " PUBLICKEY_ACCEPTED_TYPES configuration option",
+ sig_type_c);
+ return SSH_AUTH_DENIED;
+ }
+
rc = ssh_userauth_request_service(session);
if (rc == SSH_AGAIN) {
return SSH_AUTH_AGAIN;
@@ -507,7 +518,6 @@ int ssh_userauth_try_publickey(ssh_session session,
if (rc < 0) {
goto fail;
}
- sig_type_c = ssh_key_get_signature_algorithm(session, pubkey->type);
/* request */
rc = ssh_buffer_pack(session->out_buffer, "bsssbsS",
@@ -601,6 +611,19 @@ int ssh_userauth_publickey(ssh_session session,
return SSH_AUTH_ERROR;
}
+ /* Cert auth requires presenting the cert type name (*-cert@openssh.com) */
+ key_type = privkey->cert != NULL ? privkey->cert_type : privkey->type;
+ sig_type_c = ssh_key_get_signature_algorithm(session, key_type);
+
+ /* Check if the given public key algorithm is allowed */
+ if (!ssh_key_algorithm_allowed(session, sig_type_c)) {
+ ssh_set_error(session, SSH_REQUEST_DENIED,
+ "The key algorithm '%s' is not allowed to be used by"
+ " PUBLICKEY_ACCEPTED_TYPES configuration option",
+ sig_type_c);
+ return SSH_AUTH_DENIED;
+ }
+
rc = ssh_userauth_request_service(session);
if (rc == SSH_AGAIN) {
return SSH_AUTH_AGAIN;
@@ -608,10 +631,6 @@ int ssh_userauth_publickey(ssh_session session,
return SSH_AUTH_ERROR;
}
- /* Cert auth requires presenting the cert type name (*-cert@openssh.com) */
- key_type = privkey->cert != NULL ? privkey->cert_type : privkey->type;
- sig_type_c = ssh_key_get_signature_algorithm(session, key_type);
-
/* get public key or cert */
rc = ssh_pki_export_pubkey_blob(privkey, &str);
if (rc < 0) {
@@ -697,7 +716,6 @@ static int ssh_userauth_agent_publickey(ssh_session session,
return SSH_AUTH_ERROR;
}
-
/* public key */
rc = ssh_pki_export_pubkey_blob(pubkey, &str);
if (rc < 0) {
@@ -705,6 +723,15 @@ static int ssh_userauth_agent_publickey(ssh_session session,
}
sig_type_c = ssh_key_get_signature_algorithm(session, pubkey->type);
+ /* Check if the given public key algorithm is allowed */
+ if (!ssh_key_algorithm_allowed(session, sig_type_c)) {
+ ssh_set_error(session, SSH_REQUEST_DENIED,
+ "The key algorithm '%s' is not allowed to be used by"
+ " PUBLICKEY_ACCEPTED_TYPES configuration option",
+ sig_type_c);
+ return SSH_AUTH_DENIED;
+ }
+
/* request */
rc = ssh_buffer_pack(session->out_buffer, "bsssbsS",
SSH2_MSG_USERAUTH_REQUEST,