diff options
author | Jakub Jelen <jjelen@redhat.com> | 2018-07-02 16:44:47 +0200 |
---|---|---|
committer | Andreas Schneider <asn@cryptomilk.org> | 2018-08-31 14:18:34 +0200 |
commit | 09cf301eeea985d859cae88db48db9046fe73d47 (patch) | |
tree | f78da6149707f74216948f3a3b37d004b18d7190 /src/auth.c | |
parent | 594c62d718ced4706a545c2ff21add5e3e1b652f (diff) | |
download | libssh-09cf301eeea985d859cae88db48db9046fe73d47.tar.gz libssh-09cf301eeea985d859cae88db48db9046fe73d47.tar.xz libssh-09cf301eeea985d859cae88db48db9046fe73d47.zip |
auth: Prevent authentication with non-allowed key algorithms
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
Diffstat (limited to 'src/auth.c')
-rw-r--r-- | src/auth.c | 39 |
1 files changed, 33 insertions, 6 deletions
@@ -495,6 +495,17 @@ int ssh_userauth_try_publickey(ssh_session session, return SSH_ERROR; } + sig_type_c = ssh_key_get_signature_algorithm(session, pubkey->type); + + /* Check if the given public key algorithm is allowed */ + if (!ssh_key_algorithm_allowed(session, sig_type_c)) { + ssh_set_error(session, SSH_REQUEST_DENIED, + "The key algorithm '%s' is not allowed to be used by" + " PUBLICKEY_ACCEPTED_TYPES configuration option", + sig_type_c); + return SSH_AUTH_DENIED; + } + rc = ssh_userauth_request_service(session); if (rc == SSH_AGAIN) { return SSH_AUTH_AGAIN; @@ -507,7 +518,6 @@ int ssh_userauth_try_publickey(ssh_session session, if (rc < 0) { goto fail; } - sig_type_c = ssh_key_get_signature_algorithm(session, pubkey->type); /* request */ rc = ssh_buffer_pack(session->out_buffer, "bsssbsS", @@ -601,6 +611,19 @@ int ssh_userauth_publickey(ssh_session session, return SSH_AUTH_ERROR; } + /* Cert auth requires presenting the cert type name (*-cert@openssh.com) */ + key_type = privkey->cert != NULL ? privkey->cert_type : privkey->type; + sig_type_c = ssh_key_get_signature_algorithm(session, key_type); + + /* Check if the given public key algorithm is allowed */ + if (!ssh_key_algorithm_allowed(session, sig_type_c)) { + ssh_set_error(session, SSH_REQUEST_DENIED, + "The key algorithm '%s' is not allowed to be used by" + " PUBLICKEY_ACCEPTED_TYPES configuration option", + sig_type_c); + return SSH_AUTH_DENIED; + } + rc = ssh_userauth_request_service(session); if (rc == SSH_AGAIN) { return SSH_AUTH_AGAIN; @@ -608,10 +631,6 @@ int ssh_userauth_publickey(ssh_session session, return SSH_AUTH_ERROR; } - /* Cert auth requires presenting the cert type name (*-cert@openssh.com) */ - key_type = privkey->cert != NULL ? privkey->cert_type : privkey->type; - sig_type_c = ssh_key_get_signature_algorithm(session, key_type); - /* get public key or cert */ rc = ssh_pki_export_pubkey_blob(privkey, &str); if (rc < 0) { @@ -697,7 +716,6 @@ static int ssh_userauth_agent_publickey(ssh_session session, return SSH_AUTH_ERROR; } - /* public key */ rc = ssh_pki_export_pubkey_blob(pubkey, &str); if (rc < 0) { @@ -705,6 +723,15 @@ static int ssh_userauth_agent_publickey(ssh_session session, } sig_type_c = ssh_key_get_signature_algorithm(session, pubkey->type); + /* Check if the given public key algorithm is allowed */ + if (!ssh_key_algorithm_allowed(session, sig_type_c)) { + ssh_set_error(session, SSH_REQUEST_DENIED, + "The key algorithm '%s' is not allowed to be used by" + " PUBLICKEY_ACCEPTED_TYPES configuration option", + sig_type_c); + return SSH_AUTH_DENIED; + } + /* request */ rc = ssh_buffer_pack(session->out_buffer, "bsssbsS", SSH2_MSG_USERAUTH_REQUEST, |