diff options
| author | djm@openbsd.org <djm@openbsd.org> | 2018-09-20 05:28:06 +0200 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2018-09-20 06:00:29 +0200 |
| commit | 86e5737c39153af134158f24d0cab5827cbd5852 (patch) | |
| tree | 1add30c99e83b544792233280451f70f03053586 /auth2-pubkey.c | |
| parent | upstream: Make "ssh-add -q" do what it says on the tin: silence (diff) | |
| download | openssh-86e5737c39153af134158f24d0cab5827cbd5852.tar.xz openssh-86e5737c39153af134158f24d0cab5827cbd5852.zip | |
upstream: Add sshd_config CASignatureAlgorithms option to allow
control over which signature algorithms a CA may use when signing
certificates. In particular, this allows a sshd to ban certificates signed
with RSA/SHA1.
ok markus@
OpenBSD-Commit-ID: b05c86ef8b52b913ed48d54a9b9c1a7714d96bac
Diffstat (limited to 'auth2-pubkey.c')
| -rw-r--r-- | auth2-pubkey.c | 10 |
1 files changed, 8 insertions, 2 deletions
diff --git a/auth2-pubkey.c b/auth2-pubkey.c index f9e4e2e7f..2fb5950ea 100644 --- a/auth2-pubkey.c +++ b/auth2-pubkey.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth2-pubkey.c,v 1.85 2018/08/28 12:25:53 mestre Exp $ */ +/* $OpenBSD: auth2-pubkey.c,v 1.86 2018/09/20 03:28:06 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -137,7 +137,13 @@ userauth_pubkey(struct ssh *ssh) __func__, sshkey_ssh_name(key)); goto done; } - + if ((r = sshkey_check_cert_sigtype(key, + options.ca_sign_algorithms)) != 0) { + logit("%s: certificate signature algorithm %s: %s", __func__, + (key->cert == NULL || key->cert->signature_type == NULL) ? + "(null)" : key->cert->signature_type, ssh_err(r)); + goto done; + } key_s = format_key(key); if (sshkey_is_cert(key)) ca_s = format_key(key->cert->signature_key); |