diff options
| -rw-r--r-- | ChangeLog | 8 | ||||
| -rw-r--r-- | monitor.c | 6 |
2 files changed, 12 insertions, 2 deletions
@@ -3,6 +3,12 @@ - deraadt@cvs.openbsd.org 2008/06/13 09:44:36 [packet.c] compile on older gcc; no decl after code + - dtucker@cvs.openbsd.org 2008/06/13 13:56:59 + [monitor.c] + Clear key options in the monitor on failed authentication, prevents + applying additional restrictions to non-pubkey authentications in + the case where pubkey fails but another method subsequently succeeds. + bz #1472, found by Colin Watson, ok markus@ djm@ 20080612 - (dtucker) OpenBSD CVS Sync @@ -4341,4 +4347,4 @@ OpenServer 6 and add osr5bigcrypt support so when someone migrates passwords between UnixWare and OpenServer they will still work. OK dtucker@ -$Id: ChangeLog,v 1.5004 2008/06/13 12:02:50 dtucker Exp $ +$Id: ChangeLog,v 1.5005 2008/06/13 22:59:49 dtucker Exp $ @@ -1,4 +1,4 @@ -/* $OpenBSD: monitor.c,v 1.96 2008/05/08 12:21:16 djm Exp $ */ +/* $OpenBSD: monitor.c,v 1.97 2008/06/13 13:56:59 dtucker Exp $ */ /* * Copyright 2002 Niels Provos <provos@citi.umich.edu> * Copyright 2002 Markus Friedl <markus@openbsd.org> @@ -1015,6 +1015,8 @@ mm_answer_keyallowed(int sock, Buffer *m) allowed = options.pubkey_authentication && user_key_allowed(authctxt->pw, key); auth_method = "publickey"; + if (options.pubkey_authentication && allowed != 1) + auth_clear_options(); break; case MM_HOSTKEY: allowed = options.hostbased_authentication && @@ -1027,6 +1029,8 @@ mm_answer_keyallowed(int sock, Buffer *m) allowed = options.rhosts_rsa_authentication && auth_rhosts_rsa_key_allowed(authctxt->pw, cuser, chost, key); + if (options.rhosts_rsa_authentication && allowed != 1) + auth_clear_options(); auth_method = "rsa"; break; default: |