From 62bbf8f825cc390ecb0523752ddac1435006f206 Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org" <djm@openbsd.org>
Date: Sun, 15 Sep 2024 00:41:18 +0000
Subject: upstream: Do not apply authorized_keys options when signature

verification fails. Prevents restrictive key options being incorrectly
applied to subsequent keys in authorized_keys. bz3733, ok markus@

OpenBSD-Commit-ID: ba3776d9da4642443c19dbc015a1333622eb5a4e
---
 monitor.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/monitor.c b/monitor.c
index f4a835eee..4e68c4f80 100644
--- a/monitor.c
+++ b/monitor.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor.c,v 1.242 2024/09/09 02:39:57 djm Exp $ */
+/* $OpenBSD: monitor.c,v 1.243 2024/09/15 00:41:18 djm Exp $ */
 /*
  * Copyright 2002 Niels Provos <provos@citi.umich.edu>
  * Copyright 2002 Markus Friedl <markus@openbsd.org>
@@ -1496,7 +1496,7 @@ mm_answer_keyverify(struct ssh *ssh, int sock, struct sshbuf *m)
 	}
 	auth2_record_key(authctxt, ret == 0, key);
 
-	if (key_blobtype == MM_USERKEY)
+	if (key_blobtype == MM_USERKEY && ret == 0)
 		auth_activate_options(ssh, key_opts);
 	monitor_reset_key_state();
 
-- 
cgit v1.2.3