summaryrefslogtreecommitdiff
path: root/auth2-pubkey.c
diff options
context:
space:
mode:
authordjm@openbsd.org <djm@openbsd.org>2018-09-20 03:28:06 +0000
committerDamien Miller <djm@mindrot.org>2018-09-20 14:00:29 +1000
commit86e5737c39153af134158f24d0cab5827cbd5852 (patch)
tree1add30c99e83b544792233280451f70f03053586 /auth2-pubkey.c
parentf80e68ea7d62e2dfafc12f1a60ab544ae4033a0f (diff)
upstream: Add sshd_config CASignatureAlgorithms option to allow
control over which signature algorithms a CA may use when signing certificates. In particular, this allows a sshd to ban certificates signed with RSA/SHA1. ok markus@ OpenBSD-Commit-ID: b05c86ef8b52b913ed48d54a9b9c1a7714d96bac
Diffstat (limited to 'auth2-pubkey.c')
-rw-r--r--auth2-pubkey.c10
1 files changed, 8 insertions, 2 deletions
diff --git a/auth2-pubkey.c b/auth2-pubkey.c
index f9e4e2e7..2fb5950e 100644
--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-pubkey.c,v 1.85 2018/08/28 12:25:53 mestre Exp $ */
+/* $OpenBSD: auth2-pubkey.c,v 1.86 2018/09/20 03:28:06 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
*
@@ -137,7 +137,13 @@ userauth_pubkey(struct ssh *ssh)
__func__, sshkey_ssh_name(key));
goto done;
}
-
+ if ((r = sshkey_check_cert_sigtype(key,
+ options.ca_sign_algorithms)) != 0) {
+ logit("%s: certificate signature algorithm %s: %s", __func__,
+ (key->cert == NULL || key->cert->signature_type == NULL) ?
+ "(null)" : key->cert->signature_type, ssh_err(r));
+ goto done;
+ }
key_s = format_key(key);
if (sshkey_is_cert(key))
ca_s = format_key(key->cert->signature_key);