From 84399555f0a3c78b96c3e5a56ce9c83eaa814228 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Fri, 21 May 2010 14:58:12 +1000 Subject: [PATCH] - djm@cvs.openbsd.org 2010/05/20 11:25:26 [auth2-pubkey.c] fix logspam when key options (from="..." especially) deny non-matching keys; reported by henning@ also bz#1765; ok markus@ dtucker@ --- ChangeLog | 4 ++++ auth2-pubkey.c | 18 ++++++++++++------ 2 files changed, 16 insertions(+), 6 deletions(-) diff --git a/ChangeLog b/ChangeLog index fffbd727e..2cc1369fd 100644 --- a/ChangeLog +++ b/ChangeLog @@ -29,6 +29,10 @@ use with LPORT=`ssh -S muxsocket -R0:localhost:25 -O forward somehost` feedback and ok djm@ + - djm@cvs.openbsd.org 2010/05/20 11:25:26 + [auth2-pubkey.c] + fix logspam when key options (from="..." especially) deny non-matching + keys; reported by henning@ also bz#1765; ok markus@ dtucker@ 20100511 - (dtucker) [Makefile.in] Bug #1770: Link libopenbsd-compat twice to solve diff --git a/auth2-pubkey.c b/auth2-pubkey.c index 6b4a99725..faab0e771 100644 --- a/auth2-pubkey.c +++ b/auth2-pubkey.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth2-pubkey.c,v 1.24 2010/05/07 11:30:29 djm Exp $ */ +/* $OpenBSD: auth2-pubkey.c,v 1.25 2010/05/20 11:25:26 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -291,13 +291,14 @@ user_key_allowed2(struct passwd *pw, Key *key, char *file) continue; } } - if (auth_parse_options(pw, key_options, file, linenum) != 1) - continue; if (key_is_cert(key)) { - if (!key_is_cert_authority) - continue; if (!key_equal(found, key->cert->signature_key)) continue; + if (auth_parse_options(pw, key_options, file, + linenum) != 1) + continue; + if (!key_is_cert_authority) + continue; fp = key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX); debug("matching CA found: file %s, line %lu, %s %s", @@ -332,7 +333,12 @@ user_key_allowed2(struct passwd *pw, Key *key, char *file) xfree(fp); found_key = 1; break; - } else if (!key_is_cert_authority && key_equal(found, key)) { + } else if (key_equal(found, key)) { + if (auth_parse_options(pw, key_options, file, + linenum) != 1) + continue; + if (key_is_cert_authority) + continue; found_key = 1; debug("matching key found: file %s, line %lu", file, linenum);