diff options
author | Darren Tucker <dtucker@zip.com.au> | 2009-10-07 08:47:02 +1100 |
---|---|---|
committer | Darren Tucker <dtucker@zip.com.au> | 2009-10-07 08:47:02 +1100 |
commit | 893d73549d7cfa277434bf0113688a5a14055408 (patch) | |
tree | 7cc83baeb70199c132f8f239be7acfcf694d0384 | |
parent | 6b286a46821fa230258f1da82d0e013cfe3bf685 (diff) |
- djm@cvs.openbsd.org 2009/08/27 17:44:52
[authfd.c ssh-add.c authfd.h]
Do not fall back to adding keys without contraints (ssh-add -c / -t ...)
when the agent refuses the constrained add request. This was a useful
migration measure back in 2002 when constraints were new, but just
adds risk now.
bz #1612, report and patch from dkg AT fifthhorseman.net; ok markus@
-rw-r--r-- | ChangeLog | 7 | ||||
-rw-r--r-- | authfd.c | 8 | ||||
-rw-r--r-- | authfd.h | 3 | ||||
-rw-r--r-- | ssh-add.c | 5 |
4 files changed, 10 insertions, 13 deletions
@@ -60,6 +60,13 @@ [sftp-server.8] allow setting an explicit umask on the commandline to override whatever default the user has. bz#1229; ok dtucker@ deraadt@ markus@ + - djm@cvs.openbsd.org 2009/08/27 17:44:52 + [authfd.c ssh-add.c authfd.h] + Do not fall back to adding keys without contraints (ssh-add -c / -t ...) + when the agent refuses the constrained add request. This was a useful + migration measure back in 2002 when constraints were new, but just + adds risk now. + bz #1612, report and patch from dkg AT fifthhorseman.net; ok markus@ 20091002 - (djm) [Makefile.in] Mention readconf.o in ssh-keysign's make deps. @@ -1,4 +1,4 @@ -/* $OpenBSD: authfd.c,v 1.80 2006/08/03 03:34:41 deraadt Exp $ */ +/* $OpenBSD: authfd.c,v 1.81 2009/08/27 17:44:52 djm Exp $ */ /* * Author: Tatu Ylonen <ylo@cs.hut.fi> * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland @@ -545,12 +545,6 @@ ssh_add_identity_constrained(AuthenticationConnection *auth, Key *key, return decode_reply(type); } -int -ssh_add_identity(AuthenticationConnection *auth, Key *key, const char *comment) -{ - return ssh_add_identity_constrained(auth, key, comment, 0, 0); -} - /* * Removes an identity from the authentication server. This call is not * meant to be used by normal applications. @@ -1,4 +1,4 @@ -/* $OpenBSD: authfd.h,v 1.36 2006/08/03 03:34:41 deraadt Exp $ */ +/* $OpenBSD: authfd.h,v 1.37 2009/08/27 17:44:52 djm Exp $ */ /* * Author: Tatu Ylonen <ylo@cs.hut.fi> @@ -75,7 +75,6 @@ void ssh_close_authentication_connection(AuthenticationConnection *); int ssh_get_num_identities(AuthenticationConnection *, int); Key *ssh_get_first_identity(AuthenticationConnection *, char **, int); Key *ssh_get_next_identity(AuthenticationConnection *, char **, int); -int ssh_add_identity(AuthenticationConnection *, Key *, const char *); int ssh_add_identity_constrained(AuthenticationConnection *, Key *, const char *, u_int, u_int); int ssh_remove_identity(AuthenticationConnection *, Key *); @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-add.c,v 1.90 2007/09/09 11:38:01 sobrado Exp $ */ +/* $OpenBSD: ssh-add.c,v 1.91 2009/08/27 17:44:52 djm Exp $ */ /* * Author: Tatu Ylonen <ylo@cs.hut.fi> * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland @@ -195,9 +195,6 @@ add_file(AuthenticationConnection *ac, const char *filename) if (confirm != 0) fprintf(stderr, "The user has to confirm each use of the key\n"); - } else if (ssh_add_identity(ac, private, comment)) { - fprintf(stderr, "Identity added: %s (%s)\n", filename, comment); - ret = 0; } else { fprintf(stderr, "Could not add identity: %s\n", filename); } |