diff options
author | djm@openbsd.org <djm@openbsd.org> | 2018-09-20 03:28:06 +0000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2018-09-20 14:00:29 +1000 |
commit | 86e5737c39153af134158f24d0cab5827cbd5852 (patch) | |
tree | 1add30c99e83b544792233280451f70f03053586 /auth2-pubkey.c | |
parent | f80e68ea7d62e2dfafc12f1a60ab544ae4033a0f (diff) |
upstream: Add sshd_config CASignatureAlgorithms option to allow
control over which signature algorithms a CA may use when signing
certificates. In particular, this allows a sshd to ban certificates signed
with RSA/SHA1.
ok markus@
OpenBSD-Commit-ID: b05c86ef8b52b913ed48d54a9b9c1a7714d96bac
Diffstat (limited to 'auth2-pubkey.c')
-rw-r--r-- | auth2-pubkey.c | 10 |
1 files changed, 8 insertions, 2 deletions
diff --git a/auth2-pubkey.c b/auth2-pubkey.c index f9e4e2e7..2fb5950e 100644 --- a/auth2-pubkey.c +++ b/auth2-pubkey.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth2-pubkey.c,v 1.85 2018/08/28 12:25:53 mestre Exp $ */ +/* $OpenBSD: auth2-pubkey.c,v 1.86 2018/09/20 03:28:06 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -137,7 +137,13 @@ userauth_pubkey(struct ssh *ssh) __func__, sshkey_ssh_name(key)); goto done; } - + if ((r = sshkey_check_cert_sigtype(key, + options.ca_sign_algorithms)) != 0) { + logit("%s: certificate signature algorithm %s: %s", __func__, + (key->cert == NULL || key->cert->signature_type == NULL) ? + "(null)" : key->cert->signature_type, ssh_err(r)); + goto done; + } key_s = format_key(key); if (sshkey_is_cert(key)) ca_s = format_key(key->cert->signature_key); |