- djm@cvs.openbsd.org 2010/05/20 11:25:26

     [auth2-pubkey.c]
     fix logspam when key options (from="..." especially) deny non-matching
     keys; reported by henning@ also bz#1765; ok markus@ dtucker@

1 files changed, 12 insertions, 6 deletions

diff --git a/auth2-pubkey.c b/auth2-pubkey.c
index 6b4a9972..faab0e77 100644
--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-pubkey.c,v 1.24 2010/05/07 11:30:29 djm Exp $ */
+/* $OpenBSD: auth2-pubkey.c,v 1.25 2010/05/20 11:25:26 djm Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  *
@@ -291,13 +291,14 @@ user_key_allowed2(struct passwd *pw, Key *key, char *file)
 				continue;
 			}
 		}
-		if (auth_parse_options(pw, key_options, file, linenum) != 1)
-			continue;
 		if (key_is_cert(key)) {
-			if (!key_is_cert_authority)
-				continue;
 			if (!key_equal(found, key->cert->signature_key))
 				continue;
+			if (auth_parse_options(pw, key_options, file,
+			    linenum) != 1)
+				continue;
+			if (!key_is_cert_authority)
+				continue;
 			fp = key_fingerprint(found, SSH_FP_MD5,
 			    SSH_FP_HEX);
 			debug("matching CA found: file %s, line %lu, %s %s",
@@ -332,7 +333,12 @@ user_key_allowed2(struct passwd *pw, Key *key, char *file)
 			xfree(fp);
 			found_key = 1;
 			break;
-		} else if (!key_is_cert_authority && key_equal(found, key)) {
+		} else if (key_equal(found, key)) {
+			if (auth_parse_options(pw, key_options, file,
+			    linenum) != 1)
+				continue;
+			if (key_is_cert_authority)
+				continue;
 			found_key = 1;
 			debug("matching key found: file %s, line %lu",
 			    file, linenum);