Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[src/OPENSSH]: src/crypto/external/bsd/openssh/dist Import OpenSSH-9.1 (previ...
details: https://anonhg.NetBSD.org/src/rev/26af3c5d753e
branches: OPENSSH
changeset: 371766:26af3c5d753e
user: christos <christos%NetBSD.org@localhost>
date: Wed Oct 05 22:35:32 2022 +0000
description:
Import OpenSSH-9.1 (previously we were on OpenSSH-9.0)
This release is focused on bug fixing.
Security
========
This release contains fixes for three minor memory safety problems.
None are believed to be exploitable, but we report most memory safety
problems as potential security vulnerabilities out of caution.
* ssh-keyscan(1): fix a one-byte overflow in SSH- banner processing.
Reported by Qualys
* ssh-keygen(1): double free() in error path of file hashing step in
signing/verify code; GHPR333
* ssh-keysign(8): double-free in error path introduced in openssh-8.9
Potentially-incompatible changes
--------------------------------
* The portable OpenSSH project now signs commits and release tags
using git's recent SSH signature support. The list of developer
signing keys is included in the repository as .git_allowed_signers
and is cross-signed using the PGP key that is still used to sign
release artifacts:
https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc
* ssh(1), sshd(8): SetEnv directives in ssh_config and sshd_config
are now first-match-wins to match other directives. Previously
if an environment variable was multiply specified the last set
value would have been used. bz3438
* ssh-keygen(8): ssh-keygen -A (generate all default host key types)
will no longer generate DSA keys, as these are insecure and have
not been used by default for some years.
New features
------------
* ssh(1), sshd(8): add a RequiredRSASize directive to set a minimum
RSA key length. Keys below this length will be ignored for user
authentication and for host authentication in sshd(8).
ssh(1) will terminate a connection if the server offers an RSA key
that falls below this limit, as the SSH protocol does not include
the ability to retry a failed key exchange.
* sftp-server(8): add a "users-groups-by-id%openssh.com@localhost" extension
request that allows the client to obtain user/group names that
correspond to a set of uids/gids.
* sftp(1): use "users-groups-by-id%openssh.com@localhost" sftp-server
extension (when available) to fill in user/group names for
directory listings.
* sftp-server(8): support the "home-directory" extension request
defined in draft-ietf-secsh-filexfer-extensions-00. This overlaps
a bit with the existing "expand-path%openssh.com@localhost", but some other
clients support it.
* ssh-keygen(1), sshd(8): allow certificate validity intervals,
sshsig verification times and authorized_keys expiry-time options
to accept dates in the UTC time zone in addition to the default
of interpreting them in the system time zone. YYYYMMDD and
YYMMDDHHMM[SS] dates/times will be interpreted as UTC if suffixed
with a 'Z' character.
Also allow certificate validity intervals to be specified in raw
seconds-since-epoch as hex value, e.g. -V 0x1234:0x4567890. This
is intended for use by regress tests and other tools that call
ssh-keygen as part of a CA workflow. bz3468
* sftp(1): allow arguments to the sftp -D option, e.g. sftp -D
"/usr/libexec/sftp-server -el debug3"
* ssh-keygen(1): allow the existing -U (use agent) flag to work
with "-Y sign" operations, where it will be interpreted to require
that the private keys is hosted in an agent; bz3429
Bugfixes
--------
* ssh-keygen(1): implement the "verify-required" certificate option.
This was already documented when support for user-verified FIDO
keys was added, but the ssh-keygen(1) code was missing.
* ssh-agent(1): hook up the restrict_websafe command-line flag;
previously the flag was accepted but never actually used.
* sftp(1): improve filename tab completions: never try to complete
names to non-existent commands, and better match the completion
type (local or remote filename) against the argument position
being completed.
* ssh-keygen(1), ssh(1), ssh-agent(1): several fixes to FIDO key
handling, especially relating to keys that request
user-verification. These should reduce the number of unnecessary
PIN prompts for keys that support intrinsic user verification.
GHPR302, GHPR329
* ssh-keygen(1): when enrolling a FIDO resident key, check if a
credential with matching application and user ID strings already
exists and, if so, prompt the user for confirmation before
overwriting the credential. GHPR329
* sshd(8): improve logging of errors when opening authorized_keys
files. bz2042
* ssh(1): avoid multiplexing operations that could cause SIGPIPE from
causing the client to exit early. bz3454
* ssh_config(5), sshd_config(5): clarify that the RekeyLimit
directive applies to both transmitted and received data. GHPR328
* ssh-keygen(1): avoid double fclose() in error path.
* sshd(8): log an error if pipe() fails while accepting a
connection. bz3447
* ssh(1), ssh-keygen(1): fix possible NULL deref when built without
FIDO support. bz3443
* ssh-keyscan(1): add missing *-sk types to ssh-keyscan manpage.
GHPR294.
* sshd(8): ensure that authentication passwords are cleared from
memory in error paths. GHPR286
* ssh(1), ssh-agent(1): avoid possibility of notifier code executing
kill(-1). GHPR286
* ssh_config(5): note that the ProxyJump directive also accepts the
same tokens as ProxyCommand. GHPR305.
* scp(1): do not not ftruncate(3) files early when in sftp mode. The
previous behaviour of unconditionally truncating the destination
file would cause "scp ~/foo localhost:foo" and the reverse
"scp localhost:foo ~/foo" to delete all the contents of their
destination. bz3431
* ssh-keygen(1): improve error message when 'ssh-keygen -Y sign' is
unable to load a private key; bz3429
* sftp(1), scp(1): when performing operations that glob(3) a remote
path, ensure that the implicit working directory used to construct
that path escapes glob(3) characters. This prevents glob characters
from being processed in places they shouldn't, e.g. "cd /tmp/a*/",
"get *.txt" should have the get operation treat the path "/tmp/a*"
literally and not attempt to expand it.
* ssh(1), sshd(8): be stricter in which characters will be accepted
in specifying a mask length; allow only 0-9. GHPR278
* ssh-keygen(1): avoid printing hash algorithm twice when dumping a
KRL
* ssh(1), sshd(8): continue running local I/O for open channels
during SSH transport rekeying. This should make ~-escapes work in
the client (e.g. to exit) if the connection happened to have
stalled during a rekey event.
* ssh(1), sshd(8): avoid potential poll() spin during rekeying
* Further hardening for sshbuf internals: disallow "reparenting" a
hierarchical sshbuf and zero the entire buffer if reallocation
fails. GHPR287
Portability
-----------
* ssh(1), ssh-keygen(1), sshd(8): automatically enable the built-in
FIDO security key support if libfido2 is found and usable, unless
--without-security-key-builtin was requested.
* ssh(1), ssh-keygen(1), sshd(8): many fixes to make the WinHello
FIDO device usable on Cygwin. The windows://hello FIDO device will
be automatically used by default on this platform unless requested
otherwise, or when probing resident FIDO credentials (an operation
not currently supported by WinHello).
* Portable OpenSSH: remove workarounds for obsolete and unsupported
versions of OpenSSL libcrypto. In particular, this release removes
fallback support for OpenSSL that lacks AES-CTR or AES-GCM.
Those AES cipher modes were added to OpenSSL prior to the minimum
version currently supported by OpenSSH, so this is not expected to
impact any currently supported configurations.
* sshd(8): fix SANDBOX_SECCOMP_FILTER_DEBUG on current Linux/glibc
* All: resync and clean up internal CSPRNG code.
* scp(1), sftp(1), sftp-server(8): avoid linking these programs with
unnecessary libraries. They are no longer linked against libz and
libcrypto. This may be of benefit to space constrained systems
using any of those components in isolation.
* sshd(8): add AUDIT_ARCH_PPC to supported seccomp sandbox
architectures.
* configure: remove special casing of crypt(). configure will no
longer search for crypt() in libcrypto, as it was removed from
there years ago. configure will now only search libc and libcrypt.
* configure: refuse to use OpenSSL 3.0.4 due to potential RCE in its
RSA implementation (CVE-2022-2274) on x86_64.
* All: request 1.1x API compatibility for OpenSSL >=3.x; GHPR322
* ssh(1), ssh-keygen(1), sshd(8): fix a number of missing includes
required by the XMSS code on some platforms.
* sshd(8): cache timezone data in capsicum sandbox.
diffstat:
crypto/external/bsd/openssh/dist/PROTOCOL | 65 ++-
crypto/external/bsd/openssh/dist/PROTOCOL.agent | 6 +-
crypto/external/bsd/openssh/dist/PROTOCOL.key | 12 +-
crypto/external/bsd/openssh/dist/addr.c | 4 +-
crypto/external/bsd/openssh/dist/auth.c | 155 +----
crypto/external/bsd/openssh/dist/auth.h | 26 +-
crypto/external/bsd/openssh/dist/auth2-hostbased.c | 7 +-
crypto/external/bsd/openssh/dist/auth2-passwd.c | 10 +-
crypto/external/bsd/openssh/dist/auth2-pubkey.c | 357 +----------
crypto/external/bsd/openssh/dist/auth2-pubkeyfile.c | 500 ++++++++++++++++
crypto/external/bsd/openssh/dist/authfd.c | 3 +-
crypto/external/bsd/openssh/dist/authfile.c | 19 +-
crypto/external/bsd/openssh/dist/channels.c | 48 +-
crypto/external/bsd/openssh/dist/channels.h | 4 +-
crypto/external/bsd/openssh/dist/clientloop.c | 14 +-
crypto/external/bsd/openssh/dist/compat.c | 15 +-
crypto/external/bsd/openssh/dist/krl.c | 4 +-
crypto/external/bsd/openssh/dist/misc.c | 43 +-
crypto/external/bsd/openssh/dist/misc.h | 4 +-
crypto/external/bsd/openssh/dist/moduli-gen/moduli.2048 | 146 ++--
crypto/external/bsd/openssh/dist/moduli-gen/moduli.3072 | 129 ++-
crypto/external/bsd/openssh/dist/moduli-gen/moduli.4096 | 141 ++--
crypto/external/bsd/openssh/dist/moduli-gen/moduli.6144 | 129 ++-
crypto/external/bsd/openssh/dist/moduli-gen/moduli.7680 | 138 +--
crypto/external/bsd/openssh/dist/moduli-gen/moduli.8192 | 116 ++-
crypto/external/bsd/openssh/dist/moduli.c | 14 +-
crypto/external/bsd/openssh/dist/monitor.c | 2 +-
crypto/external/bsd/openssh/dist/monitor_wrap.c | 2 +-
crypto/external/bsd/openssh/dist/monitor_wrap.h | 4 +-
crypto/external/bsd/openssh/dist/mux.c | 11 +-
crypto/external/bsd/openssh/dist/packet.c | 4 +-
crypto/external/bsd/openssh/dist/readconf.c | 60 +-
crypto/external/bsd/openssh/dist/readconf.h | 12 +-
crypto/external/bsd/openssh/dist/readpass.c | 5 +-
crypto/external/bsd/openssh/dist/scp.1 | 9 +-
crypto/external/bsd/openssh/dist/scp.c | 10 +-
crypto/external/bsd/openssh/dist/servconf.c | 19 +-
crypto/external/bsd/openssh/dist/servconf.h | 3 +-
crypto/external/bsd/openssh/dist/serverloop.c | 5 +-
crypto/external/bsd/openssh/dist/sftp-client.c | 215 +++++-
crypto/external/bsd/openssh/dist/sftp-client.h | 26 +-
crypto/external/bsd/openssh/dist/sftp-common.c | 18 +-
crypto/external/bsd/openssh/dist/sftp-common.h | 5 +-
crypto/external/bsd/openssh/dist/sftp-server.c | 94 ++-
crypto/external/bsd/openssh/dist/sftp-usergroup.c | 238 +++++++
crypto/external/bsd/openssh/dist/sftp-usergroup.h | 25 +
crypto/external/bsd/openssh/dist/sftp.1 | 11 +-
crypto/external/bsd/openssh/dist/sftp.c | 202 ++++--
crypto/external/bsd/openssh/dist/sk-api.h | 6 +-
crypto/external/bsd/openssh/dist/sk-usbhid.c | 95 ++-
crypto/external/bsd/openssh/dist/ssh-add.c | 6 +-
crypto/external/bsd/openssh/dist/ssh-agent.c | 24 +-
crypto/external/bsd/openssh/dist/ssh-ed25519.c | 8 +-
crypto/external/bsd/openssh/dist/ssh-keygen.1 | 224 ++++--
crypto/external/bsd/openssh/dist/ssh-keygen.c | 194 ++++--
crypto/external/bsd/openssh/dist/ssh-keyscan.1 | 10 +-
crypto/external/bsd/openssh/dist/ssh-keyscan.c | 16 +-
crypto/external/bsd/openssh/dist/ssh-keysign.c | 6 +-
crypto/external/bsd/openssh/dist/ssh-pkcs11-helper.8 | 23 +-
crypto/external/bsd/openssh/dist/ssh-sk-helper.8 | 23 +-
crypto/external/bsd/openssh/dist/ssh-sk-helper.c | 3 +-
crypto/external/bsd/openssh/dist/ssh-sk.c | 4 +-
crypto/external/bsd/openssh/dist/ssh-xmss.c | 4 +-
crypto/external/bsd/openssh/dist/ssh.1 | 12 +-
crypto/external/bsd/openssh/dist/ssh.c | 30 +-
crypto/external/bsd/openssh/dist/ssh_config.5 | 25 +-
crypto/external/bsd/openssh/dist/sshbuf-getput-basic.c | 2 +-
crypto/external/bsd/openssh/dist/sshbuf-getput-crypto.c | 2 +-
crypto/external/bsd/openssh/dist/sshbuf.c | 9 +-
crypto/external/bsd/openssh/dist/sshbuf.h | 2 +-
crypto/external/bsd/openssh/dist/sshconnect.c | 6 +-
crypto/external/bsd/openssh/dist/sshconnect2.c | 74 +-
crypto/external/bsd/openssh/dist/sshd.8 | 12 +-
crypto/external/bsd/openssh/dist/sshd.c | 34 +-
crypto/external/bsd/openssh/dist/sshd_config.5 | 22 +-
crypto/external/bsd/openssh/dist/sshkey.c | 98 +-
crypto/external/bsd/openssh/dist/sshkey.h | 3 +-
crypto/external/bsd/openssh/dist/sshsig.c | 7 +-
crypto/external/bsd/openssh/dist/version.h | 4 +-
crypto/external/bsd/openssh/dist/xmss_hash.c | 4 +-
80 files changed, 2608 insertions(+), 1473 deletions(-)
diffs (truncated from 6737 to 300 lines):
diff -r bcdbdf6848fa -r 26af3c5d753e crypto/external/bsd/openssh/dist/PROTOCOL
--- a/crypto/external/bsd/openssh/dist/PROTOCOL Fri Apr 15 13:58:16 2022 +0000
+++ b/crypto/external/bsd/openssh/dist/PROTOCOL Wed Oct 05 22:35:32 2022 +0000
@@ -102,6 +102,8 @@
described at:
http://git.libssh.org/users/aris/libssh.git/plain/doc/curve25519-sha256%libssh.org.txt@localhost?h=curve25519
+This is identical to curve25519-sha256 as later published in RFC8731.
+
2. Connection protocol changes
2.1. connection: Channel write close extension "eow%openssh.com@localhost"
@@ -613,6 +615,67 @@
https://tools.ietf.org/html/draft-ietf-secsh-filexfer-extensions-00#section-7
+4.11. sftp: Extension request "home-directory"
+
+This request asks the server to expand the specified user's home directory.
+An empty username implies the current user. This can be used by the client
+to expand ~/ type paths locally.
+
+ byte SSH_FXP_EXTENDED
+ uint32 id
+ string "home-directory"
+ string username
+
+This extension is advertised in the SSH_FXP_VERSION hello with version
+"1".
+
+This provides similar information as the "expand-path%openssh.com@localhost" extension.
+
+This request is identical to the "home-directory" request documented in:
+
+https://datatracker.ietf.org/doc/html/draft-ietf-secsh-filexfer-extensions-00#section-5
+
+4.12. sftp: Extension request "users-groups-by-id%openssh.com@localhost"
+
+This request asks the server to returns user and/or group names that
+correspond to one or more IDs (e.g. as returned from a SSH_FXP_STAT
+request). This may be used by the client to provide usernames in
+directory listings.
+
+ byte SSH_FXP_EXTENDED
+ uint32 id
+ string "users-groups-by-id%openssh.com@localhost"
+ string uids
+ string gids
+
+Where "uids" and "gids" consists of one or more integer user or group
+identifiers:
+
+ uint32 id-0
+ ...
+
+The server will reply with a SSH_FXP_EXTENDED_REPLY:
+
+ byte SSH_FXP_EXTENDED_REPLY
+ string usernames
+ string groupnames
+
+Where "username" and "groupnames" consists of names in identical request
+order to "uids" and "gids" respectively:
+
+ string name-0
+ ...
+
+If a name cannot be identified for a given user or group ID, an empty
+string will be returned in its place.
+
+It is acceptable for either "uids" or "gids" to be an empty set, in
+which case the respective "usernames" or "groupnames" list will also
+be empty.
+
+This extension is advertised in the SSH_FXP_VERSION hello with version
+"1".
+
5. Miscellaneous changes
5.1 Public key format
@@ -649,4 +712,4 @@
OpenSSH extends the usual agent protocol. These changes are documented
in the PROTOCOL.agent file.
-$OpenBSD: PROTOCOL,v 1.44 2022/03/31 03:05:49 djm Exp $
+$OpenBSD: PROTOCOL,v 1.47 2022/09/19 10:40:52 djm Exp $
diff -r bcdbdf6848fa -r 26af3c5d753e crypto/external/bsd/openssh/dist/PROTOCOL.agent
--- a/crypto/external/bsd/openssh/dist/PROTOCOL.agent Fri Apr 15 13:58:16 2022 +0000
+++ b/crypto/external/bsd/openssh/dist/PROTOCOL.agent Wed Oct 05 22:35:32 2022 +0000
@@ -1,7 +1,7 @@
The SSH agent protocol is described in
https://tools.ietf.org/html/draft-miller-ssh-agent-04
-This file document's OpenSSH's extensions to the agent protocol.
+This file documents OpenSSH's extensions to the agent protocol.
1. session-bind%openssh.com@localhost extension
@@ -54,7 +54,7 @@
string to_hostname
keyspec[] to_hostkeys
-An a keyspec consists of:
+And a keyspec consists of:
string keyblob
bool is_ca
@@ -81,4 +81,4 @@
This option is only valid for XMSS keys.
-$OpenBSD: PROTOCOL.agent,v 1.16 2022/01/01 01:55:30 jsg Exp $
+$OpenBSD: PROTOCOL.agent,v 1.18 2022/09/21 22:26:50 dtucker Exp $
diff -r bcdbdf6848fa -r 26af3c5d753e crypto/external/bsd/openssh/dist/PROTOCOL.key
--- a/crypto/external/bsd/openssh/dist/PROTOCOL.key Fri Apr 15 13:58:16 2022 +0000
+++ b/crypto/external/bsd/openssh/dist/PROTOCOL.key Wed Oct 05 22:35:32 2022 +0000
@@ -11,7 +11,7 @@
string ciphername
string kdfname
string kdfoptions
- int number of keys N
+ uint32 number of keys N
string publickey1
string publickey2
...
@@ -42,11 +42,11 @@
...
string privatekeyN
string commentN
- char 1
- char 2
- char 3
+ byte 1
+ byte 2
+ byte 3
...
- char padlen % 255
+ byte padlen % 255
where each private key is encoded using the same rules as used for
SSH agent.
@@ -68,4 +68,4 @@
are used with empty passphrases. The options if the KDF "none"
are the empty string.
-$OpenBSD: PROTOCOL.key,v 1.2 2021/05/07 02:29:40 djm Exp $
+$OpenBSD: PROTOCOL.key,v 1.3 2022/07/01 04:45:50 djm Exp $
diff -r bcdbdf6848fa -r 26af3c5d753e crypto/external/bsd/openssh/dist/addr.c
--- a/crypto/external/bsd/openssh/dist/addr.c Fri Apr 15 13:58:16 2022 +0000
+++ b/crypto/external/bsd/openssh/dist/addr.c Wed Oct 05 22:35:32 2022 +0000
@@ -1,4 +1,4 @@
-/* $OpenBSD: addr.c,v 1.4 2021/10/22 10:51:57 dtucker Exp $ */
+/* $OpenBSD: addr.c,v 1.5 2022/04/29 04:55:07 djm Exp $ */
/*
* Copyright (c) 2004-2008 Damien Miller <djm%mindrot.org@localhost>
@@ -393,7 +393,7 @@
*mp = '\0';
mp++;
masklen = strtoul(mp, &cp, 10);
- if (*mp == '\0' || *cp != '\0' || masklen > 128)
+ if (*mp < '0' || *mp > '9' || *cp != '\0' || masklen > 128)
return -1;
}
diff -r bcdbdf6848fa -r 26af3c5d753e crypto/external/bsd/openssh/dist/auth.c
--- a/crypto/external/bsd/openssh/dist/auth.c Fri Apr 15 13:58:16 2022 +0000
+++ b/crypto/external/bsd/openssh/dist/auth.c Wed Oct 05 22:35:32 2022 +0000
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth.c,v 1.154 2022/02/23 11:17:10 djm Exp $ */
+/* $OpenBSD: auth.c,v 1.158 2022/06/03 04:47:21 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
*
@@ -412,62 +412,6 @@
return host_status;
}
-static FILE *
-auth_openfile(const char *file, struct passwd *pw, int strict_modes,
- int log_missing, char *file_type)
-{
- char line[1024];
- struct stat st;
- int fd;
- FILE *f;
-
- if ((fd = open(file, O_RDONLY|O_NONBLOCK)) == -1) {
- if (log_missing || errno != ENOENT)
- debug("Could not open %s '%s': %s", file_type, file,
- strerror(errno));
- return NULL;
- }
-
- if (fstat(fd, &st) == -1) {
- close(fd);
- return NULL;
- }
- if (!S_ISREG(st.st_mode)) {
- logit("User %s %s %s is not a regular file",
- pw->pw_name, file_type, file);
- close(fd);
- return NULL;
- }
- unset_nonblock(fd);
- if ((f = fdopen(fd, "r")) == NULL) {
- close(fd);
- return NULL;
- }
- if (strict_modes &&
- safe_path_fd(fileno(f), file, pw, line, sizeof(line)) != 0) {
- fclose(f);
- logit("Authentication refused: %s", line);
- auth_debug_add("Ignored %s: %s", file_type, line);
- return NULL;
- }
-
- return f;
-}
-
-
-FILE *
-auth_openkeyfile(const char *file, struct passwd *pw, int strict_modes)
-{
- return auth_openfile(file, pw, strict_modes, 1, "authorized keys");
-}
-
-FILE *
-auth_openprincipals(const char *file, struct passwd *pw, int strict_modes)
-{
- return auth_openfile(file, pw, strict_modes, 0,
- "authorized principals");
-}
-
struct passwd *
getpwnamallow(struct ssh *ssh, const char *user)
{
@@ -824,7 +768,8 @@
debug_f("restricting session");
/* A blank sshauthopt defaults to permitting nothing */
- restricted = sshauthopt_new();
+ if ((restricted = sshauthopt_new()) == NULL)
+ fatal_f("sshauthopt_new failed");
restricted->permit_pty_flag = 1;
restricted->restricted = 1;
@@ -832,97 +777,3 @@
fatal_f("failed to restrict session");
sshauthopt_free(restricted);
}
-
-int
-auth_authorise_keyopts(struct ssh *ssh, struct passwd *pw,
- struct sshauthopt *opts, int allow_cert_authority, const char *loc)
-{
- const char *remote_ip = ssh_remote_ipaddr(ssh);
- const char *remote_host = auth_get_canonical_hostname(ssh,
- options.use_dns);
- time_t now = time(NULL);
- char buf[64];
-
- /*
- * Check keys/principals file expiry time.
- * NB. validity interval in certificate is handled elsewhere.
- */
- if (opts->valid_before && now > 0 &&
- opts->valid_before < (uint64_t)now) {
- format_absolute_time(opts->valid_before, buf, sizeof(buf));
- debug("%s: entry expired at %s", loc, buf);
- auth_debug_add("%s: entry expired at %s", loc, buf);
- return -1;
- }
- /* Consistency checks */
- if (opts->cert_principals != NULL && !opts->cert_authority) {
- debug("%s: principals on non-CA key", loc);
- auth_debug_add("%s: principals on non-CA key", loc);
- /* deny access */
- return -1;
- }
- /* cert-authority flag isn't valid in authorized_principals files */
- if (!allow_cert_authority && opts->cert_authority) {
- debug("%s: cert-authority flag invalid here", loc);
- auth_debug_add("%s: cert-authority flag invalid here", loc);
- /* deny access */
- return -1;
- }
-
- /* Perform from= checks */
- if (opts->required_from_host_keys != NULL) {
- switch (match_host_and_ip(remote_host, remote_ip,
- opts->required_from_host_keys )) {
- case 1:
- /* Host name matches. */
- break;
- case -1:
- default:
- debug("%s: invalid from criteria", loc);
- auth_debug_add("%s: invalid from criteria", loc);
- /* FALLTHROUGH */
Home |
Main Index |
Thread Index |
Old Index