diff options
| author | djm@openbsd.org <djm@openbsd.org> | 2016-11-30 02:57:40 +0000 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2016-11-30 19:44:01 +1100 |
| commit | fd6dcef2030d23c43f986d26979f84619c10589d (patch) | |
| tree | a9b9d64866a656d5e187f7d63b61e1c1bede5e8f /auth-options.h | |
| parent | 7fc4766ac78abae81ee75b22b7550720bfa28a33 (diff) | |
| download | openssh-git-fd6dcef2030d23c43f986d26979f84619c10589d.tar.gz | |
upstream commit
When a forced-command appears in both a certificate and
an authorized keys/principals command= restriction, refuse to accept the
certificate unless they are identical.
The previous (documented) behaviour of having the certificate forced-
command override the other could be a bit confused and more error-prone.
Pointed out by Jann Horn of Project Zero; ok dtucker@
Upstream-ID: 79d811b6eb6bbe1221bf146dde6928f92d2cd05f
Diffstat (limited to 'auth-options.h')
| -rw-r--r-- | auth-options.h | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/auth-options.h b/auth-options.h index 34852e5c..52cbb42a 100644 --- a/auth-options.h +++ b/auth-options.h @@ -1,4 +1,4 @@ -/* $OpenBSD: auth-options.h,v 1.21 2015/01/14 10:30:34 markus Exp $ */ +/* $OpenBSD: auth-options.h,v 1.22 2016/11/30 02:57:40 djm Exp $ */ /* * Author: Tatu Ylonen <ylo@cs.hut.fi> @@ -35,6 +35,6 @@ extern char *authorized_principals; int auth_parse_options(struct passwd *, char *, char *, u_long); void auth_clear_options(void); -int auth_cert_options(struct sshkey *, struct passwd *); +int auth_cert_options(struct sshkey *, struct passwd *, const char **); #endif |