diff options
author | Damien Miller <djm@mindrot.org> | 2013-12-31 12:25:40 +1100 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2013-12-31 12:25:40 +1100 |
commit | 324541e5264e1489ca0babfaf2b39612eb80dfb3 (patch) | |
tree | 3adbfd162c3704e6aeb36f30ca09e4c04fbd25e2 /auth2-hostbased.c | |
parent | 9f4c8e797ea002a883307ca906f1f1f815010e78 (diff) | |
download | openssh-git-324541e5264e1489ca0babfaf2b39612eb80dfb3.tar.gz |
- djm@cvs.openbsd.org 2013/12/30 23:52:28
[auth2-hostbased.c auth2-pubkey.c compat.c compat.h ssh-rsa.c]
[sshconnect.c sshconnect2.c sshd.c]
refuse RSA keys from old proprietary clients/servers that use the
obsolete RSA+MD5 signature scheme. it will still be possible to connect
with these clients/servers but only DSA keys will be accepted, and we'll
deprecate them entirely in a future release. ok markus@
Diffstat (limited to 'auth2-hostbased.c')
-rw-r--r-- | auth2-hostbased.c | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/auth2-hostbased.c b/auth2-hostbased.c index a344dcc1..488008f6 100644 --- a/auth2-hostbased.c +++ b/auth2-hostbased.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth2-hostbased.c,v 1.16 2013/06/21 00:34:49 djm Exp $ */ +/* $OpenBSD: auth2-hostbased.c,v 1.17 2013/12/30 23:52:27 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -100,6 +100,12 @@ userauth_hostbased(Authctxt *authctxt) "(received %d, expected %d)", key->type, pktype); goto done; } + if (key_type_plain(key->type) == KEY_RSA && + (datafellows & SSH_BUG_RSASIGMD5) != 0) { + error("Refusing RSA key because peer uses unsafe " + "signature format"); + goto done; + } service = datafellows & SSH_BUG_HBSERVICE ? "ssh-userauth" : authctxt->service; buffer_init(&b); |