upstream: Add RequiredRSASize for sshd(8); RSA keys that fall

beneath this limit will be ignored for user and host-based authentication. Feedback deraadt@ ok markus@ OpenBSD-Commit-ID: 187931dfc19d51873df5930a04f2d972adf1f7f1
author: djm@openbsd.org <djm@openbsd.org> 2022-09-17 10:34:29 +0000
committer: Damien Miller <djm@mindrot.org> 2022-09-17 20:39:02 +1000
commit: 1875042c52a3b950ae5963c9ca3774a4cc7f0380 (patch)
tree: 565cb2e51ec10a389be85eab619cd379d83545ea /auth2-hostbased.c
parent: 54b333d12e55e6560b328c737d514ff3511f1afd (diff)
download: openssh-git-1875042c52a3b950ae5963c9ca3774a4cc7f0380.tar.gz
1 files changed, 6 insertions, 1 deletions
diff --git a/auth2-hostbased.c b/auth2-hostbased.c
index 36b9d2f5..6b517db4 100644
--- a/auth2-hostbased.c
+++ b/auth2-hostbased.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-hostbased.c,v 1.49 2022/01/06 22:01:14 djm Exp $ */
+/* $OpenBSD: auth2-hostbased.c,v 1.50 2022/09/17 10:34:29 djm Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  *
@@ -119,6 +119,11 @@ userauth_hostbased(struct ssh *ssh, const char *method)
 		    "(null)" : key->cert->signature_type);
 		goto done;
 	}
+	if ((r = sshkey_check_rsa_length(key,
+	    options.required_rsa_size)) != 0) {
+		logit_r(r, "refusing %s key", sshkey_type(key));
+		goto done;
+	}
 
 	if (!authctxt->valid || authctxt->user == NULL) {
 		debug2_f("disabled because of invalid user");
author	djm@openbsd.org <djm@openbsd.org>	2022-09-17 10:34:29 +0000
committer	Damien Miller <djm@mindrot.org>	2022-09-17 20:39:02 +1000
commit	1875042c52a3b950ae5963c9ca3774a4cc7f0380 (patch)
tree	565cb2e51ec10a389be85eab619cd379d83545ea /auth2-hostbased.c
parent	54b333d12e55e6560b328c737d514ff3511f1afd (diff)
download	openssh-git-1875042c52a3b950ae5963c9ca3774a4cc7f0380.tar.gz