upstream: Add RequiredRSASize for sshd(8); RSA keys that fall

beneath this limit will be ignored for user and host-based authentication. Feedback deraadt@ ok markus@ OpenBSD-Commit-ID: 187931dfc19d51873df5930a04f2d972adf1f7f1
author: djm@openbsd.org <djm@openbsd.org> 2022-09-17 10:34:29 +0000
committer: Damien Miller <djm@mindrot.org> 2022-09-17 20:39:02 +1000
commit: 1875042c52a3b950ae5963c9ca3774a4cc7f0380 (patch)
tree: 565cb2e51ec10a389be85eab619cd379d83545ea /auth2-pubkey.c
parent: 54b333d12e55e6560b328c737d514ff3511f1afd (diff)
download: openssh-git-1875042c52a3b950ae5963c9ca3774a4cc7f0380.tar.gz
1 files changed, 6 insertions, 1 deletions
diff --git a/auth2-pubkey.c b/auth2-pubkey.c
index 962fd342..5d59febc 100644
--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-pubkey.c,v 1.116 2022/06/15 16:08:25 djm Exp $ */
+/* $OpenBSD: auth2-pubkey.c,v 1.117 2022/09/17 10:34:29 djm Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  * Copyright (c) 2010 Damien Miller.  All rights reserved.
@@ -175,6 +175,11 @@ userauth_pubkey(struct ssh *ssh, const char *method)
 		    "(null)" : key->cert->signature_type);
 		goto done;
 	}
+	if ((r = sshkey_check_rsa_length(key,
+	    options.required_rsa_size)) != 0) {
+		logit_r(r, "refusing %s key", sshkey_type(key));
+		goto done;
+	}
 	key_s = format_key(key);
 	if (sshkey_is_cert(key))
 		ca_s = format_key(key->cert->signature_key);
author	djm@openbsd.org <djm@openbsd.org>	2022-09-17 10:34:29 +0000
committer	Damien Miller <djm@mindrot.org>	2022-09-17 20:39:02 +1000
commit	1875042c52a3b950ae5963c9ca3774a4cc7f0380 (patch)
tree	565cb2e51ec10a389be85eab619cd379d83545ea /auth2-pubkey.c
parent	54b333d12e55e6560b328c737d514ff3511f1afd (diff)
download	openssh-git-1875042c52a3b950ae5963c9ca3774a4cc7f0380.tar.gz