[Bug 1829] auth-rsa.c: move auth_key_is_revoked() call from auth_rsa_verify_response() to auth_rsa_key_allowed()

bugzilla-daemon at bugzilla.mindrot.org
Fri Nov 5 11:56:03 EST 2010


https://bugzilla.mindrot.org/show_bug.cgi?id=1829

--- Comment #2 from Dmitry V. Levin <ldv at altlinux.org> 2010-11-05 11:56:03 EST ---
(In reply to comment #1)
> What is the practical intent of this change?

The proposed change is the result of code inspection.

I maintain an OpenSSH key blacklisting patch (see
http://www.openwall.com/lists/oss-security/2008/05/27/3 for more
details) which was originally implemented for 5.0p1, before certificate
authentication support (which was introduced later in 5.4p1).

While merging my changes to use the auth_key_is_revoked() infrastructure, I
found out that one auth_key_is_revoked() call is not placed quite well:
there is no use for the server to start a challenge-response dialog with
a key that is not allowed for authentication.
