[Bug 937] ssh2 pubkey auth broken by user:style syntax

bugzilla-daemon at bugzilla.mindrot.org
Sat Sep 10 18:24:11 EST 2011


https://bugzilla.mindrot.org/show_bug.cgi?id=937

Patric Stout <patric.stout at gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |patric.stout at gmail.com

--- Comment #1 from Patric Stout <patric.stout at gmail.com> 2011-09-10 18:24:11 EST ---
Yesterday I found out about this problem too, and I am amused to see
this bug was originally created 7 years ago.

That said, a solution is relatively easy. The comment in auth.h suggests
that the authctxt->user field should be the username as the client
sends it. And looking at the code it is also how it is used. For
example in the public key challenge, where the client assumes the name
he sends is the one used by the server. In auth2-pubkey.c we also find
authctxt->user in this place. So that leaves us to wonder why this
field is not really what the client sent, but in case of [:style] (or
[/role] in the Debian SELinux patch) a modified version.

Attached is a simple patch to solve the issue, which also makes the
comment in auth.h valid again. I am not an OpenSSH expert, and I cannot
validate if in all cases this will work as intended, but for regular
(non-style loginnames) this cannot do any harm, so it can only work for
the better. 

As a side-effect of this change, a validation of the username change was
triggered, which had to be avoided by another simple modification.

With this patch applied, you can log in to a server with your public-key
with username:style as your loginname.

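The mismatch described in the comment above, as an added example that is not part of the original message or of OpenSSH's code: the publickey signature covers the user name the client sent (RFC 4252, section 7), so a server that rebuilds the signed data from a user name with `:style` removed gets different bytes and the signature cannot verify. The function names, the sample session id and key blob, the `alice:skey` login name and the cut-at-`:` model of the modified field are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Append an SSH "string": uint32 big-endian length, then the bytes. */
static size_t put_string(uint8_t *buf, size_t off, const void *s, size_t n)
{
    buf[off++] = (uint8_t)(n >> 24);
    buf[off++] = (uint8_t)(n >> 16);
    buf[off++] = (uint8_t)(n >> 8);
    buf[off++] = (uint8_t)n;
    memcpy(buf + off, s, n);
    return off + n;
}

/* Data covered by the publickey signature (RFC 4252, section 7). */
size_t build_signed_data(uint8_t *buf, const char *user)
{
    /* Constructed sample values, not from a real session or key. */
    static const uint8_t session_id[4] = { 0xde, 0xad, 0xbe, 0xef };
    static const uint8_t key_blob[3] = { 0x01, 0x02, 0x03 };
    size_t off = put_string(buf, 0, session_id, sizeof(session_id));
    buf[off++] = 50; /* SSH_MSG_USERAUTH_REQUEST */
    off = put_string(buf, off, user, strlen(user));
    off = put_string(buf, off, "ssh-connection", 14);
    off = put_string(buf, off, "publickey", 9);
    buf[off++] = 1; /* TRUE: the request carries a signature */
    off = put_string(buf, off, "ssh-rsa", 7);
    return put_string(buf, off, key_blob, sizeof(key_blob));
}

/* 1: server rebuilds the bytes the client signed; 0: it does not; -1: bad input. */
int signed_data_matches(const char *sent_user, int server_strips_style)
{
    uint8_t client[256], server[256];
    char user[64];
    if (strlen(sent_user) >= sizeof(user))
        return -1;
    strcpy(user, sent_user);
    if (server_strips_style)
        user[strcspn(user, ":")] = '\0'; /* assumed model of the modified field */
    size_t clen = build_signed_data(client, sent_user);
    size_t slen = build_signed_data(server, user);
    return clen == slen && memcmp(client, server, clen) == 0;
}

int main(void)
{
    printf("%d %d %d\n", signed_data_matches("alice", 1), signed_data_matches("alice:skey", 1), signed_data_matches("alice:skey", 0));
    return 0;
}
```

A login name without a style suffix is unaffected either way, which matches the comment's observation that the change cannot harm regular login names.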