[openssh-commits] [openssh] 13/17: upstream: Use hostkey parsed from hostbound userauth request

git+noreply at mindrot.org git+noreply at mindrot.org
Mon Dec 20 09:28:38 AEDT 2021


This is an automated email from the git hooks/post-receive script.

djm pushed a commit to branch master
in repository openssh.

commit a6d7677c4abcfba268053e5867f2acabe3aa371b
Author: djm at openbsd.org <djm at openbsd.org>
Date:   Sun Dec 19 22:13:55 2021 +0000

    upstream: Use hostkey parsed from hostbound userauth request
    
    Require host-bound userauth requests for forwarded SSH connections.
    
    The hostkey parsed from the host-bound userauth request is now checked
    against the most recently bound session ID / hostkey on the agent socket
    and the signature refused if they do not match.
    
    ok markus@
    
    OpenBSD-Commit-ID: d69877c9a3bd8d1189a5dbdeceefa432044dae02
---
 ssh-agent.c | 26 +++++++++++++++++++++++---
 1 file changed, 23 insertions(+), 3 deletions(-)

diff --git a/ssh-agent.c b/ssh-agent.c
index 6f7fa2c7..390d8aa1 100644
--- a/ssh-agent.c
+++ b/ssh-agent.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-agent.c,v 1.282 2021/12/19 22:13:33 djm Exp $ */
+/* $OpenBSD: ssh-agent.c,v 1.283 2021/12/19 22:13:55 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo at cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo at cs.hut.fi>, Espoo, Finland
@@ -728,7 +728,7 @@ process_sign_request2(SocketEntry *e)
 	char *fp = NULL, *user = NULL, *sig_dest = NULL;
 	const char *fwd_host = NULL, *dest_host = NULL;
 	struct sshbuf *msg = NULL, *data = NULL, *sid = NULL;
-	struct sshkey *key = NULL;
+	struct sshkey *key = NULL, *hostkey = NULL;
 	struct identity *id;
 	struct notifier_ctx *notifier = NULL;
 
@@ -757,7 +757,8 @@ process_sign_request2(SocketEntry *e)
 			    "to sign on unbound connection");
 			goto send;
 		}
-		if (parse_userauth_request(data, key, &user, &sid, NULL) != 0) {
+		if (parse_userauth_request(data, key, &user, &sid,
+		    &hostkey) != 0) {
 			logit_f("refusing use of destination-constrained key "
 			   "to sign an unidentified signature");
 			goto send;
@@ -780,6 +781,24 @@ process_sign_request2(SocketEntry *e)
 			    sshkey_type(id->key), fp);
 			goto send;
 		}
+		/*
+		 * Ensure that the hostkey embedded in the signature matches
+		 * the one most recently bound to the socket. An exception is
+		 * made for the initial forwarding hop.
+		 */
+		if (e->nsession_ids > 1 && hostkey == NULL) {
+			error_f("refusing use of destination-constrained key: "
+			    "no hostkey recorded in signature for forwarded "
+			    "connection");
+			goto send;
+		}
+		if (hostkey != NULL && !sshkey_equal(hostkey,
+		    e->session_ids[e->nsession_ids - 1].key)) {
+			error_f("refusing use of destination-constrained key: "
+			    "mismatch between hostkey in request and most "
+			    "recently bound session");
+			goto send;
+		}
 		xasprintf(&sig_dest, "public key authentication request for "
 		    "user \"%s\" to listed host", user);
 	}
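Review bot: The index `e->nsession_ids - 1` in the second added check is only in range because of the unbound-connection refusal earlier in the function, whose condition is outside the visible hunks (only its log text and `goto send` show at the top of the previous hunk); nothing in the added lines guards it. If that earlier test is `nsession_ids == 0`, as its message suggests, a one-line comment such as `/* nsession_ids >= 1 here: unbound sockets were refused above */` would keep the invariant visible to anyone who later moves or relaxes that guard. The two new refusals also log no key type or fingerprint, unlike the refusal just above them that passes `sshkey_type(id->key), fp`. Adding the same pair, assuming `fp` is already populated at this point, would make a hostkey mismatch on a forwarded agent easier to triage from logs. process_sign_request2 starts and ends outside the hunk.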
@@ -827,6 +846,7 @@ process_sign_request2(SocketEntry *e)
 	sshbuf_free(data);
 	sshbuf_free(msg);
 	sshkey_free(key);
+	sshkey_free(hostkey);
 	free(fp);
 	free(signature);
 	free(sig_dest);
