[openssh-commits] [openssh] 13/17: upstream: Use hostkey parsed from hostbound userauth request
git+noreply at mindrot.org
git+noreply at mindrot.org
Mon Dec 20 09:28:38 AEDT 2021
This is an automated email from the git hooks/post-receive script.
djm pushed a commit to branch master
in repository openssh.
commit a6d7677c4abcfba268053e5867f2acabe3aa371b
Author: djm at openbsd.org <djm at openbsd.org>
Date: Sun Dec 19 22:13:55 2021 +0000
upstream: Use hostkey parsed from hostbound userauth request
Require host-bound userauth requests for forwarded SSH connections.
The hostkey parsed from the host-bound userauth request is now checked
against the most recently bound session ID / hostkey on the agent socket
and the signature refused if they do not match.
ok markus@
OpenBSD-Commit-ID: d69877c9a3bd8d1189a5dbdeceefa432044dae02
---
ssh-agent.c | 26 +++++++++++++++++++++++---
1 file changed, 23 insertions(+), 3 deletions(-)
diff --git a/ssh-agent.c b/ssh-agent.c
index 6f7fa2c7..390d8aa1 100644
--- a/ssh-agent.c
+++ b/ssh-agent.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-agent.c,v 1.282 2021/12/19 22:13:33 djm Exp $ */
+/* $OpenBSD: ssh-agent.c,v 1.283 2021/12/19 22:13:55 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo at cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo at cs.hut.fi>, Espoo, Finland
@@ -728,7 +728,7 @@ process_sign_request2(SocketEntry *e)
char *fp = NULL, *user = NULL, *sig_dest = NULL;
const char *fwd_host = NULL, *dest_host = NULL;
struct sshbuf *msg = NULL, *data = NULL, *sid = NULL;
- struct sshkey *key = NULL;
+ struct sshkey *key = NULL, *hostkey = NULL;
struct identity *id;
struct notifier_ctx *notifier = NULL;
@@ -757,7 +757,8 @@ process_sign_request2(SocketEntry *e)
"to sign on unbound connection");
goto send;
}
- if (parse_userauth_request(data, key, &user, &sid, NULL) != 0) {
+ if (parse_userauth_request(data, key, &user, &sid,
+ &hostkey) != 0) {
logit_f("refusing use of destination-constrained key "
"to sign an unidentified signature");
goto send;
@@ -780,6 +781,24 @@ process_sign_request2(SocketEntry *e)
sshkey_type(id->key), fp);
goto send;
}
+ /*
+ * Ensure that the hostkey embedded in the signature matches
+ * the one most recently bound to the socket. An exception is
+ * made for the initial forwarding hop.
+ */
+ if (e->nsession_ids > 1 && hostkey == NULL) {
+ error_f("refusing use of destination-constrained key: "
+ "no hostkey recorded in signature for forwarded "
+ "connection");
+ goto send;
+ }
+ if (hostkey != NULL && !sshkey_equal(hostkey,
+ e->session_ids[e->nsession_ids - 1].key)) {
+ error_f("refusing use of destination-constrained key: "
+ "mismatch between hostkey in request and most "
+ "recently bound session");
+ goto send;
+ }
xasprintf(&sig_dest, "public key authentication request for "
"user \"%s\" to listed host", user);
}
@@ -827,6 +846,7 @@ process_sign_request2(SocketEntry *e)
sshbuf_free(data);
sshbuf_free(msg);
sshkey_free(key);
+ sshkey_free(hostkey);
free(fp);
free(signature);
free(sig_dest);
--
To stop receiving notification emails like this one, please contact
djm at mindrot.org.
More information about the openssh-commits
mailing list