openssh/openssh-8.7p1-host-based-auth.patch

diff --color -rup a/sshconnect2.c b/sshconnect2.c
--- a/sshconnect2.c	2022-07-11 17:00:02.618575727 +0200
+++ b/sshconnect2.c	2022-07-11 17:03:05.096085690 +0200
@@ -2288,9 +2288,9 @@ userauth_hostbased(struct ssh *ssh)
 			if (authctxt->sensitive->keys[i] == NULL ||
 			    authctxt->sensitive->keys[i]->type == KEY_UNSPEC)
 				continue;
-			if (match_pattern_list(
+			if (!sshkey_match_keyname_to_sigalgs(
 			    sshkey_ssh_name(authctxt->sensitive->keys[i]),
-			    authctxt->active_ktype, 0) != 1)
+			    authctxt->active_ktype))
 				continue;
 			/* we take and free the key */
 			private = authctxt->sensitive->keys[i];
@@ -2316,7 +2316,8 @@ userauth_hostbased(struct ssh *ssh)
 		error_f("sshkey_fingerprint failed");
 		goto out;
 	}
-	debug_f("trying hostkey %s %s", sshkey_ssh_name(private), fp);
+	debug_f("trying hostkey %s %s using sigalg %s",
+		sshkey_ssh_name(private), fp, authctxt->active_ktype);
 
 	/* figure out a name for the client host */
 	lname = get_local_name(ssh_packet_get_connection_in(ssh));
diff --color -rup a/sshkey.c b/sshkey.c
--- a/sshkey.c	2022-07-11 17:00:02.609575554 +0200
+++ b/sshkey.c	2022-07-11 17:12:30.905976443 +0200
@@ -252,6 +252,29 @@ sshkey_ecdsa_nid_from_name(const char *n
 	return -1;
 }
 
+int
+sshkey_match_keyname_to_sigalgs(const char *keyname, const char *sigalgs)
+{
+	int ktype;
+
+	if (sigalgs == NULL || *sigalgs == '\0' ||
+	    (ktype = sshkey_type_from_name(keyname)) == KEY_UNSPEC)
+		return 0;
+	else if (ktype == KEY_RSA) {
+		return match_pattern_list("ssh-rsa", sigalgs, 0) == 1 ||
+		    match_pattern_list("rsa-sha2-256", sigalgs, 0) == 1 ||
+		    match_pattern_list("rsa-sha2-512", sigalgs, 0) == 1;
+	} else if (ktype == KEY_RSA_CERT) {
+		return match_pattern_list("ssh-rsa-cert-v01@openssh.com",
+		    sigalgs, 0) == 1 ||
+		    match_pattern_list("rsa-sha2-256-cert-v01@openssh.com",
+		    sigalgs, 0) == 1 ||
+		    match_pattern_list("rsa-sha2-512-cert-v01@openssh.com",
+		    sigalgs, 0) == 1;
+	} else
+		return match_pattern_list(keyname, sigalgs, 0) == 1;
+}
+
 char *
 sshkey_alg_list(int certs_only, int plain_only, int include_sigonly, char sep)
 {
diff --color -rup a/sshkey.h b/sshkey.h
--- a/sshkey.h	2022-07-11 17:00:02.603575438 +0200
+++ b/sshkey.h	2022-07-11 17:13:01.052556879 +0200
@@ -194,6 +194,10 @@ int	 sshkey_is_cert(const struct sshkey
 int	 sshkey_is_sk(const struct sshkey *);
 int	 sshkey_type_is_cert(int);
 int	 sshkey_type_plain(int);
+
+/* Returns non-zero if key name match sigalgs pattern list. (handles RSA) */
+int	 sshkey_match_keyname_to_sigalgs(const char *, const char *);
+
 int	 sshkey_to_certified(struct sshkey *);
 int	 sshkey_drop_cert(struct sshkey *);
 int	 sshkey_cert_copy(const struct sshkey *, struct sshkey *);
diff --color -rup a/ssh-keysign.c b/ssh-keysign.c
--- a/ssh-keysign.c	2021-08-20 06:03:49.000000000 +0200
+++ b/ssh-keysign.c	2022-07-11 17:00:23.306973667 +0200
@@ -62,7 +62,7 @@
 extern char *__progname;
 
 static int
-valid_request(struct passwd *pw, char *host, struct sshkey **ret,
+valid_request(struct passwd *pw, char *host, struct sshkey **ret, char **pkalgp,
     u_char *data, size_t datalen)
 {
 	struct sshbuf *b;
@@ -75,6 +75,8 @@ valid_request(struct passwd *pw, char *h
 
 	if (ret != NULL)
 		*ret = NULL;
+	if (pkalgp != NULL)
+		*pkalgp = NULL;
 	fail = 0;
 
 	if ((b = sshbuf_from(data, datalen)) == NULL)
@@ -122,8 +124,6 @@ valid_request(struct passwd *pw, char *h
 		fail++;
 	} else if (key->type != pktype)
 		fail++;
-	free(pkalg);
-	free(pkblob);
 
 	/* client host name, handle trailing dot */
 	if ((r = sshbuf_get_cstring(b, &p, &len)) != 0)
@@ -154,8 +154,19 @@ valid_request(struct passwd *pw, char *h
 
 	if (fail)
 		sshkey_free(key);
-	else if (ret != NULL)
-		*ret = key;
+	else {
+		if (ret != NULL) {
+			*ret = key;
+			key = NULL;
+		}
+		if (pkalgp != NULL) {
+			*pkalgp = pkalg;
+			pkalg = NULL;
+		}
+	}
+	sshkey_free(key);
+	free(pkalg);
+	free(pkblob);
 
 	return (fail ? -1 : 0);
 }
@@ -170,7 +181,7 @@ main(int argc, char **argv)
 	struct passwd *pw;
 	int r, key_fd[NUM_KEYTYPES], i, found, version = 2, fd;
 	u_char *signature, *data, rver;
-	char *host, *fp;
+	char *host, *fp, *pkalg;
 	size_t slen, dlen;
 
 	if (pledge("stdio rpath getpw dns id", NULL) != 0)
@@ -258,7 +269,7 @@ main(int argc, char **argv)
 
 	if ((r = sshbuf_get_string(b, &data, &dlen)) != 0)
 		fatal_r(r, "%s: buffer error", __progname);
-	if (valid_request(pw, host, &key, data, dlen) < 0)
+	if (valid_request(pw, host, &key, &pkalg, data, dlen) < 0)
 		fatal("%s: not a valid request", __progname);
 	free(host);
 
@@ -279,7 +290,7 @@ main(int argc, char **argv)
 	}
 
 	if ((r = sshkey_sign(keys[i], &signature, &slen, data, dlen,
-	    NULL, NULL, NULL, 0)) != 0)
+	    pkalg, NULL, NULL, 0)) != 0)
 		fatal_r(r, "%s: sshkey_sign failed", __progname);
 	free(data);
Fix host-based authentication with rsa keys Resolves: rhbz#2088916 Signed-off-by: Zoltan Fridrich <zfridric@redhat.com> 2022-07-11 15:44:53 +00:00			`diff --color -rup a/sshconnect2.c b/sshconnect2.c`
			`--- a/sshconnect2.c 2022-07-11 17:00:02.618575727 +0200`
			`+++ b/sshconnect2.c 2022-07-11 17:03:05.096085690 +0200`
			`@@ -2288,9 +2288,9 @@ userauth_hostbased(struct ssh *ssh)`
			`if (authctxt->sensitive->keys[i] == NULL \|\|`
			`authctxt->sensitive->keys[i]->type == KEY_UNSPEC)`
			`continue;`
			`- if (match_pattern_list(`
			`+ if (!sshkey_match_keyname_to_sigalgs(`
			`sshkey_ssh_name(authctxt->sensitive->keys[i]),`
			`- authctxt->active_ktype, 0) != 1)`
			`+ authctxt->active_ktype))`
			`continue;`
			`/* we take and free the key */`
			`private = authctxt->sensitive->keys[i];`
			`@@ -2316,7 +2316,8 @@ userauth_hostbased(struct ssh *ssh)`
			`error_f("sshkey_fingerprint failed");`
			`goto out;`
			`}`
			`- debug_f("trying hostkey %s %s", sshkey_ssh_name(private), fp);`
			`+ debug_f("trying hostkey %s %s using sigalg %s",`
			`+ sshkey_ssh_name(private), fp, authctxt->active_ktype);`

			`/* figure out a name for the client host */`
			`lname = get_local_name(ssh_packet_get_connection_in(ssh));`
			`diff --color -rup a/sshkey.c b/sshkey.c`
			`--- a/sshkey.c 2022-07-11 17:00:02.609575554 +0200`
			`+++ b/sshkey.c 2022-07-11 17:12:30.905976443 +0200`
			`@@ -252,6 +252,29 @@ sshkey_ecdsa_nid_from_name(const char *n`
			`return -1;`
			`}`

			`+int`
			`+sshkey_match_keyname_to_sigalgs(const char keyname, const char sigalgs)`
			`+{`
			`+ int ktype;`
			`+`
			`+ if (sigalgs == NULL \|\| *sigalgs == '\0' \|\|`
			`+ (ktype = sshkey_type_from_name(keyname)) == KEY_UNSPEC)`
			`+ return 0;`
			`+ else if (ktype == KEY_RSA) {`
			`+ return match_pattern_list("ssh-rsa", sigalgs, 0) == 1 \|\|`
			`+ match_pattern_list("rsa-sha2-256", sigalgs, 0) == 1 \|\|`
			`+ match_pattern_list("rsa-sha2-512", sigalgs, 0) == 1;`
			`+ } else if (ktype == KEY_RSA_CERT) {`
			`+ return match_pattern_list("ssh-rsa-cert-v01@openssh.com",`
			`+ sigalgs, 0) == 1 \|\|`
			`+ match_pattern_list("rsa-sha2-256-cert-v01@openssh.com",`
			`+ sigalgs, 0) == 1 \|\|`
			`+ match_pattern_list("rsa-sha2-512-cert-v01@openssh.com",`
			`+ sigalgs, 0) == 1;`
			`+ } else`
			`+ return match_pattern_list(keyname, sigalgs, 0) == 1;`
			`+}`
			`+`
			`char *`
			`sshkey_alg_list(int certs_only, int plain_only, int include_sigonly, char sep)`
			`{`
			`diff --color -rup a/sshkey.h b/sshkey.h`
			`--- a/sshkey.h 2022-07-11 17:00:02.603575438 +0200`
			`+++ b/sshkey.h 2022-07-11 17:13:01.052556879 +0200`
			`@@ -194,6 +194,10 @@ int sshkey_is_cert(const struct sshkey`
			`int sshkey_is_sk(const struct sshkey *);`
			`int sshkey_type_is_cert(int);`
			`int sshkey_type_plain(int);`
			`+`
			`+/* Returns non-zero if key name match sigalgs pattern list. (handles RSA) */`
			`+int sshkey_match_keyname_to_sigalgs(const char , const char );`
			`+`
			`int sshkey_to_certified(struct sshkey *);`
			`int sshkey_drop_cert(struct sshkey *);`
			`int sshkey_cert_copy(const struct sshkey , struct sshkey );`
			`diff --color -rup a/ssh-keysign.c b/ssh-keysign.c`
			`--- a/ssh-keysign.c 2021-08-20 06:03:49.000000000 +0200`
			`+++ b/ssh-keysign.c 2022-07-11 17:00:23.306973667 +0200`
			`@@ -62,7 +62,7 @@`
			`extern char *__progname;`

			`static int`
			`-valid_request(struct passwd pw, char host, struct sshkey **ret,`
			`+valid_request(struct passwd pw, char host, struct sshkey ret, char pkalgp,`
			`u_char *data, size_t datalen)`
			`{`
			`struct sshbuf *b;`
			`@@ -75,6 +75,8 @@ valid_request(struct passwd pw, char h`

			`if (ret != NULL)`
			`*ret = NULL;`
			`+ if (pkalgp != NULL)`
			`+ *pkalgp = NULL;`
			`fail = 0;`

			`if ((b = sshbuf_from(data, datalen)) == NULL)`
			`@@ -122,8 +124,6 @@ valid_request(struct passwd pw, char h`
			`fail++;`
			`} else if (key->type != pktype)`
			`fail++;`
			`- free(pkalg);`
			`- free(pkblob);`

			`/* client host name, handle trailing dot */`
			`if ((r = sshbuf_get_cstring(b, &p, &len)) != 0)`
			`@@ -154,8 +154,19 @@ valid_request(struct passwd pw, char h`

			`if (fail)`
			`sshkey_free(key);`
			`- else if (ret != NULL)`
			`- *ret = key;`
			`+ else {`
			`+ if (ret != NULL) {`
			`+ *ret = key;`
			`+ key = NULL;`
			`+ }`
			`+ if (pkalgp != NULL) {`
			`+ *pkalgp = pkalg;`
			`+ pkalg = NULL;`
			`+ }`
			`+ }`
			`+ sshkey_free(key);`
			`+ free(pkalg);`
			`+ free(pkblob);`

			`return (fail ? -1 : 0);`
			`}`
			`@@ -170,7 +181,7 @@ main(int argc, char **argv)`
			`struct passwd *pw;`
			`int r, key_fd[NUM_KEYTYPES], i, found, version = 2, fd;`
			`u_char signature, data, rver;`
			`- char host, fp;`
			`+ char host, fp, *pkalg;`
			`size_t slen, dlen;`

			`if (pledge("stdio rpath getpw dns id", NULL) != 0)`
			`@@ -258,7 +269,7 @@ main(int argc, char **argv)`

			`if ((r = sshbuf_get_string(b, &data, &dlen)) != 0)`
			`fatal_r(r, "%s: buffer error", __progname);`
			`- if (valid_request(pw, host, &key, data, dlen) < 0)`
			`+ if (valid_request(pw, host, &key, &pkalg, data, dlen) < 0)`
			`fatal("%s: not a valid request", __progname);`
			`free(host);`

			`@@ -279,7 +290,7 @@ main(int argc, char **argv)`
			`}`

			`if ((r = sshkey_sign(keys[i], &signature, &slen, data, dlen,`
			`- NULL, NULL, NULL, 0)) != 0)`
			`+ pkalg, NULL, NULL, 0)) != 0)`
			`fatal_r(r, "%s: sshkey_sign failed", __progname);`
			`free(data);`