[GITEA] Restrict certificate type for builtin SSH server
- While doing some sanity checks over OpenSSH's code for how they handle certificates authentication. I stumbled on an condition that checks the certificate type is really an user certificate on the server-side authentication. This checks seems to be a formality and just for the sake of good domain seperation, because an user and host certificate don't differ in their generation, verification or flags that can be included. - Add this check to the builtin SSH server to stay close to the unwritten SSH specification. - This is an breaking change for setups where the builtin SSH server is being used and for some reason host certificates were being used for authentication.
This commit is contained in:
parent
6465b74632
commit
74c88c3217
1 changed files with 6 additions and 0 deletions
|
@ -186,6 +186,12 @@ func publicKeyHandler(ctx ssh.Context, key ssh.PublicKey) bool {
|
||||||
return false
|
return false
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if cert.CertType != gossh.UserCert {
|
||||||
|
log.Warn("Certificate Rejected: Not a user certificate")
|
||||||
|
log.Warn("Failed authentication attempt from %s", ctx.RemoteAddr())
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
|
||||||
// look for the exact principal
|
// look for the exact principal
|
||||||
principalLoop:
|
principalLoop:
|
||||||
for _, principal := range cert.ValidPrincipals {
|
for _, principal := range cert.ValidPrincipals {
|
||||||
|
|
Loading…
Reference in a new issue