added option to disable trivial auth methods #128
Conversation
|
I have renamed to argument to |
|
Would you merge this pull request, because we are planning to create a CVE and I think this should be mitigated before we publish a full disclosure. |
cli-authpubkey.c
Outdated
| @@ -266,6 +266,7 @@ int cli_auth_pubkey() { | |||
| /* Send a trial request */ | |||
| send_msg_userauth_pubkey(key, sigtype, 0); | |||
| cli_ses.lastprivkey = key; | |||
| cli_ses.is_trivial_auth = 0; | |||
There was a problem hiding this comment.
It shouldn't clear is_trivial_auth here since it doesn't require any user interaction? For pubkey auth I guess it should clear is_trivial_auth for an agent pubkey signature (not trial request), otherwise leave it set.
| @@ -176,6 +176,7 @@ static void send_msg_userauth_pubkey(sign_key *key, enum signature_type sigtype, | |||
| buf_putbytes(sigbuf, ses.writepayload->data, ses.writepayload->len); | |||
| cli_buf_put_sign(ses.writepayload, key, sigtype, sigbuf); | |||
| buf_free(sigbuf); /* Nothing confidential in the buffer */ | |||
| cli_ses.is_trivial_auth = 0; | |||
There was a problem hiding this comment.
Thanks. I have fixed trivial auth detection for public keys. It should work now as expected.
|
Hello, we are planning to release information about trivial succes authentication. Do you need help with merging the pull requests and creating the new release? |
I have added an option
-o ExitOnTrivialAuth=yesto disable trivial authentications as discussed in our mails