
Mailing List Archive: OpenSSH: Bugs

[Bug 1829] auth-rsa.c: move auth_key_is_revoked() call from auth_rsa_verify_response() to auth_rsa_key_allowed()

 

 



bugzilla-daemon at bugzilla

Oct 4, 2011, 6:59 AM

Post #1 of 5 (172 views)
[Bug 1829] auth-rsa.c: move auth_key_is_revoked() call from auth_rsa_verify_response() to auth_rsa_key_allowed()

https://bugzilla.mindrot.org/show_bug.cgi?id=1829

--- Comment #6 from Damien Miller <djm [at] mindrot> 2011-10-05 00:59:23 EST ---
I think the behaviour that I committed is correct: the key that is
being matched has been confirmed as revoked, there is no point
continuing to match and it's probably dangerous to do so - e.g. a
subsequent listing of the same key will cause it to be "unrevoked"

--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
_______________________________________________
openssh-bugs mailing list
openssh-bugs [at] mindrot
https://lists.mindrot.org/mailman/listinfo/openssh-bugs


bugzilla-daemon at bugzilla

Oct 4, 2011, 8:58 AM

Post #2 of 5 (165 views)
[Bug 1829] auth-rsa.c: move auth_key_is_revoked() call from auth_rsa_verify_response() to auth_rsa_key_allowed() [In reply to]

https://bugzilla.mindrot.org/show_bug.cgi?id=1829

--- Comment #7 from Dmitry V. Levin <ldv [at] altlinux> 2011-10-05 02:58:46 EST ---
(In reply to comment #6)
> I think the behaviour that I committed is correct: the key that is
> being matched has been confirmed as revoked, there is no point
> continuing to match

The file may still contain valid keys.
Even in case of syntax error the code just skips broken lines.

> and it's probably dangerous to do so - e.g. a
> subsequent listing of the same key will cause it to be "unrevoked"

Would it? How could a key that is already revoked be "unrevoked"?



bugzilla-daemon at bugzilla

Oct 4, 2011, 2:44 PM

Post #3 of 5 (164 views)
[Bug 1829] auth-rsa.c: move auth_key_is_revoked() call from auth_rsa_verify_response() to auth_rsa_key_allowed() [In reply to]

https://bugzilla.mindrot.org/show_bug.cgi?id=1829

--- Comment #8 from Damien Miller <djm [at] mindrot> 2011-10-05 08:44:08 EST ---
Remember what is happening here: a key has been suggested by the client
and is being compared against the lines in authorized_keys. *After* the
modulus has been matched, we check whether the key is revoked. If it is
revoked, then there is no point in checking further in the file to see
if a non-revoked entry of the same key exists.

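A simplified model of the scan described in comment #8, added here as an illustration; it is not OpenSSH's auth-rsa.c code. The function names, the string "moduli", the revocation list and the sample file are all constructed assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model: every authorized_keys line is reduced to a modulus
 * string. None of these names come from OpenSSH. */
static const char *revoked_list[] = { "MOD_B" };
static const char *sample_file[] = { "MOD_A", "# note", "MOD_B", "MOD_C", "MOD_B" };
#define SAMPLE_LINES (sizeof(sample_file) / sizeof(sample_file[0]))

/* Revocation depends on the key alone, not on the line it appears on. */
static int key_is_revoked(const char *modulus)
{
    size_t i;
    for (i = 0; i < sizeof(revoked_list) / sizeof(revoked_list[0]); i++)
        if (strcmp(revoked_list[i], modulus) == 0)
            return 1;
    return 0;
}

/* Returns 1 if the offered key is allowed, 0 if not; *examined is the
 * number of lines read before the decision was made. */
static int key_allowed(const char *offered, const char **lines, size_t n,
    size_t *examined)
{
    size_t i;
    *examined = 0;
    for (i = 0; i < n; i++) {
        *examined = i + 1;
        if (lines[i][0] == '\0' || lines[i][0] == '#')
            continue;           /* blank or comment line: skip it */
        if (strcmp(lines[i], offered) != 0)
            continue;           /* some other key: keep scanning */
        /* Modulus matched: the answer is now fixed by the key itself,
         * so a later line listing the same key cannot change it. */
        return key_is_revoked(offered) ? 0 : 1;
    }
    return 0;                   /* offered key is not in the file */
}

int main(void)
{
    const char *offers[] = { "MOD_B", "MOD_C", "MOD_D" };
    size_t i, seen;
    for (i = 0; i < 3; i++) {
        int ok = key_allowed(offers[i], sample_file, SAMPLE_LINES, &seen);
        printf("%s: %s after %zu line(s)\n", offers[i], ok ? "allowed" : "denied", seen);
    }
    return 0;
}
```

In this model, offering MOD_C is still allowed even though the revoked key's line precedes it: the early return only ends the scan for the key whose modulus matched.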


bugzilla-daemon at bugzilla

Oct 4, 2011, 3:12 PM

Post #4 of 5 (161 views)
[Bug 1829] auth-rsa.c: move auth_key_is_revoked() call from auth_rsa_verify_response() to auth_rsa_key_allowed() [In reply to]

https://bugzilla.mindrot.org/show_bug.cgi?id=1829

Dmitry V. Levin <ldv [at] altlinux> changed:

          What|Removed                     |Added
----------------------------------------------------------------------------
        Blocks|1930                        |1803
        Status|REOPENED                    |RESOLVED
    Resolution|                            |FIXED

--- Comment #9 from Dmitry V. Levin <ldv [at] altlinux> 2011-10-05 09:12:28 EST ---
Agreed.



bugzilla-daemon at bugzilla

Oct 4, 2011, 3:12 PM

Post #5 of 5 (171 views)
[Bug 1829] auth-rsa.c: move auth_key_is_revoked() call from auth_rsa_verify_response() to auth_rsa_key_allowed() [In reply to]

https://bugzilla.mindrot.org/show_bug.cgi?id=1829

Dmitry V. Levin <ldv [at] altlinux> changed:

          What|Removed                     |Added
----------------------------------------------------------------------------
        Status|RESOLVED                    |CLOSED
