Mailing List Archive: OpenSSH: Bugs

[Bug 1829] auth-rsa.c: move auth_key_is_revoked() call from auth_rsa_verify_response() to auth_rsa_key_allowed()

Index | Next | Previous | View Threaded

bugzilla-daemon at bugzilla

Oct 4, 2011, 6:59 AM

Post #1 of 5 (124 views)
Permalink

[Bug 1829] auth-rsa.c: move auth_key_is_revoked() call from auth_rsa_verify_response() to auth_rsa_key_allowed()

https://bugzilla.mindrot.org/show_bug.cgi?id=1829

--- Comment #6 from Damien Miller <djm [at] mindrot> 2011-10-05 00:59:23 EST ---
I think the behaviour that I committed is correct: the key that is
being matched has been confirmed as revoked, there is no point
continuing to match and it's probably dangerous to do so - e.g. a
subsequent listing of the same key will cause it to be "unrevoked"

--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
_______________________________________________
openssh-bugs mailing list
openssh-bugs [at] mindrot
https://lists.mindrot.org/mailman/listinfo/openssh-bugs

bugzilla-daemon at bugzilla

Oct 4, 2011, 8:58 AM

Post #2 of 5 (121 views)
Permalink

[Bug 1829] auth-rsa.c: move auth_key_is_revoked() call from auth_rsa_verify_response() to auth_rsa_key_allowed() [In reply to]

https://bugzilla.mindrot.org/show_bug.cgi?id=1829

--- Comment #7 from Dmitry V. Levin <ldv [at] altlinux> 2011-10-05 02:58:46 EST ---
(In reply to comment #6)
> I think the behaviour that I committed is correct: the key that is
> being matched has been confirmed as revoked, there is no point
> continuing to match

The file may still contain valid keys.
Even in case of syntax error the code just skips broken lines.

> and it's probably dangerous to do so - e.g. a
> subsequent listing of the same key will cause it to be "unrevoked"

Would it? How a key that is already revoked could be "unrevoked"?

--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
_______________________________________________
openssh-bugs mailing list
openssh-bugs [at] mindrot
https://lists.mindrot.org/mailman/listinfo/openssh-bugs

bugzilla-daemon at bugzilla

Oct 4, 2011, 2:44 PM

Post #3 of 5 (120 views)
Permalink

[Bug 1829] auth-rsa.c: move auth_key_is_revoked() call from auth_rsa_verify_response() to auth_rsa_key_allowed() [In reply to]

https://bugzilla.mindrot.org/show_bug.cgi?id=1829

--- Comment #8 from Damien Miller <djm [at] mindrot> 2011-10-05 08:44:08 EST ---
Remember what is happening here: a key has been suggested by the client
and is being compared against the lines in authorized_keys. *After* the
modulus has been matched, we check whether the key is revoked. If it is
revoked, then there is no point in checking further in the file to see
if an non-revoked entry of the same key exists.

--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
_______________________________________________
openssh-bugs mailing list
openssh-bugs [at] mindrot
https://lists.mindrot.org/mailman/listinfo/openssh-bugs

bugzilla-daemon at bugzilla

Oct 4, 2011, 3:12 PM

Post #4 of 5 (118 views)
Permalink

[Bug 1829] auth-rsa.c: move auth_key_is_revoked() call from auth_rsa_verify_response() to auth_rsa_key_allowed() [In reply to]

https://bugzilla.mindrot.org/show_bug.cgi?id=1829

Dmitry V. Levin <ldv [at] altlinux> changed:

What |Removed |Added
----------------------------------------------------------------------------
Blocks|1930 |1803
Status|REOPENED |RESOLVED
Resolution| |FIXED

--- Comment #9 from Dmitry V. Levin <ldv [at] altlinux> 2011-10-05 09:12:28 EST ---
Agreed.

--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
_______________________________________________
openssh-bugs mailing list
openssh-bugs [at] mindrot
https://lists.mindrot.org/mailman/listinfo/openssh-bugs

bugzilla-daemon at bugzilla

Oct 4, 2011, 3:12 PM

Post #5 of 5 (123 views)
Permalink

[Bug 1829] auth-rsa.c: move auth_key_is_revoked() call from auth_rsa_verify_response() to auth_rsa_key_allowed() [In reply to]

https://bugzilla.mindrot.org/show_bug.cgi?id=1829

Dmitry V. Levin <ldv [at] altlinux> changed:

What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |CLOSED

--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
_______________________________________________
openssh-bugs mailing list
openssh-bugs [at] mindrot
https://lists.mindrot.org/mailman/listinfo/openssh-bugs

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact Gossamer Threads