commit 1f729f0614d1376c3332fa1edb6a5e5cec7e9e03
author djm@openbsd.org <djm@openbsd.org> Tue Jan 13 07:39:19 2015 +0000
committer Damien Miller <djm@mindrot.org> Tue Jan 13 19:27:18 2015 +1100
tree f651f10aa00dcecdf8e9362c0abb6282bbc99c95
parent 816d1538c24209a93ba0560b27c4fda57c3fff65

upstream commit

add sshd_config HostbasedAcceptedKeyTypes and
 PubkeyAcceptedKeyTypes options to allow sshd to control what public key types
 will be accepted. Currently defaults to all. Feedback & ok markus@

sshkey.c

diff --git a/sshkey.c b/sshkey.c
index a680929..30f209a 100644
--- a/sshkey.c
+++ b/sshkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshkey.c,v 1.10 2015/01/12 20:13:27 markus Exp $ */
+/* $OpenBSD: sshkey.c,v 1.11 2015/01/13 07:39:19 djm Exp $ */
 /*
  * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
  * Copyright (c) 2008 Alexander von Gernler.  All rights reserved.
@@ -54,6 +54,7 @@
 #include "digest.h"
 #define SSHKEY_INTERNAL
 #include "sshkey.h"
+#include "match.h"
 
 /* openssh private key file format */
 #define MARK_BEGIN		"-----BEGIN OPENSSH PRIVATE KEY-----\n"
@@ -219,9 +220,11 @@
 }
 
 int
-sshkey_names_valid2(const char *names)
+sshkey_names_valid2(const char *names, int allow_wildcard)
 {
 	char *s, *cp, *p;
+	const struct keytype *kt;
+	int type;
 
 	if (names == NULL || strcmp(names, "") == 0)
 		return 0;
@@ -229,9 +232,28 @@
 		return 0;
 	for ((p = strsep(&cp, ",")); p && *p != '\0';
 	    (p = strsep(&cp, ","))) {
-		switch (sshkey_type_from_name(p)) {
-		case KEY_RSA1:
-		case KEY_UNSPEC:
+		type = sshkey_type_from_name(p);
+		if (type == KEY_RSA1) {
+			free(s);
+			return 0;
+		}
+		if (type == KEY_UNSPEC) {
+			if (allow_wildcard) {
+				/*
+				 * Try matching key types against the string.
+				 * If any has a positive or negative match then
+				 * the component is accepted.
+				 */
+				for (kt = keytypes; kt->type != -1; kt++) {
+					if (kt->type == KEY_RSA1)
+						continue;
+					if (match_pattern_list(kt->name,
+					    p, strlen(p), 0) != 0)
+						break;
+				}
+				if (kt->type != -1)
+					continue;
+			}
 			free(s);
 			return 0;
 		}