Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / openssh / fd6dcef2030d23c43f986d26979f84619c10589d
commitfd6dcef2030d23c43f986d26979f84619c10589d[log] [tgz]
authordjm@openbsd.org <djm@openbsd.org>Wed Nov 30 02:57:40 2016 +0000
committerDamien Miller <djm@mindrot.org>Wed Nov 30 19:44:01 2016 +1100
treea9b9d64866a656d5e187f7d63b61e1c1bede5e8f
parent7fc4766ac78abae81ee75b22b7550720bfa28a33 [diff]
upstream commit

When a forced-command appears in both a certificate and
an authorized keys/principals command= restriction, refuse to accept the
certificate unless they are identical.

The previous (documented) behaviour of having the certificate forced-
command override the other could be a bit confused and more error-prone.

Pointed out by Jann Horn of Project Zero; ok dtucker@

Upstream-ID: 79d811b6eb6bbe1221bf146dde6928f92d2cd05f
4 files changed
tree: a9b9d64866a656d5e187f7d63b61e1c1bede5e8f
  1. contrib/
  2. openbsd-compat/
  3. regress/
  4. .skipped-commit-ids
  5. aclocal.m4
  6. addrmatch.c
  7. atomicio.c
  8. atomicio.h
  9. audit-bsm.c
  10. audit-linux.c
  11. audit.c
  12. audit.h
  13. auth-bsdauth.c
  14. auth-krb5.c
  15. auth-options.c
  16. auth-options.h
  17. auth-pam.c
  18. auth-pam.h
  19. auth-passwd.c
  20. auth-rhosts.c
  21. auth-shadow.c
  22. auth-sia.c
  23. auth-sia.h
  24. auth-skey.c
  25. auth.c
  26. auth.h
  27. auth2-chall.c
  28. auth2-gss.c
  29. auth2-hostbased.c
  30. auth2-kbdint.c
  31. auth2-none.c
  32. auth2-passwd.c
  33. auth2-pubkey.c
  34. auth2.c
  35. authfd.c
  36. authfd.h
  37. authfile.c
  38. authfile.h
  39. bitmap.c
  40. bitmap.h
  41. blocks.c
  42. bufaux.c
  43. bufbn.c
  44. bufec.c
  45. buffer.c
  46. buffer.h
  47. buildpkg.sh.in
  48. canohost.c
  49. canohost.h
  50. chacha.c
  51. chacha.h
  52. channels.c
  53. channels.h
  54. cipher-3des1.c
  55. cipher-aes.c
  56. cipher-aesctr.c
  57. cipher-aesctr.h
  58. cipher-bf1.c
  59. cipher-chachapoly.c
  60. cipher-chachapoly.h
  61. cipher-ctr.c
  62. cipher.c
  63. cipher.h
  64. cleanup.c
  65. clientloop.c
  66. clientloop.h
  67. compat.c
  68. compat.h
  69. config.guess
  70. config.sub
  71. configure.ac
  72. crc32.c
  73. crc32.h
  74. CREDITS
  75. crypto_api.h
  76. deattack.c
  77. deattack.h
  78. defines.h
  79. dh.c
  80. dh.h
  81. digest-libc.c
  82. digest-openssl.c
  83. digest.h
  84. dispatch.c
  85. dispatch.h
  86. dns.c
  87. dns.h
  88. ed25519.c
  89. entropy.c
  90. entropy.h
  91. fatal.c
  92. fe25519.c
  93. fe25519.h
  94. fixalgorithms
  95. fixpaths
  96. fixprogs
  97. ge25519.c
  98. ge25519.h
  99. ge25519_base.data
  100. groupaccess.c
  101. groupaccess.h
  102. gss-genr.c
  103. gss-serv-krb5.c
  104. gss-serv.c
  105. hash.c
  106. hmac.c
  107. hmac.h
  108. hostfile.c
  109. hostfile.h
  110. includes.h
  111. INSTALL
  112. install-sh
  113. kex.c
  114. kex.h
  115. kexc25519.c
  116. kexc25519c.c
  117. kexc25519s.c
  118. kexdh.c
  119. kexdhc.c
  120. kexdhs.c
  121. kexecdh.c
  122. kexecdhc.c
  123. kexecdhs.c
  124. kexgex.c
  125. kexgexc.c
  126. kexgexs.c
  127. key.c
  128. key.h
  129. krl.c
  130. krl.h
  131. LICENCE
  132. log.c
  133. log.h
  134. loginrec.c
  135. loginrec.h
  136. logintest.c
  137. mac.c
  138. mac.h
  139. Makefile.in
  140. match.c
  141. match.h
  142. md-sha256.c
  143. md5crypt.c
  144. md5crypt.h
  145. mdoc2man.awk
  146. misc.c
  147. misc.h
  148. mkinstalldirs
  149. moduli
  150. moduli.5
  151. moduli.c
  152. monitor.c
  153. monitor.h
  154. monitor_fdpass.c
  155. monitor_fdpass.h
  156. monitor_wrap.c
  157. monitor_wrap.h
  158. msg.c
  159. msg.h
  160. mux.c
  161. myproposal.h
  162. nchan.c
  163. nchan.ms
  164. nchan2.ms
  165. opacket.c
  166. opacket.h
  167. openssh.xml.in
  168. opensshd.init.in
  169. OVERVIEW
  170. packet.c
  171. packet.h
  172. pathnames.h
  173. pkcs11.h
  174. platform-pledge.c
  175. platform-tracing.c
  176. platform.c
  177. platform.h
  178. poly1305.c
  179. poly1305.h
  180. progressmeter.c
  181. progressmeter.h
  182. PROTOCOL
  183. PROTOCOL.agent
  184. PROTOCOL.certkeys
  185. PROTOCOL.chacha20poly1305
  186. PROTOCOL.key
  187. PROTOCOL.krl
  188. PROTOCOL.mux
  189. readconf.c
  190. readconf.h
  191. README
  192. README.dns
  193. README.platform
  194. README.privsep
  195. README.tun
  196. readpass.c
  197. rijndael.c
  198. rijndael.h
  199. rsa.c
  200. rsa.h
  201. sandbox-capsicum.c
  202. sandbox-darwin.c
  203. sandbox-null.c
  204. sandbox-pledge.c
  205. sandbox-rlimit.c
  206. sandbox-seccomp-filter.c
  207. sandbox-solaris.c
  208. sandbox-systrace.c
  209. sc25519.c
  210. sc25519.h
  211. scp.1
  212. scp.c
  213. servconf.c
  214. servconf.h
  215. serverloop.c
  216. serverloop.h
  217. session.c
  218. session.h
  219. sftp-client.c
  220. sftp-client.h
  221. sftp-common.c
  222. sftp-common.h
  223. sftp-glob.c
  224. sftp-server-main.c
  225. sftp-server.8
  226. sftp-server.c
  227. sftp.1
  228. sftp.c
  229. sftp.h
  230. smult_curve25519_ref.c
  231. ssh-add.1
  232. ssh-add.c
  233. ssh-agent.1
  234. ssh-agent.c
  235. ssh-dss.c
  236. ssh-ecdsa.c
  237. ssh-ed25519.c
  238. ssh-gss.h
  239. ssh-keygen.1
  240. ssh-keygen.c
  241. ssh-keyscan.1
  242. ssh-keyscan.c
  243. ssh-keysign.8
  244. ssh-keysign.c
  245. ssh-pkcs11-client.c
  246. ssh-pkcs11-helper.8
  247. ssh-pkcs11-helper.c
  248. ssh-pkcs11.c
  249. ssh-pkcs11.h
  250. ssh-rsa.c
  251. ssh-sandbox.h
  252. ssh.1
  253. ssh.c
  254. ssh.h
  255. ssh1.h
  256. ssh2.h
  257. ssh_api.c
  258. ssh_api.h
  259. ssh_config
  260. ssh_config.5
  261. sshbuf-getput-basic.c
  262. sshbuf-getput-crypto.c
  263. sshbuf-misc.c
  264. sshbuf.c
  265. sshbuf.h
  266. sshconnect.c
  267. sshconnect.h
  268. sshconnect1.c
  269. sshconnect2.c
  270. sshd.8
  271. sshd.c
  272. sshd_config
  273. sshd_config.5
  274. ssherr.c
  275. ssherr.h
  276. sshkey.c
  277. sshkey.h
  278. sshlogin.c
  279. sshlogin.h
  280. sshpty.c
  281. sshpty.h
  282. sshtty.c
  283. survey.sh.in
  284. TODO
  285. ttymodes.c
  286. ttymodes.h
  287. uidswap.c
  288. uidswap.h
  289. umac.c
  290. umac.h
  291. utf8.c
  292. utf8.h
  293. uuencode.c
  294. uuencode.h
  295. verify.c
  296. version.h
  297. xmalloc.c
  298. xmalloc.h