From de35b141b79a3d6efe2127ed2c73fd481515e481 Mon Sep 17 00:00:00 2001 From: Gusted Date: Tue, 1 Aug 2023 00:29:34 +0200 Subject: [PATCH] [GITEA] Restrict certificate type for builtin SSH server - While doing some sanity checks over OpenSSH's code for how they handle certificates authentication. I stumbled on an condition that checks the certificate type is really an user certificate on the server-side authentication. This checks seems to be a formality and just for the sake of good domain seperation, because an user and host certificate don't differ in their generation, verification or flags that can be included. - Add this check to the builtin SSH server to stay close to the unwritten SSH specification. - This is an breaking change for setups where the builtin SSH server is being used and for some reason host certificates were being used for authentication. (cherry picked from commit 74c88c321722caafc39cfadad3e7ff88bf391c0f) (cherry picked from commit 40df1875da90c8c1c46ab52a4a7e45253457cb10) (cherry picked from commit 07152e9a9d239683f7bfde966946f75aa411008b) (cherry picked from commit 7bc135732d06c888e148bb5c746a2830ef199574) --- modules/ssh/ssh.go | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/modules/ssh/ssh.go b/modules/ssh/ssh.go index a5af5c129b..37624ab679 100644 --- a/modules/ssh/ssh.go +++ b/modules/ssh/ssh.go @@ -191,6 +191,12 @@ func publicKeyHandler(ctx ssh.Context, key ssh.PublicKey) bool { return false } + if cert.CertType != gossh.UserCert { + log.Warn("Certificate Rejected: Not a user certificate") + log.Warn("Failed authentication attempt from %s", ctx.RemoteAddr()) + return false + } + // look for the exact principal principalLoop: for _, principal := range cert.ValidPrincipals {