From 4ab8e56c9197135a85300542d736a556203752a6 Mon Sep 17 00:00:00 2001 From: Earl Warren <109468362+earl-warren@users.noreply.github.com> Date: Fri, 1 Sep 2023 15:45:22 +0200 Subject: [PATCH] restrict certificate type for builtin SSH server (#26789) - While doing some sanity checks over OpenSSH's code for how they handle certificates authentication. I stumbled on an condition that checks the certificate type is really an user certificate on the server-side authentication. This checks seems to be a formality and just for the sake of good domain seperation, because an user and host certificate don't differ in their generation, verification or flags that can be included. - Add this check to the builtin SSH server to stay close to the unwritten SSH specification. - This is an breaking change for setups where the builtin SSH server is being used and for some reason host certificates were being used for authentication. - (cherry picked from commit de35b141b79a3d6efe2127ed2c73fd481515e481) Refs: https://codeberg.org/forgejo/forgejo/pulls/1172 ## :warning: BREAKING :warning: Like OpenSSH, the built-in SSH server will now only accept SSH user certificates, not server certificates. Co-authored-by: Gusted Co-authored-by: Giteabot --- modules/ssh/ssh.go | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/modules/ssh/ssh.go b/modules/ssh/ssh.go index a5af5c129b..37624ab679 100644 --- a/modules/ssh/ssh.go +++ b/modules/ssh/ssh.go @@ -191,6 +191,12 @@ func publicKeyHandler(ctx ssh.Context, key ssh.PublicKey) bool { return false } + if cert.CertType != gossh.UserCert { + log.Warn("Certificate Rejected: Not a user certificate") + log.Warn("Failed authentication attempt from %s", ctx.RemoteAddr()) + return false + } + // look for the exact principal principalLoop: for _, principal := range cert.ValidPrincipals {