Mailing List Archive

[Bug 3675] CASignatureAlgorithms should be verified before verifying signatures
https://bugzilla.mindrot.org/show_bug.cgi?id=3675

Sam James <sam@gentoo.org> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC| |sam@gentoo.org

--
You are receiving this mail because:
You are watching the assignee of the bug.
_______________________________________________
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs
[Bug 3675] CASignatureAlgorithms should be verified before verifying signatures
https://bugzilla.mindrot.org/show_bug.cgi?id=3675

Luke Simmons <luke5083@live.com> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC| |luke5083@live.com

[Bug 3675] CASignatureAlgorithms should be verified before verifying signatures
https://bugzilla.mindrot.org/show_bug.cgi?id=3675

Bertrand Jacquin <bertrand@jacquin.bzh> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC| |bertrand@jacquin.bzh

[Bug 3675] CASignatureAlgorithms should be verified before verifying signatures
https://bugzilla.mindrot.org/show_bug.cgi?id=3675

Ismail Donmez <ismail@i10z.com> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC| |ismail@i10z.com

[Bug 3675] CASignatureAlgorithms should be verified before verifying signatures
https://bugzilla.mindrot.org/show_bug.cgi?id=3675

felix@eckhofer.com <felix@eckhofer.com> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC| |felix@eckhofer.com

[Bug 3675] CASignatureAlgorithms should be verified before verifying signatures
https://bugzilla.mindrot.org/show_bug.cgi?id=3675

Benjamin Gilbert <bgilbert@backtick.net> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC| |bgilbert@backtick.net

[Bug 3675] CASignatureAlgorithms should be verified before verifying signatures
https://bugzilla.mindrot.org/show_bug.cgi?id=3675

github@kalvdans.no-ip.org changed:

What |Removed |Added
----------------------------------------------------------------------------
CC| |github@kalvdans.no-ip.org

[Bug 3675] CASignatureAlgorithms should be verified before verifying signatures
https://bugzilla.mindrot.org/show_bug.cgi?id=3675

--- Comment #4 from Andres Freund <andres@anarazel.de> ---
> On the one hand it feels a bit like trying to fight the last battle, but on the other it is a meaningful attack surface reduction.

Agreed on both points.

Thanks for the quick writing of the patch!


I don't know the openssh codebase well, so my ability to provide review
is limited.

I think there might still be one path "unprotected" after this.
userauth_hostbased() uses sshkey_from_blob() and
a) checks options.hostbased_accepted_algos afterwards
b) uses sshkey_from_blob(), not sshkey_from_blob_expect_type(), with a
subsequent check of the certificate type


Another thing I noticed is that it might end up being a bit harder to
debug some of the error paths after the change, due to going from
specific error messages to more generic error codes. OTOH, it seems
unlikely that these paths are encountered outside of attacks.
