	restrict certificate type for builtin SSH server (#26789)
- While doing some sanity checks over OpenSSH's code for how it handles certificate authentication, I stumbled on a condition that checks that the certificate type is really a user certificate during server-side authentication. This check seems to be a formality and just for the sake of good domain separation, because a user and a host certificate don't differ in their generation, verification or the flags that can be included. - Add this check to the builtin SSH server to stay close to the unwritten SSH specification. - This is a breaking change for setups where the builtin SSH server is being used and for some reason host certificates were being used for authentication. - (cherry picked from commit de35b141b79a3d6efe2127ed2c73fd481515e481) Refs: https://codeberg.org/forgejo/forgejo/pulls/1172 ## ⚠️ BREAKING ⚠️ Like OpenSSH, the built-in SSH server will now only accept SSH user certificates, not server certificates. Co-authored-by: Gusted <postmaster@gusted.xyz> Co-authored-by: Giteabot <teabot@gitea.io>
		| @@ -191,6 +191,12 @@ func publicKeyHandler(ctx ssh.Context, key ssh.PublicKey) bool { | |||||||
| 			return false | 			return false | ||||||
| 		} | 		} | ||||||
|  |  | ||||||
|  | 		if cert.CertType != gossh.UserCert { | ||||||
|  | 			log.Warn("Certificate Rejected: Not a user certificate") | ||||||
|  | 			log.Warn("Failed authentication attempt from %s", ctx.RemoteAddr()) | ||||||
|  | 			return false | ||||||
|  | 		} | ||||||
|  |  | ||||||
| 		// look for the exact principal | 		// look for the exact principal | ||||||
| 	principalLoop: | 	principalLoop: | ||||||
| 		for _, principal := range cert.ValidPrincipals { | 		for _, principal := range cert.ValidPrincipals { | ||||||
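Review bot: The first log.Warn in the added block records only that the certificate was not a user certificate, so an operator diagnosing a login failure after this breaking change cannot see which type was actually presented; including it is cheap, `log.Warn("Certificate Rejected: Not a user certificate (type %d)", cert.CertType)`. A one-line comment above the new condition would also preserve the rationale that now lives only in the commit message, e.g. `// Like OpenSSH, accept only user certificates; host certificates share the format but not the purpose.`. publicKeyHandler starts and ends outside the hunk, so whether the later certificate verification already enforces the type cannot be confirmed from here, and keeping this early rejection is the safer reading either way.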