mirror of
https://github.com/openbsd/src.git
synced 2026-05-01 17:46:35 +00:00
In ssh(1), don't try to match certificates held in an agent to private keys.
This matching is done to support certificates that were loaded without their private key material, but is unnecessary for agent-hosted certificates, which always have private key material loaded in the agent. Worse, this matching would mess up the request sent to the agent in such a way as to break usage of these keys when the key usage was restricted in the agent. Patch from Thibault Cools via bz3752, ok dtucker@
@@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: sshconnect2.c,v 1.378 2025/09/15 04:51:35 djm Exp $ */
|
||||
/* $OpenBSD: sshconnect2.c,v 1.379 2026/01/21 23:58:20 djm Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2000 Markus Friedl. All rights reserved.
|
||||
* Copyright (c) 2008 Damien Miller. All rights reserved.
|
||||
@@ -1334,7 +1334,7 @@ sign_and_send_pubkey(struct ssh *ssh, Identity *id)
|
||||
* This will try to set sign_id to the private key that will perform
|
||||
* the signature.
|
||||
*/
|
||||
if (sshkey_is_cert(id->key)) {
|
||||
if (id->agent_fd == -1 && sshkey_is_cert(id->key)) {
|
||||
TAILQ_FOREACH(private_id, &authctxt->keys, next) {
|
||||
if (sshkey_equal_public(id->key, private_id->key) &&
|
||||
id->key->type != private_id->key->type) {
|
||||
|
||||
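Review bot: the new `id->agent_fd == -1` test on the `if (id->agent_fd == -1 && sshkey_is_cert(id->key))` line has no in-code explanation, and the comment ending just above it ("This will try to set sign_id to the private key that will perform the signature") still reads as if every certificate goes through the private-key matching loop. Suggest extending that comment to say that certificates held in an agent are skipped, since per the commit message the agent already holds their private key material and the matching altered the request sent to it. The condition also relies on `agent_fd == -1` meaning "not held in an agent", which is worth stating at this spot because the whole fix rests on it. No regression test for an agent-held certificate with restricted key usage appears in this diff; adding one would keep the bz3752 case from returning.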