From: djm@openbsd.org Date: Sun, 15 Sep 2024 00:41:18 +0000 (+0000) Subject: upstream: Do not apply authorized_keys options when signature X-Git-Tag: V_9_9_P1~19 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=62bbf8f825cc390ecb0523752ddac1435006f206;p=thirdparty%2Fopenssh-portable.git upstream: Do not apply authorized_keys options when signature verification fails. Prevents restrictive key options being incorrectly applied to subsequent keys in authorized_keys. bz3733, ok markus@ OpenBSD-Commit-ID: ba3776d9da4642443c19dbc015a1333622eb5a4e --- diff --git a/monitor.c b/monitor.c index f4a835eee..4e68c4f80 100644 --- a/monitor.c +++ b/monitor.c @@ -1,4 +1,4 @@ -/* $OpenBSD: monitor.c,v 1.242 2024/09/09 02:39:57 djm Exp $ */ +/* $OpenBSD: monitor.c,v 1.243 2024/09/15 00:41:18 djm Exp $ */ /* * Copyright 2002 Niels Provos * Copyright 2002 Markus Friedl @@ -1496,7 +1496,7 @@ mm_answer_keyverify(struct ssh *ssh, int sock, struct sshbuf *m) } auth2_record_key(authctxt, ret == 0, key); - if (key_blobtype == MM_USERKEY) + if (key_blobtype == MM_USERKEY && ret == 0) auth_activate_options(ssh, key_opts); monitor_reset_key_state();
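Review bot: The new `&& ret == 0` condition in the mm_answer_keyverify() hunk of monitor.c carries no comment saying why options may only be activated after a successful verify, and the patch adds no regression test for the case the commit message describes. Suggest a short comment above `if (key_blobtype == MM_USERKEY && ret == 0)` stating that options from a key whose signature failed must not carry over to later keys in authorized_keys, plus a test where a key with restrictive options fails verification and a subsequent key succeeds, asserting that the session ends up with only the second key's options. As a smaller style point, `ret == 0` is now evaluated both in `auth2_record_key(authctxt, ret == 0, key);` and in the guard, so a single local flag would keep the two uses from drifting apart. The hunk also does not show what happens to `key_opts` when `ret != 0`; it is worth confirming that `monitor_reset_key_state()` disposes of it on that path.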