Mercurial > kallithea
diff Apache-License-2.0.txt @ 8640:12824a48192d
ssh: verify SSH keys haven't been truncated
Ed Wong reported problems with a SSH key that accidentally was copy-pasted with
extra newlines. This truncation wasn't detected, so the truncated key was added
to authorized_keys where it obviously didn't work for sshd.
The base64 decoding would sometimes catch truncated keys - but not always. We
seem to have to look inside the key, parse it according to the RFCs, and verify
they contain the right amount of data for the key type.
It is an additional burden to have to parse SSH key internals just to validate
them. We could consider using some external method for validation. But the
explicit validation introduced here might be more spot-on for our needs.
author | Mads Kiilerich <mads@kiilerich.com> |
---|---|
date | Sat, 03 Oct 2020 23:17:48 +0200 |
parents | fd2dff0588bc |
children |