Skip to content

Commit

Permalink
Connection: authorized_keys must be a regular file
Browse files Browse the repository at this point in the history 
An additional security measure against DoS attempts with a FIFO.
  • Loading branch information
@MaxKellermann
MaxKellermann committed Nov 19, 2024
1 parent 1155e92 commit dc06241
Showing 1 changed file with 8 additions and 3 deletions.
11 changes: 8 additions & 3 deletions src/Connection.cxx
View file
Original file line number Diff line number Diff line change
Expand Up @@ -61,6 +61,7 @@

#include <fcntl.h> // for O_*
#include <pwd.h>
#include <sys/stat.h>

using std::string_view_literals::operator""sv;

Expand Down Expand Up @@ -373,9 +374,13 @@ Connection::IsAcceptedPublicKey(std::span<const std::byte> public_key_blob) noex

if (ShouldLoadHomeAuthorizedKeys()) {
if (auto fd = co_await OpenInHome(".ssh/authorized_keys"); fd.IsDefined()) {
if (auto options = PublicKeysTextFileContains(fd, public_key_blob)) {
authorized_key_options = std::move(*options);
co_return true;
if (struct stat st;
fstat(fd.Get(), &st) == 0 &&
S_ISREG(st.st_mode) && st.st_size < 1024 * 1024) {
if (auto options = PublicKeysTextFileContains(fd, public_key_blob)) {
authorized_key_options = std::move(*options);
co_return true;
}
}
}
}
Expand Down

0 comments on commit dc06241

Please sign in to comment.