Closed mwielgoszewski closed 6 years ago
Thank you for the find and the fix.
This was caused by the change here: https://github.com/golang/crypto/commit/7e9105388ebff089b3f99f0ef676ea55a6da3a7e
Any builds after that change was committed to golang's x/crypto package have this bug.
In a commit to upstream
x/crypto/ssh
, theCheckCert
function ofssh.CertChecker
interface no longer callsIsUserAuthority
function here.Not calling the function we assign to
IsUserAuthority
here results in a security vulnerability allowing any SSH key signature (other than that of the requester's) to sign a certificate request. A requester may bypass m-of-n controls by generating a new key and signing their own request with that key.This PR mitigates this vulnerability by explicitly calling the
IsUserAuthority
function.