From 4bd02cc8f39eeceb141428115c22327cf1b3a5ee Mon Sep 17 00:00:00 2001
From: Maria Matejka
Date: Mon, 3 Oct 2022 13:55:14 +0200
Subject: [PATCH] Fixed SSH client key validation

The strings.HasPrefix() call was used with flipped argument order, allowing incomplete rows in the authorized_keys file to any key matching that prefix. In worst case, a line like ecdsa-sha2-nistp256 with no key at all would match all keys of that type. On the other hand, when the key was followed by a comment as is common in authorized_keys files, it wasn't matched at all.
---
 cmd/stayrtr/stayrtr.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cmd/stayrtr/stayrtr.go b/cmd/stayrtr/stayrtr.go
index 0e49f8d..3d4c136 100644
--- a/cmd/stayrtr/stayrtr.go
+++ b/cmd/stayrtr/stayrtr.go
@@ -684,7 +684,7 @@ func run() error {
 if k == "" {
 continue
 }
- if strings.HasPrefix(fmt.Sprintf("%v %v", key.Type(), keyBase64), k) {
+ if strings.HasPrefix(k, fmt.Sprintf("%v %v", key.Type(), keyBase64)) {
 log.Infof("Connected (ssh-key): %v/%v with key %v %v (matched with line %v)", conn.User(), conn.RemoteAddr(), key.Type(), keyBase64, i+1)
 noKeys = true
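Review bot: The corrected `strings.HasPrefix(k, ...)` on the added line is still a textual prefix test rather than a key comparison: a line whose key field merely starts with the presented `type base64` text (no delimiter required after it) is accepted, and an authorized_keys line with a leading options field (`from="..." ssh-ed25519 ...`) can never match. Since `key.Type()` and `conn.User()` suggest the file already uses golang.org/x/crypto/ssh, parsing each line with `ssh.ParseAuthorizedKey` and comparing the marshaled blobs with `bytes.Equal(pub.Marshal(), key.Marshal())` gives an exact match and handles comments and options uniformly; malformed lines should be skipped, not matched. This needs `bytes` imported at file level, and `run()` starts and ends outside the hunk.
```go
// … unchanged: empty-line skip …
pub, _, _, _, err := ssh.ParseAuthorizedKey([]byte(k))
if err != nil {
	continue // malformed line: never treat it as a match
}
if bytes.Equal(pub.Marshal(), key.Marshal()) {
	log.Infof("Connected (ssh-key): %v/%v with key %v %v (matched with line %v)", conn.User(), conn.RemoteAddr(), key.Type(), keyBase64, i+1)
	// … unchanged: noKeys = true …
```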