ssh: enforce source-address critical option for all auth methods#354
Open
al4an444 wants to merge 1 commit into
Open
ssh: enforce source-address critical option for all auth methods#354al4an444 wants to merge 1 commit into
al4an444 wants to merge 1 commit into
Conversation
CVE-2026-46595 added the source-address critical-option check to the publickey path's VerifiedPublicKeyCallback branch. The other auth methods that return *Permissions — "none", "password", "keyboard-interactive" and "gssapi-with-mic" — still returned their Permissions to the caller without validating the remote address, so a server that set Permissions.CriticalOptions["source-address"] from any of those callbacks got no enforcement, contrary to the documented behavior of the Permissions struct. Move the enforcement to a single check after the auth-method switch in userAuthLoop so it applies uniformly. The existing publickey-path checks are left in place as defense in depth.
Contributor
|
This PR (HEAD: 798f67c) has been imported to Gerrit for code review. Please visit Gerrit at https://go-review.googlesource.com/c/crypto/+/787860. Important tips:
|
Contributor
|
Message from Gopher Robot: Patch Set 1: (1 comment) Please don’t reply on this GitHub thread. Visit golang.org/cl/787860. |
Contributor
|
Message from Nicola Murino: Patch Set 3: (1 comment) Please don’t reply on this GitHub thread. Visit golang.org/cl/787860. |
Contributor
|
Message from Alan: Patch Set 3: (2 comments) Please don’t reply on this GitHub thread. Visit golang.org/cl/787860. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
CVE-2026-46595 (CL 781642) added the source-address critical-option check
to the publickey path's VerifiedPublicKeyCallback branch in userAuthLoop.
The other auth methods that return *Permissions ("none" via
NoClientAuthCallback, "password" via PasswordCallback,
"keyboard-interactive" via KeyboardInteractiveCallback, and
"gssapi-with-mic") still return their Permissions to the caller without
validating the remote address against CriticalOptions["source-address"].
The Permissions struct documentation states the package enforces the
source-address critical option, with no caveat that this is limited to
publickey. A server that sets the restriction from any non-publickey
callback (password auth scoped to a corporate range, keyboard-interactive
2FA, GSSAPI SSO, or break-glass none auth) currently gets no enforcement
and no warning to the operator.
This moves the enforcement to a single check after the auth-method switch
so it applies uniformly to every method. The existing publickey-path
checks are left in place as defense in depth.
A regression test (TestSourceAddressCriticalOptionNonPublicKey) covers the
none/password/keyboard-interactive methods; it fails on master and passes
with this change. The existing publickey control
(TestVerifiedPubKeyCallbackSourceAddress) continues to pass.
Updates golang/go#79570