From 12eb64de73f56ea68feb73d699e4cc8cfeb2e7cd Mon Sep 17 00:00:00 2001
From: Gusted
Date: Tue, 1 Aug 2023 00:29:34 +0200
Subject: [PATCH] restrict certificate type for builtin SSH server

- While doing some sanity checks over OpenSSH's code for how they handle certificates authentication. I stumbled on an condition that checks the certificate type is really an user certificate on the server-side authentication. This checks seems to be a formality and just for the sake of good domain seperation, because an user and host certificate don't differ in their generation, verification or flags that can be included.
- Add this check to the builtin SSH server to stay close to the unwritten SSH specification.
- This is an breaking change for setups where the builtin SSH server is being used and for some reason host certificates were being used for authentication.
(cherry picked from commit de35b141b79a3d6efe2127ed2c73fd481515e481)
Refs: https://codeberg.org/forgejo/forgejo/pulls/1172
---
 modules/ssh/ssh.go | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/modules/ssh/ssh.go b/modules/ssh/ssh.go
index a5af5c129b8b8..37624ab679c86 100644
--- a/modules/ssh/ssh.go
+++ b/modules/ssh/ssh.go
@@ -191,6 +191,12 @@ func publicKeyHandler(ctx ssh.Context, key ssh.PublicKey) bool {
 return false
 }

+ if cert.CertType != gossh.UserCert {
+ log.Warn("Certificate Rejected: Not a user certificate")
+ log.Warn("Failed authentication attempt from %s", ctx.RemoteAddr())
+ return false
+ }
+
 // look for the exact principal
 principalLoop:
 for _, principal := range cert.ValidPrincipals {
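Review bot: The new rejection branch in publicKeyHandler logs only a fixed string, so an operator affected by the breaking change the description mentions cannot tell from the log what kind of certificate was refused. Including the received type, e.g. `log.Warn("Certificate Rejected: Not a user certificate (type %d)", cert.CertType)`, would make that diagnosable, and since the value is formatted as a number no client-supplied text reaches the log. The diffstat shows only modules/ssh/ssh.go changed, so a test that presents a host certificate to the handler and expects a refusal would be worth adding to pin this authentication boundary. publicKeyHandler starts and ends outside the hunk, so how this check is ordered relative to signature verification cannot be confirmed from here.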