From 74c88c321722caafc39cfadad3e7ff88bf391c0f Mon Sep 17 00:00:00 2001
From: Gusted <postmaster@gusted.xyz>
Date: Tue, 1 Aug 2023 00:29:34 +0200
Subject: [PATCH] [GITEA] Restrict certificate type for builtin SSH server

- While doing some sanity checks over OpenSSH's code for how they
handle certificates authentication. I stumbled on an condition that
checks the certificate type is really an user certificate on the
server-side authentication. This checks seems to be a formality and just
for the sake of good domain seperation, because an user and host
certificate don't differ in their generation, verification or flags that
can be included.
- Add this check to the builtin SSH server to stay close to the
unwritten SSH specification.
- This is an breaking change for setups where the builtin SSH server is
being used and for some reason host certificates were being used for
authentication.
---
 modules/ssh/ssh.go | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/modules/ssh/ssh.go b/modules/ssh/ssh.go
index 923fa51d22..f8e4f569b8 100644
--- a/modules/ssh/ssh.go
+++ b/modules/ssh/ssh.go
@@ -186,6 +186,12 @@ func publicKeyHandler(ctx ssh.Context, key ssh.PublicKey) bool {
 			return false
 		}
 
+		if cert.CertType != gossh.UserCert {
+			log.Warn("Certificate Rejected: Not a user certificate")
+			log.Warn("Failed authentication attempt from %s", ctx.RemoteAddr())
+			return false
+		}
+
 		// look for the exact principal
 	principalLoop:
 		for _, principal := range cert.ValidPrincipals {