Merge pull request '[GITEA] Restrict certificate type for builtin SSH server' (#1172) from Gusted/forgejo:forgejo-cert-user into forgejo-dependency

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/1172

modules/ssh/ssh.go

@@ -186,6 +186,12 @@ func publicKeyHandler(ctx ssh.Context, key ssh.PublicKey) bool {
 			return false
 		}
 
+		if cert.CertType != gossh.UserCert {
+			log.Warn("Certificate Rejected: Not a user certificate")
+			log.Warn("Failed authentication attempt from %s", ctx.RemoteAddr())
+			return false
+		}
+
 		// look for the exact principal
 	principalLoop:
 		for _, principal := range cert.ValidPrincipals {