From d2bb1ba889e7111fb0c80080afb7683ddfd6be2e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavol=20=C5=BD=C3=A1=C4=8Dik?=
Date: Tue, 9 Dec 2025 13:11:06 +0100
Subject: [PATCH] auth: do not prefer hostbound auth if there is no host key
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

If there is no host key (e.g., because we are doing gssapi-keyex with "null" host key algorithm), it does not make sense to use host bound authentication.

Signed-off-by: Pavol Žáčik
Reviewed-by: Jakub Jelen
Reviewed-by: Andreas Schneider
---
 src/auth.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/src/auth.c b/src/auth.c
index 574d0343..1e92fe12 100644
--- a/src/auth.c
+++ b/src/auth.c
@@ -548,7 +548,8 @@ static int build_pubkey_auth_request(ssh_session session,
 int rc;
 const char *auth_method = "publickey";
- if (session->extensions & SSH_EXT_PUBLICKEY_HOSTBOUND) {
+ if (session->extensions & SSH_EXT_PUBLICKEY_HOSTBOUND &&
+ session->current_crypto->server_pubkey != NULL) {
 auth_method = "publickey-hostbound-v00@openssh.com";
 }
@@ -567,7 +568,8 @@ static int build_pubkey_auth_request(ssh_session session,
 return SSH_ERROR;
 }
- if (session->extensions & SSH_EXT_PUBLICKEY_HOSTBOUND) {
+ if (session->extensions & SSH_EXT_PUBLICKEY_HOSTBOUND &&
+ session->current_crypto->server_pubkey != NULL) {
 rc = add_hostbound_pubkey(session);
 if (rc < 0) {
 return SSH_ERROR;
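Review bot: The host-bound predicate is now spelled out twice in build_pubkey_auth_request, once where auth_method is chosen (first hunk) and once where add_hostbound_pubkey() is called (second hunk), and the two copies must always agree or the request would name one method while carrying the other's payload. Evaluating it once, e.g. `int hostbound = (session->extensions & SSH_EXT_PUBLICKEY_HOSTBOUND) && session->current_crypto->server_pubkey != NULL;`, and testing `if (hostbound) {` in both places removes that risk and makes the `&`/`&&` grouping explicit. A short comment such as `/* No server host key (e.g. gssapi-keyex with the "null" algorithm): fall back to plain "publickey" */` would record that dropping the host binding is deliberate rather than an accidental downgrade. The new test also dereferences session->current_crypto with no NULL check visible; presumably it is always set by the time authentication starts, but the function body extends outside both hunks, so that cannot be confirmed from here.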