===================================================================
RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/ssh/auth2-pubkey.c,v
retrieving revision 1.72
retrieving revision 1.73
diff -u -r1.72 -r1.73
--- src/usr.bin/ssh/auth2-pubkey.c	2017/12/18 02:25:15	1.72
+++ src/usr.bin/ssh/auth2-pubkey.c	2017/12/19 00:24:34	1.73
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-pubkey.c,v 1.72 2017/12/18 02:25:15 djm Exp $ */
+/* $OpenBSD: auth2-pubkey.c,v 1.73 2017/12/19 00:24:34 djm Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  *
@@ -70,13 +70,24 @@
 extern u_char *session_id2;
 extern u_int session_id2_len;
 
+static char *
+format_key(const struct sshkey *key)
+{
+	char *ret, *fp = sshkey_fingerprint(key,
+	    options.fingerprint_hash, SSH_FP_DEFAULT);
+
+	xasprintf(&ret, "%s %s", sshkey_type(key), fp);
+	free(fp);
+	return ret;
+}
+
 static int
 userauth_pubkey(struct ssh *ssh)
 {
 	Authctxt *authctxt = ssh->authctxt;
 	struct sshbuf *b;
 	struct sshkey *key = NULL;
-	char *pkalg, *userstyle = NULL, *fp = NULL;
+	char *pkalg, *userstyle = NULL, *key_s = NULL, *ca_s = NULL;
 	u_char *pkblob, *sig, have_sig;
 	size_t blen, slen;
 	int r, pktype;
@@ -132,7 +143,6 @@
 		    "signature scheme");
 		goto done;
 	}
-	fp = sshkey_fingerprint(key, options.fingerprint_hash, SSH_FP_DEFAULT);
 	if (auth2_key_already_used(authctxt, key)) {
 		logit("refusing previously-used %s key", sshkey_type(key));
 		goto done;
@@ -144,9 +154,15 @@
 		goto done;
 	}
 
+	key_s = format_key(key);
+	if (sshkey_is_cert(key))
+		ca_s = format_key(key->cert->signature_key);
+
 	if (have_sig) {
-		debug3("%s: have signature for %s %s",
-		    __func__, sshkey_type(key), fp);
+		debug3("%s: have %s signature for %s%s%s",
+		    __func__, pkalg, key_s,
+		    ca_s == NULL ? "" : " CA ",
+		    ca_s == NULL ? "" : ca_s);
 		if ((r = sshpkt_get_string(ssh, &sig, &slen)) != 0 ||
 		    (r = sshpkt_get_end(ssh)) != 0)
 			fatal("%s: %s", __func__, ssh_err(r));
@@ -202,8 +218,11 @@
 		free(sig);
 		auth2_record_key(authctxt, authenticated, key);
 	} else {
-		debug("%s: test whether pkalg/pkblob are acceptable for %s %s",
-		    __func__, sshkey_type(key), fp);
+		debug("%s: test pkalg %s pkblob %s%s%s",
+		    __func__, pkalg, key_s,
+		    ca_s == NULL ? "" : " CA ",
+		    ca_s == NULL ? "" : ca_s);
+
 		if ((r = sshpkt_get_end(ssh)) != 0)
 			fatal("%s: %s", __func__, ssh_err(r));
 
@@ -234,7 +253,8 @@
 	free(userstyle);
 	free(pkalg);
 	free(pkblob);
-	free(fp);
+	free(key_s);
+	free(ca_s);
 	return authenticated;
 }