===================================================================
RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/ssh/auth2-pubkey.c,v
retrieving revision 1.85
retrieving revision 1.86
diff -u -r1.85 -r1.86
--- src/usr.bin/ssh/auth2-pubkey.c	2018/08/28 12:25:53	1.85
+++ src/usr.bin/ssh/auth2-pubkey.c	2018/09/20 03:28:06	1.86
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-pubkey.c,v 1.85 2018/08/28 12:25:53 mestre Exp $ */
+/* $OpenBSD: auth2-pubkey.c,v 1.86 2018/09/20 03:28:06 djm Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  *
@@ -134,7 +134,13 @@
 		    __func__, sshkey_ssh_name(key));
 		goto done;
 	}
-
+	if ((r = sshkey_check_cert_sigtype(key,
+	    options.ca_sign_algorithms)) != 0) {
+		logit("%s: certificate signature algorithm %s: %s", __func__,
+		    (key->cert == NULL || key->cert->signature_type == NULL) ?
+		    "(null)" : key->cert->signature_type, ssh_err(r));
+		goto done;
+	}
 	key_s = format_key(key);
 	if (sshkey_is_cert(key))
 		ca_s = format_key(key->cert->signature_key);