From 713374b7abb397bf8be58acd05e303b2da39ed86 Mon Sep 17 00:00:00 2001
From: Daniel Wallace
Date: Tue, 20 Feb 2018 17:43:53 -0700
Subject: [PATCH] If no pubkey is passed in openmode fail

If the pub entry in the load is empty, we should fail authentication in open mode. This is usually caught elsewhere for the other modes, because we would just write it to a file, but in this case, we only write it to a file if it actually exists, and if it is different from disk_key, so we would catch all other options when trying to load the public key.

Fixes #46085
---
 salt/transport/mixins/auth.py | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/salt/transport/mixins/auth.py b/salt/transport/mixins/auth.py
index df4c3b57d4..4a4669ce83 100644
--- a/salt/transport/mixins/auth.py
+++ b/salt/transport/mixins/auth.py
@@ -420,6 +420,10 @@ class AESReqServerMixin(object):
 log.debug('Host key change detected in open mode.')
 with salt.utils.files.fopen(pubfn, 'w+') as fp_:
 fp_.write(load['pub'])
+ elif not load['pub']:
+ log.error('Public key is empty: {0}'.format(load['id']))
+ return {'enc': 'clear',
+ 'load': {'ret': False}}
 pub = None
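Review bot: The new `elif not load['pub']:` check rejects only a falsy value and sits after the branch that calls `fp_.write(load['pub'])`, so whether a whitespace-only or otherwise unusable key from the unauthenticated load is stopped here depends on the preceding `if`, whose condition is outside this hunk. Rejecting the key before the open-mode branch touches the key file at all would make the failure path independent of that ordering, for example a guard such as `if not load['pub'] or not load['pub'].strip():` placed ahead of the comparison with `disk_key` that the commit message describes. `load['id']` is also peer-supplied, so passing it as a logging argument, `log.error('Public key is empty: %s', load['id'])`, avoids eager formatting; whether the id has been validated earlier in the method is not visible here. The enclosing method starts and ends outside the hunk.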