author | Colin Watson <cjwatson@debian.org> | 2008-05-25 23:24:33 +0000 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2008-05-25 23:24:33 +0000 |
commit | d61c655626e74e65dba34e4e9d5aa6616cc72f93 (patch) | |
tree | 039e0946fb19b073b13605142e5737875107dba9 | |
parent | fe3af0a26497234bbae83a25fadf81a78cf2cf66 (diff) |
Log IP addresses of hosts attempting to use blacklisted keys (closes:
#481721).
-rw-r--r-- | auth-rh-rsa.c | 10 | ||||
-rw-r--r-- | auth-rsa.c | 11 | ||||
-rw-r--r-- | auth2-hostbased.c | 10 | ||||
-rw-r--r-- | auth2-pubkey.c | 10 | ||||
-rw-r--r-- | debian/changelog | 2 |
5 files changed, 27 insertions, 16 deletions
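--- a/auth-rh-rsa.c
+++ b/auth-rh-rsa.c
@@ -50,11 +50,13 @@ auth_rhosts_rsa_key_allowed(struct passwd *pw, char *cuser, char *chost,
 if (blacklisted_key(client_host_key) == 1) {
 fp = key_fingerprint(client_host_key, SSH_FP_MD5, SSH_FP_HEX);
 if (options.permit_blacklisted_keys)
-logit("Public key %s blacklisted (see "
-"ssh-vulnkey(1)); continuing anyway", fp);
+logit("Public key %s from %s blacklisted (see "
+"ssh-vulnkey(1)); continuing anyway",
+fp, get_remote_ipaddr());
 else
-logit("Public key %s blacklisted (see "
-"ssh-vulnkey(1))", fp);
+logit("Public key %s from %s blacklisted (see "
+"ssh-vulnkey(1))",
+fp, get_remote_ipaddr());
 xfree(fp);
 if (!options.permit_blacklisted_keys)
 return 0;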
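Review bot: The message at new lines 53-59 still says "Public key", although the key tested here is `client_host_key`, so a log reader cannot tell a blacklisted client host key from a blacklisted user key; auth-rsa.c and auth2-pubkey.c emit the identical text, and auth2-hostbased.c appears to have the same ambiguity. Since the change exists to make these entries actionable, consider naming the key type in the two host-based files, e.g. `logit("Client host key %s from %s blacklisted (see "` with the arguments unchanged. Any log-matching rules keyed on the existing wording would need updating along with it. The body of auth_rhosts_rsa_key_allowed starts and ends outside the hunk.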
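--- a/auth-rsa.c
+++ b/auth-rsa.c
@@ -42,6 +42,7 @@
 #include "hostfile.h"
 #include "authfile.h"
 #include "auth.h"
+#include "canohost.h"
 #ifdef GSSAPI
 #include "ssh-gss.h"
 #endif
@@ -270,11 +271,13 @@ auth_rsa_key_allowed(struct passwd *pw, BIGNUM *client_n, Key **rkey)
 if (blacklisted_key(key) == 1) {
 fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
 if (options.permit_blacklisted_keys)
-logit("Public key %s blacklisted (see "
-"ssh-vulnkey(1)); continuing anyway", fp);
+logit("Public key %s from %s blacklisted (see "
+"ssh-vulnkey(1)); continuing anyway",
+fp, get_remote_ipaddr());
 else
-logit("Public key %s blacklisted (see "
-"ssh-vulnkey(1))", fp);
+logit("Public key %s from %s blacklisted (see "
+"ssh-vulnkey(1))",
+fp, get_remote_ipaddr());
 xfree(fp);
 if (!options.permit_blacklisted_keys)
 continue;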
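Review bot: `#include "canohost.h"` is added only in this file, while auth-rh-rsa.c, auth2-hostbased.c and auth2-pubkey.c gain the same `get_remote_ipaddr()` calls with no include change visible in their hunks. If any of them does not already pull in canohost.h, the call is implicitly declared as returning `int`, and the pointer handed to `%s` can be truncated on 64-bit builds. Confirm each of the three files includes the header; building with `-Werror=implicit-function-declaration` would catch a miss. The second hunk sits inside auth_rsa_key_allowed, whose body starts and ends outside the hunk.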
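--- a/auth2-hostbased.c
+++ b/auth2-hostbased.c
@@ -150,11 +150,13 @@ hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost,
 if (blacklisted_key(key) == 1) {
 fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
 if (options.permit_blacklisted_keys)
-logit("Public key %s blacklisted (see "
-"ssh-vulnkey(1)); continuing anyway", fp);
+logit("Public key %s from %s blacklisted (see "
+"ssh-vulnkey(1)); continuing anyway",
+fp, get_remote_ipaddr());
 else
-logit("Public key %s blacklisted (see "
-"ssh-vulnkey(1))", fp);
+logit("Public key %s from %s blacklisted (see "
+"ssh-vulnkey(1))",
+fp, get_remote_ipaddr());
 xfree(fp);
 if (!options.permit_blacklisted_keys)
 return 0;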
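--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -277,11 +277,13 @@ user_key_allowed(struct passwd *pw, Key *key)
 if (blacklisted_key(key) == 1) {
 fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
 if (options.permit_blacklisted_keys)
-logit("Public key %s blacklisted (see "
-"ssh-vulnkey(1)); continuing anyway", fp);
+logit("Public key %s from %s blacklisted (see "
+"ssh-vulnkey(1)); continuing anyway",
+fp, get_remote_ipaddr());
 else
-logit("Public key %s blacklisted (see "
-"ssh-vulnkey(1))", fp);
+logit("Public key %s from %s blacklisted (see "
+"ssh-vulnkey(1))",
+fp, get_remote_ipaddr());
 xfree(fp);
 if (!options.permit_blacklisted_keys)
 return 0;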
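Review bot: The log entry at new lines 280-286 records the fingerprint and source address but not the account being targeted, although `pw` is in scope in user_key_allowed. In the `permit_blacklisted_keys` branch authentication continues, so the line that flags a known-weak key should identify the account on its own rather than depend on correlation with a later entry. Consider `"Public key %s from %s for user %s blacklisted (see "` with `fp, get_remote_ipaddr(), pw->pw_name`. The same applies to the matching blocks in auth-rh-rsa.c, auth-rsa.c and auth2-hostbased.c. The function body starts and ends outside the hunk.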
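--- a/debian/changelog
+++ b/debian/changelog
@@ -37,6 +37,8 @@ openssh (1:4.7p1-11) UNRELEASED; urgency=low
 closes: #481151).
 * Restore OOM killer adjustment for child processes (thanks, Vaclav Ovsik;
 closes: #480020).
+* Log IP addresses of hosts attempting to use blacklisted keys (closes:
+#481721).
 
 -- Colin Watson <cjwatson@debian.org> Sat, 17 May 2008 08:48:45 +0200
 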