authorColin Watson <cjwatson@debian.org>2008-05-25 23:24:33 +0000
committerColin Watson <cjwatson@debian.org>2008-05-25 23:24:33 +0000
commitd61c655626e74e65dba34e4e9d5aa6616cc72f93 (patch)
tree039e0946fb19b073b13605142e5737875107dba9
parentfe3af0a26497234bbae83a25fadf81a78cf2cf66 (diff)
Log IP addresses of hosts attempting to use blacklisted keys (closes:
#481721).
-rw-r--r--auth-rh-rsa.c10
-rw-r--r--auth-rsa.c11
-rw-r--r--auth2-hostbased.c10
-rw-r--r--auth2-pubkey.c10
-rw-r--r--debian/changelog2
5 files changed, 27 insertions, 16 deletions
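--- a/auth-rh-rsa.c
+++ b/auth-rh-rsa.c
@@ -50,11 +50,13 @@ auth_rhosts_rsa_key_allowed(struct passwd *pw, char *cuser, char *chost,
 if (blacklisted_key(client_host_key) == 1) {
 fp = key_fingerprint(client_host_key, SSH_FP_MD5, SSH_FP_HEX);
 if (options.permit_blacklisted_keys)
-logit("Public key %s blacklisted (see "
-"ssh-vulnkey(1)); continuing anyway", fp);
+logit("Public key %s from %s blacklisted (see "
+"ssh-vulnkey(1)); continuing anyway",
+fp, get_remote_ipaddr());
 else
-logit("Public key %s blacklisted (see "
-"ssh-vulnkey(1))", fp);
+logit("Public key %s from %s blacklisted (see "
+"ssh-vulnkey(1))",
+fp, get_remote_ipaddr());
 xfree(fp);
 if (!options.permit_blacklisted_keys)
 return 0;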
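Review bot: The new message records the source address but still not the account the key was offered for, so a log reader cannot tell which user a blacklisted key was aimed at without correlating other lines. `pw` is already a parameter of auth_rhosts_rsa_key_allowed, so both logit calls could use the format `"Public key %s from %s blacklisted for user %s (see "` with `fp, get_remote_ipaddr(), pw->pw_name` as arguments; this assumes `pw` is non-NULL at this point, which the hunk does not show. The same applies to the matching hunks in auth-rsa.c, auth2-hostbased.c and auth2-pubkey.c, whose signatures also take `struct passwd *pw`. The function body starts and ends outside the hunk.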
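--- a/auth-rsa.c
+++ b/auth-rsa.c
@@ -42,6 +42,7 @@
 #include "hostfile.h"
 #include "authfile.h"
 #include "auth.h"
+#include "canohost.h"
 #ifdef GSSAPI
 #include "ssh-gss.h"
 #endif
@@ -270,11 +271,13 @@ auth_rsa_key_allowed(struct passwd *pw, BIGNUM *client_n, Key **rkey)
 if (blacklisted_key(key) == 1) {
 fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
 if (options.permit_blacklisted_keys)
-logit("Public key %s blacklisted (see "
-"ssh-vulnkey(1)); continuing anyway", fp);
+logit("Public key %s from %s blacklisted (see "
+"ssh-vulnkey(1)); continuing anyway",
+fp, get_remote_ipaddr());
 else
-logit("Public key %s blacklisted (see "
-"ssh-vulnkey(1))", fp);
+logit("Public key %s from %s blacklisted (see "
+"ssh-vulnkey(1))",
+fp, get_remote_ipaddr());
 xfree(fp);
 if (!options.permit_blacklisted_keys)
 continue;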
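Review bot: The two logit calls in the second hunk differ only in the trailing "; continuing anyway", and the same block is repeated in auth-rh-rsa.c, auth2-hostbased.c and auth2-pubkey.c, so any later change to the message has to be made in eight places to keep log parsers and alerting rules matching. A single call keeps the text in one spot: `logit("Public key %s from %s blacklisted (see ssh-vulnkey(1))%s", fp, get_remote_ipaddr(), options.permit_blacklisted_keys ? "; continuing anyway" : "");`. Only this file gains `#include "canohost.h"`; presumably the other three already include it, which is worth confirming since get_remote_ipaddr() is now called in all four. The loop that the `continue` belongs to lies outside the hunk.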
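--- a/auth2-hostbased.c
+++ b/auth2-hostbased.c
@@ -150,11 +150,13 @@ hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost,
 if (blacklisted_key(key) == 1) {
 fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
 if (options.permit_blacklisted_keys)
-logit("Public key %s blacklisted (see "
-"ssh-vulnkey(1)); continuing anyway", fp);
+logit("Public key %s from %s blacklisted (see "
+"ssh-vulnkey(1)); continuing anyway",
+fp, get_remote_ipaddr());
 else
-logit("Public key %s blacklisted (see "
-"ssh-vulnkey(1))", fp);
+logit("Public key %s from %s blacklisted (see "
+"ssh-vulnkey(1))",
+fp, get_remote_ipaddr());
 xfree(fp);
 if (!options.permit_blacklisted_keys)
 return 0;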
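--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -277,11 +277,13 @@ user_key_allowed(struct passwd *pw, Key *key)
 if (blacklisted_key(key) == 1) {
 fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
 if (options.permit_blacklisted_keys)
-logit("Public key %s blacklisted (see "
-"ssh-vulnkey(1)); continuing anyway", fp);
+logit("Public key %s from %s blacklisted (see "
+"ssh-vulnkey(1)); continuing anyway",
+fp, get_remote_ipaddr());
 else
-logit("Public key %s blacklisted (see "
-"ssh-vulnkey(1))", fp);
+logit("Public key %s from %s blacklisted (see "
+"ssh-vulnkey(1))",
+fp, get_remote_ipaddr());
 xfree(fp);
 if (!options.permit_blacklisted_keys)
 return 0;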
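--- a/debian/changelog
+++ b/debian/changelog
@@ -37,6 +37,8 @@ openssh (1:4.7p1-11) UNRELEASED; urgency=low
 closes: #481151).
 * Restore OOM killer adjustment for child processes (thanks, Vaclav Ovsik;
 closes: #480020).
+* Log IP addresses of hosts attempting to use blacklisted keys (closes:
+#481721).
 
 -- Colin Watson <cjwatson@debian.org> Sat, 17 May 2008 08:48:45 +0200
 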