Check compromised key blacklist in ssh or ssh-add, as well as in the

server (LP: #232391). To override the blacklist check in ssh
temporarily, use 'ssh -o UseBlacklistedKeys=yes'; there is no override
for the blacklist check in ssh-add.

7 files changed, 60 insertions, 3 deletions

diff --git a/debian/changelog b/debian/changelog
index d3651d9c0..cb05066eb 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -2,6 +2,10 @@ openssh (1:4.7p1-13) UNRELEASED; urgency=low
 
   * Add some helpful advice to the end of ssh-vulnkey's output if there are
     unknown or compromised keys (thanks, Dan Jacobson; closes: #483756).
+  * Check compromised key blacklist in ssh or ssh-add, as well as in the
+    server (LP: #232391). To override the blacklist check in ssh
+    temporarily, use 'ssh -o UseBlacklistedKeys=yes'; there is no override
+    for the blacklist check in ssh-add.
 
  -- Colin Watson <cjwatson@debian.org>  Fri, 30 May 2008 23:26:25 +0100
 
diff --git a/readconf.c b/readconf.c
index 0999f28e3..07f5775d5 100644
--- a/readconf.c
+++ b/readconf.c
@@ -125,6 +125,7 @@ typedef enum {
         oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication,
         oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias,
         oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication,
+        oUseBlacklistedKeys,
         oHostKeyAlgorithms, oBindAddress, oSmartcardDevice,
         oClearAllForwardings, oNoHostAuthenticationForLocalhost,
         oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
@@ -155,6 +156,7 @@ static struct {
         { "passwordauthentication", oPasswordAuthentication },
         { "kbdinteractiveauthentication", oKbdInteractiveAuthentication },
         { "kbdinteractivedevices", oKbdInteractiveDevices },
+        { "useblacklistedkeys", oUseBlacklistedKeys },
         { "rsaauthentication", oRSAAuthentication },
         { "pubkeyauthentication", oPubkeyAuthentication },
         { "dsaauthentication", oPubkeyAuthentication },             /* alias */
@@ -448,6 +450,10 @@ parse_flag:
                 intptr = &options->challenge_response_authentication;
                 goto parse_flag;
 
+        case oUseBlacklistedKeys:
+                intptr = &options->use_blacklisted_keys;
+                goto parse_flag;
+
         case oGssAuthentication:
                 intptr = &options->gss_authentication;
                 goto parse_flag;
@@ -1061,6 +1067,7 @@ initialize_options(Options * options)
         options->kbd_interactive_devices = NULL;
         options->rhosts_rsa_authentication = -1;
         options->hostbased_authentication = -1;
+        options->use_blacklisted_keys = -1;
         options->batch_mode = -1;
         options->check_host_ip = -1;
         options->strict_host_key_checking = -1;
@@ -1159,6 +1166,8 @@ fill_default_options(Options * options)
                 options->rhosts_rsa_authentication = 0;
         if (options->hostbased_authentication == -1)
                 options->hostbased_authentication = 0;
+        if (options->use_blacklisted_keys == -1)
+                options->use_blacklisted_keys = 0;
         if (options->batch_mode == -1)
                 options->batch_mode = 0;
         if (options->check_host_ip == -1)
diff --git a/readconf.h b/readconf.h
index a7d9200b5..eb236fc5c 100644
--- a/readconf.h
+++ b/readconf.h
@@ -51,6 +51,7 @@ typedef struct {
                                                  * authentication. */
         int     kbd_interactive_authentication; /* Try keyboard-interactive auth. */
         char    *kbd_interactive_devices; /* Keyboard-interactive auth devices. */
+        int     use_blacklisted_keys;   /* If true, send */
         int     batch_mode;     /* Batch mode: do not ask for passwords. */
         int     check_host_ip;  /* Also keep track of keys for IP address */
         int     strict_host_key_checking;       /* Strict host key checking. */
diff --git a/ssh-add.c b/ssh-add.c
index 4dc46f6db..f3e30a24d 100644
--- a/ssh-add.c
+++ b/ssh-add.c
@@ -138,7 +138,7 @@ static int
 add_file(AuthenticationConnection *ac, const char *filename)
 {
         Key *private;
-        char *comment = NULL;
+        char *comment = NULL, *fp;
         char msg[1024];
         int fd, perms_ok, ret = -1;
 
@@ -183,6 +183,14 @@ add_file(AuthenticationConnection *ac, const char *filename)
                             "Bad passphrase, try again for %.200s: ", comment);
                 }
         }
+        if (blacklisted_key(private, &fp) == 1) {
+                fprintf(stderr, "Public key %s blacklisted (see "
+                    "ssh-vulnkey(1)); refusing to add it\n", fp);
+                xfree(fp);
+                key_free(private);
+                xfree(comment);
+                return -1;
+        }
 
         if (ssh_add_identity_constrained(ac, private, comment, lifetime,
             confirm)) {
diff --git a/ssh.c b/ssh.c
index a7f448bb6..0f4756ef2 100644
--- a/ssh.c
+++ b/ssh.c
@@ -1218,7 +1218,7 @@ ssh_session2(void)
 static void
 load_public_identity_files(void)
 {
-        char *filename, *cp, thishost[NI_MAXHOST];
+        char *filename, *cp, thishost[NI_MAXHOST], *fp;
         int i = 0;
         Key *public;
         struct passwd *pw;
@@ -1260,6 +1260,22 @@ load_public_identity_files(void)
                 public = key_load_public(filename, NULL);
                 debug("identity file %s type %d", filename,
                     public ? public->type : -1);
+                if (blacklisted_key(public, &fp) == 1) {
+                        if (options.use_blacklisted_keys)
+                                logit("Public key %s blacklisted (see "
+                                    "ssh-vulnkey(1)); continuing anyway", fp);
+                        else
+                                logit("Public key %s blacklisted (see "
+                                    "ssh-vulnkey(1)); refusing to send it",
+                                    fp);
+                        xfree(fp);
+                        if (!options.use_blacklisted_keys) {
+                                key_free(public);
+                                xfree(filename);
+                                filename = NULL;
+                                public = NULL;
+                        }
+                }
                 xfree(options.identity_files[i]);
                 options.identity_files[i] = filename;
                 options.identity_keys[i] = public;
diff --git a/ssh_config.5 b/ssh_config.5
index b048a54f5..411e9fd34 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -1056,6 +1056,23 @@ is not specified, it defaults to
 .Dq any .
 The default is
 .Dq any:any .
+.It Cm UseBlacklistedKeys
+Specifies whether
+.Xr ssh 1
+should use keys recorded in its blacklist of known-compromised keys (see
+.Xr ssh-vulnkey 1 )
+for authentication.
+If
+.Dq yes ,
+then attempts to use compromised keys for authentication will be logged but
+accepted.
+It is strongly recommended that this be used only to install new authorized
+keys on the remote system, and even then only with the utmost care.
+If
+.Dq no ,
+then attempts to use compromised keys for authentication will be prevented.
+The default is
+.Dq no .
 .It Cm UsePrivilegedPort
 Specifies whether to use a privileged port for outgoing connections.
 The argument must be
diff --git a/sshconnect2.c b/sshconnect2.c
index e11cfaa00..97073e401 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -1156,6 +1156,8 @@ pubkey_prepare(Authctxt *authctxt)
 
         /* list of keys stored in the filesystem */
         for (i = 0; i < options.num_identity_files; i++) {
+                if (options.identity_files[i] == NULL)
+                        continue;
                 key = options.identity_keys[i];
                 if (key && key->type == KEY_RSA1)
                         continue;
@@ -1246,7 +1248,7 @@ userauth_pubkey(Authctxt *authctxt)
                 if (id->key && id->key->type != KEY_RSA1) {
                         debug("Offering public key: %s", id->filename);
                         sent = send_pubkey_test(authctxt, id);
-                } else if (id->key == NULL) {
+                } else if (id->key == NULL && id->filename) {
                         debug("Trying private key: %s", id->filename);
                         id->key = load_identity_file(id->filename);
                         if (id->key != NULL) {