summaryrefslogtreecommitdiff
path: root/auth2-hostbased.c
diff options
context:
space:
mode:
authorColin Watson <cjwatson@ubuntu.com>2014-02-09 16:09:50 +0000
committerColin Watson <cjwatson@debian.org>2014-02-09 16:17:31 +0000
commit8909ff0e3cd07d1b042d1be1c8b8828dbf6c9a83 (patch)
treeebee4092f1411059e34da6f66b4ebd64f4411020 /auth2-hostbased.c
parent07f2a771c490bd68cd5c5ea9c535705e93bd94f3 (diff)
Reject vulnerable keys to mitigate Debian OpenSSL flaw
In 2008, Debian (and derived distributions such as Ubuntu) shipped an OpenSSL package with a flawed random number generator, causing OpenSSH to generate only a very limited set of keys which were subject to private half precomputation. To mitigate this, this patch checks key authentications against a blacklist of known-vulnerable keys, and adds a new ssh-vulnkey program which can be used to explicitly check keys against that blacklist. See CVE-2008-0166. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1469 Last-Update: 2013-09-14 Patch-Name: ssh-vulnkey.patch
Diffstat (limited to 'auth2-hostbased.c')
-rw-r--r--auth2-hostbased.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/auth2-hostbased.c b/auth2-hostbased.c
index a344dcc1f..3a17f1bf2 100644
--- a/auth2-hostbased.c
+++ b/auth2-hostbased.c
@@ -150,7 +150,7 @@ hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost,
150 int len; 150 int len;
151 char *fp; 151 char *fp;
152 152
153 if (auth_key_is_revoked(key)) 153 if (auth_key_is_revoked(key, 0))
154 return 0; 154 return 0;
155 155
156 resolvedname = get_canonical_hostname(options.use_dns); 156 resolvedname = get_canonical_hostname(options.use_dns);