author | Colin Watson <cjwatson@debian.org> | 2008-05-12 23:33:01 +0000 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2008-05-12 23:33:01 +0000 |
commit | 47608c17e64138f8d16aa2bdc49a0eb00e1c3549 (patch) | |
tree | 92572d90b9aa8f45c0d9e6dbb185065667fdcea0 /auth2-pubkey.c | |
parent | 19ccea525446d5a3c2a176d813c505be81b91cbf (diff) |
* Mitigate OpenSSL security vulnerability:
- Add key blacklisting support. Keys listed in
/etc/ssh/blacklist.TYPE-LENGTH will be rejected for authentication by
sshd, unless "PermitBlacklistedKeys yes" is set in
/etc/ssh/sshd_config.
- Add a new program, ssh-vulnkey, which can be used to check keys
against these blacklists.
- Depend on openssh-blacklist.
- Force dependencies on libssl0.9.8 / libcrypto0.9.8-udeb to at least
0.9.8g-9.
- Automatically regenerate known-compromised host keys, with a
critical-priority debconf note. (I regret that there was no time to
gather translations.)
Diffstat (limited to 'auth2-pubkey.c')
-rw-r--r-- | auth2-pubkey.c | 15 |
1 files changed, 15 insertions, 0 deletions
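--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -42,6 +42,7 @@
 #include "compat.h"
 #include "key.h"
 #include "hostfile.h"
+#include "authfile.h"
 #include "auth.h"
 #include "pathnames.h"
 #include "uidswap.h"
@@ -269,9 +270,23 @@ user_key_allowed2(struct passwd *pw, Key *key, char *file)
 int
 user_key_allowed(struct passwd *pw, Key *key)
 {
+	char *fp;
 	int success;
 	char *file;
 
+	if (blacklisted_key(key)) {
+		fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
+		if (options.permit_blacklisted_keys)
+			logit("Public key %s blacklisted (see "
+			    "ssh-vulnkey(1)); continuing anyway", fp);
+		else
+			logit("Public key %s blacklisted (see "
+			    "ssh-vulnkey(1))", fp);
+		xfree(fp);
+		if (!options.permit_blacklisted_keys)
+			return 0;
+	}
+
 	file = authorized_keys_file(pw);
 	success = user_key_allowed2(pw, key, file);
 	xfree(file);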
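Review bot: The new block in user_key_allowed tests options.permit_blacklisted_keys twice and duplicates the logit call, so the two messages can drift apart the next time someone edits one of them; a single call with a conditional suffix is shorter and keeps one string to maintain: `logit("Public key %s blacklisted (see ssh-vulnkey(1))%s", fp,` / `    options.permit_blacklisted_keys ? "; continuing anyway" : "");` followed by the existing `xfree(fp);` and the return check. The ordering is also worth a comment, since the blacklist is consulted before authorized_keys is read and therefore applies to every key a client offers, not only keys the user has installed — something like `/* Reject known-compromised keys before consulting authorized_keys; PermitBlacklistedKeys overrides this with a log entry. */` above the if. If user_key_allowed is also reached for unsigned key probes (not visible here), note that each probe of a blacklisted key produces one of these log lines before any authentication succeeds, which is fine for detection but should be kept in mind when sizing log handling. The function's remainder (the return of success) lies outside the hunk.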