diff options
| author | Colin Watson <cjwatson@debian.org> | 2008-05-12 23:33:01 +0000 |
|---|---|---|
| committer | Colin Watson <cjwatson@debian.org> | 2008-05-12 23:33:01 +0000 |
| commit | 47608c17e64138f8d16aa2bdc49a0eb00e1c3549 (patch) | |
| tree | 92572d90b9aa8f45c0d9e6dbb185065667fdcea0 /debian/openssh-server.postinst | |
| parent | 19ccea525446d5a3c2a176d813c505be81b91cbf (diff) | |
* Mitigate OpenSSL security vulnerability:
- Add key blacklisting support. Keys listed in
/etc/ssh/blacklist.TYPE-LENGTH will be rejected for authentication by
sshd, unless "PermitBlacklistedKeys yes" is set in
/etc/ssh/sshd_config.
- Add a new program, ssh-vulnkey, which can be used to check keys
against these blacklists.
- Depend on openssh-blacklist.
- Force dependencies on libssl0.9.8 / libcrypto0.9.8-udeb to at least
0.9.8g-9.
- Automatically regenerate known-compromised host keys, with a
critical-priority debconf note. (I regret that there was no time to
gather translations.)
Diffstat (limited to 'debian/openssh-server.postinst')
| -rw-r--r-- | debian/openssh-server.postinst | 30 |
1 files changed, 30 insertions, 0 deletions
diff --git a/debian/openssh-server.postinst b/debian/openssh-server.postinst index 1d26a7b55..b7ea210c4 100644 --- a/debian/openssh-server.postinst +++ b/debian/openssh-server.postinst | |||
| @@ -183,6 +183,35 @@ create_keys() { | |||
| 183 | } | 183 | } |
| 184 | 184 | ||
| 185 | 185 | ||
| 186 | vulnerable_host_keys() { | ||
| 187 | # If the admin has explicitly put the vulnerable keys back, we | ||
| 188 | # assume they can look after themselves. | ||
| 189 | db_fget ssh/vulnerable_host_keys seen | ||
| 190 | if [ "$RET" = true ]; then | ||
| 191 | return 0 | ||
| 192 | fi | ||
| 193 | |||
| 194 | hostkeys="$(host_keys_required)" | ||
| 195 | vulnerable= | ||
| 196 | for hostkey in $hostkeys; do | ||
| 197 | [ -f "$hostkey" ] || continue | ||
| 198 | if ssh-vulnkey -q "$hostkey"; then | ||
| 199 | vulnerable="${vulnerable:+$vulnerable }$hostkey" | ||
| 200 | fi | ||
| 201 | done | ||
| 202 | if [ "$vulnerable" ]; then | ||
| 203 | db_subst ssh/vulnerable_host_keys HOST_KEYS "$vulnerable" | ||
| 204 | db_input critical ssh/vulnerable_host_keys || true | ||
| 205 | db_go | ||
| 206 | for hostkey in $vulnerable; do | ||
| 207 | mv "$hostkey" "$hostkey.broken" || true | ||
| 208 | mv "$hostkey.pub" "$hostkey.pub.broken" || true | ||
| 209 | done | ||
| 210 | create_keys | ||
| 211 | fi | ||
| 212 | } | ||
| 213 | |||
| 214 | |||
| 186 | check_password_auth() { | 215 | check_password_auth() { |
| 187 | passwordauth="$(get_config_option PasswordAuthentication)" | 216 | passwordauth="$(get_config_option PasswordAuthentication)" |
| 188 | crauth="$(get_config_option ChallengeResponseAuthentication)" | 217 | crauth="$(get_config_option ChallengeResponseAuthentication)" |
| @@ -422,6 +451,7 @@ fix_doc_symlink | |||
| 422 | create_sshdconfig | 451 | create_sshdconfig |
| 423 | check_idea_key | 452 | check_idea_key |
| 424 | create_keys | 453 | create_keys |
| 454 | vulnerable_host_keys | ||
| 425 | fix_statoverride | 455 | fix_statoverride |
| 426 | if dpkg --compare-versions "$2" lt 1:4.3p2-3; then | 456 | if dpkg --compare-versions "$2" lt 1:4.3p2-3; then |
| 427 | fix_sshd_shell | 457 | fix_sshd_shell |