author | Colin Watson <cjwatson@debian.org> | 2008-05-12 23:33:01 +0000
---|---|---
committer | Colin Watson <cjwatson@debian.org> | 2008-05-12 23:33:01 +0000
commit | 47608c17e64138f8d16aa2bdc49a0eb00e1c3549 (patch) |
tree | 92572d90b9aa8f45c0d9e6dbb185065667fdcea0 /debian/openssh-server.templates |
parent | 19ccea525446d5a3c2a176d813c505be81b91cbf (diff) |
* Mitigate OpenSSL security vulnerability:
- Add key blacklisting support. Keys listed in
/etc/ssh/blacklist.TYPE-LENGTH will be rejected for authentication by
sshd, unless "PermitBlacklistedKeys yes" is set in
/etc/ssh/sshd_config.
- Add a new program, ssh-vulnkey, which can be used to check keys
against these blacklists.
- Depend on openssh-blacklist.
- Force dependencies on libssl0.9.8 / libcrypto0.9.8-udeb to at least
0.9.8g-9.
- Automatically regenerate known-compromised host keys, with a
critical-priority debconf note. (I regret that there was no time to
gather translations.)
Diffstat (limited to 'debian/openssh-server.templates')
-rw-r--r-- | debian/openssh-server.templates | 20 |
1 files changed, 20 insertions, 0 deletions
diff --git a/debian/openssh-server.templates b/debian/openssh-server.templates index 2cc62f8f1..6c1187e7f 100644 --- a/debian/openssh-server.templates +++ b/debian/openssh-server.templates | |||
@@ -62,3 +62,23 @@ _Description: Disable challenge-response authentication? | |||
62 | able to log in using passwords. If you leave it enabled (the default | 62 | able to log in using passwords. If you leave it enabled (the default |
63 | answer), then the 'PasswordAuthentication no' option will have no useful | 63 | answer), then the 'PasswordAuthentication no' option will have no useful |
64 | effect unless you also adjust your PAM configuration in /etc/pam.d/ssh. | 64 | effect unless you also adjust your PAM configuration in /etc/pam.d/ssh. |
65 | |||
66 | Template: ssh/vulnerable_host_keys | ||
67 | Type: note | ||
68 | _Description: Vulnerable host keys will be regenerated | ||
69 | Some of the OpenSSH server host keys on this system were generated with a | ||
70 | version of OpenSSL that had a broken random number generator. As a result, | ||
71 | these host keys are from a well-known set, are subject to brute-force | ||
72 | attacks, and must be regenerated. | ||
73 | . | ||
74 | Users of this system should be informed of this change, as they will be | ||
75 | prompted about the host key change the next time they log in. Use | ||
76 | 'ssh-keygen -l -f HOST_KEY_FILE' after the upgrade has changed to print the | ||
77 | fingerprints of the new host keys. | ||
78 | . | ||
79 | The affected host keys are: | ||
80 | . | ||
81 | ${HOST_KEYS} | ||
82 | . | ||
83 | User keys may also be affected by this problem. The 'ssh-vulnkey' command | ||
84 | may be used as a partial test for this. | ||
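Review bot: the instruction at new line 76 of the template, "Use 'ssh-keygen -l -f HOST_KEY_FILE' after the upgrade has changed to print the fingerprints of the new host keys", reads as though a word was dropped; "after the upgrade has completed" (or "has finished") would make the sentence parse, and since this is a critical-priority note shown to every affected administrator it is worth fixing before translations are gathered. The rest of the note is sound: it tells the administrator why the keys change (the broken OpenSSL RNG put the keys in a well-known, brute-forceable set), warns that users will see a host key change prompt, and points at 'ssh-vulnkey' as a partial check for user keys; it would also help to state that ${HOST_KEYS} lists file paths, so the administrator knows what to substitute for HOST_KEY_FILE.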