authorColin Watson <cjwatson@debian.org>2008-05-12 23:33:01 +0000
committerColin Watson <cjwatson@debian.org>2008-05-12 23:33:01 +0000
commit47608c17e64138f8d16aa2bdc49a0eb00e1c3549 (patch)
tree92572d90b9aa8f45c0d9e6dbb185065667fdcea0 /debian
parent19ccea525446d5a3c2a176d813c505be81b91cbf (diff)
* Mitigate OpenSSL security vulnerability:
- Add key blacklisting support. Keys listed in /etc/ssh/blacklist.TYPE-LENGTH will be rejected for authentication by sshd, unless "PermitBlacklistedKeys yes" is set in /etc/ssh/sshd_config. - Add a new program, ssh-vulnkey, which can be used to check keys against these blacklists. - Depend on openssh-blacklist. - Force dependencies on libssl0.9.8 / libcrypto0.9.8-udeb to at least 0.9.8g-9. - Automatically regenerate known-compromised host keys, with a critical-priority debconf note. (I regret that there was no time to gather translations.)
Diffstat (limited to 'debian')
-rw-r--r--debian/changelog15
-rw-r--r--debian/control8
-rw-r--r--debian/openssh-server.postinst30
-rw-r--r--debian/openssh-server.templates20
4 files changed, 68 insertions, 5 deletions
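--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,19 @@
-openssh (1:4.7p1-9) UNRELEASED; urgency=low
+openssh (1:4.7p1-9) UNRELEASED; urgency=critical
 
  * Fill in CVE identifier for security vulnerability fixed in 1:4.7p1-8.
+ * Mitigate OpenSSL security vulnerability:
+ - Add key blacklisting support. Keys listed in
+ /etc/ssh/blacklist.TYPE-LENGTH will be rejected for authentication by
+ sshd, unless "PermitBlacklistedKeys yes" is set in
+ /etc/ssh/sshd_config.
+ - Add a new program, ssh-vulnkey, which can be used to check keys
+ against these blacklists.
+ - Depend on openssh-blacklist.
+ - Force dependencies on libssl0.9.8 / libcrypto0.9.8-udeb to at least
+ 0.9.8g-9.
+ - Automatically regenerate known-compromised host keys, with a
+ critical-priority debconf note. (I regret that there was no time to
+ gather translations.)
 
  -- Colin Watson <cjwatson@debian.org> Wed, 09 Apr 2008 14:57:43 +0100
 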
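--- a/debian/control
+++ b/debian/control
@@ -8,7 +8,7 @@ Uploaders: Colin Watson <cjwatson@debian.org>, Matthew Vernon <matthew@debian.or
 
 Package: openssh-client
 Architecture: any
-Depends: ${shlibs:Depends}, debconf (>= 1.2.0) | debconf-2.0, adduser (>= 3.10), dpkg (>= 1.7.0), passwd
+Depends: ${shlibs:Depends}, debconf (>= 1.2.0) | debconf-2.0, adduser (>= 3.10), dpkg (>= 1.7.0), passwd, libssl0.9.8 (>= 0.9.8g-9)
 Recommends: xauth
 Conflicts: ssh (<< 1:3.8.1p1-9), sftp, rsh-client (<<0.16.1-1), ssh-krb5 (<< 1:4.3p2-7)
 Replaces: ssh, ssh-krb5
@@ -37,7 +37,7 @@ Description: secure shell client, an rlogin/rsh/rcp replacement
 Package: openssh-server
 Priority: optional
 Architecture: any
-Depends: ${shlibs:Depends}, debconf (>= 1.2.0) | debconf-2.0, libpam-runtime (>= 0.76-14), libpam-modules (>= 0.72-9), adduser (>= 3.9), dpkg (>= 1.9.0), openssh-client (= ${binary:Version}), lsb-base (>= 3.0-6)
+Depends: ${shlibs:Depends}, debconf (>= 1.2.0) | debconf-2.0, libpam-runtime (>= 0.76-14), libpam-modules (>= 0.72-9), adduser (>= 3.9), dpkg (>= 1.9.0), openssh-client (= ${binary:Version}), lsb-base (>= 3.0-6), libssl0.9.8 (>= 0.9.8g-9), openssh-blacklist
 Recommends: xauth
 Conflicts: ssh (<< 1:3.8.1p1-9), ssh-nonfree (<<2), ssh-socks, ssh2, sftp, rsh-client (<<0.16.1-1), ssh-krb5 (<< 1:4.3p2-7)
 Replaces: ssh, openssh-client (<< 1:3.8.1p1-11), ssh-krb5
@@ -99,7 +99,7 @@ XC-Package-Type: udeb
 Section: debian-installer
 Priority: optional
 Architecture: any
-Depends: ${shlibs:Depends}, libnss-files-udeb
+Depends: ${shlibs:Depends}, libnss-files-udeb, libcrypto0.9.8-udeb (>= 0.9.8g-9)
 XB-Installer-Menu-Item: 99900
 Description: secure shell client for the Debian installer
  This is the portable version of OpenSSH, a free implementation of
@@ -113,7 +113,7 @@ XC-Package-Type: udeb
 Section: debian-installer
 Priority: optional
 Architecture: any
-Depends: ${shlibs:Depends}, libnss-files-udeb
+Depends: ${shlibs:Depends}, libnss-files-udeb, libcrypto0.9.8-udeb (>= 0.9.8g-9)
 Description: secure shell server for the Debian installer
  This is the portable version of OpenSSH, a free implementation of
  the Secure Shell protocol as specified by the IETF secsh working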
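Review bot: Only openssh-server gains a dependency on openssh-blacklist (second hunk); openssh-client (first hunk) gets the tightened libssl0.9.8 dependency but no relation to the blacklist package. If ssh-vulnkey is shipped in openssh-client, which the commit message implies but this file section does not show, then the template's advice to run ssh-vulnkey on user keys will find no /etc/ssh/blacklist.* files on a host that has only the client installed, and every key would look "unknown". Consider `Recommends: xauth, openssh-blacklist` (or a Depends) on openssh-client so the check is actually meaningful where users are told to run it.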
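--- a/debian/openssh-server.postinst
+++ b/debian/openssh-server.postinst
@@ -183,6 +183,35 @@ create_keys() {
 }
 
 
+vulnerable_host_keys() {
+ # If the admin has explicitly put the vulnerable keys back, we
+ # assume they can look after themselves.
+ db_fget ssh/vulnerable_host_keys seen
+ if [ "$RET" = true ]; then
+ return 0
+ fi
+
+ hostkeys="$(host_keys_required)"
+ vulnerable=
+ for hostkey in $hostkeys; do
+ [ -f "$hostkey" ] || continue
+ if ssh-vulnkey -q "$hostkey"; then
+ vulnerable="${vulnerable:+$vulnerable }$hostkey"
+ fi
+ done
+ if [ "$vulnerable" ]; then
+ db_subst ssh/vulnerable_host_keys HOST_KEYS "$vulnerable"
+ db_input critical ssh/vulnerable_host_keys || true
+ db_go
+ for hostkey in $vulnerable; do
+ mv "$hostkey" "$hostkey.broken" || true
+ mv "$hostkey.pub" "$hostkey.pub.broken" || true
+ done
+ create_keys
+ fi
+}
+
+
 check_password_auth() {
  passwordauth="$(get_config_option PasswordAuthentication)"
  crauth="$(get_config_option ChallengeResponseAuthentication)"
@@ -422,6 +451,7 @@ fix_doc_symlink
 create_sshdconfig
 check_idea_key
 create_keys
+vulnerable_host_keys
 fix_statoverride
 if dpkg --compare-versions "$2" lt 1:4.3p2-3; then
  fix_sshd_shell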
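Review bot: `mv "$hostkey" "$hostkey.broken" || true` in vulnerable_host_keys swallows a failed move of the private key, so a key the admin has just been told will be regenerated can stay in place, and create_keys (defined outside this hunk, presumably regenerating only missing keys) would then leave the compromised key serving; the `|| true` on db_input suggests the script runs under set -e, so the private-key move should be allowed to fail loudly, e.g. `mv "$hostkey" "$hostkey.broken" || { echo "Unable to retire $hostkey; not regenerated" >&2; exit 1; }` while keeping the tolerant form for the .pub file. The `if ssh-vulnkey -q "$hostkey"` test also treats every non-zero status as "not vulnerable", so if ssh-vulnkey signals errors (missing blacklist file for that key type/length, unreadable key) with a distinct exit status, which this hunk does not show, those cases fail open silently; capturing the status and warning on anything that is neither "compromised" nor "clean" would make that visible. The early `return 0` on the seen flag means a host is scanned only once ever, which is fine for the stated intent but worth a comment saying that later runs will not re-check keys restored or added afterwards. Whether sshd is restarted after create_keys so the new keys take effect is outside this hunk.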
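--- a/debian/openssh-server.templates
+++ b/debian/openssh-server.templates
@@ -62,3 +62,23 @@ _Description: Disable challenge-response authentication?
  able to log in using passwords. If you leave it enabled (the default
  answer), then the 'PasswordAuthentication no' option will have no useful
  effect unless you also adjust your PAM configuration in /etc/pam.d/ssh.
+
+Template: ssh/vulnerable_host_keys
+Type: note
+_Description: Vulnerable host keys will be regenerated
+ Some of the OpenSSH server host keys on this system were generated with a
+ version of OpenSSL that had a broken random number generator. As a result,
+ these host keys are from a well-known set, are subject to brute-force
+ attacks, and must be regenerated.
+ .
+ Users of this system should be informed of this change, as they will be
+ prompted about the host key change the next time they log in. Use
+ 'ssh-keygen -l -f HOST_KEY_FILE' after the upgrade has changed to print the
+ fingerprints of the new host keys.
+ .
+ The affected host keys are:
+ .
+ ${HOST_KEYS}
+ .
+ User keys may also be affected by this problem. The 'ssh-vulnkey' command
+ may be used as a partial test for this.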
84 may be used as a partial test for this.