diff options
author | Colin Watson <cjwatson@ubuntu.com> | 2014-02-09 16:09:50 +0000 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2014-02-09 16:17:31 +0000 |
commit | 8909ff0e3cd07d1b042d1be1c8b8828dbf6c9a83 (patch) | |
tree | ebee4092f1411059e34da6f66b4ebd64f4411020 /pathnames.h | |
parent | 07f2a771c490bd68cd5c5ea9c535705e93bd94f3 (diff) |
Reject vulnerable keys to mitigate Debian OpenSSL flaw
In 2008, Debian (and derived distributions such as Ubuntu) shipped an
OpenSSL package with a flawed random number generator, causing OpenSSH to
generate only a very limited set of keys which were subject to private half
precomputation. To mitigate this, this patch checks key authentications
against a blacklist of known-vulnerable keys, and adds a new ssh-vulnkey
program which can be used to explicitly check keys against that blacklist.
See CVE-2008-0166.
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1469
Last-Update: 2013-09-14
Patch-Name: ssh-vulnkey.patch
Diffstat (limited to 'pathnames.h')
-rw-r--r-- | pathnames.h | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/pathnames.h b/pathnames.h index 5027fbaed..47f7867d5 100644 --- a/pathnames.h +++ b/pathnames.h | |||
@@ -18,6 +18,10 @@ | |||
18 | #define SSHDIR ETCDIR "/ssh" | 18 | #define SSHDIR ETCDIR "/ssh" |
19 | #endif | 19 | #endif |
20 | 20 | ||
21 | #ifndef _PATH_SSH_DATADIR | ||
22 | #define _PATH_SSH_DATADIR "/usr/share/ssh" | ||
23 | #endif | ||
24 | |||
21 | #ifndef _PATH_SSH_PIDDIR | 25 | #ifndef _PATH_SSH_PIDDIR |
22 | #define _PATH_SSH_PIDDIR "/var/run" | 26 | #define _PATH_SSH_PIDDIR "/var/run" |
23 | #endif | 27 | #endif |
@@ -44,6 +48,9 @@ | |||
44 | /* Backwards compatibility */ | 48 | /* Backwards compatibility */ |
45 | #define _PATH_DH_PRIMES SSHDIR "/primes" | 49 | #define _PATH_DH_PRIMES SSHDIR "/primes" |
46 | 50 | ||
51 | #define _PATH_BLACKLIST _PATH_SSH_DATADIR "/blacklist" | ||
52 | #define _PATH_BLACKLIST_CONFIG SSHDIR "/blacklist" | ||
53 | |||
47 | #ifndef _PATH_SSH_PROGRAM | 54 | #ifndef _PATH_SSH_PROGRAM |
48 | #define _PATH_SSH_PROGRAM "/usr/bin/ssh" | 55 | #define _PATH_SSH_PROGRAM "/usr/bin/ssh" |
49 | #endif | 56 | #endif |