diff options
author | Colin Watson <cjwatson@debian.org> | 2008-05-12 23:33:01 +0000 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2008-05-12 23:33:01 +0000 |
commit | 47608c17e64138f8d16aa2bdc49a0eb00e1c3549 (patch) | |
tree | 92572d90b9aa8f45c0d9e6dbb185065667fdcea0 /servconf.c | |
parent | 19ccea525446d5a3c2a176d813c505be81b91cbf (diff) |
* Mitigate OpenSSL security vulnerability:
- Add key blacklisting support. Keys listed in
/etc/ssh/blacklist.TYPE-LENGTH will be rejected for authentication by
sshd, unless "PermitBlacklistedKeys yes" is set in
/etc/ssh/sshd_config.
- Add a new program, ssh-vulnkey, which can be used to check keys
against these blacklists.
- Depend on openssh-blacklist.
- Force dependencies on libssl0.9.8 / libcrypto0.9.8-udeb to at least
0.9.8g-9.
- Automatically regenerate known-compromised host keys, with a
critical-priority debconf note. (I regret that there was no time to
gather translations.)
Diffstat (limited to 'servconf.c')
-rw-r--r-- | servconf.c | 10 |
1 files changed, 9 insertions, 1 deletions
diff --git a/servconf.c b/servconf.c index 14a9dde3d..c5688912d 100644 --- a/servconf.c +++ b/servconf.c | |||
@@ -96,6 +96,7 @@ initialize_server_options(ServerOptions *options) | |||
96 | options->password_authentication = -1; | 96 | options->password_authentication = -1; |
97 | options->kbd_interactive_authentication = -1; | 97 | options->kbd_interactive_authentication = -1; |
98 | options->challenge_response_authentication = -1; | 98 | options->challenge_response_authentication = -1; |
99 | options->permit_blacklisted_keys = -1; | ||
99 | options->permit_empty_passwd = -1; | 100 | options->permit_empty_passwd = -1; |
100 | options->permit_user_env = -1; | 101 | options->permit_user_env = -1; |
101 | options->use_login = -1; | 102 | options->use_login = -1; |
@@ -218,6 +219,8 @@ fill_default_server_options(ServerOptions *options) | |||
218 | options->kbd_interactive_authentication = 0; | 219 | options->kbd_interactive_authentication = 0; |
219 | if (options->challenge_response_authentication == -1) | 220 | if (options->challenge_response_authentication == -1) |
220 | options->challenge_response_authentication = 1; | 221 | options->challenge_response_authentication = 1; |
222 | if (options->permit_blacklisted_keys == -1) | ||
223 | options->permit_blacklisted_keys = 0; | ||
221 | if (options->permit_empty_passwd == -1) | 224 | if (options->permit_empty_passwd == -1) |
222 | options->permit_empty_passwd = 0; | 225 | options->permit_empty_passwd = 0; |
223 | if (options->permit_user_env == -1) | 226 | if (options->permit_user_env == -1) |
@@ -287,7 +290,7 @@ typedef enum { | |||
287 | sListenAddress, sAddressFamily, | 290 | sListenAddress, sAddressFamily, |
288 | sPrintMotd, sPrintLastLog, sIgnoreRhosts, | 291 | sPrintMotd, sPrintLastLog, sIgnoreRhosts, |
289 | sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost, | 292 | sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost, |
290 | sStrictModes, sEmptyPasswd, sTCPKeepAlive, | 293 | sStrictModes, sPermitBlacklistedKeys, sEmptyPasswd, sTCPKeepAlive, |
291 | sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression, | 294 | sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression, |
292 | sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, | 295 | sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, |
293 | sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, | 296 | sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, |
@@ -387,6 +390,7 @@ static struct { | |||
387 | { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL }, | 390 | { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL }, |
388 | { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL }, | 391 | { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL }, |
389 | { "strictmodes", sStrictModes, SSHCFG_GLOBAL }, | 392 | { "strictmodes", sStrictModes, SSHCFG_GLOBAL }, |
393 | { "permitblacklistedkeys", sPermitBlacklistedKeys, SSHCFG_GLOBAL }, | ||
390 | { "permitemptypasswords", sEmptyPasswd, SSHCFG_GLOBAL }, | 394 | { "permitemptypasswords", sEmptyPasswd, SSHCFG_GLOBAL }, |
391 | { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL }, | 395 | { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL }, |
392 | { "uselogin", sUseLogin, SSHCFG_GLOBAL }, | 396 | { "uselogin", sUseLogin, SSHCFG_GLOBAL }, |
@@ -943,6 +947,10 @@ parse_flag: | |||
943 | intptr = &options->tcp_keep_alive; | 947 | intptr = &options->tcp_keep_alive; |
944 | goto parse_flag; | 948 | goto parse_flag; |
945 | 949 | ||
950 | case sPermitBlacklistedKeys: | ||
951 | intptr = &options->permit_blacklisted_keys; | ||
952 | goto parse_flag; | ||
953 | |||
946 | case sEmptyPasswd: | 954 | case sEmptyPasswd: |
947 | intptr = &options->permit_empty_passwd; | 955 | intptr = &options->permit_empty_passwd; |
948 | goto parse_flag; | 956 | goto parse_flag; |