* Mitigate OpenSSL security vulnerability:

- Add key blacklisting support. Keys listed in /etc/ssh/blacklist.TYPE-LENGTH will be rejected for authentication by sshd, unless "PermitBlacklistedKeys yes" is set in /etc/ssh/sshd_config. - Add a new program, ssh-vulnkey, which can be used to check keys against these blacklists. - Depend on openssh-blacklist. - Force dependencies on libssl0.9.8 / libcrypto0.9.8-udeb to at least 0.9.8g-9. - Automatically regenerate known-compromised host keys, with a critical-priority debconf note. (I regret that there was no time to gather translations.)
author: Colin Watson <cjwatson@debian.org> 2008-05-12 23:33:01 +0000
committer: Colin Watson <cjwatson@debian.org> 2008-05-12 23:33:01 +0000
commit: 47608c17e64138f8d16aa2bdc49a0eb00e1c3549 (patch)
tree: 92572d90b9aa8f45c0d9e6dbb185065667fdcea0 /servconf.c
parent: 19ccea525446d5a3c2a176d813c505be81b91cbf (diff)
1 files changed, 9 insertions, 1 deletions
diff --git a/servconf.c b/servconf.c
index 14a9dde3d..c5688912d 100644
--- a/servconf.c
+++ b/servconf.c
@@ -96,6 +96,7 @@ initialize_server_options(ServerOptions *options)
        options->password_authentication = -1;
        options->kbd_interactive_authentication = -1;
        options->challenge_response_authentication = -1;
+        options->permit_blacklisted_keys = -1;
        options->permit_empty_passwd = -1;
        options->permit_user_env = -1;
        options->use_login = -1;
@@ -218,6 +219,8 @@ fill_default_server_options(ServerOptions *options)
                options->kbd_interactive_authentication = 0;
        if (options->challenge_response_authentication == -1)
                options->challenge_response_authentication = 1;
+        if (options->permit_blacklisted_keys == -1)
+                options->permit_blacklisted_keys = 0;
        if (options->permit_empty_passwd == -1)
                options->permit_empty_passwd = 0;
        if (options->permit_user_env == -1)
@@ -287,7 +290,7 @@ typedef enum {
        sListenAddress, sAddressFamily,
        sPrintMotd, sPrintLastLog, sIgnoreRhosts,
        sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
-        sStrictModes, sEmptyPasswd, sTCPKeepAlive,
+        sStrictModes, sPermitBlacklistedKeys, sEmptyPasswd, sTCPKeepAlive,
        sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
        sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
        sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
@@ -387,6 +390,7 @@ static struct {
        { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
        { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
        { "strictmodes", sStrictModes, SSHCFG_GLOBAL },
+        { "permitblacklistedkeys", sPermitBlacklistedKeys, SSHCFG_GLOBAL },
        { "permitemptypasswords", sEmptyPasswd, SSHCFG_GLOBAL },
        { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL },
        { "uselogin", sUseLogin, SSHCFG_GLOBAL },
@@ -943,6 +947,10 @@ parse_flag:
                intptr = &options->tcp_keep_alive;
                goto parse_flag;
+        case sPermitBlacklistedKeys:
+                intptr = &options->permit_blacklisted_keys;
+                goto parse_flag;
        case sEmptyPasswd:
                intptr = &options->permit_empty_passwd;
                goto parse_flag;
author	Colin Watson <cjwatson@debian.org>	2008-05-12 23:33:01 +0000
committer	Colin Watson <cjwatson@debian.org>	2008-05-12 23:33:01 +0000
commit	47608c17e64138f8d16aa2bdc49a0eb00e1c3549 (patch)
tree	92572d90b9aa8f45c0d9e6dbb185065667fdcea0 /servconf.c
parent	19ccea525446d5a3c2a176d813c505be81b91cbf (diff)