diff options
| author | Colin Watson <cjwatson@ubuntu.com> | 2014-02-09 16:09:50 +0000 |
|---|---|---|
| committer | Colin Watson <cjwatson@debian.org> | 2014-02-09 16:17:31 +0000 |
| commit | 8909ff0e3cd07d1b042d1be1c8b8828dbf6c9a83 (patch) | |
| tree | ebee4092f1411059e34da6f66b4ebd64f4411020 /servconf.h | |
| parent | 07f2a771c490bd68cd5c5ea9c535705e93bd94f3 (diff) | |
Reject vulnerable keys to mitigate Debian OpenSSL flaw
In 2008, Debian (and derived distributions such as Ubuntu) shipped an
OpenSSL package with a flawed random number generator, causing OpenSSH to
generate only a very limited set of keys which were subject to private half
precomputation. To mitigate this, this patch checks key authentications
against a blacklist of known-vulnerable keys, and adds a new ssh-vulnkey
program which can be used to explicitly check keys against that blacklist.
See CVE-2008-0166.
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1469
Last-Update: 2013-09-14
Patch-Name: ssh-vulnkey.patch
Diffstat (limited to 'servconf.h')
| -rw-r--r-- | servconf.h | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/servconf.h b/servconf.h index ab6e34669..f655c5bf7 100644 --- a/servconf.h +++ b/servconf.h | |||
| @@ -121,6 +121,7 @@ typedef struct { | |||
| 121 | int challenge_response_authentication; | 121 | int challenge_response_authentication; |
| 122 | int zero_knowledge_password_authentication; | 122 | int zero_knowledge_password_authentication; |
| 123 | /* If true, permit jpake auth */ | 123 | /* If true, permit jpake auth */ |
| 124 | int permit_blacklisted_keys; /* If true, permit */ | ||
| 124 | int permit_empty_passwd; /* If false, do not permit empty | 125 | int permit_empty_passwd; /* If false, do not permit empty |
| 125 | * passwords. */ | 126 | * passwords. */ |
| 126 | int permit_user_env; /* If true, read ~/.ssh/environment */ | 127 | int permit_user_env; /* If true, read ~/.ssh/environment */ |