Reject vulnerable keys to mitigate Debian OpenSSL flaw

In 2008, Debian (and derived distributions such as Ubuntu) shipped an
OpenSSL package with a flawed random number generator, causing OpenSSH to
generate only a very limited set of keys which were subject to private half
precomputation.  To mitigate this, this patch checks key authentications
against a blacklist of known-vulnerable keys, and adds a new ssh-vulnkey
program which can be used to explicitly check keys against that blacklist.
See CVE-2008-0166.

Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1469
Last-Update: 2013-09-14

Patch-Name: ssh-vulnkey.patch

1 files changed, 9 insertions, 1 deletions

diff --git a/ssh-add.c b/ssh-add.c
index 5e8166f66..b309582f5 100644
--- a/ssh-add.c
+++ b/ssh-add.c
@@ -167,7 +167,7 @@ static int
 add_file(AuthenticationConnection *ac, const char *filename, int key_only)
 {
         Key *private, *cert;
-        char *comment = NULL;
+        char *comment = NULL, *fp;
         char msg[1024], *certpath = NULL;
         int fd, perms_ok, ret = -1;
         Buffer keyblob;
@@ -243,6 +243,14 @@ add_file(AuthenticationConnection *ac, const char *filename, int key_only)
         } else {
                 fprintf(stderr, "Could not add identity: %s\n", filename);
         }
+        if (blacklisted_key(private, &fp) == 1) {
+                fprintf(stderr, "Public key %s blacklisted (see "
+                    "ssh-vulnkey(1)); refusing to add it\n", fp);
+                free(fp);
+                key_free(private);
+                free(comment);
+                return -1;
+        }
 
         /* Skip trying to load the cert if requested */
         if (key_only)