author | Colin Watson <cjwatson@ubuntu.com> | 2014-02-09 16:09:50 +0000 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2014-02-09 16:17:31 +0000 |
commit | 8909ff0e3cd07d1b042d1be1c8b8828dbf6c9a83 (patch) | |
tree | ebee4092f1411059e34da6f66b4ebd64f4411020 /ssh_config.5 | |
parent | 07f2a771c490bd68cd5c5ea9c535705e93bd94f3 (diff) |
Reject vulnerable keys to mitigate Debian OpenSSL flaw
In 2008, Debian (and derived distributions such as Ubuntu) shipped an
OpenSSL package with a flawed random number generator, causing OpenSSH to
generate only a very limited set of keys which were subject to private half
precomputation. To mitigate this, this patch checks key authentications
against a blacklist of known-vulnerable keys, and adds a new ssh-vulnkey
program which can be used to explicitly check keys against that blacklist.
See CVE-2008-0166.
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1469
Last-Update: 2013-09-14
Patch-Name: ssh-vulnkey.patch
Diffstat (limited to 'ssh_config.5')
-rw-r--r-- | ssh_config.5 | 17 |
1 files changed, 17 insertions, 0 deletions
diff --git a/ssh_config.5 b/ssh_config.5 index e72919a89..8d806c701 100644 --- a/ssh_config.5 +++ b/ssh_config.5 | |||
@@ -1229,6 +1229,23 @@ is not specified, it defaults to | |||
1229 | .Dq any . | 1229 | .Dq any . |
1230 | The default is | 1230 | The default is |
1231 | .Dq any:any . | 1231 | .Dq any:any . |
1232 | .It Cm UseBlacklistedKeys | ||
1233 | Specifies whether | ||
1234 | .Xr ssh 1 | ||
1235 | should use keys recorded in its blacklist of known-compromised keys (see | ||
1236 | .Xr ssh-vulnkey 1 ) | ||
1237 | for authentication. | ||
1238 | If | ||
1239 | .Dq yes , | ||
1240 | then attempts to use compromised keys for authentication will be logged but | ||
1241 | accepted. | ||
1242 | It is strongly recommended that this be used only to install new authorized | ||
1243 | keys on the remote system, and even then only with the utmost care. | ||
1244 | If | ||
1245 | .Dq no , | ||
1246 | then attempts to use compromised keys for authentication will be prevented. | ||
1247 | The default is | ||
1248 | .Dq no . | ||
1232 | .It Cm UsePrivilegedPort | 1249 | .It Cm UsePrivilegedPort |
1233 | Specifies whether to use a privileged port for outgoing connections. | 1250 | Specifies whether to use a privileged port for outgoing connections. |
1234 | The argument must be | 1251 | The argument must be |
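Review bot: "will be logged but accepted" (lines 1240-1241 of the new text) is ambiguous for a client-side option, since the client cannot accept an authentication; consider wording such as "will be logged, but the key will still be offered to the server". The "yes" branch also gives the reader no exit path beyond "the utmost care": since the stated purpose is installing new authorized keys on the remote system, add that the compromised key should be removed from the remote authorized_keys and the option set back to its default of "no" once the replacement key is in place, so a reader does not leave the weaker setting enabled.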