path: root/ssh_config.5
author: Colin Watson <cjwatson@ubuntu.com> 2014-02-09 16:09:50 +0000
committer: Colin Watson <cjwatson@debian.org> 2014-02-09 16:17:31 +0000
commit: 8909ff0e3cd07d1b042d1be1c8b8828dbf6c9a83 (patch)
tree: ebee4092f1411059e34da6f66b4ebd64f4411020 /ssh_config.5
parent: 07f2a771c490bd68cd5c5ea9c535705e93bd94f3 (diff)
Reject vulnerable keys to mitigate Debian OpenSSL flaw
In 2008, Debian (and derived distributions such as Ubuntu) shipped an OpenSSL package with a flawed random number generator, causing OpenSSH to generate only a very limited set of keys which were subject to private half precomputation. To mitigate this, this patch checks key authentications against a blacklist of known-vulnerable keys, and adds a new ssh-vulnkey program which can be used to explicitly check keys against that blacklist. See CVE-2008-0166.

Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1469
Last-Update: 2013-09-14
Patch-Name: ssh-vulnkey.patch
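The check the commit message describes (compute a key's fingerprint, refuse it if the fingerprint is on a list of known-compromised keys) as an added example. This is not Debian's patch and not the ssh-vulnkey program; it assumes a blacklist represented as a Python set of full MD5 fingerprints in the colon-separated form OpenSSH printed at the time, because the on-disk format of the real blacklist files is not shown on this page and is not reproduced here. The key, the second key, and the blacklist entry are constructed sample data; the function names are the example's own.

```python
import base64
import hashlib
import struct

# Key types whose public key lines this checker understands.
KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519",
             "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")


def _ssh_string(data):
    """Encode bytes as an SSH wire-format string (4-byte big-endian length prefix)."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value):
    """Encode a non-negative integer as an SSH wire-format mpint."""
    if value == 0:
        return _ssh_string(b"")
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:  # a leading zero keeps the two's-complement sign bit clear
        raw = b"\x00" + raw
    return _ssh_string(raw)


def make_rsa_public_key_line(e, n, comment=""):
    """Build an OpenSSH 'ssh-rsa <base64 blob> [comment]' line from e and n."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    line = "ssh-rsa " + base64.b64encode(blob).decode("ascii")
    return line + (" " + comment if comment else "")


def md5_fingerprint(key_line):
    """Return the MD5 fingerprint (16 colon-separated hex bytes) of a public key line.

    Accepts plain 'type base64 comment' lines and authorized_keys lines that
    carry an options field (e.g. command="...") before the key type.
    """
    fields = key_line.split()
    for i, field in enumerate(fields[:-1]):
        if field in KEY_TYPES:
            blob = base64.b64decode(fields[i + 1])
            digest = hashlib.md5(blob).hexdigest()
            return ":".join(digest[j:j + 2] for j in range(0, len(digest), 2))
    raise ValueError("not an OpenSSH public key line: %r" % key_line)


def is_blacklisted(key_line, blacklist):
    """True if the key's fingerprint is in the blacklist (a set of fingerprints)."""
    return md5_fingerprint(key_line) in blacklist


def check_authorized_keys(lines, blacklist):
    """Scan authorized_keys-style lines; return (line_number, fingerprint) per blacklisted key."""
    hits = []
    for number, line in enumerate(lines, start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank lines and comments never carry a key
        fp = md5_fingerprint(stripped)
        if fp in blacklist:
            hits.append((number, fp))
    return hits


# Constructed sample data (assumption): not a real key and not a real blacklist entry.
SAMPLE_KEY = make_rsa_public_key_line(65537, int("c0ffee" * 20, 16) | 1, "sample@example")
SAMPLE_BLACKLIST = {md5_fingerprint(SAMPLE_KEY)}

if __name__ == "__main__":
    lines = ["# authorized_keys", SAMPLE_KEY,
             'command="/bin/true" ' + make_rsa_public_key_line(65537, (1 << 511) + 3)]
    for number, fp in check_authorized_keys(lines, SAMPLE_BLACKLIST):
        print("line %d: key %s is on the blacklist" % (number, fp))
```

The fingerprint is taken over the decoded key blob, not the base64 text, so a key is matched however it is spelled in the file (with or without a comment or an options prefix). A real deployment also needs the blacklist to be keyed by key type and size, and to be loaded from a trusted location, which this example leaves out.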
Diffstat (limited to 'ssh_config.5')
-rw-r--r--  ssh_config.5 | 17
1 files changed, 17 insertions, 0 deletions
diff --git a/ssh_config.5 b/ssh_config.5
index e72919a89..8d806c701 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -1229,6 +1229,23 @@ is not specified, it defaults to
1229.Dq any . 1229.Dq any .
1230The default is 1230The default is
1231.Dq any:any . 1231.Dq any:any .
1232.It Cm UseBlacklistedKeys
1233Specifies whether
1234.Xr ssh 1
1235should use keys recorded in its blacklist of known-compromised keys (see
1236.Xr ssh-vulnkey 1 )
1237for authentication.
1238If
1239.Dq yes ,
1240then attempts to use compromised keys for authentication will be logged but
1241accepted.
1242It is strongly recommended that this be used only to install new authorized
1243keys on the remote system, and even then only with the utmost care.
1244If
1245.Dq no ,
1246then attempts to use compromised keys for authentication will be prevented.
1247The default is
1248.Dq no .
1232.It Cm UsePrivilegedPort 1249.It Cm UsePrivilegedPort
1233Specifies whether to use a privileged port for outgoing connections. 1250Specifies whether to use a privileged port for outgoing connections.
1234The argument must be 1251The argument must be
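Review bot: the "yes" branch (new lines 1239-1241) says attempts to use compromised keys "will be logged but accepted", but this is the client-side ssh_config, where the only decision ssh makes is whether to offer the key; whether the remote sshd accepts it depends on the server's own configuration. Suggest wording such as "will be logged, but the key will still be offered to the server", plus a pointer to the corresponding server-side option, since the recommended use case on lines 1242-1243 (installing new authorized keys on a remote system with a compromised key) only works if the server still permits that key. Also, "its blacklist" on line 1235 should say whose blacklist is meant (the system blacklist described in ssh-vulnkey(1)) so readers do not take it for a per-user list.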