diff options
| author | Damien Miller <djm@mindrot.org> | 2013-12-31 12:25:40 +1100 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2013-12-31 12:25:40 +1100 |
| commit | 324541e5264e1489ca0babfaf2b39612eb80dfb3 (patch) | |
| tree | 3adbfd162c3704e6aeb36f30ca09e4c04fbd25e2 /sshd.c | |
| parent | 9f4c8e797ea002a883307ca906f1f1f815010e78 (diff) | |
- djm@cvs.openbsd.org 2013/12/30 23:52:28
[auth2-hostbased.c auth2-pubkey.c compat.c compat.h ssh-rsa.c]
[sshconnect.c sshconnect2.c sshd.c]
refuse RSA keys from old proprietary clients/servers that use the
obsolete RSA+MD5 signature scheme. it will still be possible to connect
with these clients/servers but only DSA keys will be accepted, and we'll
deprecate them entirely in a future release. ok markus@
Diffstat (limited to 'sshd.c')
| -rw-r--r-- | sshd.c | 13 |
1 files changed, 8 insertions, 5 deletions
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: sshd.c,v 1.412 2013/12/06 13:39:49 markus Exp $ */ | 1 | /* $OpenBSD: sshd.c,v 1.413 2013/12/30 23:52:28 djm Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
| 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
| @@ -492,17 +492,19 @@ sshd_exchange_identification(int sock_in, int sock_out) | |||
| 492 | 492 | ||
| 493 | compat_datafellows(remote_version); | 493 | compat_datafellows(remote_version); |
| 494 | 494 | ||
| 495 | if (datafellows & SSH_BUG_PROBE) { | 495 | if ((datafellows & SSH_BUG_PROBE) != 0) { |
| 496 | logit("probed from %s with %s. Don't panic.", | 496 | logit("probed from %s with %s. Don't panic.", |
| 497 | get_remote_ipaddr(), client_version_string); | 497 | get_remote_ipaddr(), client_version_string); |
| 498 | cleanup_exit(255); | 498 | cleanup_exit(255); |
| 499 | } | 499 | } |
| 500 | 500 | if ((datafellows & SSH_BUG_SCANNER) != 0) { | |
| 501 | if (datafellows & SSH_BUG_SCANNER) { | ||
| 502 | logit("scanned from %s with %s. Don't panic.", | 501 | logit("scanned from %s with %s. Don't panic.", |
| 503 | get_remote_ipaddr(), client_version_string); | 502 | get_remote_ipaddr(), client_version_string); |
| 504 | cleanup_exit(255); | 503 | cleanup_exit(255); |
| 505 | } | 504 | } |
| 505 | if ((datafellows & SSH_BUG_RSASIGMD5) != 0) | ||
| 506 | logit("Client version \"%.100s\" uses unsafe RSA signature " | ||
| 507 | "scheme; disabling use of RSA keys", remote_version); | ||
| 506 | 508 | ||
| 507 | mismatch = 0; | 509 | mismatch = 0; |
| 508 | switch (remote_major) { | 510 | switch (remote_major) { |
| @@ -2446,7 +2448,8 @@ do_ssh2_kex(void) | |||
| 2446 | packet_set_rekey_limits((u_int32_t)options.rekey_limit, | 2448 | packet_set_rekey_limits((u_int32_t)options.rekey_limit, |
| 2447 | (time_t)options.rekey_interval); | 2449 | (time_t)options.rekey_interval); |
| 2448 | 2450 | ||
| 2449 | myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types(); | 2451 | myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal( |
| 2452 | list_hostkey_types()); | ||
| 2450 | 2453 | ||
| 2451 | /* start key exchange */ | 2454 | /* start key exchange */ |
| 2452 | kex = kex_setup(myproposal); | 2455 | kex = kex_setup(myproposal); |