authorColin Watson <cjwatson@debian.org>2008-05-12 23:33:01 +0000
committerColin Watson <cjwatson@debian.org>2008-05-12 23:33:01 +0000
commit47608c17e64138f8d16aa2bdc49a0eb00e1c3549 (patch)
tree92572d90b9aa8f45c0d9e6dbb185065667fdcea0 /sshd.c
parent19ccea525446d5a3c2a176d813c505be81b91cbf (diff)
* Mitigate OpenSSL security vulnerability:
- Add key blacklisting support. Keys listed in /etc/ssh/blacklist.TYPE-LENGTH will be rejected for authentication by sshd, unless "PermitBlacklistedKeys yes" is set in /etc/ssh/sshd_config. - Add a new program, ssh-vulnkey, which can be used to check keys against these blacklists. - Depend on openssh-blacklist. - Force dependencies on libssl0.9.8 / libcrypto0.9.8-udeb to at least 0.9.8g-9. - Automatically regenerate known-compromised host keys, with a critical-priority debconf note. (I regret that there was no time to gather translations.)
Diffstat (limited to 'sshd.c')
-rw-r--r--sshd.c15
1 files changed, 15 insertions, 0 deletions
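--- a/sshd.c
+++ b/sshd.c
@@ -1466,6 +1466,21 @@ main(int ac, char **av)
 
 for (i = 0; i < options.num_host_key_files; i++) {
 key = key_load_private(options.host_key_files[i], "", NULL);
+if (key && blacklisted_key(key)) {
+char *fp;
+fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
+if (options.permit_blacklisted_keys)
+error("Host key %s blacklisted (see "
+"ssh-vulnkey(1)); continuing anyway", fp);
+else
+error("Host key %s blacklisted (see "
+"ssh-vulnkey(1))", fp);
+xfree(fp);
+if (!options.permit_blacklisted_keys) {
+sensitive_data.host_keys[i] = NULL;
+continue;
+}
+}
 sensitive_data.host_keys[i] = key;
 if (key == NULL) {
 error("Could not load host key: %s",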
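Review bot: In the rejection branch (`if (!options.permit_blacklisted_keys)`), the Key returned by key_load_private() is discarded with `continue` but never released, so the blacklisted private key material presumably stays allocated for the lifetime of the daemon; add `key_free(key);` before `sensitive_data.host_keys[i] = NULL;`. The two error() calls differ only in the "; continuing anyway" suffix and could be folded into one call with a conditional suffix argument, which also keeps the two messages from drifting apart. Note that when the key is rejected the loop skips the `key == NULL` bookkeeping that follows, which looks intended since the failure was already logged, but a short comment stating that would help the next reader. The enclosing main() begins and ends outside the hunk.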