* Mitigate OpenSSL security vulnerability:

- Add key blacklisting support. Keys listed in /etc/ssh/blacklist.TYPE-LENGTH will be rejected for authentication by sshd, unless "PermitBlacklistedKeys yes" is set in /etc/ssh/sshd_config. - Add a new program, ssh-vulnkey, which can be used to check keys against these blacklists. - Depend on openssh-blacklist. - Force dependencies on libssl0.9.8 / libcrypto0.9.8-udeb to at least 0.9.8g-9. - Automatically regenerate known-compromised host keys, with a critical-priority debconf note. (I regret that there was no time to gather translations.)
author: Colin Watson <cjwatson@debian.org> 2008-05-12 23:33:01 +0000
committer: Colin Watson <cjwatson@debian.org> 2008-05-12 23:33:01 +0000
commit: 47608c17e64138f8d16aa2bdc49a0eb00e1c3549 (patch)
tree: 92572d90b9aa8f45c0d9e6dbb185065667fdcea0 /sshd_config.5
parent: 19ccea525446d5a3c2a176d813c505be81b91cbf (diff)
1 files changed, 14 insertions, 0 deletions
diff --git a/sshd_config.5 b/sshd_config.5
index a7a7227b2..dab26e079 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -615,6 +615,20 @@ are refused if the number of unauthenticated connections reaches
 Specifies whether password authentication is allowed.
 The default is
 .Dq yes .
+.It Cm PermitBlacklistedKeys
+Specifies whether
+.Xr sshd 8
+should allow keys recorded in its blacklist of known-compromised keys (see
+.Xr ssh-vulnkey 1 ) .
+If
+.Dq yes ,
+then attempts to authenticate with compromised keys will be logged but
+accepted.
+If
+.Dq no ,
+then attempts to authenticate with compromised keys will be rejected.
+The default is
+.Dq no .
 .It Cm PermitEmptyPasswords
 When password authentication is allowed, it specifies whether the
 server allows login to accounts with empty password strings.
author	Colin Watson <cjwatson@debian.org>	2008-05-12 23:33:01 +0000
committer	Colin Watson <cjwatson@debian.org>	2008-05-12 23:33:01 +0000
commit	47608c17e64138f8d16aa2bdc49a0eb00e1c3549 (patch)
tree	92572d90b9aa8f45c0d9e6dbb185065667fdcea0 /sshd_config.5
parent	19ccea525446d5a3c2a176d813c505be81b91cbf (diff)

diff --git a/sshd_config.5 b/sshd_config.5 index a7a7227b2..dab26e079 100644 --- a/sshd_config.5 +++ b/sshd_config.5
@@ -615,6 +615,20 @@ are refused if the number of unauthenticated connections reaches
615	Specifies whether password authentication is allowed.	615	Specifies whether password authentication is allowed.
616	The default is	616	The default is
617	.Dq yes .	617	.Dq yes .
		618	.It Cm PermitBlacklistedKeys
		619	Specifies whether
		620	.Xr sshd 8
		621	should allow keys recorded in its blacklist of known-compromised keys (see
		622	.Xr ssh-vulnkey 1 ) .
		623	If
		624	.Dq yes ,
		625	then attempts to authenticate with compromised keys will be logged but
		626	accepted.
		627	If
		628	.Dq no ,
		629	then attempts to authenticate with compromised keys will be rejected.
		630	The default is
		631	.Dq no .
618	.It Cm PermitEmptyPasswords	632	.It Cm PermitEmptyPasswords
619	When password authentication is allowed, it specifies whether the	633	When password authentication is allowed, it specifies whether the
620	server allows login to accounts with empty password strings.	634	server allows login to accounts with empty password strings.