diff options
| -rw-r--r-- | debian/changelog | 4 | ||||
| -rw-r--r-- | readconf.c | 9 | ||||
| -rw-r--r-- | readconf.h | 1 | ||||
| -rw-r--r-- | ssh-add.c | 10 | ||||
| -rw-r--r-- | ssh.c | 18 | ||||
| -rw-r--r-- | ssh_config.5 | 17 | ||||
| -rw-r--r-- | sshconnect2.c | 4 |
7 files changed, 60 insertions, 3 deletions
diff --git a/debian/changelog b/debian/changelog index d3651d9c0..cb05066eb 100644 --- a/debian/changelog +++ b/debian/changelog | |||
| @@ -2,6 +2,10 @@ openssh (1:4.7p1-13) UNRELEASED; urgency=low | |||
| 2 | 2 | ||
| 3 | * Add some helpful advice to the end of ssh-vulnkey's output if there are | 3 | * Add some helpful advice to the end of ssh-vulnkey's output if there are |
| 4 | unknown or compromised keys (thanks, Dan Jacobson; closes: #483756). | 4 | unknown or compromised keys (thanks, Dan Jacobson; closes: #483756). |
| 5 | * Check compromised key blacklist in ssh or ssh-add, as well as in the | ||
| 6 | server (LP: #232391). To override the blacklist check in ssh | ||
| 7 | temporarily, use 'ssh -o UseBlacklistedKeys=yes'; there is no override | ||
| 8 | for the blacklist check in ssh-add. | ||
| 5 | 9 | ||
| 6 | -- Colin Watson <cjwatson@debian.org> Fri, 30 May 2008 23:26:25 +0100 | 10 | -- Colin Watson <cjwatson@debian.org> Fri, 30 May 2008 23:26:25 +0100 |
| 7 | 11 | ||
diff --git a/readconf.c b/readconf.c index 0999f28e3..07f5775d5 100644 --- a/readconf.c +++ b/readconf.c | |||
| @@ -125,6 +125,7 @@ typedef enum { | |||
| 125 | oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication, | 125 | oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication, |
| 126 | oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias, | 126 | oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias, |
| 127 | oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication, | 127 | oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication, |
| 128 | oUseBlacklistedKeys, | ||
| 128 | oHostKeyAlgorithms, oBindAddress, oSmartcardDevice, | 129 | oHostKeyAlgorithms, oBindAddress, oSmartcardDevice, |
| 129 | oClearAllForwardings, oNoHostAuthenticationForLocalhost, | 130 | oClearAllForwardings, oNoHostAuthenticationForLocalhost, |
| 130 | oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, | 131 | oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, |
| @@ -155,6 +156,7 @@ static struct { | |||
| 155 | { "passwordauthentication", oPasswordAuthentication }, | 156 | { "passwordauthentication", oPasswordAuthentication }, |
| 156 | { "kbdinteractiveauthentication", oKbdInteractiveAuthentication }, | 157 | { "kbdinteractiveauthentication", oKbdInteractiveAuthentication }, |
| 157 | { "kbdinteractivedevices", oKbdInteractiveDevices }, | 158 | { "kbdinteractivedevices", oKbdInteractiveDevices }, |
| 159 | { "useblacklistedkeys", oUseBlacklistedKeys }, | ||
| 158 | { "rsaauthentication", oRSAAuthentication }, | 160 | { "rsaauthentication", oRSAAuthentication }, |
| 159 | { "pubkeyauthentication", oPubkeyAuthentication }, | 161 | { "pubkeyauthentication", oPubkeyAuthentication }, |
| 160 | { "dsaauthentication", oPubkeyAuthentication }, /* alias */ | 162 | { "dsaauthentication", oPubkeyAuthentication }, /* alias */ |
| @@ -448,6 +450,10 @@ parse_flag: | |||
| 448 | intptr = &options->challenge_response_authentication; | 450 | intptr = &options->challenge_response_authentication; |
| 449 | goto parse_flag; | 451 | goto parse_flag; |
| 450 | 452 | ||
| 453 | case oUseBlacklistedKeys: | ||
| 454 | intptr = &options->use_blacklisted_keys; | ||
| 455 | goto parse_flag; | ||
| 456 | |||
| 451 | case oGssAuthentication: | 457 | case oGssAuthentication: |
| 452 | intptr = &options->gss_authentication; | 458 | intptr = &options->gss_authentication; |
| 453 | goto parse_flag; | 459 | goto parse_flag; |
| @@ -1061,6 +1067,7 @@ initialize_options(Options * options) | |||
| 1061 | options->kbd_interactive_devices = NULL; | 1067 | options->kbd_interactive_devices = NULL; |
| 1062 | options->rhosts_rsa_authentication = -1; | 1068 | options->rhosts_rsa_authentication = -1; |
| 1063 | options->hostbased_authentication = -1; | 1069 | options->hostbased_authentication = -1; |
| 1070 | options->use_blacklisted_keys = -1; | ||
| 1064 | options->batch_mode = -1; | 1071 | options->batch_mode = -1; |
| 1065 | options->check_host_ip = -1; | 1072 | options->check_host_ip = -1; |
| 1066 | options->strict_host_key_checking = -1; | 1073 | options->strict_host_key_checking = -1; |
| @@ -1159,6 +1166,8 @@ fill_default_options(Options * options) | |||
| 1159 | options->rhosts_rsa_authentication = 0; | 1166 | options->rhosts_rsa_authentication = 0; |
| 1160 | if (options->hostbased_authentication == -1) | 1167 | if (options->hostbased_authentication == -1) |
| 1161 | options->hostbased_authentication = 0; | 1168 | options->hostbased_authentication = 0; |
| 1169 | if (options->use_blacklisted_keys == -1) | ||
| 1170 | options->use_blacklisted_keys = 0; | ||
| 1162 | if (options->batch_mode == -1) | 1171 | if (options->batch_mode == -1) |
| 1163 | options->batch_mode = 0; | 1172 | options->batch_mode = 0; |
| 1164 | if (options->check_host_ip == -1) | 1173 | if (options->check_host_ip == -1) |
diff --git a/readconf.h b/readconf.h index a7d9200b5..eb236fc5c 100644 --- a/readconf.h +++ b/readconf.h | |||
| @@ -51,6 +51,7 @@ typedef struct { | |||
| 51 | * authentication. */ | 51 | * authentication. */ |
| 52 | int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ | 52 | int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ |
| 53 | char *kbd_interactive_devices; /* Keyboard-interactive auth devices. */ | 53 | char *kbd_interactive_devices; /* Keyboard-interactive auth devices. */ |
| 54 | int use_blacklisted_keys; /* If true, send */ | ||
| 54 | int batch_mode; /* Batch mode: do not ask for passwords. */ | 55 | int batch_mode; /* Batch mode: do not ask for passwords. */ |
| 55 | int check_host_ip; /* Also keep track of keys for IP address */ | 56 | int check_host_ip; /* Also keep track of keys for IP address */ |
| 56 | int strict_host_key_checking; /* Strict host key checking. */ | 57 | int strict_host_key_checking; /* Strict host key checking. */ |
| @@ -138,7 +138,7 @@ static int | |||
| 138 | add_file(AuthenticationConnection *ac, const char *filename) | 138 | add_file(AuthenticationConnection *ac, const char *filename) |
| 139 | { | 139 | { |
| 140 | Key *private; | 140 | Key *private; |
| 141 | char *comment = NULL; | 141 | char *comment = NULL, *fp; |
| 142 | char msg[1024]; | 142 | char msg[1024]; |
| 143 | int fd, perms_ok, ret = -1; | 143 | int fd, perms_ok, ret = -1; |
| 144 | 144 | ||
| @@ -183,6 +183,14 @@ add_file(AuthenticationConnection *ac, const char *filename) | |||
| 183 | "Bad passphrase, try again for %.200s: ", comment); | 183 | "Bad passphrase, try again for %.200s: ", comment); |
| 184 | } | 184 | } |
| 185 | } | 185 | } |
| 186 | if (blacklisted_key(private, &fp) == 1) { | ||
| 187 | fprintf(stderr, "Public key %s blacklisted (see " | ||
| 188 | "ssh-vulnkey(1)); refusing to add it\n", fp); | ||
| 189 | xfree(fp); | ||
| 190 | key_free(private); | ||
| 191 | xfree(comment); | ||
| 192 | return -1; | ||
| 193 | } | ||
| 186 | 194 | ||
| 187 | if (ssh_add_identity_constrained(ac, private, comment, lifetime, | 195 | if (ssh_add_identity_constrained(ac, private, comment, lifetime, |
| 188 | confirm)) { | 196 | confirm)) { |
| @@ -1218,7 +1218,7 @@ ssh_session2(void) | |||
| 1218 | static void | 1218 | static void |
| 1219 | load_public_identity_files(void) | 1219 | load_public_identity_files(void) |
| 1220 | { | 1220 | { |
| 1221 | char *filename, *cp, thishost[NI_MAXHOST]; | 1221 | char *filename, *cp, thishost[NI_MAXHOST], *fp; |
| 1222 | int i = 0; | 1222 | int i = 0; |
| 1223 | Key *public; | 1223 | Key *public; |
| 1224 | struct passwd *pw; | 1224 | struct passwd *pw; |
| @@ -1260,6 +1260,22 @@ load_public_identity_files(void) | |||
| 1260 | public = key_load_public(filename, NULL); | 1260 | public = key_load_public(filename, NULL); |
| 1261 | debug("identity file %s type %d", filename, | 1261 | debug("identity file %s type %d", filename, |
| 1262 | public ? public->type : -1); | 1262 | public ? public->type : -1); |
| 1263 | if (blacklisted_key(public, &fp) == 1) { | ||
| 1264 | if (options.use_blacklisted_keys) | ||
| 1265 | logit("Public key %s blacklisted (see " | ||
| 1266 | "ssh-vulnkey(1)); continuing anyway", fp); | ||
| 1267 | else | ||
| 1268 | logit("Public key %s blacklisted (see " | ||
| 1269 | "ssh-vulnkey(1)); refusing to send it", | ||
| 1270 | fp); | ||
| 1271 | xfree(fp); | ||
| 1272 | if (!options.use_blacklisted_keys) { | ||
| 1273 | key_free(public); | ||
| 1274 | xfree(filename); | ||
| 1275 | filename = NULL; | ||
| 1276 | public = NULL; | ||
| 1277 | } | ||
| 1278 | } | ||
| 1263 | xfree(options.identity_files[i]); | 1279 | xfree(options.identity_files[i]); |
| 1264 | options.identity_files[i] = filename; | 1280 | options.identity_files[i] = filename; |
| 1265 | options.identity_keys[i] = public; | 1281 | options.identity_keys[i] = public; |
diff --git a/ssh_config.5 b/ssh_config.5 index b048a54f5..411e9fd34 100644 --- a/ssh_config.5 +++ b/ssh_config.5 | |||
| @@ -1056,6 +1056,23 @@ is not specified, it defaults to | |||
| 1056 | .Dq any . | 1056 | .Dq any . |
| 1057 | The default is | 1057 | The default is |
| 1058 | .Dq any:any . | 1058 | .Dq any:any . |
| 1059 | .It Cm UseBlacklistedKeys | ||
| 1060 | Specifies whether | ||
| 1061 | .Xr ssh 1 | ||
| 1062 | should use keys recorded in its blacklist of known-compromised keys (see | ||
| 1063 | .Xr ssh-vulnkey 1 ) | ||
| 1064 | for authentication. | ||
| 1065 | If | ||
| 1066 | .Dq yes , | ||
| 1067 | then attempts to use compromised keys for authentication will be logged but | ||
| 1068 | accepted. | ||
| 1069 | It is strongly recommended that this be used only to install new authorized | ||
| 1070 | keys on the remote system, and even then only with the utmost care. | ||
| 1071 | If | ||
| 1072 | .Dq no , | ||
| 1073 | then attempts to use compromised keys for authentication will be prevented. | ||
| 1074 | The default is | ||
| 1075 | .Dq no . | ||
| 1059 | .It Cm UsePrivilegedPort | 1076 | .It Cm UsePrivilegedPort |
| 1060 | Specifies whether to use a privileged port for outgoing connections. | 1077 | Specifies whether to use a privileged port for outgoing connections. |
| 1061 | The argument must be | 1078 | The argument must be |
diff --git a/sshconnect2.c b/sshconnect2.c index e11cfaa00..97073e401 100644 --- a/sshconnect2.c +++ b/sshconnect2.c | |||
| @@ -1156,6 +1156,8 @@ pubkey_prepare(Authctxt *authctxt) | |||
| 1156 | 1156 | ||
| 1157 | /* list of keys stored in the filesystem */ | 1157 | /* list of keys stored in the filesystem */ |
| 1158 | for (i = 0; i < options.num_identity_files; i++) { | 1158 | for (i = 0; i < options.num_identity_files; i++) { |
| 1159 | if (options.identity_files[i] == NULL) | ||
| 1160 | continue; | ||
| 1159 | key = options.identity_keys[i]; | 1161 | key = options.identity_keys[i]; |
| 1160 | if (key && key->type == KEY_RSA1) | 1162 | if (key && key->type == KEY_RSA1) |
| 1161 | continue; | 1163 | continue; |
| @@ -1246,7 +1248,7 @@ userauth_pubkey(Authctxt *authctxt) | |||
| 1246 | if (id->key && id->key->type != KEY_RSA1) { | 1248 | if (id->key && id->key->type != KEY_RSA1) { |
| 1247 | debug("Offering public key: %s", id->filename); | 1249 | debug("Offering public key: %s", id->filename); |
| 1248 | sent = send_pubkey_test(authctxt, id); | 1250 | sent = send_pubkey_test(authctxt, id); |
| 1249 | } else if (id->key == NULL) { | 1251 | } else if (id->key == NULL && id->filename) { |
| 1250 | debug("Trying private key: %s", id->filename); | 1252 | debug("Trying private key: %s", id->filename); |
| 1251 | id->key = load_identity_file(id->filename); | 1253 | id->key = load_identity_file(id->filename); |
| 1252 | if (id->key != NULL) { | 1254 | if (id->key != NULL) { |