summaryrefslogtreecommitdiff
path: root/debian/patches/ssh-vulnkey.patch
diff options
context:
space:
mode:
Diffstat (limited to 'debian/patches/ssh-vulnkey.patch')
-rw-r--r--debian/patches/ssh-vulnkey.patch245
1 files changed, 119 insertions, 126 deletions
diff --git a/debian/patches/ssh-vulnkey.patch b/debian/patches/ssh-vulnkey.patch
index a0396a6eb..c2842a4cf 100644
--- a/debian/patches/ssh-vulnkey.patch
+++ b/debian/patches/ssh-vulnkey.patch
@@ -14,16 +14,16 @@ Index: b/Makefile.in
14=================================================================== 14===================================================================
15--- a/Makefile.in 15--- a/Makefile.in
16+++ b/Makefile.in 16+++ b/Makefile.in
17@@ -26,6 +26,7 @@ 17@@ -27,6 +27,7 @@
18 SFTP_SERVER=$(libexecdir)/sftp-server
19 SSH_KEYSIGN=$(libexecdir)/ssh-keysign 18 SSH_KEYSIGN=$(libexecdir)/ssh-keysign
19 SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
20 RAND_HELPER=$(libexecdir)/ssh-rand-helper 20 RAND_HELPER=$(libexecdir)/ssh-rand-helper
21+SSH_DATADIR=$(datadir)/ssh 21+SSH_DATADIR=$(datadir)/ssh
22 PRIVSEP_PATH=@PRIVSEP_PATH@ 22 PRIVSEP_PATH=@PRIVSEP_PATH@
23 SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@ 23 SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
24 STRIP_OPT=@STRIP_OPT@ 24 STRIP_OPT=@STRIP_OPT@
25@@ -37,7 +38,8 @@ 25@@ -39,7 +40,8 @@
26 -D_PATH_SSH_KEY_SIGN=\"$(SSH_KEYSIGN)\" \ 26 -D_PATH_SSH_PKCS11_HELPER=\"$(SSH_PKCS11_HELPER)\" \
27 -D_PATH_SSH_PIDDIR=\"$(piddir)\" \ 27 -D_PATH_SSH_PIDDIR=\"$(piddir)\" \
28 -D_PATH_PRIVSEP_CHROOT_DIR=\"$(PRIVSEP_PATH)\" \ 28 -D_PATH_PRIVSEP_CHROOT_DIR=\"$(PRIVSEP_PATH)\" \
29- -DSSH_RAND_HELPER=\"$(RAND_HELPER)\" 29- -DSSH_RAND_HELPER=\"$(RAND_HELPER)\"
@@ -32,27 +32,27 @@ Index: b/Makefile.in
32 32
33 CC=@CC@ 33 CC=@CC@
34 LD=@LD@ 34 LD=@LD@
35@@ -60,7 +62,7 @@ 35@@ -62,7 +64,7 @@
36 INSTALL_SSH_PRNG_CMDS=@INSTALL_SSH_PRNG_CMDS@ 36 INSTALL_SSH_PRNG_CMDS=@INSTALL_SSH_PRNG_CMDS@
37 INSTALL_SSH_RAND_HELPER=@INSTALL_SSH_RAND_HELPER@ 37 INSTALL_SSH_RAND_HELPER=@INSTALL_SSH_RAND_HELPER@
38 38
39-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-agent$(EXEEXT) scp$(EXEEXT) ssh-rand-helper${EXEEXT} sftp-server$(EXEEXT) sftp$(EXEEXT) 39-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) ssh-rand-helper${EXEEXT} sftp-server$(EXEEXT) sftp$(EXEEXT)
40+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-agent$(EXEEXT) scp$(EXEEXT) ssh-rand-helper${EXEEXT} sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-vulnkey$(EXEEXT) 40+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) ssh-rand-helper${EXEEXT} sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-vulnkey$(EXEEXT)
41 41
42 LIBSSH_OBJS=acss.o authfd.o authfile.o bufaux.o bufbn.o buffer.o \ 42 LIBSSH_OBJS=acss.o authfd.o authfile.o bufaux.o bufbn.o buffer.o \
43 canohost.o channels.o cipher.o cipher-acss.o cipher-aes.o \ 43 canohost.o channels.o cipher.o cipher-acss.o cipher-aes.o \
44@@ -91,8 +93,8 @@ 44@@ -93,8 +95,8 @@
45 audit.o audit-bsm.o platform.o sftp-server.o sftp-common.o \ 45 audit.o audit-bsm.o platform.o sftp-server.o sftp-common.o \
46 roaming_common.o 46 roaming_common.o roaming_serv.o
47 47
48-MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out sshd_config.5.out ssh_config.5.out 48-MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out
49-MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-rand-helper.8 ssh-keysign.8 sshd_config.5 ssh_config.5 49-MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-rand-helper.8 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5
50+MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out ssh-vulnkey.1.out sshd_config.5.out ssh_config.5.out 50+MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out ssh-pkcs11-helper.8.out ssh-vulnkey.1.out sshd_config.5.out ssh_config.5.out
51+MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-rand-helper.8 ssh-keysign.8 ssh-vulnkey.1 sshd_config.5 ssh_config.5 51+MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-rand-helper.8 ssh-keysign.8 ssh-pkcs11-helper.8 ssh-vulnkey.1 sshd_config.5 ssh_config.5
52 MANTYPE = @MANTYPE@ 52 MANTYPE = @MANTYPE@
53 53
54 CONFIGFILES=sshd_config.out ssh_config.out moduli.out 54 CONFIGFILES=sshd_config.out ssh_config.out moduli.out
55@@ -169,6 +171,9 @@ 55@@ -174,6 +176,9 @@
56 ssh-rand-helper${EXEEXT}: $(LIBCOMPAT) libssh.a ssh-rand-helper.o 56 ssh-rand-helper${EXEEXT}: $(LIBCOMPAT) libssh.a ssh-rand-helper.o
57 $(LD) -o $@ ssh-rand-helper.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) 57 $(LD) -o $@ ssh-rand-helper.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
58 58
@@ -62,23 +62,23 @@ Index: b/Makefile.in
62 # test driver for the loginrec code - not built by default 62 # test driver for the loginrec code - not built by default
63 logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o 63 logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o
64 $(LD) -o $@ logintest.o $(LDFLAGS) loginrec.o -lopenbsd-compat -lssh $(LIBS) 64 $(LD) -o $@ logintest.o $(LDFLAGS) loginrec.o -lopenbsd-compat -lssh $(LIBS)
65@@ -268,6 +273,7 @@ 65@@ -269,6 +274,7 @@
66 $(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign $(DESTDIR)$(SSH_KEYSIGN) 66 $(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper $(DESTDIR)$(SSH_PKCS11_HELPER)
67 $(INSTALL) -m 0755 $(STRIP_OPT) sftp $(DESTDIR)$(bindir)/sftp 67 $(INSTALL) -m 0755 $(STRIP_OPT) sftp $(DESTDIR)$(bindir)/sftp
68 $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server $(DESTDIR)$(SFTP_SERVER) 68 $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server $(DESTDIR)$(SFTP_SERVER)
69+ $(INSTALL) -m 0755 $(STRIP_OPT) ssh-vulnkey $(DESTDIR)$(bindir)/ssh-vulnkey 69+ $(INSTALL) -m 0755 $(STRIP_OPT) ssh-vulnkey $(DESTDIR)$(bindir)/ssh-vulnkey
70 $(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1 70 $(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
71 $(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1 71 $(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
72 $(INSTALL) -m 644 ssh-add.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1 72 $(INSTALL) -m 644 ssh-add.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
73@@ -284,6 +290,7 @@ 73@@ -286,6 +292,7 @@
74 $(INSTALL) -m 644 sftp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/sftp.1
75 $(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8 74 $(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
76 $(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8 75 $(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
76 $(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
77+ $(INSTALL) -m 644 ssh-vulnkey.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-vulnkey.1 77+ $(INSTALL) -m 644 ssh-vulnkey.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-vulnkey.1
78 -rm -f $(DESTDIR)$(bindir)/slogin 78 -rm -f $(DESTDIR)$(bindir)/slogin
79 ln -s ./ssh$(EXEEXT) $(DESTDIR)$(bindir)/slogin 79 ln -s ./ssh$(EXEEXT) $(DESTDIR)$(bindir)/slogin
80 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1 80 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
81@@ -365,6 +372,7 @@ 81@@ -367,6 +374,7 @@
82 -rm -f $(DESTDIR)$(bindir)/ssh-agent$(EXEEXT) 82 -rm -f $(DESTDIR)$(bindir)/ssh-agent$(EXEEXT)
83 -rm -f $(DESTDIR)$(bindir)/ssh-keygen$(EXEEXT) 83 -rm -f $(DESTDIR)$(bindir)/ssh-keygen$(EXEEXT)
84 -rm -f $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT) 84 -rm -f $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT)
@@ -86,7 +86,7 @@ Index: b/Makefile.in
86 -rm -f $(DESTDIR)$(bindir)/sftp$(EXEEXT) 86 -rm -f $(DESTDIR)$(bindir)/sftp$(EXEEXT)
87 -rm -f $(DESTDIR)$(sbindir)/sshd$(EXEEXT) 87 -rm -f $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
88 -rm -r $(DESTDIR)$(SFTP_SERVER)$(EXEEXT) 88 -rm -r $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
89@@ -377,6 +385,7 @@ 89@@ -380,6 +388,7 @@
90 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keygen.1 90 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keygen.1
91 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/sftp.1 91 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/sftp.1
92 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keyscan.1 92 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keyscan.1
@@ -98,30 +98,28 @@ Index: b/auth-rh-rsa.c
98=================================================================== 98===================================================================
99--- a/auth-rh-rsa.c 99--- a/auth-rh-rsa.c
100+++ b/auth-rh-rsa.c 100+++ b/auth-rh-rsa.c
101@@ -44,6 +44,9 @@ 101@@ -44,7 +44,7 @@
102 { 102 {
103 HostStatus host_status; 103 HostStatus host_status;
104 104
105+ if (reject_blacklisted_key(client_host_key, 0) == 1) 105- if (auth_key_is_revoked(client_host_key))
106+ return 0; 106+ if (auth_key_is_revoked(client_host_key, 0))
107+
108 /* Check if we would accept it using rhosts authentication. */
109 if (!auth_rhosts(pw, cuser))
110 return 0; 107 return 0;
108
109 /* Check if we would accept it using rhosts authentication. */
111Index: b/auth-rsa.c 110Index: b/auth-rsa.c
112=================================================================== 111===================================================================
113--- a/auth-rsa.c 112--- a/auth-rsa.c
114+++ b/auth-rsa.c 113+++ b/auth-rsa.c
115@@ -246,6 +246,9 @@ 114@@ -94,7 +94,7 @@
116 "actual %d vs. announced %d.", 115 MD5_CTX md;
117 file, linenum, BN_num_bits(key->rsa->n), bits); 116 int len;
118 117
119+ if (reject_blacklisted_key(key, 0) == 1) 118- if (auth_key_is_revoked(key))
120+ continue; 119+ if (auth_key_is_revoked(key, 0))
121+ 120 return 0;
122 /* We have found the desired key. */ 121
123 /* 122 /* don't allow short keys */
124 * If our options do not allow this key to be used,
125Index: b/auth.c 123Index: b/auth.c
126=================================================================== 124===================================================================
127--- a/auth.c 125--- a/auth.c
@@ -134,91 +132,86 @@ Index: b/auth.c
134 #include "auth.h" 132 #include "auth.h"
135 #include "auth-options.h" 133 #include "auth-options.h"
136 #include "canohost.h" 134 #include "canohost.h"
137@@ -398,6 +399,38 @@ 135@@ -593,10 +594,34 @@
138 return host_status;
139 }
140 136
141+int 137 /* Returns 1 if key is revoked by revoked_keys_file, 0 otherwise */
142+reject_blacklisted_key(Key *key, int hostkey) 138 int
143+{ 139-auth_key_is_revoked(Key *key)
144+ char *fp; 140+auth_key_is_revoked(Key *key, int hostkey)
145+ 141 {
146+ if (blacklisted_key(key, &fp) != 1) 142 char *key_fp;
147+ return 0; 143
148+ 144+ if (blacklisted_key(key, &key_fp) == 1) {
149+ if (options.permit_blacklisted_keys) { 145+ if (options.permit_blacklisted_keys) {
150+ if (hostkey) 146+ if (hostkey)
151+ error("Host key %s blacklisted (see " 147+ error("Host key %s blacklisted (see "
152+ "ssh-vulnkey(1)); continuing anyway", fp); 148+ "ssh-vulnkey(1)); continuing anyway",
153+ else 149+ key_fp);
154+ logit("Public key %s from %s blacklisted (see " 150+ else
155+ "ssh-vulnkey(1)); continuing anyway", 151+ logit("Public key %s from %s blacklisted (see "
156+ fp, get_remote_ipaddr()); 152+ "ssh-vulnkey(1)); continuing anyway",
157+ xfree(fp); 153+ key_fp, get_remote_ipaddr());
158+ } else { 154+ xfree(key_fp);
159+ if (hostkey) 155+ } else {
160+ error("Host key %s blacklisted (see " 156+ if (hostkey)
161+ "ssh-vulnkey(1))", fp); 157+ error("Host key %s blacklisted (see "
162+ else 158+ "ssh-vulnkey(1))", key_fp);
163+ logit("Public key %s from %s blacklisted (see " 159+ else
164+ "ssh-vulnkey(1))", 160+ logit("Public key %s from %s blacklisted (see "
165+ fp, get_remote_ipaddr()); 161+ "ssh-vulnkey(1))",
166+ xfree(fp); 162+ key_fp, get_remote_ipaddr());
167+ return 1; 163+ xfree(key_fp);
164+ return 1;
165+ }
168+ } 166+ }
169+ 167+
170+ return 0; 168 if (options.revoked_keys_file == NULL)
171+} 169 return 0;
172+
173 170
174 /*
175 * Check a given file for security. This is defined as all components
176Index: b/auth.h 171Index: b/auth.h
177=================================================================== 172===================================================================
178--- a/auth.h 173--- a/auth.h
179+++ b/auth.h 174+++ b/auth.h
180@@ -178,6 +178,8 @@ 175@@ -173,7 +173,7 @@
181 check_key_in_hostfiles(struct passwd *, Key *, const char *, 176 char *authorized_keys_file2(struct passwd *);
182 const char *, const char *);
183 177
184+int reject_blacklisted_key(Key *, int); 178 FILE *auth_openkeyfile(const char *, struct passwd *, int);
185+ 179-int auth_key_is_revoked(Key *);
186 /* hostkey handling */ 180+int auth_key_is_revoked(Key *, int);
187 Key *get_hostkey_by_index(int); 181
188 Key *get_hostkey_by_type(int); 182 HostStatus
183 check_key_in_hostfiles(struct passwd *, Key *, const char *,
189Index: b/auth2-hostbased.c 184Index: b/auth2-hostbased.c
190=================================================================== 185===================================================================
191--- a/auth2-hostbased.c 186--- a/auth2-hostbased.c
192+++ b/auth2-hostbased.c 187+++ b/auth2-hostbased.c
193@@ -145,6 +145,9 @@ 188@@ -145,7 +145,7 @@
194 HostStatus host_status; 189 HostStatus host_status;
195 int len; 190 int len;
196 191
197+ if (reject_blacklisted_key(key, 0) == 1) 192- if (auth_key_is_revoked(key))
198+ return 0; 193+ if (auth_key_is_revoked(key, 0))
199+ 194 return 0;
200 resolvedname = get_canonical_hostname(options.use_dns);
201 ipaddr = get_remote_ipaddr();
202 195
196 resolvedname = get_canonical_hostname(options.use_dns);
203Index: b/auth2-pubkey.c 197Index: b/auth2-pubkey.c
204=================================================================== 198===================================================================
205--- a/auth2-pubkey.c 199--- a/auth2-pubkey.c
206+++ b/auth2-pubkey.c 200+++ b/auth2-pubkey.c
207@@ -254,6 +254,9 @@ 201@@ -325,7 +325,7 @@
208 int success; 202 int success;
209 char *file; 203 char *file;
210 204
211+ if (reject_blacklisted_key(key, 0) == 1) 205- if (auth_key_is_revoked(key))
212+ return 0; 206+ if (auth_key_is_revoked(key, 0))
213+ 207 return 0;
214 file = authorized_keys_file(pw); 208 if (key_is_cert(key) && auth_key_is_revoked(key->cert->signature_key))
215 success = user_key_allowed2(pw, key, file); 209 return 0;
216 xfree(file);
217Index: b/authfile.c 210Index: b/authfile.c
218=================================================================== 211===================================================================
219--- a/authfile.c 212--- a/authfile.c
220+++ b/authfile.c 213+++ b/authfile.c
221@@ -65,6 +65,7 @@ 214@@ -68,6 +68,7 @@
222 #include "rsa.h" 215 #include "rsa.h"
223 #include "misc.h" 216 #include "misc.h"
224 #include "atomicio.h" 217 #include "atomicio.h"
@@ -226,11 +219,10 @@ Index: b/authfile.c
226 219
227 /* Version identification string for SSH v1 identity files. */ 220 /* Version identification string for SSH v1 identity files. */
228 static const char authfile_id_string[] = 221 static const char authfile_id_string[] =
229@@ -677,3 +678,140 @@ 222@@ -754,3 +755,140 @@
230 key_free(pub); 223 return ret;
231 return NULL;
232 } 224 }
233+ 225
234+/* Scan a blacklist of known-vulnerable keys in blacklist_file. */ 226+/* Scan a blacklist of known-vulnerable keys in blacklist_file. */
235+static int 227+static int
236+blacklisted_key_in_file(const Key *key, const char *blacklist_file, char **fp) 228+blacklisted_key_in_file(const Key *key, const char *blacklist_file, char **fp)
@@ -367,13 +359,14 @@ Index: b/authfile.c
367+ key_free(public); 359+ key_free(public);
368+ return ret; 360+ return ret;
369+} 361+}
362+
370Index: b/authfile.h 363Index: b/authfile.h
371=================================================================== 364===================================================================
372--- a/authfile.h 365--- a/authfile.h
373+++ b/authfile.h 366+++ b/authfile.h
374@@ -23,4 +23,6 @@ 367@@ -24,4 +24,6 @@
375 Key *key_load_private_pem(int, int, const char *, char **);
376 int key_perm_ok(int, const char *); 368 int key_perm_ok(int, const char *);
369 int key_in_file(Key *, const char *, int);
377 370
378+int blacklisted_key(const Key *key, char **fp); 371+int blacklisted_key(const Key *key, char **fp);
379+ 372+
@@ -412,7 +405,7 @@ Index: b/readconf.c
412 oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias, 405 oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias,
413 oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication, 406 oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication,
414+ oUseBlacklistedKeys, 407+ oUseBlacklistedKeys,
415 oHostKeyAlgorithms, oBindAddress, oSmartcardDevice, 408 oHostKeyAlgorithms, oBindAddress, oPKCS11Provider,
416 oClearAllForwardings, oNoHostAuthenticationForLocalhost, 409 oClearAllForwardings, oNoHostAuthenticationForLocalhost,
417 oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, 410 oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
418@@ -152,6 +153,7 @@ 411@@ -152,6 +153,7 @@
@@ -423,7 +416,7 @@ Index: b/readconf.c
423 { "rsaauthentication", oRSAAuthentication }, 416 { "rsaauthentication", oRSAAuthentication },
424 { "pubkeyauthentication", oPubkeyAuthentication }, 417 { "pubkeyauthentication", oPubkeyAuthentication },
425 { "dsaauthentication", oPubkeyAuthentication }, /* alias */ 418 { "dsaauthentication", oPubkeyAuthentication }, /* alias */
426@@ -459,6 +461,10 @@ 419@@ -461,6 +463,10 @@
427 intptr = &options->challenge_response_authentication; 420 intptr = &options->challenge_response_authentication;
428 goto parse_flag; 421 goto parse_flag;
429 422
@@ -434,7 +427,7 @@ Index: b/readconf.c
434 case oGssAuthentication: 427 case oGssAuthentication:
435 intptr = &options->gss_authentication; 428 intptr = &options->gss_authentication;
436 goto parse_flag; 429 goto parse_flag;
437@@ -1048,6 +1054,7 @@ 430@@ -1050,6 +1056,7 @@
438 options->kbd_interactive_devices = NULL; 431 options->kbd_interactive_devices = NULL;
439 options->rhosts_rsa_authentication = -1; 432 options->rhosts_rsa_authentication = -1;
440 options->hostbased_authentication = -1; 433 options->hostbased_authentication = -1;
@@ -442,7 +435,7 @@ Index: b/readconf.c
442 options->batch_mode = -1; 435 options->batch_mode = -1;
443 options->check_host_ip = -1; 436 options->check_host_ip = -1;
444 options->strict_host_key_checking = -1; 437 options->strict_host_key_checking = -1;
445@@ -1150,6 +1157,8 @@ 438@@ -1152,6 +1159,8 @@
446 options->rhosts_rsa_authentication = 0; 439 options->rhosts_rsa_authentication = 0;
447 if (options->hostbased_authentication == -1) 440 if (options->hostbased_authentication == -1)
448 options->hostbased_authentication = 0; 441 options->hostbased_authentication = 0;
@@ -467,7 +460,7 @@ Index: b/servconf.c
467=================================================================== 460===================================================================
468--- a/servconf.c 461--- a/servconf.c
469+++ b/servconf.c 462+++ b/servconf.c
470@@ -99,6 +99,7 @@ 463@@ -100,6 +100,7 @@
471 options->password_authentication = -1; 464 options->password_authentication = -1;
472 options->kbd_interactive_authentication = -1; 465 options->kbd_interactive_authentication = -1;
473 options->challenge_response_authentication = -1; 466 options->challenge_response_authentication = -1;
@@ -475,7 +468,7 @@ Index: b/servconf.c
475 options->permit_empty_passwd = -1; 468 options->permit_empty_passwd = -1;
476 options->permit_user_env = -1; 469 options->permit_user_env = -1;
477 options->use_login = -1; 470 options->use_login = -1;
478@@ -227,6 +228,8 @@ 471@@ -231,6 +232,8 @@
479 options->kbd_interactive_authentication = 0; 472 options->kbd_interactive_authentication = 0;
480 if (options->challenge_response_authentication == -1) 473 if (options->challenge_response_authentication == -1)
481 options->challenge_response_authentication = 1; 474 options->challenge_response_authentication = 1;
@@ -484,7 +477,7 @@ Index: b/servconf.c
484 if (options->permit_empty_passwd == -1) 477 if (options->permit_empty_passwd == -1)
485 options->permit_empty_passwd = 0; 478 options->permit_empty_passwd = 0;
486 if (options->permit_user_env == -1) 479 if (options->permit_user_env == -1)
487@@ -302,7 +305,7 @@ 480@@ -306,7 +309,7 @@
488 sListenAddress, sAddressFamily, 481 sListenAddress, sAddressFamily,
489 sPrintMotd, sPrintLastLog, sIgnoreRhosts, 482 sPrintMotd, sPrintLastLog, sIgnoreRhosts,
490 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost, 483 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
@@ -493,7 +486,7 @@ Index: b/servconf.c
493 sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression, 486 sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
494 sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, 487 sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
495 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, 488 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
496@@ -410,6 +413,7 @@ 489@@ -415,6 +418,7 @@
497 { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL }, 490 { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
498 { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL }, 491 { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
499 { "strictmodes", sStrictModes, SSHCFG_GLOBAL }, 492 { "strictmodes", sStrictModes, SSHCFG_GLOBAL },
@@ -501,7 +494,7 @@ Index: b/servconf.c
501 { "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL }, 494 { "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL },
502 { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL }, 495 { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL },
503 { "uselogin", sUseLogin, SSHCFG_GLOBAL }, 496 { "uselogin", sUseLogin, SSHCFG_GLOBAL },
504@@ -976,6 +980,10 @@ 497@@ -1010,6 +1014,10 @@
505 intptr = &options->tcp_keep_alive; 498 intptr = &options->tcp_keep_alive;
506 goto parse_flag; 499 goto parse_flag;
507 500
@@ -512,7 +505,7 @@ Index: b/servconf.c
512 case sEmptyPasswd: 505 case sEmptyPasswd:
513 intptr = &options->permit_empty_passwd; 506 intptr = &options->permit_empty_passwd;
514 goto parse_flag; 507 goto parse_flag;
515@@ -1644,6 +1652,7 @@ 508@@ -1688,6 +1696,7 @@
516 dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost); 509 dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost);
517 dump_cfg_fmtint(sStrictModes, o->strict_modes); 510 dump_cfg_fmtint(sStrictModes, o->strict_modes);
518 dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive); 511 dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive);
@@ -524,7 +517,7 @@ Index: b/servconf.h
524=================================================================== 517===================================================================
525--- a/servconf.h 518--- a/servconf.h
526+++ b/servconf.h 519+++ b/servconf.h
527@@ -101,6 +101,7 @@ 520@@ -104,6 +104,7 @@
528 int challenge_response_authentication; 521 int challenge_response_authentication;
529 int zero_knowledge_password_authentication; 522 int zero_knowledge_password_authentication;
530 /* If true, permit jpake auth */ 523 /* If true, permit jpake auth */
@@ -536,7 +529,7 @@ Index: b/ssh-add.1
536=================================================================== 529===================================================================
537--- a/ssh-add.1 530--- a/ssh-add.1
538+++ b/ssh-add.1 531+++ b/ssh-add.1
539@@ -75,6 +75,10 @@ 532@@ -82,6 +82,10 @@
540 .Nm 533 .Nm
541 to work. 534 to work.
542 .Pp 535 .Pp
@@ -547,7 +540,7 @@ Index: b/ssh-add.1
547 The options are as follows: 540 The options are as follows:
548 .Bl -tag -width Ds 541 .Bl -tag -width Ds
549 .It Fl c 542 .It Fl c
550@@ -174,6 +178,7 @@ 543@@ -182,6 +186,7 @@
551 .Xr ssh 1 , 544 .Xr ssh 1 ,
552 .Xr ssh-agent 1 , 545 .Xr ssh-agent 1 ,
553 .Xr ssh-keygen 1 , 546 .Xr ssh-keygen 1 ,
@@ -562,10 +555,10 @@ Index: b/ssh-add.c
562@@ -139,7 +139,7 @@ 555@@ -139,7 +139,7 @@
563 add_file(AuthenticationConnection *ac, const char *filename) 556 add_file(AuthenticationConnection *ac, const char *filename)
564 { 557 {
565 Key *private; 558 Key *private, *cert;
566- char *comment = NULL; 559- char *comment = NULL;
567+ char *comment = NULL, *fp; 560+ char *comment = NULL, *fp;
568 char msg[1024]; 561 char msg[1024], *certpath;
569 int fd, perms_ok, ret = -1; 562 int fd, perms_ok, ret = -1;
570 563
571@@ -184,6 +184,14 @@ 564@@ -184,6 +184,14 @@
@@ -587,7 +580,7 @@ Index: b/ssh-keygen.1
587=================================================================== 580===================================================================
588--- a/ssh-keygen.1 581--- a/ssh-keygen.1
589+++ b/ssh-keygen.1 582+++ b/ssh-keygen.1
590@@ -451,6 +451,7 @@ 583@@ -629,6 +629,7 @@
591 .Xr ssh 1 , 584 .Xr ssh 1 ,
592 .Xr ssh-add 1 , 585 .Xr ssh-add 1 ,
593 .Xr ssh-agent 1 , 586 .Xr ssh-agent 1 ,
@@ -1239,7 +1232,7 @@ Index: b/ssh.1
1239=================================================================== 1232===================================================================
1240--- a/ssh.1 1233--- a/ssh.1
1241+++ b/ssh.1 1234+++ b/ssh.1
1242@@ -1396,6 +1396,7 @@ 1235@@ -1423,6 +1423,7 @@
1243 .Xr ssh-agent 1 , 1236 .Xr ssh-agent 1 ,
1244 .Xr ssh-keygen 1 , 1237 .Xr ssh-keygen 1 ,
1245 .Xr ssh-keyscan 1 , 1238 .Xr ssh-keyscan 1 ,
@@ -1251,7 +1244,7 @@ Index: b/ssh.c
1251=================================================================== 1244===================================================================
1252--- a/ssh.c 1245--- a/ssh.c
1253+++ b/ssh.c 1246+++ b/ssh.c
1254@@ -1229,7 +1229,7 @@ 1247@@ -1301,7 +1301,7 @@
1255 static void 1248 static void
1256 load_public_identity_files(void) 1249 load_public_identity_files(void)
1257 { 1250 {
@@ -1260,7 +1253,7 @@ Index: b/ssh.c
1260 char *pwdir = NULL, *pwname = NULL; 1253 char *pwdir = NULL, *pwname = NULL;
1261 int i = 0; 1254 int i = 0;
1262 Key *public; 1255 Key *public;
1263@@ -1276,6 +1276,22 @@ 1256@@ -1358,6 +1358,22 @@
1264 public = key_load_public(filename, NULL); 1257 public = key_load_public(filename, NULL);
1265 debug("identity file %s type %d", filename, 1258 debug("identity file %s type %d", filename,
1266 public ? public->type : -1); 1259 public ? public->type : -1);
@@ -1281,13 +1274,13 @@ Index: b/ssh.c
1281+ } 1274+ }
1282+ } 1275+ }
1283 xfree(options.identity_files[i]); 1276 xfree(options.identity_files[i]);
1284 options.identity_files[i] = filename; 1277 identity_files[n_ids] = filename;
1285 options.identity_keys[i] = public; 1278 identity_keys[n_ids] = public;
1286Index: b/ssh_config.5 1279Index: b/ssh_config.5
1287=================================================================== 1280===================================================================
1288--- a/ssh_config.5 1281--- a/ssh_config.5
1289+++ b/ssh_config.5 1282+++ b/ssh_config.5
1290@@ -1041,6 +1041,23 @@ 1283@@ -1055,6 +1055,23 @@
1291 .Dq any . 1284 .Dq any .
1292 The default is 1285 The default is
1293 .Dq any:any . 1286 .Dq any:any .
@@ -1315,7 +1308,7 @@ Index: b/sshconnect2.c
1315=================================================================== 1308===================================================================
1316--- a/sshconnect2.c 1309--- a/sshconnect2.c
1317+++ b/sshconnect2.c 1310+++ b/sshconnect2.c
1318@@ -1392,6 +1392,8 @@ 1311@@ -1418,6 +1418,8 @@
1319 1312
1320 /* list of keys stored in the filesystem */ 1313 /* list of keys stored in the filesystem */
1321 for (i = 0; i < options.num_identity_files; i++) { 1314 for (i = 0; i < options.num_identity_files; i++) {
@@ -1324,7 +1317,7 @@ Index: b/sshconnect2.c
1324 key = options.identity_keys[i]; 1317 key = options.identity_keys[i];
1325 if (key && key->type == KEY_RSA1) 1318 if (key && key->type == KEY_RSA1)
1326 continue; 1319 continue;
1327@@ -1482,7 +1484,7 @@ 1320@@ -1510,7 +1512,7 @@
1328 if (id->key && id->key->type != KEY_RSA1) { 1321 if (id->key && id->key->type != KEY_RSA1) {
1329 debug("Offering public key: %s", id->filename); 1322 debug("Offering public key: %s", id->filename);
1330 sent = send_pubkey_test(authctxt, id); 1323 sent = send_pubkey_test(authctxt, id);
@@ -1337,7 +1330,7 @@ Index: b/sshd.8
1337=================================================================== 1330===================================================================
1338--- a/sshd.8 1331--- a/sshd.8
1339+++ b/sshd.8 1332+++ b/sshd.8
1340@@ -871,6 +871,7 @@ 1333@@ -928,6 +928,7 @@
1341 .Xr ssh-agent 1 , 1334 .Xr ssh-agent 1 ,
1342 .Xr ssh-keygen 1 , 1335 .Xr ssh-keygen 1 ,
1343 .Xr ssh-keyscan 1 , 1336 .Xr ssh-keyscan 1 ,
@@ -1349,11 +1342,11 @@ Index: b/sshd.c
1349=================================================================== 1342===================================================================
1350--- a/sshd.c 1343--- a/sshd.c
1351+++ b/sshd.c 1344+++ b/sshd.c
1352@@ -1518,6 +1518,11 @@ 1345@@ -1564,6 +1564,11 @@
1353 sensitive_data.host_keys[i] = NULL; 1346 sensitive_data.host_keys[i] = NULL;
1354 continue; 1347 continue;
1355 } 1348 }
1356+ if (reject_blacklisted_key(key, 1) == 1) { 1349+ if (auth_key_is_revoked(key, 1)) {
1357+ key_free(key); 1350+ key_free(key);
1358+ sensitive_data.host_keys[i] = NULL; 1351+ sensitive_data.host_keys[i] = NULL;
1359+ continue; 1352+ continue;
@@ -1365,7 +1358,7 @@ Index: b/sshd_config.5
1365=================================================================== 1358===================================================================
1366--- a/sshd_config.5 1359--- a/sshd_config.5
1367+++ b/sshd_config.5 1360+++ b/sshd_config.5
1368@@ -685,6 +685,20 @@ 1361@@ -694,6 +694,20 @@
1369 Specifies whether password authentication is allowed. 1362 Specifies whether password authentication is allowed.
1370 The default is 1363 The default is
1371 .Dq yes . 1364 .Dq yes .
generated by cgit v1.2.3 (git 2.39.1) at 2024-11-11 07:09:21 +0000