Diffstat (limited to 'debian/patches/ssh-vulnkey.patch')
-rw-r--r-- | debian/patches/ssh-vulnkey.patch | 248 |
1 files changed, 143 insertions, 105 deletions
diff --git a/debian/patches/ssh-vulnkey.patch b/debian/patches/ssh-vulnkey.patch index a1e8c20f9..ae262083d 100644 --- a/debian/patches/ssh-vulnkey.patch +++ b/debian/patches/ssh-vulnkey.patch | |||
@@ -1,20 +1,56 @@ | |||
1 | Description: Reject vulnerable keys to mitigate Debian OpenSSL flaw | 1 | From 8909ff0e3cd07d1b042d1be1c8b8828dbf6c9a83 Mon Sep 17 00:00:00 2001 |
2 | In 2008, Debian (and derived distributions such as Ubuntu) shipped an | 2 | From: Colin Watson <cjwatson@ubuntu.com> |
3 | OpenSSL package with a flawed random number generator, causing OpenSSH to | 3 | Date: Sun, 9 Feb 2014 16:09:50 +0000 |
4 | generate only a very limited set of keys which were subject to private half | 4 | Subject: Reject vulnerable keys to mitigate Debian OpenSSL flaw |
5 | precomputation. To mitigate this, this patch checks key authentications | 5 | |
6 | against a blacklist of known-vulnerable keys, and adds a new ssh-vulnkey | 6 | In 2008, Debian (and derived distributions such as Ubuntu) shipped an |
7 | program which can be used to explicitly check keys against that blacklist. | 7 | OpenSSL package with a flawed random number generator, causing OpenSSH to |
8 | See CVE-2008-0166. | 8 | generate only a very limited set of keys which were subject to private half |
9 | Author: Colin Watson <cjwatson@ubuntu.com> | 9 | precomputation. To mitigate this, this patch checks key authentications |
10 | against a blacklist of known-vulnerable keys, and adds a new ssh-vulnkey | ||
11 | program which can be used to explicitly check keys against that blacklist. | ||
12 | See CVE-2008-0166. | ||
13 | |||
10 | Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1469 | 14 | Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1469 |
11 | Last-Update: 2013-09-14 | 15 | Last-Update: 2013-09-14 |
12 | 16 | ||
13 | Index: b/Makefile.in | 17 | Patch-Name: ssh-vulnkey.patch |
14 | =================================================================== | 18 | --- |
19 | Makefile.in | 17 ++- | ||
20 | auth-rh-rsa.c | 2 +- | ||
21 | auth-rsa.c | 2 +- | ||
22 | auth.c | 27 +++- | ||
23 | auth.h | 2 +- | ||
24 | auth2-hostbased.c | 2 +- | ||
25 | auth2-pubkey.c | 5 +- | ||
26 | authfile.c | 136 +++++++++++++++++++ | ||
27 | authfile.h | 2 + | ||
28 | pathnames.h | 7 + | ||
29 | readconf.c | 9 ++ | ||
30 | readconf.h | 1 + | ||
31 | servconf.c | 11 +- | ||
32 | servconf.h | 1 + | ||
33 | ssh-add.1 | 5 + | ||
34 | ssh-add.c | 10 +- | ||
35 | ssh-keygen.1 | 1 + | ||
36 | ssh-vulnkey.1 | 242 ++++++++++++++++++++++++++++++++++ | ||
37 | ssh-vulnkey.c | 386 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ | ||
38 | ssh.1 | 1 + | ||
39 | ssh.c | 18 ++- | ||
40 | ssh_config.5 | 17 +++ | ||
41 | sshconnect2.c | 4 +- | ||
42 | sshd.8 | 1 + | ||
43 | sshd.c | 5 + | ||
44 | sshd_config.5 | 14 ++ | ||
45 | 26 files changed, 913 insertions(+), 15 deletions(-) | ||
46 | create mode 100644 ssh-vulnkey.1 | ||
47 | create mode 100644 ssh-vulnkey.c | ||
48 | |||
49 | diff --git a/Makefile.in b/Makefile.in | ||
50 | index f979926..b8f5099 100644 | ||
15 | --- a/Makefile.in | 51 | --- a/Makefile.in |
16 | +++ b/Makefile.in | 52 | +++ b/Makefile.in |
17 | @@ -26,6 +26,7 @@ | 53 | @@ -26,6 +26,7 @@ ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass |
18 | SFTP_SERVER=$(libexecdir)/sftp-server | 54 | SFTP_SERVER=$(libexecdir)/sftp-server |
19 | SSH_KEYSIGN=$(libexecdir)/ssh-keysign | 55 | SSH_KEYSIGN=$(libexecdir)/ssh-keysign |
20 | SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper | 56 | SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper |
@@ -22,7 +58,7 @@ Index: b/Makefile.in | |||
22 | PRIVSEP_PATH=@PRIVSEP_PATH@ | 58 | PRIVSEP_PATH=@PRIVSEP_PATH@ |
23 | SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@ | 59 | SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@ |
24 | STRIP_OPT=@STRIP_OPT@ | 60 | STRIP_OPT=@STRIP_OPT@ |
25 | @@ -37,7 +38,8 @@ | 61 | @@ -37,7 +38,8 @@ PATHS= -DSSHDIR=\"$(sysconfdir)\" \ |
26 | -D_PATH_SSH_KEY_SIGN=\"$(SSH_KEYSIGN)\" \ | 62 | -D_PATH_SSH_KEY_SIGN=\"$(SSH_KEYSIGN)\" \ |
27 | -D_PATH_SSH_PKCS11_HELPER=\"$(SSH_PKCS11_HELPER)\" \ | 63 | -D_PATH_SSH_PKCS11_HELPER=\"$(SSH_PKCS11_HELPER)\" \ |
28 | -D_PATH_SSH_PIDDIR=\"$(piddir)\" \ | 64 | -D_PATH_SSH_PIDDIR=\"$(piddir)\" \ |
@@ -32,7 +68,7 @@ Index: b/Makefile.in | |||
32 | 68 | ||
33 | CC=@CC@ | 69 | CC=@CC@ |
34 | LD=@LD@ | 70 | LD=@LD@ |
35 | @@ -61,7 +63,7 @@ | 71 | @@ -61,7 +63,7 @@ LDFLAGS=-L. -Lopenbsd-compat/ @LDFLAGS@ |
36 | EXEEXT=@EXEEXT@ | 72 | EXEEXT=@EXEEXT@ |
37 | MANFMT=@MANFMT@ | 73 | MANFMT=@MANFMT@ |
38 | 74 | ||
@@ -41,7 +77,7 @@ Index: b/Makefile.in | |||
41 | 77 | ||
42 | LIBSSH_OBJS=authfd.o authfile.o bufaux.o bufbn.o buffer.o \ | 78 | LIBSSH_OBJS=authfd.o authfile.o bufaux.o bufbn.o buffer.o \ |
43 | canohost.o channels.o cipher.o cipher-aes.o \ | 79 | canohost.o channels.o cipher.o cipher-aes.o \ |
44 | @@ -96,8 +98,8 @@ | 80 | @@ -96,8 +98,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \ |
45 | sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \ | 81 | sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \ |
46 | sandbox-seccomp-filter.o | 82 | sandbox-seccomp-filter.o |
47 | 83 | ||
@@ -52,7 +88,7 @@ Index: b/Makefile.in | |||
52 | MANTYPE = @MANTYPE@ | 88 | MANTYPE = @MANTYPE@ |
53 | 89 | ||
54 | CONFIGFILES=sshd_config.out ssh_config.out moduli.out | 90 | CONFIGFILES=sshd_config.out ssh_config.out moduli.out |
55 | @@ -176,6 +178,9 @@ | 91 | @@ -176,6 +178,9 @@ sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o s |
56 | sftp$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-client.o sftp-common.o sftp-glob.o progressmeter.o | 92 | sftp$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-client.o sftp-common.o sftp-glob.o progressmeter.o |
57 | $(LD) -o $@ progressmeter.o sftp.o sftp-client.o sftp-common.o sftp-glob.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LIBEDIT) | 93 | $(LD) -o $@ progressmeter.o sftp.o sftp-client.o sftp-common.o sftp-glob.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LIBEDIT) |
58 | 94 | ||
@@ -62,7 +98,7 @@ Index: b/Makefile.in | |||
62 | # test driver for the loginrec code - not built by default | 98 | # test driver for the loginrec code - not built by default |
63 | logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o | 99 | logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o |
64 | $(LD) -o $@ logintest.o $(LDFLAGS) loginrec.o -lopenbsd-compat -lssh $(LIBS) | 100 | $(LD) -o $@ logintest.o $(LDFLAGS) loginrec.o -lopenbsd-compat -lssh $(LIBS) |
65 | @@ -272,6 +277,7 @@ | 101 | @@ -272,6 +277,7 @@ install-files: |
66 | $(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT) | 102 | $(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT) |
67 | $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT) | 103 | $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT) |
68 | $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT) | 104 | $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT) |
@@ -70,7 +106,7 @@ Index: b/Makefile.in | |||
70 | $(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1 | 106 | $(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1 |
71 | $(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1 | 107 | $(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1 |
72 | $(INSTALL) -m 644 ssh-add.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1 | 108 | $(INSTALL) -m 644 ssh-add.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1 |
73 | @@ -286,6 +292,7 @@ | 109 | @@ -286,6 +292,7 @@ install-files: |
74 | $(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8 | 110 | $(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8 |
75 | $(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8 | 111 | $(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8 |
76 | $(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8 | 112 | $(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8 |
@@ -78,7 +114,7 @@ Index: b/Makefile.in | |||
78 | -rm -f $(DESTDIR)$(bindir)/slogin | 114 | -rm -f $(DESTDIR)$(bindir)/slogin |
79 | ln -s ./ssh$(EXEEXT) $(DESTDIR)$(bindir)/slogin | 115 | ln -s ./ssh$(EXEEXT) $(DESTDIR)$(bindir)/slogin |
80 | -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1 | 116 | -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1 |
81 | @@ -367,6 +374,7 @@ | 117 | @@ -367,6 +374,7 @@ uninstall: |
82 | -rm -f $(DESTDIR)$(bindir)/ssh-agent$(EXEEXT) | 118 | -rm -f $(DESTDIR)$(bindir)/ssh-agent$(EXEEXT) |
83 | -rm -f $(DESTDIR)$(bindir)/ssh-keygen$(EXEEXT) | 119 | -rm -f $(DESTDIR)$(bindir)/ssh-keygen$(EXEEXT) |
84 | -rm -f $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT) | 120 | -rm -f $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT) |
@@ -86,7 +122,7 @@ Index: b/Makefile.in | |||
86 | -rm -f $(DESTDIR)$(bindir)/sftp$(EXEEXT) | 122 | -rm -f $(DESTDIR)$(bindir)/sftp$(EXEEXT) |
87 | -rm -f $(DESTDIR)$(sbindir)/sshd$(EXEEXT) | 123 | -rm -f $(DESTDIR)$(sbindir)/sshd$(EXEEXT) |
88 | -rm -r $(DESTDIR)$(SFTP_SERVER)$(EXEEXT) | 124 | -rm -r $(DESTDIR)$(SFTP_SERVER)$(EXEEXT) |
89 | @@ -379,6 +387,7 @@ | 125 | @@ -379,6 +387,7 @@ uninstall: |
90 | -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keygen.1 | 126 | -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keygen.1 |
91 | -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/sftp.1 | 127 | -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/sftp.1 |
92 | -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keyscan.1 | 128 | -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keyscan.1 |
@@ -94,11 +130,11 @@ Index: b/Makefile.in | |||
94 | -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8 | 130 | -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8 |
95 | -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8 | 131 | -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8 |
96 | -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8 | 132 | -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8 |
97 | Index: b/auth-rh-rsa.c | 133 | diff --git a/auth-rh-rsa.c b/auth-rh-rsa.c |
98 | =================================================================== | 134 | index b21a0f4..891ec32 100644 |
99 | --- a/auth-rh-rsa.c | 135 | --- a/auth-rh-rsa.c |
100 | +++ b/auth-rh-rsa.c | 136 | +++ b/auth-rh-rsa.c |
101 | @@ -44,7 +44,7 @@ | 137 | @@ -44,7 +44,7 @@ auth_rhosts_rsa_key_allowed(struct passwd *pw, char *cuser, char *chost, |
102 | { | 138 | { |
103 | HostStatus host_status; | 139 | HostStatus host_status; |
104 | 140 | ||
@@ -107,11 +143,11 @@ Index: b/auth-rh-rsa.c | |||
107 | return 0; | 143 | return 0; |
108 | 144 | ||
109 | /* Check if we would accept it using rhosts authentication. */ | 145 | /* Check if we would accept it using rhosts authentication. */ |
110 | Index: b/auth-rsa.c | 146 | diff --git a/auth-rsa.c b/auth-rsa.c |
111 | =================================================================== | 147 | index 545aa49..6ed152c 100644 |
112 | --- a/auth-rsa.c | 148 | --- a/auth-rsa.c |
113 | +++ b/auth-rsa.c | 149 | +++ b/auth-rsa.c |
114 | @@ -237,7 +237,7 @@ | 150 | @@ -237,7 +237,7 @@ rsa_key_allowed_in_file(struct passwd *pw, char *file, |
115 | free(fp); | 151 | free(fp); |
116 | 152 | ||
117 | /* Never accept a revoked key */ | 153 | /* Never accept a revoked key */ |
@@ -120,8 +156,8 @@ Index: b/auth-rsa.c | |||
120 | break; | 156 | break; |
121 | 157 | ||
122 | /* We have found the desired key. */ | 158 | /* We have found the desired key. */ |
123 | Index: b/auth.c | 159 | diff --git a/auth.c b/auth.c |
124 | =================================================================== | 160 | index 9a36f1d..6662e9a 100644 |
125 | --- a/auth.c | 161 | --- a/auth.c |
126 | +++ b/auth.c | 162 | +++ b/auth.c |
127 | @@ -59,6 +59,7 @@ | 163 | @@ -59,6 +59,7 @@ |
@@ -132,7 +168,7 @@ Index: b/auth.c | |||
132 | #include "auth.h" | 168 | #include "auth.h" |
133 | #include "auth-options.h" | 169 | #include "auth-options.h" |
134 | #include "canohost.h" | 170 | #include "canohost.h" |
135 | @@ -657,10 +658,34 @@ | 171 | @@ -657,10 +658,34 @@ getpwnamallow(const char *user) |
136 | 172 | ||
137 | /* Returns 1 if key is revoked by revoked_keys_file, 0 otherwise */ | 173 | /* Returns 1 if key is revoked by revoked_keys_file, 0 otherwise */ |
138 | int | 174 | int |
@@ -168,11 +204,11 @@ Index: b/auth.c | |||
168 | if (options.revoked_keys_file == NULL) | 204 | if (options.revoked_keys_file == NULL) |
169 | return 0; | 205 | return 0; |
170 | switch (ssh_krl_file_contains_key(options.revoked_keys_file, key)) { | 206 | switch (ssh_krl_file_contains_key(options.revoked_keys_file, key)) { |
171 | Index: b/auth.h | 207 | diff --git a/auth.h b/auth.h |
172 | =================================================================== | 208 | index 5b6824f..ec95460 100644 |
173 | --- a/auth.h | 209 | --- a/auth.h |
174 | +++ b/auth.h | 210 | +++ b/auth.h |
175 | @@ -191,7 +191,7 @@ | 211 | @@ -191,7 +191,7 @@ char *authorized_principals_file(struct passwd *); |
176 | 212 | ||
177 | FILE *auth_openkeyfile(const char *, struct passwd *, int); | 213 | FILE *auth_openkeyfile(const char *, struct passwd *, int); |
178 | FILE *auth_openprincipals(const char *, struct passwd *, int); | 214 | FILE *auth_openprincipals(const char *, struct passwd *, int); |
@@ -181,11 +217,11 @@ Index: b/auth.h | |||
181 | 217 | ||
182 | HostStatus | 218 | HostStatus |
183 | check_key_in_hostfiles(struct passwd *, Key *, const char *, | 219 | check_key_in_hostfiles(struct passwd *, Key *, const char *, |
184 | Index: b/auth2-hostbased.c | 220 | diff --git a/auth2-hostbased.c b/auth2-hostbased.c |
185 | =================================================================== | 221 | index a344dcc..3a17f1b 100644 |
186 | --- a/auth2-hostbased.c | 222 | --- a/auth2-hostbased.c |
187 | +++ b/auth2-hostbased.c | 223 | +++ b/auth2-hostbased.c |
188 | @@ -150,7 +150,7 @@ | 224 | @@ -150,7 +150,7 @@ hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost, |
189 | int len; | 225 | int len; |
190 | char *fp; | 226 | char *fp; |
191 | 227 | ||
@@ -194,11 +230,11 @@ Index: b/auth2-hostbased.c | |||
194 | return 0; | 230 | return 0; |
195 | 231 | ||
196 | resolvedname = get_canonical_hostname(options.use_dns); | 232 | resolvedname = get_canonical_hostname(options.use_dns); |
197 | Index: b/auth2-pubkey.c | 233 | diff --git a/auth2-pubkey.c b/auth2-pubkey.c |
198 | =================================================================== | 234 | index 2b3ecb1..12eb8a6 100644 |
199 | --- a/auth2-pubkey.c | 235 | --- a/auth2-pubkey.c |
200 | +++ b/auth2-pubkey.c | 236 | +++ b/auth2-pubkey.c |
201 | @@ -647,9 +647,10 @@ | 237 | @@ -647,9 +647,10 @@ user_key_allowed(struct passwd *pw, Key *key) |
202 | u_int success, i; | 238 | u_int success, i; |
203 | char *file; | 239 | char *file; |
204 | 240 | ||
@@ -211,8 +247,8 @@ Index: b/auth2-pubkey.c | |||
211 | return 0; | 247 | return 0; |
212 | 248 | ||
213 | success = user_cert_trusted_ca(pw, key); | 249 | success = user_cert_trusted_ca(pw, key); |
214 | Index: b/authfile.c | 250 | diff --git a/authfile.c b/authfile.c |
215 | =================================================================== | 251 | index 63ae16b..9833591 100644 |
216 | --- a/authfile.c | 252 | --- a/authfile.c |
217 | +++ b/authfile.c | 253 | +++ b/authfile.c |
218 | @@ -68,6 +68,7 @@ | 254 | @@ -68,6 +68,7 @@ |
@@ -223,7 +259,7 @@ Index: b/authfile.c | |||
223 | 259 | ||
224 | #define MAX_KEY_FILE_SIZE (1024 * 1024) | 260 | #define MAX_KEY_FILE_SIZE (1024 * 1024) |
225 | 261 | ||
226 | @@ -944,3 +945,138 @@ | 262 | @@ -944,3 +945,138 @@ key_in_file(Key *key, const char *filename, int strict_type) |
227 | return ret; | 263 | return ret; |
228 | } | 264 | } |
229 | 265 | ||
@@ -362,19 +398,19 @@ Index: b/authfile.c | |||
362 | + key_free(public); | 398 | + key_free(public); |
363 | + return ret; | 399 | + return ret; |
364 | +} | 400 | +} |
365 | Index: b/authfile.h | 401 | diff --git a/authfile.h b/authfile.h |
366 | =================================================================== | 402 | index 78349be..3f2bdcb 100644 |
367 | --- a/authfile.h | 403 | --- a/authfile.h |
368 | +++ b/authfile.h | 404 | +++ b/authfile.h |
369 | @@ -28,4 +28,6 @@ | 405 | @@ -28,4 +28,6 @@ Key *key_load_private_pem(int, int, const char *, char **); |
370 | int key_perm_ok(int, const char *); | 406 | int key_perm_ok(int, const char *); |
371 | int key_in_file(Key *, const char *, int); | 407 | int key_in_file(Key *, const char *, int); |
372 | 408 | ||
373 | +int blacklisted_key(Key *key, char **fp); | 409 | +int blacklisted_key(Key *key, char **fp); |
374 | + | 410 | + |
375 | #endif | 411 | #endif |
376 | Index: b/pathnames.h | 412 | diff --git a/pathnames.h b/pathnames.h |
377 | =================================================================== | 413 | index 5027fba..47f7867 100644 |
378 | --- a/pathnames.h | 414 | --- a/pathnames.h |
379 | +++ b/pathnames.h | 415 | +++ b/pathnames.h |
380 | @@ -18,6 +18,10 @@ | 416 | @@ -18,6 +18,10 @@ |
@@ -398,11 +434,11 @@ Index: b/pathnames.h | |||
398 | #ifndef _PATH_SSH_PROGRAM | 434 | #ifndef _PATH_SSH_PROGRAM |
399 | #define _PATH_SSH_PROGRAM "/usr/bin/ssh" | 435 | #define _PATH_SSH_PROGRAM "/usr/bin/ssh" |
400 | #endif | 436 | #endif |
401 | Index: b/readconf.c | 437 | diff --git a/readconf.c b/readconf.c |
402 | =================================================================== | 438 | index 2695fd6..22e5a3a 100644 |
403 | --- a/readconf.c | 439 | --- a/readconf.c |
404 | +++ b/readconf.c | 440 | +++ b/readconf.c |
405 | @@ -128,6 +128,7 @@ | 441 | @@ -128,6 +128,7 @@ typedef enum { |
406 | oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication, | 442 | oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication, |
407 | oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias, | 443 | oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias, |
408 | oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication, | 444 | oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication, |
@@ -410,7 +446,7 @@ Index: b/readconf.c | |||
410 | oHostKeyAlgorithms, oBindAddress, oPKCS11Provider, | 446 | oHostKeyAlgorithms, oBindAddress, oPKCS11Provider, |
411 | oClearAllForwardings, oNoHostAuthenticationForLocalhost, | 447 | oClearAllForwardings, oNoHostAuthenticationForLocalhost, |
412 | oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, | 448 | oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, |
413 | @@ -161,6 +162,7 @@ | 449 | @@ -161,6 +162,7 @@ static struct { |
414 | { "passwordauthentication", oPasswordAuthentication }, | 450 | { "passwordauthentication", oPasswordAuthentication }, |
415 | { "kbdinteractiveauthentication", oKbdInteractiveAuthentication }, | 451 | { "kbdinteractiveauthentication", oKbdInteractiveAuthentication }, |
416 | { "kbdinteractivedevices", oKbdInteractiveDevices }, | 452 | { "kbdinteractivedevices", oKbdInteractiveDevices }, |
@@ -418,7 +454,7 @@ Index: b/readconf.c | |||
418 | { "rsaauthentication", oRSAAuthentication }, | 454 | { "rsaauthentication", oRSAAuthentication }, |
419 | { "pubkeyauthentication", oPubkeyAuthentication }, | 455 | { "pubkeyauthentication", oPubkeyAuthentication }, |
420 | { "dsaauthentication", oPubkeyAuthentication }, /* alias */ | 456 | { "dsaauthentication", oPubkeyAuthentication }, /* alias */ |
421 | @@ -523,6 +525,10 @@ | 457 | @@ -523,6 +525,10 @@ parse_flag: |
422 | intptr = &options->challenge_response_authentication; | 458 | intptr = &options->challenge_response_authentication; |
423 | goto parse_flag; | 459 | goto parse_flag; |
424 | 460 | ||
@@ -429,7 +465,7 @@ Index: b/readconf.c | |||
429 | case oGssAuthentication: | 465 | case oGssAuthentication: |
430 | intptr = &options->gss_authentication; | 466 | intptr = &options->gss_authentication; |
431 | goto parse_flag; | 467 | goto parse_flag; |
432 | @@ -1210,6 +1216,7 @@ | 468 | @@ -1210,6 +1216,7 @@ initialize_options(Options * options) |
433 | options->kbd_interactive_devices = NULL; | 469 | options->kbd_interactive_devices = NULL; |
434 | options->rhosts_rsa_authentication = -1; | 470 | options->rhosts_rsa_authentication = -1; |
435 | options->hostbased_authentication = -1; | 471 | options->hostbased_authentication = -1; |
@@ -437,7 +473,7 @@ Index: b/readconf.c | |||
437 | options->batch_mode = -1; | 473 | options->batch_mode = -1; |
438 | options->check_host_ip = -1; | 474 | options->check_host_ip = -1; |
439 | options->strict_host_key_checking = -1; | 475 | options->strict_host_key_checking = -1; |
440 | @@ -1320,6 +1327,8 @@ | 476 | @@ -1320,6 +1327,8 @@ fill_default_options(Options * options) |
441 | options->rhosts_rsa_authentication = 0; | 477 | options->rhosts_rsa_authentication = 0; |
442 | if (options->hostbased_authentication == -1) | 478 | if (options->hostbased_authentication == -1) |
443 | options->hostbased_authentication = 0; | 479 | options->hostbased_authentication = 0; |
@@ -446,11 +482,11 @@ Index: b/readconf.c | |||
446 | if (options->batch_mode == -1) | 482 | if (options->batch_mode == -1) |
447 | options->batch_mode = 0; | 483 | options->batch_mode = 0; |
448 | if (options->check_host_ip == -1) | 484 | if (options->check_host_ip == -1) |
449 | Index: b/readconf.h | 485 | diff --git a/readconf.h b/readconf.h |
450 | =================================================================== | 486 | index 675b35d..a508151 100644 |
451 | --- a/readconf.h | 487 | --- a/readconf.h |
452 | +++ b/readconf.h | 488 | +++ b/readconf.h |
453 | @@ -59,6 +59,7 @@ | 489 | @@ -59,6 +59,7 @@ typedef struct { |
454 | int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ | 490 | int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ |
455 | char *kbd_interactive_devices; /* Keyboard-interactive auth devices. */ | 491 | char *kbd_interactive_devices; /* Keyboard-interactive auth devices. */ |
456 | int zero_knowledge_password_authentication; /* Try jpake */ | 492 | int zero_knowledge_password_authentication; /* Try jpake */ |
@@ -458,11 +494,11 @@ Index: b/readconf.h | |||
458 | int batch_mode; /* Batch mode: do not ask for passwords. */ | 494 | int batch_mode; /* Batch mode: do not ask for passwords. */ |
459 | int check_host_ip; /* Also keep track of keys for IP address */ | 495 | int check_host_ip; /* Also keep track of keys for IP address */ |
460 | int strict_host_key_checking; /* Strict host key checking. */ | 496 | int strict_host_key_checking; /* Strict host key checking. */ |
461 | Index: b/servconf.c | 497 | diff --git a/servconf.c b/servconf.c |
462 | =================================================================== | 498 | index c938ae3..9155a8b 100644 |
463 | --- a/servconf.c | 499 | --- a/servconf.c |
464 | +++ b/servconf.c | 500 | +++ b/servconf.c |
465 | @@ -114,6 +114,7 @@ | 501 | @@ -114,6 +114,7 @@ initialize_server_options(ServerOptions *options) |
466 | options->password_authentication = -1; | 502 | options->password_authentication = -1; |
467 | options->kbd_interactive_authentication = -1; | 503 | options->kbd_interactive_authentication = -1; |
468 | options->challenge_response_authentication = -1; | 504 | options->challenge_response_authentication = -1; |
@@ -470,7 +506,7 @@ Index: b/servconf.c | |||
470 | options->permit_empty_passwd = -1; | 506 | options->permit_empty_passwd = -1; |
471 | options->permit_user_env = -1; | 507 | options->permit_user_env = -1; |
472 | options->use_login = -1; | 508 | options->use_login = -1; |
473 | @@ -257,6 +258,8 @@ | 509 | @@ -257,6 +258,8 @@ fill_default_server_options(ServerOptions *options) |
474 | options->kbd_interactive_authentication = 0; | 510 | options->kbd_interactive_authentication = 0; |
475 | if (options->challenge_response_authentication == -1) | 511 | if (options->challenge_response_authentication == -1) |
476 | options->challenge_response_authentication = 1; | 512 | options->challenge_response_authentication = 1; |
@@ -479,7 +515,7 @@ Index: b/servconf.c | |||
479 | if (options->permit_empty_passwd == -1) | 515 | if (options->permit_empty_passwd == -1) |
480 | options->permit_empty_passwd = 0; | 516 | options->permit_empty_passwd = 0; |
481 | if (options->permit_user_env == -1) | 517 | if (options->permit_user_env == -1) |
482 | @@ -338,7 +341,7 @@ | 518 | @@ -338,7 +341,7 @@ typedef enum { |
483 | sListenAddress, sAddressFamily, | 519 | sListenAddress, sAddressFamily, |
484 | sPrintMotd, sPrintLastLog, sIgnoreRhosts, | 520 | sPrintMotd, sPrintLastLog, sIgnoreRhosts, |
485 | sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost, | 521 | sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost, |
@@ -488,7 +524,7 @@ Index: b/servconf.c | |||
488 | sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression, | 524 | sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression, |
489 | sRekeyLimit, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, | 525 | sRekeyLimit, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, |
490 | sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, | 526 | sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, |
491 | @@ -451,6 +454,7 @@ | 527 | @@ -451,6 +454,7 @@ static struct { |
492 | { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL }, | 528 | { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL }, |
493 | { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL }, | 529 | { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL }, |
494 | { "strictmodes", sStrictModes, SSHCFG_GLOBAL }, | 530 | { "strictmodes", sStrictModes, SSHCFG_GLOBAL }, |
@@ -496,7 +532,7 @@ Index: b/servconf.c | |||
496 | { "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL }, | 532 | { "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL }, |
497 | { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL }, | 533 | { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL }, |
498 | { "uselogin", sUseLogin, SSHCFG_GLOBAL }, | 534 | { "uselogin", sUseLogin, SSHCFG_GLOBAL }, |
499 | @@ -1158,6 +1162,10 @@ | 535 | @@ -1158,6 +1162,10 @@ process_server_config_line(ServerOptions *options, char *line, |
500 | intptr = &options->tcp_keep_alive; | 536 | intptr = &options->tcp_keep_alive; |
501 | goto parse_flag; | 537 | goto parse_flag; |
502 | 538 | ||
@@ -507,7 +543,7 @@ Index: b/servconf.c | |||
507 | case sEmptyPasswd: | 543 | case sEmptyPasswd: |
508 | intptr = &options->permit_empty_passwd; | 544 | intptr = &options->permit_empty_passwd; |
509 | goto parse_flag; | 545 | goto parse_flag; |
510 | @@ -2036,6 +2044,7 @@ | 546 | @@ -2036,6 +2044,7 @@ dump_config(ServerOptions *o) |
511 | dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost); | 547 | dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost); |
512 | dump_cfg_fmtint(sStrictModes, o->strict_modes); | 548 | dump_cfg_fmtint(sStrictModes, o->strict_modes); |
513 | dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive); | 549 | dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive); |
@@ -515,11 +551,11 @@ Index: b/servconf.c | |||
515 | dump_cfg_fmtint(sEmptyPasswd, o->permit_empty_passwd); | 551 | dump_cfg_fmtint(sEmptyPasswd, o->permit_empty_passwd); |
516 | dump_cfg_fmtint(sPermitUserEnvironment, o->permit_user_env); | 552 | dump_cfg_fmtint(sPermitUserEnvironment, o->permit_user_env); |
517 | dump_cfg_fmtint(sUseLogin, o->use_login); | 553 | dump_cfg_fmtint(sUseLogin, o->use_login); |
518 | Index: b/servconf.h | 554 | diff --git a/servconf.h b/servconf.h |
519 | =================================================================== | 555 | index ab6e346..f655c5b 100644 |
520 | --- a/servconf.h | 556 | --- a/servconf.h |
521 | +++ b/servconf.h | 557 | +++ b/servconf.h |
522 | @@ -121,6 +121,7 @@ | 558 | @@ -121,6 +121,7 @@ typedef struct { |
523 | int challenge_response_authentication; | 559 | int challenge_response_authentication; |
524 | int zero_knowledge_password_authentication; | 560 | int zero_knowledge_password_authentication; |
525 | /* If true, permit jpake auth */ | 561 | /* If true, permit jpake auth */ |
@@ -527,11 +563,11 @@ Index: b/servconf.h | |||
527 | int permit_empty_passwd; /* If false, do not permit empty | 563 | int permit_empty_passwd; /* If false, do not permit empty |
528 | * passwords. */ | 564 | * passwords. */ |
529 | int permit_user_env; /* If true, read ~/.ssh/environment */ | 565 | int permit_user_env; /* If true, read ~/.ssh/environment */ |
530 | Index: b/ssh-add.1 | 566 | diff --git a/ssh-add.1 b/ssh-add.1 |
531 | =================================================================== | 567 | index 44846b6..d394b26 100644 |
532 | --- a/ssh-add.1 | 568 | --- a/ssh-add.1 |
533 | +++ b/ssh-add.1 | 569 | +++ b/ssh-add.1 |
534 | @@ -81,6 +81,10 @@ | 570 | @@ -81,6 +81,10 @@ environment variable must contain the name of its socket for |
535 | .Nm | 571 | .Nm |
536 | to work. | 572 | to work. |
537 | .Pp | 573 | .Pp |
@@ -542,7 +578,7 @@ Index: b/ssh-add.1 | |||
542 | The options are as follows: | 578 | The options are as follows: |
543 | .Bl -tag -width Ds | 579 | .Bl -tag -width Ds |
544 | .It Fl c | 580 | .It Fl c |
545 | @@ -186,6 +190,7 @@ | 581 | @@ -186,6 +190,7 @@ is unable to contact the authentication agent. |
546 | .Xr ssh 1 , | 582 | .Xr ssh 1 , |
547 | .Xr ssh-agent 1 , | 583 | .Xr ssh-agent 1 , |
548 | .Xr ssh-keygen 1 , | 584 | .Xr ssh-keygen 1 , |
@@ -550,11 +586,11 @@ Index: b/ssh-add.1 | |||
550 | .Xr sshd 8 | 586 | .Xr sshd 8 |
551 | .Sh AUTHORS | 587 | .Sh AUTHORS |
552 | OpenSSH is a derivative of the original and free | 588 | OpenSSH is a derivative of the original and free |
553 | Index: b/ssh-add.c | 589 | diff --git a/ssh-add.c b/ssh-add.c |
554 | =================================================================== | 590 | index 5e8166f..b309582 100644 |
555 | --- a/ssh-add.c | 591 | --- a/ssh-add.c |
556 | +++ b/ssh-add.c | 592 | +++ b/ssh-add.c |
557 | @@ -167,7 +167,7 @@ | 593 | @@ -167,7 +167,7 @@ static int |
558 | add_file(AuthenticationConnection *ac, const char *filename, int key_only) | 594 | add_file(AuthenticationConnection *ac, const char *filename, int key_only) |
559 | { | 595 | { |
560 | Key *private, *cert; | 596 | Key *private, *cert; |
@@ -563,7 +599,7 @@ Index: b/ssh-add.c | |||
563 | char msg[1024], *certpath = NULL; | 599 | char msg[1024], *certpath = NULL; |
564 | int fd, perms_ok, ret = -1; | 600 | int fd, perms_ok, ret = -1; |
565 | Buffer keyblob; | 601 | Buffer keyblob; |
566 | @@ -243,6 +243,14 @@ | 602 | @@ -243,6 +243,14 @@ add_file(AuthenticationConnection *ac, const char *filename, int key_only) |
567 | } else { | 603 | } else { |
568 | fprintf(stderr, "Could not add identity: %s\n", filename); | 604 | fprintf(stderr, "Could not add identity: %s\n", filename); |
569 | } | 605 | } |
@@ -578,11 +614,11 @@ Index: b/ssh-add.c | |||
578 | 614 | ||
579 | /* Skip trying to load the cert if requested */ | 615 | /* Skip trying to load the cert if requested */ |
580 | if (key_only) | 616 | if (key_only) |
581 | Index: b/ssh-keygen.1 | 617 | diff --git a/ssh-keygen.1 b/ssh-keygen.1 |
582 | =================================================================== | 618 | index 0d55854..144be7d 100644 |
583 | --- a/ssh-keygen.1 | 619 | --- a/ssh-keygen.1 |
584 | +++ b/ssh-keygen.1 | 620 | +++ b/ssh-keygen.1 |
585 | @@ -809,6 +809,7 @@ | 621 | @@ -809,6 +809,7 @@ The file format is described in |
586 | .Xr ssh 1 , | 622 | .Xr ssh 1 , |
587 | .Xr ssh-add 1 , | 623 | .Xr ssh-add 1 , |
588 | .Xr ssh-agent 1 , | 624 | .Xr ssh-agent 1 , |
@@ -590,8 +626,9 @@ Index: b/ssh-keygen.1 | |||
590 | .Xr moduli 5 , | 626 | .Xr moduli 5 , |
591 | .Xr sshd 8 | 627 | .Xr sshd 8 |
592 | .Rs | 628 | .Rs |
593 | Index: b/ssh-vulnkey.1 | 629 | diff --git a/ssh-vulnkey.1 b/ssh-vulnkey.1 |
594 | =================================================================== | 630 | new file mode 100644 |
631 | index 0000000..bcb9d31 | ||
595 | --- /dev/null | 632 | --- /dev/null |
596 | +++ b/ssh-vulnkey.1 | 633 | +++ b/ssh-vulnkey.1 |
597 | @@ -0,0 +1,242 @@ | 634 | @@ -0,0 +1,242 @@ |
@@ -837,8 +874,9 @@ Index: b/ssh-vulnkey.1 | |||
837 | +of processing | 874 | +of processing |
838 | +.Xr ssh-keyscan 1 | 875 | +.Xr ssh-keyscan 1 |
839 | +output. | 876 | +output. |
840 | Index: b/ssh-vulnkey.c | 877 | diff --git a/ssh-vulnkey.c b/ssh-vulnkey.c |
841 | =================================================================== | 878 | new file mode 100644 |
879 | index 0000000..ca1a5be | ||
842 | --- /dev/null | 880 | --- /dev/null |
843 | +++ b/ssh-vulnkey.c | 881 | +++ b/ssh-vulnkey.c |
844 | @@ -0,0 +1,386 @@ | 882 | @@ -0,0 +1,386 @@ |
@@ -1228,11 +1266,11 @@ Index: b/ssh-vulnkey.c | |||
1228 | + | 1266 | + |
1229 | + return ret; | 1267 | + return ret; |
1230 | +} | 1268 | +} |
1231 | Index: b/ssh.1 | 1269 | diff --git a/ssh.1 b/ssh.1 |
1232 | =================================================================== | 1270 | index 62292cc..66a7007 100644 |
1233 | --- a/ssh.1 | 1271 | --- a/ssh.1 |
1234 | +++ b/ssh.1 | 1272 | +++ b/ssh.1 |
1235 | @@ -1447,6 +1447,7 @@ | 1273 | @@ -1447,6 +1447,7 @@ if an error occurred. |
1236 | .Xr ssh-agent 1 , | 1274 | .Xr ssh-agent 1 , |
1237 | .Xr ssh-keygen 1 , | 1275 | .Xr ssh-keygen 1 , |
1238 | .Xr ssh-keyscan 1 , | 1276 | .Xr ssh-keyscan 1 , |
@@ -1240,11 +1278,11 @@ Index: b/ssh.1 | |||
1240 | .Xr tun 4 , | 1278 | .Xr tun 4 , |
1241 | .Xr hosts.equiv 5 , | 1279 | .Xr hosts.equiv 5 , |
1242 | .Xr ssh_config 5 , | 1280 | .Xr ssh_config 5 , |
1243 | Index: b/ssh.c | 1281 | diff --git a/ssh.c b/ssh.c |
1244 | =================================================================== | 1282 | index 87233bc..567248d 100644 |
1245 | --- a/ssh.c | 1283 | --- a/ssh.c |
1246 | +++ b/ssh.c | 1284 | +++ b/ssh.c |
1247 | @@ -1525,7 +1525,7 @@ | 1285 | @@ -1525,7 +1525,7 @@ ssh_session2(void) |
1248 | static void | 1286 | static void |
1249 | load_public_identity_files(void) | 1287 | load_public_identity_files(void) |
1250 | { | 1288 | { |
@@ -1253,7 +1291,7 @@ Index: b/ssh.c | |||
1253 | char *pwdir = NULL, *pwname = NULL; | 1291 | char *pwdir = NULL, *pwname = NULL; |
1254 | int i = 0; | 1292 | int i = 0; |
1255 | Key *public; | 1293 | Key *public; |
1256 | @@ -1583,6 +1583,22 @@ | 1294 | @@ -1583,6 +1583,22 @@ load_public_identity_files(void) |
1257 | public = key_load_public(filename, NULL); | 1295 | public = key_load_public(filename, NULL); |
1258 | debug("identity file %s type %d", filename, | 1296 | debug("identity file %s type %d", filename, |
1259 | public ? public->type : -1); | 1297 | public ? public->type : -1); |
@@ -1276,11 +1314,11 @@ Index: b/ssh.c | |||
1276 | free(options.identity_files[i]); | 1314 | free(options.identity_files[i]); |
1277 | identity_files[n_ids] = filename; | 1315 | identity_files[n_ids] = filename; |
1278 | identity_keys[n_ids] = public; | 1316 | identity_keys[n_ids] = public; |
1279 | Index: b/ssh_config.5 | 1317 | diff --git a/ssh_config.5 b/ssh_config.5 |
1280 | =================================================================== | 1318 | index e72919a..8d806c7 100644 |
1281 | --- a/ssh_config.5 | 1319 | --- a/ssh_config.5 |
1282 | +++ b/ssh_config.5 | 1320 | +++ b/ssh_config.5 |
1283 | @@ -1229,6 +1229,23 @@ | 1321 | @@ -1229,6 +1229,23 @@ is not specified, it defaults to |
1284 | .Dq any . | 1322 | .Dq any . |
1285 | The default is | 1323 | The default is |
1286 | .Dq any:any . | 1324 | .Dq any:any . |
@@ -1304,11 +1342,11 @@ Index: b/ssh_config.5 | |||
1304 | .It Cm UsePrivilegedPort | 1342 | .It Cm UsePrivilegedPort |
1305 | Specifies whether to use a privileged port for outgoing connections. | 1343 | Specifies whether to use a privileged port for outgoing connections. |
1306 | The argument must be | 1344 | The argument must be |
1307 | Index: b/sshconnect2.c | 1345 | diff --git a/sshconnect2.c b/sshconnect2.c |
1308 | =================================================================== | 1346 | index 0b13530..93818c9 100644 |
1309 | --- a/sshconnect2.c | 1347 | --- a/sshconnect2.c |
1310 | +++ b/sshconnect2.c | 1348 | +++ b/sshconnect2.c |
1311 | @@ -1491,6 +1491,8 @@ | 1349 | @@ -1491,6 +1491,8 @@ pubkey_prepare(Authctxt *authctxt) |
1312 | 1350 | ||
1313 | /* list of keys stored in the filesystem and PKCS#11 */ | 1351 | /* list of keys stored in the filesystem and PKCS#11 */ |
1314 | for (i = 0; i < options.num_identity_files; i++) { | 1352 | for (i = 0; i < options.num_identity_files; i++) { |
@@ -1317,7 +1355,7 @@ Index: b/sshconnect2.c | |||
1317 | key = options.identity_keys[i]; | 1355 | key = options.identity_keys[i]; |
1318 | if (key && key->type == KEY_RSA1) | 1356 | if (key && key->type == KEY_RSA1) |
1319 | continue; | 1357 | continue; |
1320 | @@ -1608,7 +1610,7 @@ | 1358 | @@ -1608,7 +1610,7 @@ userauth_pubkey(Authctxt *authctxt) |
1321 | debug("Offering %s public key: %s", key_type(id->key), | 1359 | debug("Offering %s public key: %s", key_type(id->key), |
1322 | id->filename); | 1360 | id->filename); |
1323 | sent = send_pubkey_test(authctxt, id); | 1361 | sent = send_pubkey_test(authctxt, id); |
@@ -1326,11 +1364,11 @@ Index: b/sshconnect2.c | |||
1326 | debug("Trying private key: %s", id->filename); | 1364 | debug("Trying private key: %s", id->filename); |
1327 | id->key = load_identity_file(id->filename, | 1365 | id->key = load_identity_file(id->filename, |
1328 | id->userprovided); | 1366 | id->userprovided); |
1329 | Index: b/sshd.8 | 1367 | diff --git a/sshd.8 b/sshd.8 |
1330 | =================================================================== | 1368 | index b0c7ab6..a604429 100644 |
1331 | --- a/sshd.8 | 1369 | --- a/sshd.8 |
1332 | +++ b/sshd.8 | 1370 | +++ b/sshd.8 |
1333 | @@ -954,6 +954,7 @@ | 1371 | @@ -954,6 +954,7 @@ The content of this file is not sensitive; it can be world-readable. |
1334 | .Xr ssh-agent 1 , | 1372 | .Xr ssh-agent 1 , |
1335 | .Xr ssh-keygen 1 , | 1373 | .Xr ssh-keygen 1 , |
1336 | .Xr ssh-keyscan 1 , | 1374 | .Xr ssh-keyscan 1 , |
@@ -1338,11 +1376,11 @@ Index: b/sshd.8 | |||
1338 | .Xr chroot 2 , | 1376 | .Xr chroot 2 , |
1339 | .Xr hosts_access 5 , | 1377 | .Xr hosts_access 5 , |
1340 | .Xr login.conf 5 , | 1378 | .Xr login.conf 5 , |
1341 | Index: b/sshd.c | 1379 | diff --git a/sshd.c b/sshd.c |
1342 | =================================================================== | 1380 | index e5c9835..fbe3284 100644 |
1343 | --- a/sshd.c | 1381 | --- a/sshd.c |
1344 | +++ b/sshd.c | 1382 | +++ b/sshd.c |
1345 | @@ -1688,6 +1688,11 @@ | 1383 | @@ -1688,6 +1688,11 @@ main(int ac, char **av) |
1346 | sensitive_data.host_pubkeys[i] = NULL; | 1384 | sensitive_data.host_pubkeys[i] = NULL; |
1347 | continue; | 1385 | continue; |
1348 | } | 1386 | } |
@@ -1354,11 +1392,11 @@ Index: b/sshd.c | |||
1354 | 1392 | ||
1355 | switch (keytype) { | 1393 | switch (keytype) { |
1356 | case KEY_RSA1: | 1394 | case KEY_RSA1: |
1357 | Index: b/sshd_config.5 | 1395 | diff --git a/sshd_config.5 b/sshd_config.5 |
1358 | =================================================================== | 1396 | index 525d9c8..18ec81f 100644 |
1359 | --- a/sshd_config.5 | 1397 | --- a/sshd_config.5 |
1360 | +++ b/sshd_config.5 | 1398 | +++ b/sshd_config.5 |
1361 | @@ -885,6 +885,20 @@ | 1399 | @@ -885,6 +885,20 @@ are refused if the number of unauthenticated connections reaches |
1362 | Specifies whether password authentication is allowed. | 1400 | Specifies whether password authentication is allowed. |
1363 | The default is | 1401 | The default is |
1364 | .Dq yes . | 1402 | .Dq yes . |