Diffstat (limited to 'debian/patches/ssh-vulnkey.patch')
-rw-r--r--debian/patches/ssh-vulnkey.patch248
1 files changed, 143 insertions, 105 deletions
diff --git a/debian/patches/ssh-vulnkey.patch b/debian/patches/ssh-vulnkey.patch
index a1e8c20f9..ae262083d 100644
--- a/debian/patches/ssh-vulnkey.patch
+++ b/debian/patches/ssh-vulnkey.patch
@@ -1,20 +1,56 @@
1Description: Reject vulnerable keys to mitigate Debian OpenSSL flaw 1From 8909ff0e3cd07d1b042d1be1c8b8828dbf6c9a83 Mon Sep 17 00:00:00 2001
2 In 2008, Debian (and derived distributions such as Ubuntu) shipped an 2From: Colin Watson <cjwatson@ubuntu.com>
3 OpenSSL package with a flawed random number generator, causing OpenSSH to 3Date: Sun, 9 Feb 2014 16:09:50 +0000
4 generate only a very limited set of keys which were subject to private half 4Subject: Reject vulnerable keys to mitigate Debian OpenSSL flaw
5 precomputation. To mitigate this, this patch checks key authentications 5
6 against a blacklist of known-vulnerable keys, and adds a new ssh-vulnkey 6In 2008, Debian (and derived distributions such as Ubuntu) shipped an
7 program which can be used to explicitly check keys against that blacklist. 7OpenSSL package with a flawed random number generator, causing OpenSSH to
8 See CVE-2008-0166. 8generate only a very limited set of keys which were subject to private half
9Author: Colin Watson <cjwatson@ubuntu.com> 9precomputation. To mitigate this, this patch checks key authentications
10against a blacklist of known-vulnerable keys, and adds a new ssh-vulnkey
11program which can be used to explicitly check keys against that blacklist.
12See CVE-2008-0166.
13
10Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1469 14Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1469
11Last-Update: 2013-09-14 15Last-Update: 2013-09-14
12 16
13Index: b/Makefile.in 17Patch-Name: ssh-vulnkey.patch
14=================================================================== 18---
19 Makefile.in | 17 ++-
20 auth-rh-rsa.c | 2 +-
21 auth-rsa.c | 2 +-
22 auth.c | 27 +++-
23 auth.h | 2 +-
24 auth2-hostbased.c | 2 +-
25 auth2-pubkey.c | 5 +-
26 authfile.c | 136 +++++++++++++++++++
27 authfile.h | 2 +
28 pathnames.h | 7 +
29 readconf.c | 9 ++
30 readconf.h | 1 +
31 servconf.c | 11 +-
32 servconf.h | 1 +
33 ssh-add.1 | 5 +
34 ssh-add.c | 10 +-
35 ssh-keygen.1 | 1 +
36 ssh-vulnkey.1 | 242 ++++++++++++++++++++++++++++++++++
37 ssh-vulnkey.c | 386 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
38 ssh.1 | 1 +
39 ssh.c | 18 ++-
40 ssh_config.5 | 17 +++
41 sshconnect2.c | 4 +-
42 sshd.8 | 1 +
43 sshd.c | 5 +
44 sshd_config.5 | 14 ++
45 26 files changed, 913 insertions(+), 15 deletions(-)
46 create mode 100644 ssh-vulnkey.1
47 create mode 100644 ssh-vulnkey.c
48
49diff --git a/Makefile.in b/Makefile.in
50index f979926..b8f5099 100644
15--- a/Makefile.in 51--- a/Makefile.in
16+++ b/Makefile.in 52+++ b/Makefile.in
17@@ -26,6 +26,7 @@ 53@@ -26,6 +26,7 @@ ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
18 SFTP_SERVER=$(libexecdir)/sftp-server 54 SFTP_SERVER=$(libexecdir)/sftp-server
19 SSH_KEYSIGN=$(libexecdir)/ssh-keysign 55 SSH_KEYSIGN=$(libexecdir)/ssh-keysign
20 SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper 56 SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
@@ -22,7 +58,7 @@ Index: b/Makefile.in
22 PRIVSEP_PATH=@PRIVSEP_PATH@ 58 PRIVSEP_PATH=@PRIVSEP_PATH@
23 SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@ 59 SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
24 STRIP_OPT=@STRIP_OPT@ 60 STRIP_OPT=@STRIP_OPT@
25@@ -37,7 +38,8 @@ 61@@ -37,7 +38,8 @@ PATHS= -DSSHDIR=\"$(sysconfdir)\" \
26 -D_PATH_SSH_KEY_SIGN=\"$(SSH_KEYSIGN)\" \ 62 -D_PATH_SSH_KEY_SIGN=\"$(SSH_KEYSIGN)\" \
27 -D_PATH_SSH_PKCS11_HELPER=\"$(SSH_PKCS11_HELPER)\" \ 63 -D_PATH_SSH_PKCS11_HELPER=\"$(SSH_PKCS11_HELPER)\" \
28 -D_PATH_SSH_PIDDIR=\"$(piddir)\" \ 64 -D_PATH_SSH_PIDDIR=\"$(piddir)\" \
@@ -32,7 +68,7 @@ Index: b/Makefile.in
32 68
33 CC=@CC@ 69 CC=@CC@
34 LD=@LD@ 70 LD=@LD@
35@@ -61,7 +63,7 @@ 71@@ -61,7 +63,7 @@ LDFLAGS=-L. -Lopenbsd-compat/ @LDFLAGS@
36 EXEEXT=@EXEEXT@ 72 EXEEXT=@EXEEXT@
37 MANFMT=@MANFMT@ 73 MANFMT=@MANFMT@
38 74
@@ -41,7 +77,7 @@ Index: b/Makefile.in
41 77
42 LIBSSH_OBJS=authfd.o authfile.o bufaux.o bufbn.o buffer.o \ 78 LIBSSH_OBJS=authfd.o authfile.o bufaux.o bufbn.o buffer.o \
43 canohost.o channels.o cipher.o cipher-aes.o \ 79 canohost.o channels.o cipher.o cipher-aes.o \
44@@ -96,8 +98,8 @@ 80@@ -96,8 +98,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
45 sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \ 81 sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
46 sandbox-seccomp-filter.o 82 sandbox-seccomp-filter.o
47 83
@@ -52,7 +88,7 @@ Index: b/Makefile.in
52 MANTYPE = @MANTYPE@ 88 MANTYPE = @MANTYPE@
53 89
54 CONFIGFILES=sshd_config.out ssh_config.out moduli.out 90 CONFIGFILES=sshd_config.out ssh_config.out moduli.out
55@@ -176,6 +178,9 @@ 91@@ -176,6 +178,9 @@ sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o s
56 sftp$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-client.o sftp-common.o sftp-glob.o progressmeter.o 92 sftp$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-client.o sftp-common.o sftp-glob.o progressmeter.o
57 $(LD) -o $@ progressmeter.o sftp.o sftp-client.o sftp-common.o sftp-glob.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LIBEDIT) 93 $(LD) -o $@ progressmeter.o sftp.o sftp-client.o sftp-common.o sftp-glob.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LIBEDIT)
58 94
@@ -62,7 +98,7 @@ Index: b/Makefile.in
62 # test driver for the loginrec code - not built by default 98 # test driver for the loginrec code - not built by default
63 logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o 99 logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o
64 $(LD) -o $@ logintest.o $(LDFLAGS) loginrec.o -lopenbsd-compat -lssh $(LIBS) 100 $(LD) -o $@ logintest.o $(LDFLAGS) loginrec.o -lopenbsd-compat -lssh $(LIBS)
65@@ -272,6 +277,7 @@ 101@@ -272,6 +277,7 @@ install-files:
66 $(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT) 102 $(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
67 $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT) 103 $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
68 $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT) 104 $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
@@ -70,7 +106,7 @@ Index: b/Makefile.in
70 $(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1 106 $(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
71 $(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1 107 $(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
72 $(INSTALL) -m 644 ssh-add.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1 108 $(INSTALL) -m 644 ssh-add.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
73@@ -286,6 +292,7 @@ 109@@ -286,6 +292,7 @@ install-files:
74 $(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8 110 $(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
75 $(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8 111 $(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
76 $(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8 112 $(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
@@ -78,7 +114,7 @@ Index: b/Makefile.in
78 -rm -f $(DESTDIR)$(bindir)/slogin 114 -rm -f $(DESTDIR)$(bindir)/slogin
79 ln -s ./ssh$(EXEEXT) $(DESTDIR)$(bindir)/slogin 115 ln -s ./ssh$(EXEEXT) $(DESTDIR)$(bindir)/slogin
80 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1 116 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
81@@ -367,6 +374,7 @@ 117@@ -367,6 +374,7 @@ uninstall:
82 -rm -f $(DESTDIR)$(bindir)/ssh-agent$(EXEEXT) 118 -rm -f $(DESTDIR)$(bindir)/ssh-agent$(EXEEXT)
83 -rm -f $(DESTDIR)$(bindir)/ssh-keygen$(EXEEXT) 119 -rm -f $(DESTDIR)$(bindir)/ssh-keygen$(EXEEXT)
84 -rm -f $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT) 120 -rm -f $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT)
@@ -86,7 +122,7 @@ Index: b/Makefile.in
86 -rm -f $(DESTDIR)$(bindir)/sftp$(EXEEXT) 122 -rm -f $(DESTDIR)$(bindir)/sftp$(EXEEXT)
87 -rm -f $(DESTDIR)$(sbindir)/sshd$(EXEEXT) 123 -rm -f $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
88 -rm -r $(DESTDIR)$(SFTP_SERVER)$(EXEEXT) 124 -rm -r $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
89@@ -379,6 +387,7 @@ 125@@ -379,6 +387,7 @@ uninstall:
90 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keygen.1 126 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keygen.1
91 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/sftp.1 127 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/sftp.1
92 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keyscan.1 128 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keyscan.1
@@ -94,11 +130,11 @@ Index: b/Makefile.in
94 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8 130 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8
95 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8 131 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
96 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8 132 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
97Index: b/auth-rh-rsa.c 133diff --git a/auth-rh-rsa.c b/auth-rh-rsa.c
98=================================================================== 134index b21a0f4..891ec32 100644
99--- a/auth-rh-rsa.c 135--- a/auth-rh-rsa.c
100+++ b/auth-rh-rsa.c 136+++ b/auth-rh-rsa.c
101@@ -44,7 +44,7 @@ 137@@ -44,7 +44,7 @@ auth_rhosts_rsa_key_allowed(struct passwd *pw, char *cuser, char *chost,
102 { 138 {
103 HostStatus host_status; 139 HostStatus host_status;
104 140
@@ -107,11 +143,11 @@ Index: b/auth-rh-rsa.c
107 return 0; 143 return 0;
108 144
109 /* Check if we would accept it using rhosts authentication. */ 145 /* Check if we would accept it using rhosts authentication. */
110Index: b/auth-rsa.c 146diff --git a/auth-rsa.c b/auth-rsa.c
111=================================================================== 147index 545aa49..6ed152c 100644
112--- a/auth-rsa.c 148--- a/auth-rsa.c
113+++ b/auth-rsa.c 149+++ b/auth-rsa.c
114@@ -237,7 +237,7 @@ 150@@ -237,7 +237,7 @@ rsa_key_allowed_in_file(struct passwd *pw, char *file,
115 free(fp); 151 free(fp);
116 152
117 /* Never accept a revoked key */ 153 /* Never accept a revoked key */
@@ -120,8 +156,8 @@ Index: b/auth-rsa.c
120 break; 156 break;
121 157
122 /* We have found the desired key. */ 158 /* We have found the desired key. */
123Index: b/auth.c 159diff --git a/auth.c b/auth.c
124=================================================================== 160index 9a36f1d..6662e9a 100644
125--- a/auth.c 161--- a/auth.c
126+++ b/auth.c 162+++ b/auth.c
127@@ -59,6 +59,7 @@ 163@@ -59,6 +59,7 @@
@@ -132,7 +168,7 @@ Index: b/auth.c
132 #include "auth.h" 168 #include "auth.h"
133 #include "auth-options.h" 169 #include "auth-options.h"
134 #include "canohost.h" 170 #include "canohost.h"
135@@ -657,10 +658,34 @@ 171@@ -657,10 +658,34 @@ getpwnamallow(const char *user)
136 172
137 /* Returns 1 if key is revoked by revoked_keys_file, 0 otherwise */ 173 /* Returns 1 if key is revoked by revoked_keys_file, 0 otherwise */
138 int 174 int
@@ -168,11 +204,11 @@ Index: b/auth.c
168 if (options.revoked_keys_file == NULL) 204 if (options.revoked_keys_file == NULL)
169 return 0; 205 return 0;
170 switch (ssh_krl_file_contains_key(options.revoked_keys_file, key)) { 206 switch (ssh_krl_file_contains_key(options.revoked_keys_file, key)) {
171Index: b/auth.h 207diff --git a/auth.h b/auth.h
172=================================================================== 208index 5b6824f..ec95460 100644
173--- a/auth.h 209--- a/auth.h
174+++ b/auth.h 210+++ b/auth.h
175@@ -191,7 +191,7 @@ 211@@ -191,7 +191,7 @@ char *authorized_principals_file(struct passwd *);
176 212
177 FILE *auth_openkeyfile(const char *, struct passwd *, int); 213 FILE *auth_openkeyfile(const char *, struct passwd *, int);
178 FILE *auth_openprincipals(const char *, struct passwd *, int); 214 FILE *auth_openprincipals(const char *, struct passwd *, int);
@@ -181,11 +217,11 @@ Index: b/auth.h
181 217
182 HostStatus 218 HostStatus
183 check_key_in_hostfiles(struct passwd *, Key *, const char *, 219 check_key_in_hostfiles(struct passwd *, Key *, const char *,
184Index: b/auth2-hostbased.c 220diff --git a/auth2-hostbased.c b/auth2-hostbased.c
185=================================================================== 221index a344dcc..3a17f1b 100644
186--- a/auth2-hostbased.c 222--- a/auth2-hostbased.c
187+++ b/auth2-hostbased.c 223+++ b/auth2-hostbased.c
188@@ -150,7 +150,7 @@ 224@@ -150,7 +150,7 @@ hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost,
189 int len; 225 int len;
190 char *fp; 226 char *fp;
191 227
@@ -194,11 +230,11 @@ Index: b/auth2-hostbased.c
194 return 0; 230 return 0;
195 231
196 resolvedname = get_canonical_hostname(options.use_dns); 232 resolvedname = get_canonical_hostname(options.use_dns);
197Index: b/auth2-pubkey.c 233diff --git a/auth2-pubkey.c b/auth2-pubkey.c
198=================================================================== 234index 2b3ecb1..12eb8a6 100644
199--- a/auth2-pubkey.c 235--- a/auth2-pubkey.c
200+++ b/auth2-pubkey.c 236+++ b/auth2-pubkey.c
201@@ -647,9 +647,10 @@ 237@@ -647,9 +647,10 @@ user_key_allowed(struct passwd *pw, Key *key)
202 u_int success, i; 238 u_int success, i;
203 char *file; 239 char *file;
204 240
@@ -211,8 +247,8 @@ Index: b/auth2-pubkey.c
211 return 0; 247 return 0;
212 248
213 success = user_cert_trusted_ca(pw, key); 249 success = user_cert_trusted_ca(pw, key);
214Index: b/authfile.c 250diff --git a/authfile.c b/authfile.c
215=================================================================== 251index 63ae16b..9833591 100644
216--- a/authfile.c 252--- a/authfile.c
217+++ b/authfile.c 253+++ b/authfile.c
218@@ -68,6 +68,7 @@ 254@@ -68,6 +68,7 @@
@@ -223,7 +259,7 @@ Index: b/authfile.c
223 259
224 #define MAX_KEY_FILE_SIZE (1024 * 1024) 260 #define MAX_KEY_FILE_SIZE (1024 * 1024)
225 261
226@@ -944,3 +945,138 @@ 262@@ -944,3 +945,138 @@ key_in_file(Key *key, const char *filename, int strict_type)
227 return ret; 263 return ret;
228 } 264 }
229 265
@@ -362,19 +398,19 @@ Index: b/authfile.c
362+ key_free(public); 398+ key_free(public);
363+ return ret; 399+ return ret;
364+} 400+}
365Index: b/authfile.h 401diff --git a/authfile.h b/authfile.h
366=================================================================== 402index 78349be..3f2bdcb 100644
367--- a/authfile.h 403--- a/authfile.h
368+++ b/authfile.h 404+++ b/authfile.h
369@@ -28,4 +28,6 @@ 405@@ -28,4 +28,6 @@ Key *key_load_private_pem(int, int, const char *, char **);
370 int key_perm_ok(int, const char *); 406 int key_perm_ok(int, const char *);
371 int key_in_file(Key *, const char *, int); 407 int key_in_file(Key *, const char *, int);
372 408
373+int blacklisted_key(Key *key, char **fp); 409+int blacklisted_key(Key *key, char **fp);
374+ 410+
375 #endif 411 #endif
376Index: b/pathnames.h 412diff --git a/pathnames.h b/pathnames.h
377=================================================================== 413index 5027fba..47f7867 100644
378--- a/pathnames.h 414--- a/pathnames.h
379+++ b/pathnames.h 415+++ b/pathnames.h
380@@ -18,6 +18,10 @@ 416@@ -18,6 +18,10 @@
@@ -398,11 +434,11 @@ Index: b/pathnames.h
398 #ifndef _PATH_SSH_PROGRAM 434 #ifndef _PATH_SSH_PROGRAM
399 #define _PATH_SSH_PROGRAM "/usr/bin/ssh" 435 #define _PATH_SSH_PROGRAM "/usr/bin/ssh"
400 #endif 436 #endif
401Index: b/readconf.c 437diff --git a/readconf.c b/readconf.c
402=================================================================== 438index 2695fd6..22e5a3a 100644
403--- a/readconf.c 439--- a/readconf.c
404+++ b/readconf.c 440+++ b/readconf.c
405@@ -128,6 +128,7 @@ 441@@ -128,6 +128,7 @@ typedef enum {
406 oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication, 442 oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication,
407 oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias, 443 oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias,
408 oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication, 444 oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication,
@@ -410,7 +446,7 @@ Index: b/readconf.c
410 oHostKeyAlgorithms, oBindAddress, oPKCS11Provider, 446 oHostKeyAlgorithms, oBindAddress, oPKCS11Provider,
411 oClearAllForwardings, oNoHostAuthenticationForLocalhost, 447 oClearAllForwardings, oNoHostAuthenticationForLocalhost,
412 oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, 448 oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
413@@ -161,6 +162,7 @@ 449@@ -161,6 +162,7 @@ static struct {
414 { "passwordauthentication", oPasswordAuthentication }, 450 { "passwordauthentication", oPasswordAuthentication },
415 { "kbdinteractiveauthentication", oKbdInteractiveAuthentication }, 451 { "kbdinteractiveauthentication", oKbdInteractiveAuthentication },
416 { "kbdinteractivedevices", oKbdInteractiveDevices }, 452 { "kbdinteractivedevices", oKbdInteractiveDevices },
@@ -418,7 +454,7 @@ Index: b/readconf.c
418 { "rsaauthentication", oRSAAuthentication }, 454 { "rsaauthentication", oRSAAuthentication },
419 { "pubkeyauthentication", oPubkeyAuthentication }, 455 { "pubkeyauthentication", oPubkeyAuthentication },
420 { "dsaauthentication", oPubkeyAuthentication }, /* alias */ 456 { "dsaauthentication", oPubkeyAuthentication }, /* alias */
421@@ -523,6 +525,10 @@ 457@@ -523,6 +525,10 @@ parse_flag:
422 intptr = &options->challenge_response_authentication; 458 intptr = &options->challenge_response_authentication;
423 goto parse_flag; 459 goto parse_flag;
424 460
@@ -429,7 +465,7 @@ Index: b/readconf.c
429 case oGssAuthentication: 465 case oGssAuthentication:
430 intptr = &options->gss_authentication; 466 intptr = &options->gss_authentication;
431 goto parse_flag; 467 goto parse_flag;
432@@ -1210,6 +1216,7 @@ 468@@ -1210,6 +1216,7 @@ initialize_options(Options * options)
433 options->kbd_interactive_devices = NULL; 469 options->kbd_interactive_devices = NULL;
434 options->rhosts_rsa_authentication = -1; 470 options->rhosts_rsa_authentication = -1;
435 options->hostbased_authentication = -1; 471 options->hostbased_authentication = -1;
@@ -437,7 +473,7 @@ Index: b/readconf.c
437 options->batch_mode = -1; 473 options->batch_mode = -1;
438 options->check_host_ip = -1; 474 options->check_host_ip = -1;
439 options->strict_host_key_checking = -1; 475 options->strict_host_key_checking = -1;
440@@ -1320,6 +1327,8 @@ 476@@ -1320,6 +1327,8 @@ fill_default_options(Options * options)
441 options->rhosts_rsa_authentication = 0; 477 options->rhosts_rsa_authentication = 0;
442 if (options->hostbased_authentication == -1) 478 if (options->hostbased_authentication == -1)
443 options->hostbased_authentication = 0; 479 options->hostbased_authentication = 0;
@@ -446,11 +482,11 @@ Index: b/readconf.c
446 if (options->batch_mode == -1) 482 if (options->batch_mode == -1)
447 options->batch_mode = 0; 483 options->batch_mode = 0;
448 if (options->check_host_ip == -1) 484 if (options->check_host_ip == -1)
449Index: b/readconf.h 485diff --git a/readconf.h b/readconf.h
450=================================================================== 486index 675b35d..a508151 100644
451--- a/readconf.h 487--- a/readconf.h
452+++ b/readconf.h 488+++ b/readconf.h
453@@ -59,6 +59,7 @@ 489@@ -59,6 +59,7 @@ typedef struct {
454 int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ 490 int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
455 char *kbd_interactive_devices; /* Keyboard-interactive auth devices. */ 491 char *kbd_interactive_devices; /* Keyboard-interactive auth devices. */
456 int zero_knowledge_password_authentication; /* Try jpake */ 492 int zero_knowledge_password_authentication; /* Try jpake */
@@ -458,11 +494,11 @@ Index: b/readconf.h
458 int batch_mode; /* Batch mode: do not ask for passwords. */ 494 int batch_mode; /* Batch mode: do not ask for passwords. */
459 int check_host_ip; /* Also keep track of keys for IP address */ 495 int check_host_ip; /* Also keep track of keys for IP address */
460 int strict_host_key_checking; /* Strict host key checking. */ 496 int strict_host_key_checking; /* Strict host key checking. */
461Index: b/servconf.c 497diff --git a/servconf.c b/servconf.c
462=================================================================== 498index c938ae3..9155a8b 100644
463--- a/servconf.c 499--- a/servconf.c
464+++ b/servconf.c 500+++ b/servconf.c
465@@ -114,6 +114,7 @@ 501@@ -114,6 +114,7 @@ initialize_server_options(ServerOptions *options)
466 options->password_authentication = -1; 502 options->password_authentication = -1;
467 options->kbd_interactive_authentication = -1; 503 options->kbd_interactive_authentication = -1;
468 options->challenge_response_authentication = -1; 504 options->challenge_response_authentication = -1;
@@ -470,7 +506,7 @@ Index: b/servconf.c
470 options->permit_empty_passwd = -1; 506 options->permit_empty_passwd = -1;
471 options->permit_user_env = -1; 507 options->permit_user_env = -1;
472 options->use_login = -1; 508 options->use_login = -1;
473@@ -257,6 +258,8 @@ 509@@ -257,6 +258,8 @@ fill_default_server_options(ServerOptions *options)
474 options->kbd_interactive_authentication = 0; 510 options->kbd_interactive_authentication = 0;
475 if (options->challenge_response_authentication == -1) 511 if (options->challenge_response_authentication == -1)
476 options->challenge_response_authentication = 1; 512 options->challenge_response_authentication = 1;
@@ -479,7 +515,7 @@ Index: b/servconf.c
479 if (options->permit_empty_passwd == -1) 515 if (options->permit_empty_passwd == -1)
480 options->permit_empty_passwd = 0; 516 options->permit_empty_passwd = 0;
481 if (options->permit_user_env == -1) 517 if (options->permit_user_env == -1)
482@@ -338,7 +341,7 @@ 518@@ -338,7 +341,7 @@ typedef enum {
483 sListenAddress, sAddressFamily, 519 sListenAddress, sAddressFamily,
484 sPrintMotd, sPrintLastLog, sIgnoreRhosts, 520 sPrintMotd, sPrintLastLog, sIgnoreRhosts,
485 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost, 521 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
@@ -488,7 +524,7 @@ Index: b/servconf.c
488 sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression, 524 sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
489 sRekeyLimit, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, 525 sRekeyLimit, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
490 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, 526 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
491@@ -451,6 +454,7 @@ 527@@ -451,6 +454,7 @@ static struct {
492 { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL }, 528 { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
493 { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL }, 529 { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
494 { "strictmodes", sStrictModes, SSHCFG_GLOBAL }, 530 { "strictmodes", sStrictModes, SSHCFG_GLOBAL },
@@ -496,7 +532,7 @@ Index: b/servconf.c
496 { "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL }, 532 { "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL },
497 { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL }, 533 { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL },
498 { "uselogin", sUseLogin, SSHCFG_GLOBAL }, 534 { "uselogin", sUseLogin, SSHCFG_GLOBAL },
499@@ -1158,6 +1162,10 @@ 535@@ -1158,6 +1162,10 @@ process_server_config_line(ServerOptions *options, char *line,
500 intptr = &options->tcp_keep_alive; 536 intptr = &options->tcp_keep_alive;
501 goto parse_flag; 537 goto parse_flag;
502 538
@@ -507,7 +543,7 @@ Index: b/servconf.c
507 case sEmptyPasswd: 543 case sEmptyPasswd:
508 intptr = &options->permit_empty_passwd; 544 intptr = &options->permit_empty_passwd;
509 goto parse_flag; 545 goto parse_flag;
510@@ -2036,6 +2044,7 @@ 546@@ -2036,6 +2044,7 @@ dump_config(ServerOptions *o)
511 dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost); 547 dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost);
512 dump_cfg_fmtint(sStrictModes, o->strict_modes); 548 dump_cfg_fmtint(sStrictModes, o->strict_modes);
513 dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive); 549 dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive);
@@ -515,11 +551,11 @@ Index: b/servconf.c
515 dump_cfg_fmtint(sEmptyPasswd, o->permit_empty_passwd); 551 dump_cfg_fmtint(sEmptyPasswd, o->permit_empty_passwd);
516 dump_cfg_fmtint(sPermitUserEnvironment, o->permit_user_env); 552 dump_cfg_fmtint(sPermitUserEnvironment, o->permit_user_env);
517 dump_cfg_fmtint(sUseLogin, o->use_login); 553 dump_cfg_fmtint(sUseLogin, o->use_login);
518Index: b/servconf.h 554diff --git a/servconf.h b/servconf.h
519=================================================================== 555index ab6e346..f655c5b 100644
520--- a/servconf.h 556--- a/servconf.h
521+++ b/servconf.h 557+++ b/servconf.h
522@@ -121,6 +121,7 @@ 558@@ -121,6 +121,7 @@ typedef struct {
523 int challenge_response_authentication; 559 int challenge_response_authentication;
524 int zero_knowledge_password_authentication; 560 int zero_knowledge_password_authentication;
525 /* If true, permit jpake auth */ 561 /* If true, permit jpake auth */
@@ -527,11 +563,11 @@ Index: b/servconf.h
527 int permit_empty_passwd; /* If false, do not permit empty 563 int permit_empty_passwd; /* If false, do not permit empty
528 * passwords. */ 564 * passwords. */
529 int permit_user_env; /* If true, read ~/.ssh/environment */ 565 int permit_user_env; /* If true, read ~/.ssh/environment */
530Index: b/ssh-add.1 566diff --git a/ssh-add.1 b/ssh-add.1
531=================================================================== 567index 44846b6..d394b26 100644
532--- a/ssh-add.1 568--- a/ssh-add.1
533+++ b/ssh-add.1 569+++ b/ssh-add.1
534@@ -81,6 +81,10 @@ 570@@ -81,6 +81,10 @@ environment variable must contain the name of its socket for
535 .Nm 571 .Nm
536 to work. 572 to work.
537 .Pp 573 .Pp
@@ -542,7 +578,7 @@ Index: b/ssh-add.1
542 The options are as follows: 578 The options are as follows:
543 .Bl -tag -width Ds 579 .Bl -tag -width Ds
544 .It Fl c 580 .It Fl c
545@@ -186,6 +190,7 @@ 581@@ -186,6 +190,7 @@ is unable to contact the authentication agent.
546 .Xr ssh 1 , 582 .Xr ssh 1 ,
547 .Xr ssh-agent 1 , 583 .Xr ssh-agent 1 ,
548 .Xr ssh-keygen 1 , 584 .Xr ssh-keygen 1 ,
@@ -550,11 +586,11 @@ Index: b/ssh-add.1
550 .Xr sshd 8 586 .Xr sshd 8
551 .Sh AUTHORS 587 .Sh AUTHORS
552 OpenSSH is a derivative of the original and free 588 OpenSSH is a derivative of the original and free
553Index: b/ssh-add.c 589diff --git a/ssh-add.c b/ssh-add.c
554=================================================================== 590index 5e8166f..b309582 100644
555--- a/ssh-add.c 591--- a/ssh-add.c
556+++ b/ssh-add.c 592+++ b/ssh-add.c
557@@ -167,7 +167,7 @@ 593@@ -167,7 +167,7 @@ static int
558 add_file(AuthenticationConnection *ac, const char *filename, int key_only) 594 add_file(AuthenticationConnection *ac, const char *filename, int key_only)
559 { 595 {
560 Key *private, *cert; 596 Key *private, *cert;
@@ -563,7 +599,7 @@ Index: b/ssh-add.c
563 char msg[1024], *certpath = NULL; 599 char msg[1024], *certpath = NULL;
564 int fd, perms_ok, ret = -1; 600 int fd, perms_ok, ret = -1;
565 Buffer keyblob; 601 Buffer keyblob;
566@@ -243,6 +243,14 @@ 602@@ -243,6 +243,14 @@ add_file(AuthenticationConnection *ac, const char *filename, int key_only)
567 } else { 603 } else {
568 fprintf(stderr, "Could not add identity: %s\n", filename); 604 fprintf(stderr, "Could not add identity: %s\n", filename);
569 } 605 }
@@ -578,11 +614,11 @@ Index: b/ssh-add.c
578 614
579 /* Skip trying to load the cert if requested */ 615 /* Skip trying to load the cert if requested */
580 if (key_only) 616 if (key_only)
581Index: b/ssh-keygen.1 617diff --git a/ssh-keygen.1 b/ssh-keygen.1
582=================================================================== 618index 0d55854..144be7d 100644
583--- a/ssh-keygen.1 619--- a/ssh-keygen.1
584+++ b/ssh-keygen.1 620+++ b/ssh-keygen.1
585@@ -809,6 +809,7 @@ 621@@ -809,6 +809,7 @@ The file format is described in
586 .Xr ssh 1 , 622 .Xr ssh 1 ,
587 .Xr ssh-add 1 , 623 .Xr ssh-add 1 ,
588 .Xr ssh-agent 1 , 624 .Xr ssh-agent 1 ,
@@ -590,8 +626,9 @@ Index: b/ssh-keygen.1
590 .Xr moduli 5 , 626 .Xr moduli 5 ,
591 .Xr sshd 8 627 .Xr sshd 8
592 .Rs 628 .Rs
593Index: b/ssh-vulnkey.1 629diff --git a/ssh-vulnkey.1 b/ssh-vulnkey.1
594=================================================================== 630new file mode 100644
631index 0000000..bcb9d31
595--- /dev/null 632--- /dev/null
596+++ b/ssh-vulnkey.1 633+++ b/ssh-vulnkey.1
597@@ -0,0 +1,242 @@ 634@@ -0,0 +1,242 @@
@@ -837,8 +874,9 @@ Index: b/ssh-vulnkey.1
837+of processing 874+of processing
838+.Xr ssh-keyscan 1 875+.Xr ssh-keyscan 1
839+output. 876+output.
840Index: b/ssh-vulnkey.c 877diff --git a/ssh-vulnkey.c b/ssh-vulnkey.c
841=================================================================== 878new file mode 100644
879index 0000000..ca1a5be
842--- /dev/null 880--- /dev/null
843+++ b/ssh-vulnkey.c 881+++ b/ssh-vulnkey.c
844@@ -0,0 +1,386 @@ 882@@ -0,0 +1,386 @@
@@ -1228,11 +1266,11 @@ Index: b/ssh-vulnkey.c
1228+ 1266+
1229+ return ret; 1267+ return ret;
1230+} 1268+}
1231Index: b/ssh.1 1269diff --git a/ssh.1 b/ssh.1
1232=================================================================== 1270index 62292cc..66a7007 100644
1233--- a/ssh.1 1271--- a/ssh.1
1234+++ b/ssh.1 1272+++ b/ssh.1
1235@@ -1447,6 +1447,7 @@ 1273@@ -1447,6 +1447,7 @@ if an error occurred.
1236 .Xr ssh-agent 1 , 1274 .Xr ssh-agent 1 ,
1237 .Xr ssh-keygen 1 , 1275 .Xr ssh-keygen 1 ,
1238 .Xr ssh-keyscan 1 , 1276 .Xr ssh-keyscan 1 ,
@@ -1240,11 +1278,11 @@ Index: b/ssh.1
1240 .Xr tun 4 , 1278 .Xr tun 4 ,
1241 .Xr hosts.equiv 5 , 1279 .Xr hosts.equiv 5 ,
1242 .Xr ssh_config 5 , 1280 .Xr ssh_config 5 ,
1243Index: b/ssh.c 1281diff --git a/ssh.c b/ssh.c
1244=================================================================== 1282index 87233bc..567248d 100644
1245--- a/ssh.c 1283--- a/ssh.c
1246+++ b/ssh.c 1284+++ b/ssh.c
1247@@ -1525,7 +1525,7 @@ 1285@@ -1525,7 +1525,7 @@ ssh_session2(void)
1248 static void 1286 static void
1249 load_public_identity_files(void) 1287 load_public_identity_files(void)
1250 { 1288 {
@@ -1253,7 +1291,7 @@ Index: b/ssh.c
1253 char *pwdir = NULL, *pwname = NULL; 1291 char *pwdir = NULL, *pwname = NULL;
1254 int i = 0; 1292 int i = 0;
1255 Key *public; 1293 Key *public;
1256@@ -1583,6 +1583,22 @@ 1294@@ -1583,6 +1583,22 @@ load_public_identity_files(void)
1257 public = key_load_public(filename, NULL); 1295 public = key_load_public(filename, NULL);
1258 debug("identity file %s type %d", filename, 1296 debug("identity file %s type %d", filename,
1259 public ? public->type : -1); 1297 public ? public->type : -1);
@@ -1276,11 +1314,11 @@ Index: b/ssh.c
1276 free(options.identity_files[i]); 1314 free(options.identity_files[i]);
1277 identity_files[n_ids] = filename; 1315 identity_files[n_ids] = filename;
1278 identity_keys[n_ids] = public; 1316 identity_keys[n_ids] = public;
1279Index: b/ssh_config.5 1317diff --git a/ssh_config.5 b/ssh_config.5
1280=================================================================== 1318index e72919a..8d806c7 100644
1281--- a/ssh_config.5 1319--- a/ssh_config.5
1282+++ b/ssh_config.5 1320+++ b/ssh_config.5
1283@@ -1229,6 +1229,23 @@ 1321@@ -1229,6 +1229,23 @@ is not specified, it defaults to
1284 .Dq any . 1322 .Dq any .
1285 The default is 1323 The default is
1286 .Dq any:any . 1324 .Dq any:any .
@@ -1304,11 +1342,11 @@ Index: b/ssh_config.5
1304 .It Cm UsePrivilegedPort 1342 .It Cm UsePrivilegedPort
1305 Specifies whether to use a privileged port for outgoing connections. 1343 Specifies whether to use a privileged port for outgoing connections.
1306 The argument must be 1344 The argument must be
1307Index: b/sshconnect2.c 1345diff --git a/sshconnect2.c b/sshconnect2.c
1308=================================================================== 1346index 0b13530..93818c9 100644
1309--- a/sshconnect2.c 1347--- a/sshconnect2.c
1310+++ b/sshconnect2.c 1348+++ b/sshconnect2.c
1311@@ -1491,6 +1491,8 @@ 1349@@ -1491,6 +1491,8 @@ pubkey_prepare(Authctxt *authctxt)
1312 1350
1313 /* list of keys stored in the filesystem and PKCS#11 */ 1351 /* list of keys stored in the filesystem and PKCS#11 */
1314 for (i = 0; i < options.num_identity_files; i++) { 1352 for (i = 0; i < options.num_identity_files; i++) {
@@ -1317,7 +1355,7 @@ Index: b/sshconnect2.c
1317 key = options.identity_keys[i]; 1355 key = options.identity_keys[i];
1318 if (key && key->type == KEY_RSA1) 1356 if (key && key->type == KEY_RSA1)
1319 continue; 1357 continue;
1320@@ -1608,7 +1610,7 @@ 1358@@ -1608,7 +1610,7 @@ userauth_pubkey(Authctxt *authctxt)
1321 debug("Offering %s public key: %s", key_type(id->key), 1359 debug("Offering %s public key: %s", key_type(id->key),
1322 id->filename); 1360 id->filename);
1323 sent = send_pubkey_test(authctxt, id); 1361 sent = send_pubkey_test(authctxt, id);
@@ -1326,11 +1364,11 @@ Index: b/sshconnect2.c
1326 debug("Trying private key: %s", id->filename); 1364 debug("Trying private key: %s", id->filename);
1327 id->key = load_identity_file(id->filename, 1365 id->key = load_identity_file(id->filename,
1328 id->userprovided); 1366 id->userprovided);
1329Index: b/sshd.8 1367diff --git a/sshd.8 b/sshd.8
1330=================================================================== 1368index b0c7ab6..a604429 100644
1331--- a/sshd.8 1369--- a/sshd.8
1332+++ b/sshd.8 1370+++ b/sshd.8
1333@@ -954,6 +954,7 @@ 1371@@ -954,6 +954,7 @@ The content of this file is not sensitive; it can be world-readable.
1334 .Xr ssh-agent 1 , 1372 .Xr ssh-agent 1 ,
1335 .Xr ssh-keygen 1 , 1373 .Xr ssh-keygen 1 ,
1336 .Xr ssh-keyscan 1 , 1374 .Xr ssh-keyscan 1 ,
@@ -1338,11 +1376,11 @@ Index: b/sshd.8
1338 .Xr chroot 2 , 1376 .Xr chroot 2 ,
1339 .Xr hosts_access 5 , 1377 .Xr hosts_access 5 ,
1340 .Xr login.conf 5 , 1378 .Xr login.conf 5 ,
1341Index: b/sshd.c 1379diff --git a/sshd.c b/sshd.c
1342=================================================================== 1380index e5c9835..fbe3284 100644
1343--- a/sshd.c 1381--- a/sshd.c
1344+++ b/sshd.c 1382+++ b/sshd.c
1345@@ -1688,6 +1688,11 @@ 1383@@ -1688,6 +1688,11 @@ main(int ac, char **av)
1346 sensitive_data.host_pubkeys[i] = NULL; 1384 sensitive_data.host_pubkeys[i] = NULL;
1347 continue; 1385 continue;
1348 } 1386 }
@@ -1354,11 +1392,11 @@ Index: b/sshd.c
1354 1392
1355 switch (keytype) { 1393 switch (keytype) {
1356 case KEY_RSA1: 1394 case KEY_RSA1:
1357Index: b/sshd_config.5 1395diff --git a/sshd_config.5 b/sshd_config.5
1358=================================================================== 1396index 525d9c8..18ec81f 100644
1359--- a/sshd_config.5 1397--- a/sshd_config.5
1360+++ b/sshd_config.5 1398+++ b/sshd_config.5
1361@@ -885,6 +885,20 @@ 1399@@ -885,6 +885,20 @@ are refused if the number of unauthenticated connections reaches
1362 Specifies whether password authentication is allowed. 1400 Specifies whether password authentication is allowed.
1363 The default is 1401 The default is
1364 .Dq yes . 1402 .Dq yes .