summaryrefslogtreecommitdiff
path: root/ssh-vulnkey.c
AgeCommit message (Collapse)Author
2011-09-06* New upstream release (http://www.openssh.org/txt/release-5.9).Colin Watson
- Introduce sandboxing of the pre-auth privsep child using an optional sshd_config(5) "UsePrivilegeSeparation=sandbox" mode that enables mandatory restrictions on the syscalls the privsep child can perform. - Add new SHA256-based HMAC transport integrity modes from http://www.ietf.org/id/draft-dbider-sha2-mac-for-ssh-02.txt. - The pre-authentication sshd(8) privilege separation slave process now logs via a socket shared with the master process, avoiding the need to maintain /dev/log inside the chroot (closes: #75043, #429243, #599240). - ssh(1) now warns when a server refuses X11 forwarding (closes: #504757). - sshd_config(5)'s AuthorizedKeysFile now accepts multiple paths, separated by whitespace (closes: #76312). The authorized_keys2 fallback is deprecated but documented (closes: #560156). - ssh(1) and sshd(8): set IPv6 traffic class from IPQoS, as well as IPv4 ToS/DSCP (closes: #498297). - ssh-add(1) now accepts keys piped from standard input. E.g. "ssh-add - < /path/to/key" (closes: #229124). - Clean up lost-passphrase text in ssh-keygen(1) (closes: #444691). - Say "required" rather than "recommended" in unprotected-private-key warning (LP: #663455).
2010-08-24staticify most functions in ssh-vulnkey.cColin Watson
2010-08-24unconstify key argument to describe_key and do_keyColin Watson
2008-08-25only display "No blacklisted keys!" if there were any keys at allColin Watson
2008-08-25Remove unnecessary ssh-vulnkey output in non-verbose mode when noColin Watson
compromised or unknown keys were found (closes: #496495).
2008-05-30Add some helpful advice to the end of ssh-vulnkey's output if there areColin Watson
unknown or compromised keys (thanks, Dan Jacobson; closes: #483756).
2008-05-26Refactor rejection of blacklisted user keys into a singleColin Watson
reject_blacklisted_key function in auth.c (thanks, Dmitry V. Levin).
2008-05-26Reword "Unknown (no blacklist information)" to "Unknown (blacklistColin Watson
file not installed)".
2008-05-26add -v to short usage messageColin Watson
2008-05-26Use EUID rather than UID when run with no file names and without -a.Colin Watson
2008-05-26Drop to the user's UID when reading user keys with -a.Colin Watson
2008-05-26Use xasprintf to build user key file names in ssh-vulnkey, avoidingColin Watson
truncation problems (thanks, Solar Designer).
2008-05-26Handle leading IP addresses in ssh-vulnkey input (LP: #230497).Colin Watson
2008-05-26Make 'ssh-vulnkey -v' output each file name it examines (thanks, HughColin Watson
Daniel).
2008-05-26document -vColin Watson
2008-05-26Fix error output if ssh-vulnkey fails to read key files, with theColin Watson
exception of host keys unless -a was given (thanks, Hugh Daniel).
2008-05-26remove dead variableColin Watson
2008-05-26quote filename if it contains a colonColin Watson
2008-05-26Add key type to ssh-vulnkey output.Colin Watson
2008-05-25Add -v (verbose) option to ssh-vulnkey, and don't print output for keysColin Watson
that have a blacklist file but that are not listed unless in verbose mode (thanks, Hugh Daniel).
2008-05-25Check for blacklists in /usr/share/ssh/ as well as /etc/ssh/ (seeColin Watson
#481283).
2008-05-25Make ssh-vulnkey report the file name and line number for each keyColin Watson
(thanks, Heiko Schlittermann and Christopher Perry; closes: #481398).
2008-05-17Check RSA1 keys without the need for a separate blacklist. Thanks toColin Watson
Simon Tatham for the idea.
2008-05-14ssh-vulnkey handles options in authorized_keys (LP: #230029).Colin Watson
2008-05-12* Mitigate OpenSSL security vulnerability:Colin Watson
- Add key blacklisting support. Keys listed in /etc/ssh/blacklist.TYPE-LENGTH will be rejected for authentication by sshd, unless "PermitBlacklistedKeys yes" is set in /etc/ssh/sshd_config. - Add a new program, ssh-vulnkey, which can be used to check keys against these blacklists. - Depend on openssh-blacklist. - Force dependencies on libssl0.9.8 / libcrypto0.9.8-udeb to at least 0.9.8g-9. - Automatically regenerate known-compromised host keys, with a critical-priority debconf note. (I regret that there was no time to gather translations.)
generated by cgit v1.2.3 (git 2.39.1) at 2024-11-02 20:12:35 +0000