From 47608c17e64138f8d16aa2bdc49a0eb00e1c3549 Mon Sep 17 00:00:00 2001
From: Colin Watson
Date: Mon, 12 May 2008 23:33:01 +0000
Subject: * Mitigate OpenSSL security vulnerability:
 - Add key blacklisting support. Keys listed in /etc/ssh/blacklist.TYPE-LENGTH will be rejected for authentication by sshd, unless "PermitBlacklistedKeys yes" is set in /etc/ssh/sshd_config.
 - Add a new program, ssh-vulnkey, which can be used to check keys against these blacklists.
 - Depend on openssh-blacklist.
 - Force dependencies on libssl0.9.8 / libcrypto0.9.8-udeb to at least 0.9.8g-9.
 - Automatically regenerate known-compromised host keys, with a critical-priority debconf note. (I regret that there was no time to gather translations.)
---
 servconf.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
(limited to 'servconf.c')
diff --git a/servconf.c b/servconf.c
index 14a9dde3d..c5688912d 100644
--- a/servconf.c
+++ b/servconf.c
@@ -96,6 +96,7 @@ initialize_server_options(ServerOptions *options)
 	options->password_authentication = -1;
 	options->kbd_interactive_authentication = -1;
 	options->challenge_response_authentication = -1;
+	options->permit_blacklisted_keys = -1;
 	options->permit_empty_passwd = -1;
 	options->permit_user_env = -1;
 	options->use_login = -1;
@@ -218,6 +219,8 @@ fill_default_server_options(ServerOptions *options)
 		options->kbd_interactive_authentication = 0;
 	if (options->challenge_response_authentication == -1)
 		options->challenge_response_authentication = 1;
+	if (options->permit_blacklisted_keys == -1)
+		options->permit_blacklisted_keys = 0;
 	if (options->permit_empty_passwd == -1)
 		options->permit_empty_passwd = 0;
 	if (options->permit_user_env == -1)
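Review bot: The fail-closed default `options->permit_blacklisted_keys = 0;` in fill_default_server_options carries no comment, and it sits in a run where the neighbouring default two lines above (`options->challenge_response_authentication = 1;`) is permissive, so a later cleanup could plausibly "align" it the wrong way. I would add `/* Keys on the compromised-key blacklist are refused unless the admin explicitly opts in. */` above the new `if`, since this is the one option in this file whose only effect when enabled is to weaken a mitigation. The commit message says blacklisted keys are rejected at authentication time, but that check is not visible in this servconf.c-only view; the hunk merely wires the switch. fill_default_server_options continues outside the hunk.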
@@ -287,7 +290,7 @@ typedef enum {
 	sListenAddress, sAddressFamily, sPrintMotd, sPrintLastLog, sIgnoreRhosts, sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
-	sStrictModes, sEmptyPasswd, sTCPKeepAlive,
+	sStrictModes, sPermitBlacklistedKeys, sEmptyPasswd, sTCPKeepAlive,
 	sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
@@ -387,6 +390,7 @@ static struct {
 	{ "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
 	{ "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
 	{ "strictmodes", sStrictModes, SSHCFG_GLOBAL },
+	{ "permitblacklistedkeys", sPermitBlacklistedKeys, SSHCFG_GLOBAL },
 	{ "permitemptypasswords", sEmptyPasswd, SSHCFG_GLOBAL },
 	{ "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL },
 	{ "uselogin", sUseLogin, SSHCFG_GLOBAL },
@@ -943,6 +947,10 @@ parse_flag:
 		intptr = &options->tcp_keep_alive;
 		goto parse_flag;
 
+	case sPermitBlacklistedKeys:
+		intptr = &options->permit_blacklisted_keys;
+		goto parse_flag;
+
 	case sEmptyPasswd:
 		intptr = &options->permit_empty_passwd;
 		goto parse_flag;
-- 
cgit v1.2.3
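Review bot: The new keyword entry `{ "permitblacklistedkeys", sPermitBlacklistedKeys, SSHCFG_GLOBAL }` is flagged SSHCFG_GLOBAL, which — judging by the SSHCFG_ALL/SSHCFG_GLOBAL split on the neighbouring rows — presumably keeps it out of Match blocks, so a known-compromised key cannot be quietly re-enabled for a single user or address range. That is the right conservative choice, but the table gives no hint it was deliberate rather than copied from the strictmodes row above it, and a future "make this Match-able" request could undo it. A trailing comment would record the intent: `/* global only: never re-enable compromised keys per Match */`. The keyword table continues outside the hunk.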