From da162da0416abb367ea8a415eb90d072a01fa020 Mon Sep 17 00:00:00 2001
From: Colin Watson
Date: Mon, 2 Jun 2008 13:04:55 +0000
Subject: Check compromised key blacklist in ssh or ssh-add, as well as in the server (LP: #232391). To override the blacklist check in ssh temporarily, use 'ssh -o UseBlacklistedKeys=yes'; there is no override for the blacklist check in ssh-add.
---
 ssh-add.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
(limited to 'ssh-add.c')
diff --git a/ssh-add.c b/ssh-add.c
index 4dc46f6db..f3e30a24d 100644
--- a/ssh-add.c
+++ b/ssh-add.c
@@ -138,7 +138,7 @@ static int
 add_file(AuthenticationConnection *ac, const char *filename)
 {
 Key *private;
- char *comment = NULL;
+ char *comment = NULL, *fp;
 char msg[1024];
 int fd, perms_ok, ret = -1;
@@ -183,6 +183,14 @@ add_file(AuthenticationConnection *ac, const char *filename)
 "Bad passphrase, try again for %.200s: ", comment);
 }
 }
+ if (blacklisted_key(private, &fp) == 1) {
+ fprintf(stderr, "Public key %s blacklisted (see " "ssh-vulnkey(1)); refusing to add it\n", fp);
+ xfree(fp);
+ key_free(private);
+ xfree(comment);
+ return -1;
+ }
 if (ssh_add_identity_constrained(ac, private, comment, lifetime, confirm)) {
-- 
cgit v1.2.3
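Review bot: The new branch in the second hunk refuses the key only when blacklisted_key() returns exactly 1, so any other non-zero result falls straight through to ssh_add_identity_constrained() and the key is added as if it were clean; the helper's return contract is not visible on this page, but if it can signal an error (for example an unreadable blacklist) that case should fail closed with its own message rather than being ignored, and fp must only be printed and freed when the helper actually set it. The early `return -1` also repeats the key_free()/xfree(comment) teardown that the `ret = -1` initialiser in the first hunk suggests happens at a common exit, so routing this branch through that exit (or a cleanup label) would keep the ownership of private and comment in one place. Including the file name in the refusal, as the surrounding messages do with `%.200s`, would tell the user which key file was rejected, e.g. `"Public key %s (%.200s) blacklisted (see ssh-vulnkey(1)); refusing to add it\n", fp, filename`. add_file continues past the end of the hunk.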