From 47608c17e64138f8d16aa2bdc49a0eb00e1c3549 Mon Sep 17 00:00:00 2001
From: Colin Watson
Date: Mon, 12 May 2008 23:33:01 +0000
Subject: * Mitigate OpenSSL security vulnerability:
- Add key blacklisting support. Keys listed in /etc/ssh/blacklist.TYPE-LENGTH will be rejected for authentication by sshd, unless "PermitBlacklistedKeys yes" is set in /etc/ssh/sshd_config.
- Add a new program, ssh-vulnkey, which can be used to check keys against these blacklists.
- Depend on openssh-blacklist.
- Force dependencies on libssl0.9.8 / libcrypto0.9.8-udeb to at least 0.9.8g-9.
- Automatically regenerate known-compromised host keys, with a critical-priority debconf note. (I regret that there was no time to gather translations.)
---
 sshd.c | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
(limited to 'sshd.c')
diff --git a/sshd.c b/sshd.c
index add61cc5f..2d428967c 100644
--- a/sshd.c
+++ b/sshd.c
@@ -1466,6 +1466,21 @@ main(int ac, char **av)
 for (i = 0; i < options.num_host_key_files; i++) {
 key = key_load_private(options.host_key_files[i], "", NULL);
+ if (key && blacklisted_key(key)) {
+ char *fp;
+ fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
+ if (options.permit_blacklisted_keys)
+ error("Host key %s blacklisted (see " "ssh-vulnkey(1)); continuing anyway", fp);
+ else
+ error("Host key %s blacklisted (see " "ssh-vulnkey(1))", fp);
+ xfree(fp);
+ if (!options.permit_blacklisted_keys) {
+ sensitive_data.host_keys[i] = NULL;
+ continue;
+ }
+ }
 sensitive_data.host_keys[i] = key;
 if (key == NULL) {
 error("Could not load host key: %s",
--
cgit v1.2.3
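Review bot: A rejected host key is never released: in the `!options.permit_blacklisted_keys` branch the new code stores `NULL` into `sensitive_data.host_keys[i]` and `continue`s while `key` still holds the loaded private key, so each blacklisted key file leaks the key object and leaves its secret material resident for the life of the process. Add `key_free(key);` immediately before the `continue;`. The permit flag is also tested twice with two near-duplicate messages; a single `error("Host key %s blacklisted (see ssh-vulnkey(1))%s", fp, options.permit_blacklisted_keys ? "; continuing anyway" : "");` would make the branch shorter and keep one copy of the text. main() continues past the end of the hunk, so whether later code tolerates NULL entries in host_keys beyond the existing load-failure path cannot be confirmed from here.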