From 47608c17e64138f8d16aa2bdc49a0eb00e1c3549 Mon Sep 17 00:00:00 2001 From: Colin Watson Date: Mon, 12 May 2008 23:33:01 +0000 Subject: * Mitigate OpenSSL security vulnerability: - Add key blacklisting support. Keys listed in /etc/ssh/blacklist.TYPE-LENGTH will be rejected for authentication by sshd, unless "PermitBlacklistedKeys yes" is set in /etc/ssh/sshd_config. - Add a new program, ssh-vulnkey, which can be used to check keys against these blacklists. - Depend on openssh-blacklist. - Force dependencies on libssl0.9.8 / libcrypto0.9.8-udeb to at least 0.9.8g-9. - Automatically regenerate known-compromised host keys, with a critical-priority debconf note. (I regret that there was no time to gather translations.) --- sshd_config.5 | 14 ++++++++++++++ 1 file changed, 14 insertions(+) (limited to 'sshd_config.5') diff --git a/sshd_config.5 b/sshd_config.5 index a7a7227b2..dab26e079 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -615,6 +615,20 @@ are refused if the number of unauthenticated connections reaches Specifies whether password authentication is allowed. The default is .Dq yes . +.It Cm PermitBlacklistedKeys +Specifies whether +.Xr sshd 8 +should allow keys recorded in its blacklist of known-compromised keys (see +.Xr ssh-vulnkey 1 ) . +If +.Dq yes , +then attempts to authenticate with compromised keys will be logged but +accepted. +If +.Dq no , +then attempts to authenticate with compromised keys will be rejected. +The default is +.Dq no . .It Cm PermitEmptyPasswords When password authentication is allowed, it specifies whether the server allows login to accounts with empty password strings. -- cgit v1.2.3
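Review bot: The new PermitBlacklistedKeys entry in the sshd_config.5 hunk never tells the administrator which blacklist is consulted or what happens when none is installed; the commit message says keys are read from /etc/ssh/blacklist.TYPE-LENGTH and that the package depends on openssh-blacklist, but the manual text only says "its blacklist of known-compromised keys (see .Xr ssh-vulnkey 1 )". Suggest naming the file location in the description (or stating explicitly that ssh-vulnkey(1) documents it) and adding one sentence on the behaviour when no blacklist file exists for a key type, so an operator can verify the protection is actually active. For the "yes" branch, "logged but accepted" should also say at what log level the event is recorded and that the setting is intended only as a temporary measure while affected keys are regenerated, since enabling it restores acceptance of exactly the compromised keys this change is meant to reject; the documented default of "no" is the correct one.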