[Midnightbsd-cvs] src: crypto/openssh: Add blacklist feature to OpenSSH to look for Debian

laffer1 at midnightbsd.org laffer1 at midnightbsd.org
Fri May 16 16:18:26 EDT 2008


Log Message:
-----------
Add blacklist feature to OpenSSH to detect and reject known-compromised (Debian-style) keys

Modified Files:
--------------
    src/crypto/openssh:
        Makefile.in (r1.4 -> r1.5)
        auth-rh-rsa.c (r1.1.1.2 -> r1.2)
        auth-rsa.c (r1.1.1.3 -> r1.2)
        auth2-hostbased.c (r1.1.1.2 -> r1.2)
        auth2-pubkey.c (r1.1.1.2 -> r1.2)
        authfile.c (r1.1.1.2 -> r1.2)
        authfile.h (r1.1.1.2 -> r1.2)
        pathnames.h (r1.1.1.2 -> r1.2)
        servconf.c (r1.5 -> r1.6)
        servconf.h (r1.5 -> r1.6)
        ssh_namespace.h (r1.4 -> r1.5)
        sshd.c (r1.7 -> r1.8)
        sshd_config.5 (r1.5 -> r1.6)

Index: auth-rsa.c
===================================================================
RCS file: /home/cvs/src/crypto/openssh/auth-rsa.c,v
retrieving revision 1.1.1.3
retrieving revision 1.2
diff -L crypto/openssh/auth-rsa.c -L crypto/openssh/auth-rsa.c -u -r1.1.1.3 -r1.2
--- crypto/openssh/auth-rsa.c
+++ crypto/openssh/auth-rsa.c
@@ -40,6 +40,7 @@
 #include "servconf.h"
 #include "key.h"
 #include "hostfile.h"
+#include "authfile.h"
 #include "auth.h"
 #ifdef GSSAPI
 #include "ssh-gss.h"
@@ -221,6 +222,7 @@
 		char *cp;
 		char *key_options;
 		int keybits;
+		char *fp;
 
 		/* Skip leading whitespace, empty and comment lines. */
 		for (cp = line; *cp == ' ' || *cp == '\t'; cp++)
@@ -265,6 +267,19 @@
 			    "actual %d vs. announced %d.",
 			    file, linenum, BN_num_bits(key->rsa->n), bits);
 
+		if (blacklisted_key(key)) {
+			fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
+			if (options.permit_blacklisted_keys)
+				logit("Public key %s blacklisted (see "
+				    "ssh-vulnkey(1)); continuing anyway", fp);
+			else
+				logit("Public key %s blacklisted (see "
+				    "ssh-vulnkey(1))", fp);
+			xfree(fp);
+			if (!options.permit_blacklisted_keys)
+				continue;
+		}
+
 		/* We have found the desired key. */
 		/*
 		 * If our options do not allow this key to be used,
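Review bot: The two new `logit()` calls drop the `file`/`linenum` context that the keysize warning just above them prints, so an operator who sees "Public key ... blacklisted" cannot tell which authorized_keys entry was refused. Suggest `logit("%s, line %lu: public key %s blacklisted (see ssh-vulnkey(1))", file, linenum, fp);` and the same prefix on the "continuing anyway" variant. The `continue` is correct here since the scan should keep looking for a non-blacklisted entry; the enclosing read loop and auth_rsa_key_allowed() start and end outside the hunk.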
Index: authfile.h
===================================================================
RCS file: /home/cvs/src/crypto/openssh/authfile.h,v
retrieving revision 1.1.1.2
retrieving revision 1.2
diff -L crypto/openssh/authfile.h -L crypto/openssh/authfile.h -u -r1.1.1.2 -r1.2
--- crypto/openssh/authfile.h
+++ crypto/openssh/authfile.h
@@ -23,4 +23,7 @@
 Key	*key_load_private_pem(int, int, const char *, char **);
 int	 key_perm_ok(int, const char *);
 
+char	*blacklist_filename(const Key *key);
+int	 blacklisted_key(const Key *key);
+
 #endif
Index: sshd.c
===================================================================
RCS file: /home/cvs/src/crypto/openssh/sshd.c,v
retrieving revision 1.7
retrieving revision 1.8
diff -L crypto/openssh/sshd.c -L crypto/openssh/sshd.c -u -r1.7 -r1.8
--- crypto/openssh/sshd.c
+++ crypto/openssh/sshd.c
@@ -1477,6 +1477,21 @@
 
 	for (i = 0; i < options.num_host_key_files; i++) {
 		key = key_load_private(options.host_key_files[i], "", NULL);
+		if (key && blacklisted_key(key)) {
+			char *fp;
+			fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
+			if (options.permit_blacklisted_keys)
+				error("Host key %s blacklisted (see "
+				    "ssh-vulnkey(1)); continuing anyway", fp);
+			else
+				error("Host key %s blacklisted (see "
+				    "ssh-vulnkey(1))", fp);
+			xfree(fp);
+			if (!options.permit_blacklisted_keys) {
+				sensitive_data.host_keys[i] = NULL;
+				continue;
+			}
+		}
 		sensitive_data.host_keys[i] = key;
 		if (key == NULL) {
 			error("Could not load host key: %s",
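Review bot: The rejected host key is leaked at the new `continue`: `key` was just returned by key_load_private(), is never stored in `sensitive_data.host_keys[i]`, and nothing frees it, so the blacklisted private key material stays in the daemon's memory. Add `key_free(key);` immediately before `sensitive_data.host_keys[i] = NULL;`. The host-key loop continues past the hunk; it is worth confirming that the later "no host keys" handling still fires when every configured key is refused this way rather than failing to load.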
Index: Makefile.in
===================================================================
RCS file: /home/cvs/src/crypto/openssh/Makefile.in,v
retrieving revision 1.4
retrieving revision 1.5
diff -L crypto/openssh/Makefile.in -L crypto/openssh/Makefile.in -u -r1.4 -r1.5
--- crypto/openssh/Makefile.in
+++ crypto/openssh/Makefile.in
@@ -60,7 +60,7 @@
 INSTALL_SSH_PRNG_CMDS=@INSTALL_SSH_PRNG_CMDS@
 INSTALL_SSH_RAND_HELPER=@INSTALL_SSH_RAND_HELPER@
 
-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-agent$(EXEEXT) scp$(EXEEXT) ssh-rand-helper${EXEEXT} sftp-server$(EXEEXT) sftp$(EXEEXT)
+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-agent$(EXEEXT) scp$(EXEEXT) ssh-rand-helper${EXEEXT} sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-vulnkey$(EXEEXT)
 
 LIBSSH_OBJS=acss.o authfd.o authfile.o bufaux.o bufbn.o buffer.o \
 	canohost.o channels.o cipher.o cipher-acss.o cipher-aes.o \
@@ -88,8 +88,8 @@
 	loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
 	audit.o audit-bsm.o platform.o sftp-server.o sftp-common.o
 
-MANPAGES	= scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out sshd_config.5.out ssh_config.5.out
-MANPAGES_IN	= scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-rand-helper.8 ssh-keysign.8 sshd_config.5 ssh_config.5
+MANPAGES	= scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out ssh-vulnkey.1.out sshd_config.5.out ssh_config.5.out
+MANPAGES_IN	= scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-rand-helper.8 ssh-keysign.8 ssh-vulnkey.1 sshd_config.5 ssh_config.5
 MANTYPE		= @MANTYPE@
 
 CONFIGFILES=sshd_config.out ssh_config.out moduli.out
@@ -165,6 +165,9 @@
 ssh-rand-helper${EXEEXT}: $(LIBCOMPAT) libssh.a ssh-rand-helper.o
 	$(LD) -o $@ ssh-rand-helper.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
 
+ssh-vulnkey$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-vulnkey.o
+	$(LD) -o $@ ssh-vulnkey.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+
 # test driver for the loginrec code - not built by default
 logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o
 	$(LD) -o $@ logintest.o $(LDFLAGS) loginrec.o -lopenbsd-compat -lssh $(LIBS)
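Review bot: The new `ssh-vulnkey$(EXEEXT)` rule depends on `ssh-vulnkey.o`, and the MANPAGES changes on `ssh-vulnkey.1`, but the commit record lists only modified files and names neither ssh-vulnkey.c nor ssh-vulnkey.1; unless an "Added Files" section was dropped from this mail, the default target (which now includes ssh-vulnkey via TARGETS) fails to build. Please confirm both files are in the tree. Nothing further is needed on the library side, since blacklisted_key() lives in authfile.o, which is already in LIBSSH_OBJS.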
@@ -264,6 +267,7 @@
 	$(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign $(DESTDIR)$(SSH_KEYSIGN)
 	$(INSTALL) -m 0755 $(STRIP_OPT) sftp $(DESTDIR)$(bindir)/sftp
 	$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server $(DESTDIR)$(SFTP_SERVER)
+	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-vulnkey $(DESTDIR)$(bindir)/ssh-vulnkey
 	$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
 	$(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
 	$(INSTALL) -m 644 ssh-add.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
@@ -279,6 +283,7 @@
 	$(INSTALL) -m 644 sftp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/sftp.1
 	$(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
 	$(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
+	$(INSTALL) -m 644 ssh-vulnkey.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-vulnkey.1
 	-rm -f $(DESTDIR)$(bindir)/slogin
 	ln -s ./ssh$(EXEEXT) $(DESTDIR)$(bindir)/slogin
 	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
@@ -360,6 +365,7 @@
 	-rm -f $(DESTDIR)$(bindir)/ssh-agent$(EXEEXT)
 	-rm -f $(DESTDIR)$(bindir)/ssh-keygen$(EXEEXT)
 	-rm -f $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT)
+	-rm -f $(DESTDIR)$(bindir)/ssh-vulnkey$(EXEEXT)
 	-rm -f $(DESTDIR)$(bindir)/sftp$(EXEEXT)
 	-rm -f $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
 	-rm -r $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
@@ -372,6 +378,7 @@
 	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keygen.1
 	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/sftp.1
 	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keyscan.1
+	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-vulnkey.1
 	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8
 	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-rand-helper.8
 	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
Index: ssh_namespace.h
===================================================================
RCS file: /home/cvs/src/crypto/openssh/ssh_namespace.h,v
retrieving revision 1.4
retrieving revision 1.5
diff -L crypto/openssh/ssh_namespace.h -L crypto/openssh/ssh_namespace.h -u -r1.4 -r1.5
--- crypto/openssh/ssh_namespace.h
+++ crypto/openssh/ssh_namespace.h
@@ -375,9 +375,10 @@
 #define error 					ssh_error
 #define logit 					ssh_logit
 #define verbose 				ssh_verbose
-#define mac_clear ssh_mac_clear
-#define mac_setup ssh_mac_setup
-#define umac_delete ssh_umac_delete
-#define umac_final ssh_umac_final
-#define umac_new ssh_umac_new
-#define umac_update ssh_umac_update
+#define mac_clear 				ssh_mac_clear
+#define mac_setup 				ssh_mac_setup
+#define umac_delete 				ssh_umac_delete
+#define umac_final 				ssh_umac_final
+#define umac_new 				ssh_umac_new
+#define umac_update 				ssh_umac_update
+#define SSLeay_add_all_algorithms		ssh_SSLeay_add_all_algorithms
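Review bot: The added `#define SSLeay_add_all_algorithms ssh_SSLeay_add_all_algorithms` is unrelated to the blacklist feature in the log message and is unconditional, so every translation unit including ssh_namespace.h now links against ssh_SSLeay_add_all_algorithms(); if that wrapper is only compiled into the compat library under some configure option, other configurations will fail to link — please confirm it is always built and mention the change in the commit log. The rest of the hunk is whitespace realignment only.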
Index: sshd_config.5
===================================================================
RCS file: /home/cvs/src/crypto/openssh/sshd_config.5,v
retrieving revision 1.5
retrieving revision 1.6
diff -L crypto/openssh/sshd_config.5 -L crypto/openssh/sshd_config.5 -u -r1.5 -r1.6
--- crypto/openssh/sshd_config.5
+++ crypto/openssh/sshd_config.5
@@ -612,6 +612,20 @@
 Specifies whether password authentication is allowed.
 The default is
 .Dq yes .
+.It Cm PermitBlacklistedKeys
+Specifies whether
+.Xr sshd 8
+should allow keys recorded in its blacklist of known-compromised keys (see
+.Xr ssh-vulnkey 1 ) .
+If
+.Dq yes ,
+then attempts to authenticate with compromised keys will be logged but
+accepted.
+If
+.Dq no ,
+then attempts to authenticate with compromised keys will be rejected.
+The default is
+.Dq no .
 .It Cm PermitEmptyPasswords
 When password authentication is allowed, it specifies whether the
 server allows login to accounts with empty password strings.
Index: auth-rh-rsa.c
===================================================================
RCS file: /home/cvs/src/crypto/openssh/auth-rh-rsa.c,v
retrieving revision 1.1.1.2
retrieving revision 1.2
diff -L crypto/openssh/auth-rh-rsa.c -L crypto/openssh/auth-rh-rsa.c -u -r1.1.1.2 -r1.2
--- crypto/openssh/auth-rh-rsa.c
+++ crypto/openssh/auth-rh-rsa.c
@@ -20,6 +20,7 @@
 #include <pwd.h>
 #include <stdarg.h>
 
+#include "xmalloc.h"
 #include "packet.h"
 #include "uidswap.h"
 #include "log.h"
@@ -27,6 +28,7 @@
 #include "servconf.h"
 #include "key.h"
 #include "hostfile.h"
+#include "authfile.h"
 #include "pathnames.h"
 #include "auth.h"
 #include "canohost.h"
@@ -42,8 +44,22 @@
 auth_rhosts_rsa_key_allowed(struct passwd *pw, char *cuser, char *chost,
     Key *client_host_key)
 {
+	char *fp;
 	HostStatus host_status;
 
+	if (blacklisted_key(client_host_key)) {
+		fp = key_fingerprint(client_host_key, SSH_FP_MD5, SSH_FP_HEX);
+		if (options.permit_blacklisted_keys)
+			logit("Public key %s blacklisted (see "
+			    "ssh-vulnkey(1)); continuing anyway", fp);
+		else
+			logit("Public key %s blacklisted (see "
+			    "ssh-vulnkey(1))", fp);
+		xfree(fp);
+		if (!options.permit_blacklisted_keys)
+			return 0;
+	}
+
 	/* Check if we would accept it using rhosts authentication. */
 	if (!auth_rhosts(pw, cuser))
 		return 0;
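Review bot: The log line calls `client_host_key` a "Public key" while the sshd.c hunk in this commit labels the same kind of key "Host key", and it omits `chost`, which this function receives and which is what an operator needs to identify the offending host. Suggest `logit("Host key %s for %s blacklisted (see ssh-vulnkey(1))", fp, chost);` with the matching "continuing anyway" variant. Rejecting before auth_rhosts() is the right order, since it avoids the rhosts lookup for a key that will be refused anyway; auth_rhosts_rsa_key_allowed() continues outside the hunk.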
Index: auth2-pubkey.c
===================================================================
RCS file: /home/cvs/src/crypto/openssh/auth2-pubkey.c,v
retrieving revision 1.1.1.2
retrieving revision 1.2
diff -L crypto/openssh/auth2-pubkey.c -L crypto/openssh/auth2-pubkey.c -u -r1.1.1.2 -r1.2
--- crypto/openssh/auth2-pubkey.c
+++ crypto/openssh/auth2-pubkey.c
@@ -42,6 +42,7 @@
 #include "compat.h"
 #include "key.h"
 #include "hostfile.h"
+#include "authfile.h"
 #include "auth.h"
 #include "pathnames.h"
 #include "uidswap.h"
@@ -269,9 +270,23 @@
 int
 user_key_allowed(struct passwd *pw, Key *key)
 {
+	char *fp;
 	int success;
 	char *file;
 
+	if (blacklisted_key(key)) {
+		fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
+		if (options.permit_blacklisted_keys)
+			logit("Public key %s blacklisted (see "
+			    "ssh-vulnkey(1)); continuing anyway", fp);
+		else
+			logit("Public key %s blacklisted (see "
+			    "ssh-vulnkey(1))", fp);
+		xfree(fp);
+		if (!options.permit_blacklisted_keys)
+			return 0;
+	}
+
 	file = authorized_keys_file(pw);
 	success = user_key_allowed2(pw, key, file);
 	xfree(file);
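Review bot: This twelve-line log-and-reject sequence is duplicated verbatim in auth-rsa.c, auth-rh-rsa.c and auth2-hostbased.c in this commit, differing only in `return 0` versus `continue`; the two `logit()` strings and the double test of `options.permit_blacklisted_keys` will drift apart across four copies. Factor it into one helper (in auth.c with a prototype in auth.h, next to the other auth_* checks) that returns whether authentication may proceed, so each call site shrinks to `if (!auth_key_blacklist_ok(key)) return 0;`. user_key_allowed() continues past the hunk.

```c
/*
 * Log a key found on the compromised-key blacklist.  Returns 1 if
 * authentication may proceed (key not blacklisted, or
 * PermitBlacklistedKeys is set), 0 if the key must be refused.
 */
int
auth_key_blacklist_ok(Key *key)
{
	char *fp;

	if (!blacklisted_key(key))
		return 1;
	fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
	if (options.permit_blacklisted_keys)
		logit("Public key %s blacklisted (see "
		    "ssh-vulnkey(1)); continuing anyway", fp);
	else
		logit("Public key %s blacklisted (see ssh-vulnkey(1))", fp);
	xfree(fp);
	return options.permit_blacklisted_keys;
}
```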
Index: authfile.c
===================================================================
RCS file: /home/cvs/src/crypto/openssh/authfile.c,v
retrieving revision 1.1.1.2
retrieving revision 1.2
diff -L crypto/openssh/authfile.c -L crypto/openssh/authfile.c -u -r1.1.1.2 -r1.2
--- crypto/openssh/authfile.c
+++ crypto/openssh/authfile.c
@@ -65,6 +65,7 @@
 #include "rsa.h"
 #include "misc.h"
 #include "atomicio.h"
+#include "pathnames.h"
 
 /* Version identification string for SSH v1 identity files. */
 static const char authfile_id_string[] =
@@ -677,3 +678,113 @@
 	key_free(pub);
 	return NULL;
 }
+
+char *
+blacklist_filename(const Key *key)
+{
+	char *name;
+
+	xasprintf(&name, "%s.%s-%u",
+	    _PATH_BLACKLIST, key_type(key), key_size(key));
+	return name;
+}
+
+/* Scan a blacklist of known-vulnerable keys. */
+int
+blacklisted_key(const Key *key)
+{
+	char *blacklist_file;
+	int fd = -1;
+	char *dgst_hex = NULL;
+	char *dgst_packed = NULL, *p;
+	int i;
+	size_t line_len;
+	struct stat st;
+	char buf[256];
+	off_t start, lower, upper;
+	int ret = 0;
+
+	blacklist_file = blacklist_filename(key);
+	debug("Checking blacklist file %s", blacklist_file);
+	fd = open(blacklist_file, O_RDONLY);
+	if (fd < 0)
+		goto out;
+
+	dgst_hex = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
+	/* Remove all colons */
+	dgst_packed = xcalloc(1, strlen(dgst_hex) + 1);
+	for (i = 0, p = dgst_packed; dgst_hex[i]; i++)
+		if (dgst_hex[i] != ':')
+			*p++ = dgst_hex[i];
+	/* Only compare least-significant 80 bits (to keep the blacklist
+	 * size down)
+	 */
+	line_len = strlen(dgst_packed + 12);
+	if (line_len > 32)
+		goto out;
+
+	/* Skip leading comments */
+	start = 0;
+	for (;;) {
+		ssize_t r;
+		char *newline;
+
+		r = atomicio(read, fd, buf, 256);
+		if (r <= 0)
+			goto out;
+		if (buf[0] != '#')
+			break;
+
+		newline = memchr(buf, '\n', 256);
+		if (!newline)
+			goto out;
+		start += newline + 1 - buf;
+		if (lseek(fd, start, SEEK_SET) < 0)
+			goto out;
+	}
+
+	/* Initialise binary search record numbers */
+	if (fstat(fd, &st) < 0)
+		goto out;
+	lower = 0;
+	upper = (st.st_size - start) / (line_len + 1);
+
+	while (lower != upper) {
+		off_t cur;
+		char buf[32];
+		int cmp;
+
+		cur = lower + (upper - lower) / 2;
+
+		/* Read this line and compare to digest; this is
+		 * overflow-safe since cur < max(off_t) / (line_len + 1) */
+		if (lseek(fd, start + cur * (line_len + 1), SEEK_SET) < 0)
+			break;
+		if (atomicio(read, fd, buf, line_len) != line_len)
+			break;
+		cmp = memcmp(buf, dgst_packed + 12, line_len);
+		if (cmp < 0) {
+			if (cur == lower)
+				break;
+			lower = cur;
+		} else if (cmp > 0) {
+			if (cur == upper)
+				break;
+			upper = cur;
+		} else {
+			debug("Found %s in blacklist", dgst_hex);
+			ret = 1;
+			break;
+		}
+	}
+
+out:
+	if (dgst_packed)
+		xfree(dgst_packed);
+	if (dgst_hex)
+		xfree(dgst_hex);
+	if (fd >= 0)
+		close(fd);
+	xfree(blacklist_file);
+	return ret;
+}
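Review bot: blacklisted_key() fails open: a missing or unreadable blacklist file (`if (fd < 0) goto out;`), a leading comment line longer than 256 bytes, or a read/lseek failure in the binary search all yield 0 ("not blacklisted") with at most a debug() message, so with the default PermitBlacklistedKeys=no an operator will assume a protection that is silently absent. At minimum report non-ENOENT open failures, e.g. `if (fd < 0) { if (errno != ENOENT) error("Cannot open blacklist %s: %s", blacklist_file, strerror(errno)); goto out; }` (authfile.c presumably already includes <errno.h> and <string.h>; confirm). Separately, the comment-skipping `memchr(buf, '\n', 256)` scans the whole buffer even when atomicio() returned fewer than 256 bytes and should be bounded by `r`, and the inner `char buf[32]` shadows the outer `buf[256]`, which -Wshadow flags. A short header comment on the function stating the expected file format — optional leading '#' comment lines, then sorted fixed-width lines holding the low 80 bits of the MD5 fingerprint as hex — would make the binary-search arithmetic reviewable.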
Index: auth2-hostbased.c
===================================================================
RCS file: /home/cvs/src/crypto/openssh/auth2-hostbased.c,v
retrieving revision 1.1.1.2
retrieving revision 1.2
diff -L crypto/openssh/auth2-hostbased.c -L crypto/openssh/auth2-hostbased.c -u -r1.1.1.2 -r1.2
--- crypto/openssh/auth2-hostbased.c
+++ crypto/openssh/auth2-hostbased.c
@@ -40,6 +40,7 @@
 #include "compat.h"
 #include "key.h"
 #include "hostfile.h"
+#include "authfile.h"
 #include "auth.h"
 #include "canohost.h"
 #ifdef GSSAPI
@@ -141,10 +142,24 @@
 hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost,
     Key *key)
 {
+	char *fp;
 	const char *resolvedname, *ipaddr, *lookup;
 	HostStatus host_status;
 	int len;
 
+	if (blacklisted_key(key)) {
+		fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
+		if (options.permit_blacklisted_keys)
+			logit("Public key %s blacklisted (see "
+			    "ssh-vulnkey(1)); continuing anyway", fp);
+		else
+			logit("Public key %s blacklisted (see "
+			    "ssh-vulnkey(1))", fp);
+		xfree(fp);
+		if (!options.permit_blacklisted_keys)
+			return 0;
+	}
+
 	resolvedname = get_canonical_hostname(options.use_dns);
 	ipaddr = get_remote_ipaddr();
 
Index: servconf.h
===================================================================
RCS file: /home/cvs/src/crypto/openssh/servconf.h,v
retrieving revision 1.5
retrieving revision 1.6
diff -L crypto/openssh/servconf.h -L crypto/openssh/servconf.h -u -r1.5 -r1.6
--- crypto/openssh/servconf.h
+++ crypto/openssh/servconf.h
@@ -95,6 +95,7 @@
 						 * authentication. */
 	int     kbd_interactive_authentication;	/* If true, permit */
 	int     challenge_response_authentication;
+	int     permit_blacklisted_keys;	/* If true, permit */
 	int     permit_empty_passwd;	/* If false, do not permit empty
 					 * passwords. */
 	int     permit_user_env;	/* If true, read ~/.ssh/environment */
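Review bot: The comment on the new `permit_blacklisted_keys` field, `/* If true, permit */`, is a truncated copy of the one on the line above and does not say what is permitted. Suggest `int     permit_blacklisted_keys;	/* If true, accept keys found on the compromised-key blacklist (PermitBlacklistedKeys, default no) */`. The enclosing struct ServerOptions starts and ends outside the hunk.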
Index: servconf.c
===================================================================
RCS file: /home/cvs/src/crypto/openssh/servconf.c,v
retrieving revision 1.5
retrieving revision 1.6
diff -L crypto/openssh/servconf.c -L crypto/openssh/servconf.c -u -r1.5 -r1.6
--- crypto/openssh/servconf.c
+++ crypto/openssh/servconf.c
@@ -94,6 +94,7 @@
 	options->password_authentication = -1;
 	options->kbd_interactive_authentication = -1;
 	options->challenge_response_authentication = -1;
+	options->permit_blacklisted_keys = -1;
 	options->permit_empty_passwd = -1;
 	options->permit_user_env = -1;
 	options->use_login = -1;
@@ -213,6 +214,8 @@
 		options->kbd_interactive_authentication = 0;
 	if (options->challenge_response_authentication == -1)
 		options->challenge_response_authentication = 1;
+	if (options->permit_blacklisted_keys == -1)
+		options->permit_blacklisted_keys = 0;
 	if (options->permit_empty_passwd == -1)
 		options->permit_empty_passwd = 0;
 	if (options->permit_user_env == -1)
@@ -282,7 +285,7 @@
 	sListenAddress, sAddressFamily,
 	sPrintMotd, sPrintLastLog, sIgnoreRhosts,
 	sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
-	sStrictModes, sEmptyPasswd, sTCPKeepAlive,
+	sStrictModes, sPermitBlacklistedKeys, sEmptyPasswd, sTCPKeepAlive,
 	sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
 	sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
 	sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
@@ -372,6 +375,7 @@
 	{ "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
 	{ "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
 	{ "strictmodes", sStrictModes, SSHCFG_GLOBAL },
+	{ "permitblacklistedkeys", sPermitBlacklistedKeys, SSHCFG_GLOBAL },
 	{ "permitemptypasswords", sEmptyPasswd, SSHCFG_GLOBAL },
 	{ "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL },
 	{ "uselogin", sUseLogin, SSHCFG_GLOBAL },
@@ -923,6 +927,10 @@
 		intptr = &options->tcp_keep_alive;
 		goto parse_flag;
 
+	case sPermitBlacklistedKeys:
+		intptr = &options->permit_blacklisted_keys;
+		goto parse_flag;
+
 	case sEmptyPasswd:
 		intptr = &options->permit_empty_passwd;
 		goto parse_flag;
Index: pathnames.h
===================================================================
RCS file: /home/cvs/src/crypto/openssh/pathnames.h,v
retrieving revision 1.1.1.2
retrieving revision 1.2
diff -L crypto/openssh/pathnames.h -L crypto/openssh/pathnames.h -u -r1.1.1.2 -r1.2
--- crypto/openssh/pathnames.h
+++ crypto/openssh/pathnames.h
@@ -43,6 +43,8 @@
 /* Backwards compatibility */
 #define _PATH_DH_PRIMES			SSHDIR "/primes"
 
+#define _PATH_BLACKLIST			SSHDIR "/blacklist"
+
 #ifndef _PATH_SSH_PROGRAM
 #define _PATH_SSH_PROGRAM		"/usr/bin/ssh"
 #endif

