[Midnightbsd-cvs] src: crypto/openssh: Add blacklist feature to OpenSSH to look for Debian
laffer1 at midnightbsd.org
laffer1 at midnightbsd.org
Fri May 16 16:18:26 EDT 2008
Log Message:
-----------
Add blacklist feature to OpenSSH to look for Debian style keys
Modified Files:
--------------
src/crypto/openssh:
Makefile.in (r1.4 -> r1.5)
auth-rh-rsa.c (r1.1.1.2 -> r1.2)
auth-rsa.c (r1.1.1.3 -> r1.2)
auth2-hostbased.c (r1.1.1.2 -> r1.2)
auth2-pubkey.c (r1.1.1.2 -> r1.2)
authfile.c (r1.1.1.2 -> r1.2)
authfile.h (r1.1.1.2 -> r1.2)
pathnames.h (r1.1.1.2 -> r1.2)
servconf.c (r1.5 -> r1.6)
servconf.h (r1.5 -> r1.6)
ssh_namespace.h (r1.4 -> r1.5)
sshd.c (r1.7 -> r1.8)
sshd_config.5 (r1.5 -> r1.6)
-------------- next part --------------
Index: auth-rsa.c
===================================================================
RCS file: /home/cvs/src/crypto/openssh/auth-rsa.c,v
retrieving revision 1.1.1.3
retrieving revision 1.2
diff -L crypto/openssh/auth-rsa.c -L crypto/openssh/auth-rsa.c -u -r1.1.1.3 -r1.2
--- crypto/openssh/auth-rsa.c
+++ crypto/openssh/auth-rsa.c
@@ -40,6 +40,7 @@
#include "servconf.h"
#include "key.h"
#include "hostfile.h"
+#include "authfile.h"
#include "auth.h"
#ifdef GSSAPI
#include "ssh-gss.h"
@@ -221,6 +222,7 @@
char *cp;
char *key_options;
int keybits;
+ char *fp;
/* Skip leading whitespace, empty and comment lines. */
for (cp = line; *cp == ' ' || *cp == '\t'; cp++)
@@ -265,6 +267,19 @@
"actual %d vs. announced %d.",
file, linenum, BN_num_bits(key->rsa->n), bits);
+ if (blacklisted_key(key)) {
+ fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
+ if (options.permit_blacklisted_keys)
+ logit("Public key %s blacklisted (see "
+ "ssh-vulnkey(1)); continuing anyway", fp);
+ else
+ logit("Public key %s blacklisted (see "
+ "ssh-vulnkey(1))", fp);
+ xfree(fp);
+ if (!options.permit_blacklisted_keys)
+ continue;
+ }
+
/* We have found the desired key. */
/*
* If our options do not allow this key to be used,
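Review bot: The blacklist check inserted before "We have found the desired key" is the same twelve-line block that this commit also pastes into auth-rh-rsa.c, auth2-pubkey.c, auth2-hostbased.c and, with error() in place of logit(), into sshd.c; five copies of one policy decision will drift, so it belongs in a single helper, e.g. (constructed name) `int auth_key_blacklisted(Key *key, const char *what)` in auth.c that computes the fingerprint, logs it with `what` standing for "Public key"/"Host key", frees it and returns whether the key must be rejected. Each call site then reduces to `if (auth_key_blacklisted(key, "Public key")) continue;` (or `return 0;`) and the added local `fp` declarations go away. Note that blacklisted_key() opens and binary-searches the blacklist file on every call, so here it costs a file open for each key that reaches this point; the enclosing loop starts and ends outside the hunk.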
Index: authfile.h
===================================================================
RCS file: /home/cvs/src/crypto/openssh/authfile.h,v
retrieving revision 1.1.1.2
retrieving revision 1.2
diff -L crypto/openssh/authfile.h -L crypto/openssh/authfile.h -u -r1.1.1.2 -r1.2
--- crypto/openssh/authfile.h
+++ crypto/openssh/authfile.h
@@ -23,4 +23,7 @@
Key *key_load_private_pem(int, int, const char *, char **);
int key_perm_ok(int, const char *);
+char *blacklist_filename(const Key *key);
+int blacklisted_key(const Key *key);
+
#endif
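Review bot: The two new prototypes carry no contract, and both matter to callers: blacklist_filename() returns an xasprintf()'d string the caller must xfree(), and blacklisted_key() returns 0 both for a key that is not listed and for a blacklist that cannot be opened or read. Proposed comments: `/* Path of the blacklist for key's type and size; caller must xfree() the result. */` above blacklist_filename and `/* Returns 1 if key's fingerprint is in the blacklist, 0 otherwise (also 0 when the blacklist is missing or unreadable). */` above blacklisted_key.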
Index: sshd.c
===================================================================
RCS file: /home/cvs/src/crypto/openssh/sshd.c,v
retrieving revision 1.7
retrieving revision 1.8
diff -L crypto/openssh/sshd.c -L crypto/openssh/sshd.c -u -r1.7 -r1.8
--- crypto/openssh/sshd.c
+++ crypto/openssh/sshd.c
@@ -1477,6 +1477,21 @@
for (i = 0; i < options.num_host_key_files; i++) {
key = key_load_private(options.host_key_files[i], "", NULL);
+ if (key && blacklisted_key(key)) {
+ char *fp;
+ fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
+ if (options.permit_blacklisted_keys)
+ error("Host key %s blacklisted (see "
+ "ssh-vulnkey(1)); continuing anyway", fp);
+ else
+ error("Host key %s blacklisted (see "
+ "ssh-vulnkey(1))", fp);
+ xfree(fp);
+ if (!options.permit_blacklisted_keys) {
+ sensitive_data.host_keys[i] = NULL;
+ continue;
+ }
+ }
sensitive_data.host_keys[i] = key;
if (key == NULL) {
error("Could not load host key: %s",
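Review bot: When the host key is blacklisted and PermitBlacklistedKeys is off, the new branch discards the Key returned by key_load_private() without freeing it: it sets `sensitive_data.host_keys[i] = NULL` and continues, so the rejected private key stays allocated in sshd for its lifetime. Free it before clearing the slot, `key_free(key); sensitive_data.host_keys[i] = NULL; continue;`. The enclosing for loop continues past the hunk, so I cannot see whether a later check counts the remaining non-NULL host keys; presumably the existing "no host keys" handling covers the case where every key is rejected — worth confirming.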
Index: Makefile.in
===================================================================
RCS file: /home/cvs/src/crypto/openssh/Makefile.in,v
retrieving revision 1.4
retrieving revision 1.5
diff -L crypto/openssh/Makefile.in -L crypto/openssh/Makefile.in -u -r1.4 -r1.5
--- crypto/openssh/Makefile.in
+++ crypto/openssh/Makefile.in
@@ -60,7 +60,7 @@
INSTALL_SSH_PRNG_CMDS=@INSTALL_SSH_PRNG_CMDS@
INSTALL_SSH_RAND_HELPER=@INSTALL_SSH_RAND_HELPER@
-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-agent$(EXEEXT) scp$(EXEEXT) ssh-rand-helper${EXEEXT} sftp-server$(EXEEXT) sftp$(EXEEXT)
+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-agent$(EXEEXT) scp$(EXEEXT) ssh-rand-helper${EXEEXT} sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-vulnkey$(EXEEXT)
LIBSSH_OBJS=acss.o authfd.o authfile.o bufaux.o bufbn.o buffer.o \
canohost.o channels.o cipher.o cipher-acss.o cipher-aes.o \
@@ -88,8 +88,8 @@
loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
audit.o audit-bsm.o platform.o sftp-server.o sftp-common.o
-MANPAGES = scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out sshd_config.5.out ssh_config.5.out
-MANPAGES_IN = scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-rand-helper.8 ssh-keysign.8 sshd_config.5 ssh_config.5
+MANPAGES = scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out ssh-vulnkey.1.out sshd_config.5.out ssh_config.5.out
+MANPAGES_IN = scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-rand-helper.8 ssh-keysign.8 ssh-vulnkey.1 sshd_config.5 ssh_config.5
MANTYPE = @MANTYPE@
CONFIGFILES=sshd_config.out ssh_config.out moduli.out
@@ -165,6 +165,9 @@
ssh-rand-helper${EXEEXT}: $(LIBCOMPAT) libssh.a ssh-rand-helper.o
$(LD) -o $@ ssh-rand-helper.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+ssh-vulnkey$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-vulnkey.o
+ $(LD) -o $@ ssh-vulnkey.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+
# test driver for the loginrec code - not built by default
logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o
$(LD) -o $@ logintest.o $(LDFLAGS) loginrec.o -lopenbsd-compat -lssh $(LIBS)
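Review bot: The new ssh-vulnkey target depends on ssh-vulnkey.o, and the MANPAGES/MANPAGES_IN lists and install rules add ssh-vulnkey.1, but neither ssh-vulnkey.c nor ssh-vulnkey.1 appears in this commit's modified-files list. If they are added in a separate commit this is fine; otherwise `make` and `make install` fail on the missing sources, and the `$(INSTALL)` of `ssh-vulnkey.1.out` in the later hunk fails too.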
@@ -264,6 +267,7 @@
$(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign $(DESTDIR)$(SSH_KEYSIGN)
$(INSTALL) -m 0755 $(STRIP_OPT) sftp $(DESTDIR)$(bindir)/sftp
$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server $(DESTDIR)$(SFTP_SERVER)
+ $(INSTALL) -m 0755 $(STRIP_OPT) ssh-vulnkey $(DESTDIR)$(bindir)/ssh-vulnkey
$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
$(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
$(INSTALL) -m 644 ssh-add.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
@@ -279,6 +283,7 @@
$(INSTALL) -m 644 sftp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/sftp.1
$(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
$(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
+ $(INSTALL) -m 644 ssh-vulnkey.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-vulnkey.1
-rm -f $(DESTDIR)$(bindir)/slogin
ln -s ./ssh$(EXEEXT) $(DESTDIR)$(bindir)/slogin
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
@@ -360,6 +365,7 @@
-rm -f $(DESTDIR)$(bindir)/ssh-agent$(EXEEXT)
-rm -f $(DESTDIR)$(bindir)/ssh-keygen$(EXEEXT)
-rm -f $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT)
+ -rm -f $(DESTDIR)$(bindir)/ssh-vulnkey$(EXEEXT)
-rm -f $(DESTDIR)$(bindir)/sftp$(EXEEXT)
-rm -f $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
-rm -r $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
@@ -372,6 +378,7 @@
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keygen.1
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/sftp.1
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keyscan.1
+ -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-vulnkey.1
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-rand-helper.8
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
Index: ssh_namespace.h
===================================================================
RCS file: /home/cvs/src/crypto/openssh/ssh_namespace.h,v
retrieving revision 1.4
retrieving revision 1.5
diff -L crypto/openssh/ssh_namespace.h -L crypto/openssh/ssh_namespace.h -u -r1.4 -r1.5
--- crypto/openssh/ssh_namespace.h
+++ crypto/openssh/ssh_namespace.h
@@ -375,9 +375,10 @@
#define error ssh_error
#define logit ssh_logit
#define verbose ssh_verbose
-#define mac_clear ssh_mac_clear
-#define mac_setup ssh_mac_setup
-#define umac_delete ssh_umac_delete
-#define umac_final ssh_umac_final
-#define umac_new ssh_umac_new
-#define umac_update ssh_umac_update
+#define mac_clear ssh_mac_clear
+#define mac_setup ssh_mac_setup
+#define umac_delete ssh_umac_delete
+#define umac_final ssh_umac_final
+#define umac_new ssh_umac_new
+#define umac_update ssh_umac_update
+#define SSLeay_add_all_algorithms ssh_SSLeay_add_all_algorithms
Index: sshd_config.5
===================================================================
RCS file: /home/cvs/src/crypto/openssh/sshd_config.5,v
retrieving revision 1.5
retrieving revision 1.6
diff -L crypto/openssh/sshd_config.5 -L crypto/openssh/sshd_config.5 -u -r1.5 -r1.6
--- crypto/openssh/sshd_config.5
+++ crypto/openssh/sshd_config.5
@@ -612,6 +612,20 @@
Specifies whether password authentication is allowed.
The default is
.Dq yes .
+.It Cm PermitBlacklistedKeys
+Specifies whether
+.Xr sshd 8
+should allow keys recorded in its blacklist of known-compromised keys (see
+.Xr ssh-vulnkey 1 ) .
+If
+.Dq yes ,
+then attempts to authenticate with compromised keys will be logged but
+accepted.
+If
+.Dq no ,
+then attempts to authenticate with compromised keys will be rejected.
+The default is
+.Dq no .
.It Cm PermitEmptyPasswords
When password authentication is allowed, it specifies whether the
server allows login to accounts with empty password strings.
Index: auth-rh-rsa.c
===================================================================
RCS file: /home/cvs/src/crypto/openssh/auth-rh-rsa.c,v
retrieving revision 1.1.1.2
retrieving revision 1.2
diff -L crypto/openssh/auth-rh-rsa.c -L crypto/openssh/auth-rh-rsa.c -u -r1.1.1.2 -r1.2
--- crypto/openssh/auth-rh-rsa.c
+++ crypto/openssh/auth-rh-rsa.c
@@ -20,6 +20,7 @@
#include <pwd.h>
#include <stdarg.h>
+#include "xmalloc.h"
#include "packet.h"
#include "uidswap.h"
#include "log.h"
@@ -27,6 +28,7 @@
#include "servconf.h"
#include "key.h"
#include "hostfile.h"
+#include "authfile.h"
#include "pathnames.h"
#include "auth.h"
#include "canohost.h"
@@ -42,8 +44,22 @@
auth_rhosts_rsa_key_allowed(struct passwd *pw, char *cuser, char *chost,
Key *client_host_key)
{
+ char *fp;
HostStatus host_status;
+ if (blacklisted_key(client_host_key)) {
+ fp = key_fingerprint(client_host_key, SSH_FP_MD5, SSH_FP_HEX);
+ if (options.permit_blacklisted_keys)
+ logit("Public key %s blacklisted (see "
+ "ssh-vulnkey(1)); continuing anyway", fp);
+ else
+ logit("Public key %s blacklisted (see "
+ "ssh-vulnkey(1))", fp);
+ xfree(fp);
+ if (!options.permit_blacklisted_keys)
+ return 0;
+ }
+
/* Check if we would accept it using rhosts authentication. */
if (!auth_rhosts(pw, cuser))
return 0;
Index: auth2-pubkey.c
===================================================================
RCS file: /home/cvs/src/crypto/openssh/auth2-pubkey.c,v
retrieving revision 1.1.1.2
retrieving revision 1.2
diff -L crypto/openssh/auth2-pubkey.c -L crypto/openssh/auth2-pubkey.c -u -r1.1.1.2 -r1.2
--- crypto/openssh/auth2-pubkey.c
+++ crypto/openssh/auth2-pubkey.c
@@ -42,6 +42,7 @@
#include "compat.h"
#include "key.h"
#include "hostfile.h"
+#include "authfile.h"
#include "auth.h"
#include "pathnames.h"
#include "uidswap.h"
@@ -269,9 +270,23 @@
int
user_key_allowed(struct passwd *pw, Key *key)
{
+ char *fp;
int success;
char *file;
+ if (blacklisted_key(key)) {
+ fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
+ if (options.permit_blacklisted_keys)
+ logit("Public key %s blacklisted (see "
+ "ssh-vulnkey(1)); continuing anyway", fp);
+ else
+ logit("Public key %s blacklisted (see "
+ "ssh-vulnkey(1))", fp);
+ xfree(fp);
+ if (!options.permit_blacklisted_keys)
+ return 0;
+ }
+
file = authorized_keys_file(pw);
success = user_key_allowed2(pw, key, file);
xfree(file);
Index: authfile.c
===================================================================
RCS file: /home/cvs/src/crypto/openssh/authfile.c,v
retrieving revision 1.1.1.2
retrieving revision 1.2
diff -L crypto/openssh/authfile.c -L crypto/openssh/authfile.c -u -r1.1.1.2 -r1.2
--- crypto/openssh/authfile.c
+++ crypto/openssh/authfile.c
@@ -65,6 +65,7 @@
#include "rsa.h"
#include "misc.h"
#include "atomicio.h"
+#include "pathnames.h"
/* Version identification string for SSH v1 identity files. */
static const char authfile_id_string[] =
@@ -677,3 +678,113 @@
key_free(pub);
return NULL;
}
+
+char *
+blacklist_filename(const Key *key)
+{
+ char *name;
+
+ xasprintf(&name, "%s.%s-%u",
+ _PATH_BLACKLIST, key_type(key), key_size(key));
+ return name;
+}
+
+/* Scan a blacklist of known-vulnerable keys. */
+int
+blacklisted_key(const Key *key)
+{
+ char *blacklist_file;
+ int fd = -1;
+ char *dgst_hex = NULL;
+ char *dgst_packed = NULL, *p;
+ int i;
+ size_t line_len;
+ struct stat st;
+ char buf[256];
+ off_t start, lower, upper;
+ int ret = 0;
+
+ blacklist_file = blacklist_filename(key);
+ debug("Checking blacklist file %s", blacklist_file);
+ fd = open(blacklist_file, O_RDONLY);
+ if (fd < 0)
+ goto out;
+
+ dgst_hex = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
+ /* Remove all colons */
+ dgst_packed = xcalloc(1, strlen(dgst_hex) + 1);
+ for (i = 0, p = dgst_packed; dgst_hex[i]; i++)
+ if (dgst_hex[i] != ':')
+ *p++ = dgst_hex[i];
+ /* Only compare least-significant 80 bits (to keep the blacklist
+ * size down)
+ */
+ line_len = strlen(dgst_packed + 12);
+ if (line_len > 32)
+ goto out;
+
+ /* Skip leading comments */
+ start = 0;
+ for (;;) {
+ ssize_t r;
+ char *newline;
+
+ r = atomicio(read, fd, buf, 256);
+ if (r <= 0)
+ goto out;
+ if (buf[0] != '#')
+ break;
+
+ newline = memchr(buf, '\n', 256);
+ if (!newline)
+ goto out;
+ start += newline + 1 - buf;
+ if (lseek(fd, start, SEEK_SET) < 0)
+ goto out;
+ }
+
+ /* Initialise binary search record numbers */
+ if (fstat(fd, &st) < 0)
+ goto out;
+ lower = 0;
+ upper = (st.st_size - start) / (line_len + 1);
+
+ while (lower != upper) {
+ off_t cur;
+ char buf[32];
+ int cmp;
+
+ cur = lower + (upper - lower) / 2;
+
+ /* Read this line and compare to digest; this is
+ * overflow-safe since cur < max(off_t) / (line_len + 1) */
+ if (lseek(fd, start + cur * (line_len + 1), SEEK_SET) < 0)
+ break;
+ if (atomicio(read, fd, buf, line_len) != line_len)
+ break;
+ cmp = memcmp(buf, dgst_packed + 12, line_len);
+ if (cmp < 0) {
+ if (cur == lower)
+ break;
+ lower = cur;
+ } else if (cmp > 0) {
+ if (cur == upper)
+ break;
+ upper = cur;
+ } else {
+ debug("Found %s in blacklist", dgst_hex);
+ ret = 1;
+ break;
+ }
+ }
+
+out:
+ if (dgst_packed)
+ xfree(dgst_packed);
+ if (dgst_hex)
+ xfree(dgst_hex);
+ if (fd >= 0)
+ close(fd);
+ xfree(blacklist_file);
+ return ret;
+}
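Review bot: blacklisted_key() fails open on every error path: a blacklist file that cannot be opened for any reason, a leading comment line longer than the 256-byte buffer, or a failed fstat()/lseek()/read() all reach `out:` with ret still 0, so the key is treated as clean and only a debug() line records the file name. A missing file is the expected case, but a permission or I/O error silently disables the check, so at least report the non-ENOENT case: `if (fd < 0) { if (errno != ENOENT) error("Could not open blacklist file %s: %s", blacklist_file, strerror(errno)); goto out; }` (add `<errno.h>` if authfile.c does not already include it). The inner `char buf[32]` shadows the function's `char buf[256]`; renaming it `rec` avoids -Wshadow noise and makes clear which buffer the memcmp reads. The `dgst_packed + 12` offset presumes the colon-stripped fingerprint is the 32-hex-digit MD5 form, which the SSH_FP_MD5/SSH_FP_HEX call makes true today but nothing asserts; the function's header comment should state that it compares only the low 80 bits of the MD5 fingerprint and returns 0 both for a clean key and for an unreadable blacklist, so the callers' fail-open behaviour is visibly intended.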
Index: auth2-hostbased.c
===================================================================
RCS file: /home/cvs/src/crypto/openssh/auth2-hostbased.c,v
retrieving revision 1.1.1.2
retrieving revision 1.2
diff -L crypto/openssh/auth2-hostbased.c -L crypto/openssh/auth2-hostbased.c -u -r1.1.1.2 -r1.2
--- crypto/openssh/auth2-hostbased.c
+++ crypto/openssh/auth2-hostbased.c
@@ -40,6 +40,7 @@
#include "compat.h"
#include "key.h"
#include "hostfile.h"
+#include "authfile.h"
#include "auth.h"
#include "canohost.h"
#ifdef GSSAPI
@@ -141,10 +142,24 @@
hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost,
Key *key)
{
+ char *fp;
const char *resolvedname, *ipaddr, *lookup;
HostStatus host_status;
int len;
+ if (blacklisted_key(key)) {
+ fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
+ if (options.permit_blacklisted_keys)
+ logit("Public key %s blacklisted (see "
+ "ssh-vulnkey(1)); continuing anyway", fp);
+ else
+ logit("Public key %s blacklisted (see "
+ "ssh-vulnkey(1))", fp);
+ xfree(fp);
+ if (!options.permit_blacklisted_keys)
+ return 0;
+ }
+
resolvedname = get_canonical_hostname(options.use_dns);
ipaddr = get_remote_ipaddr();
Index: servconf.h
===================================================================
RCS file: /home/cvs/src/crypto/openssh/servconf.h,v
retrieving revision 1.5
retrieving revision 1.6
diff -L crypto/openssh/servconf.h -L crypto/openssh/servconf.h -u -r1.5 -r1.6
--- crypto/openssh/servconf.h
+++ crypto/openssh/servconf.h
@@ -95,6 +95,7 @@
* authentication. */
int kbd_interactive_authentication; /* If true, permit */
int challenge_response_authentication;
+ int permit_blacklisted_keys; /* If true, permit */
int permit_empty_passwd; /* If false, do not permit empty
* passwords. */
int permit_user_env; /* If true, read ~/.ssh/environment */
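Review bot: The comment on the new field, `/* If true, permit */`, stops mid-sentence — it mirrors the truncated comment on kbd_interactive_authentication two lines above — and says nothing about what is permitted. Proposed: `int permit_blacklisted_keys; /* If true, accept keys found in the compromised-key blacklist (ssh-vulnkey(1)), logging them */`.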
Index: servconf.c
===================================================================
RCS file: /home/cvs/src/crypto/openssh/servconf.c,v
retrieving revision 1.5
retrieving revision 1.6
diff -L crypto/openssh/servconf.c -L crypto/openssh/servconf.c -u -r1.5 -r1.6
--- crypto/openssh/servconf.c
+++ crypto/openssh/servconf.c
@@ -94,6 +94,7 @@
options->password_authentication = -1;
options->kbd_interactive_authentication = -1;
options->challenge_response_authentication = -1;
+ options->permit_blacklisted_keys = -1;
options->permit_empty_passwd = -1;
options->permit_user_env = -1;
options->use_login = -1;
@@ -213,6 +214,8 @@
options->kbd_interactive_authentication = 0;
if (options->challenge_response_authentication == -1)
options->challenge_response_authentication = 1;
+ if (options->permit_blacklisted_keys == -1)
+ options->permit_blacklisted_keys = 0;
if (options->permit_empty_passwd == -1)
options->permit_empty_passwd = 0;
if (options->permit_user_env == -1)
@@ -282,7 +285,7 @@
sListenAddress, sAddressFamily,
sPrintMotd, sPrintLastLog, sIgnoreRhosts,
sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
- sStrictModes, sEmptyPasswd, sTCPKeepAlive,
+ sStrictModes, sPermitBlacklistedKeys, sEmptyPasswd, sTCPKeepAlive,
sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
@@ -372,6 +375,7 @@
{ "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
{ "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
{ "strictmodes", sStrictModes, SSHCFG_GLOBAL },
+ { "permitblacklistedkeys", sPermitBlacklistedKeys, SSHCFG_GLOBAL },
{ "permitemptypasswords", sEmptyPasswd, SSHCFG_GLOBAL },
{ "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL },
{ "uselogin", sUseLogin, SSHCFG_GLOBAL },
@@ -923,6 +927,10 @@
intptr = &options->tcp_keep_alive;
goto parse_flag;
+ case sPermitBlacklistedKeys:
+ intptr = &options->permit_blacklisted_keys;
+ goto parse_flag;
+
case sEmptyPasswd:
intptr = &options->permit_empty_passwd;
goto parse_flag;
Index: pathnames.h
===================================================================
RCS file: /home/cvs/src/crypto/openssh/pathnames.h,v
retrieving revision 1.1.1.2
retrieving revision 1.2
diff -L crypto/openssh/pathnames.h -L crypto/openssh/pathnames.h -u -r1.1.1.2 -r1.2
--- crypto/openssh/pathnames.h
+++ crypto/openssh/pathnames.h
@@ -43,6 +43,8 @@
/* Backwards compatibility */
#define _PATH_DH_PRIMES SSHDIR "/primes"
+#define _PATH_BLACKLIST SSHDIR "/blacklist"
+
#ifndef _PATH_SSH_PROGRAM
#define _PATH_SSH_PROGRAM "/usr/bin/ssh"
#endif