Line
|
0 |
-- openssh-5.0p1/Makefile.in |
0 |
++ openssh-5.0p1/Makefile.in |
Lines 62-68
|
62 |
|
62 |
|
63 |
TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-agent$(EXEEXT) scp$(EXEEXT) ssh-rand-helper${EXEEXT} sftp-server$(EXEEXT) sftp$(EXEEXT) |
63 |
TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-agent$(EXEEXT) scp$(EXEEXT) ssh-rand-helper${EXEEXT} sftp-server$(EXEEXT) sftp$(EXEEXT) |
64 |
|
64 |
|
65 |
LIBSSH_OBJS=acss.o authfd.o authfile.o bufaux.o bufbn.o buffer.o \ |
65 |
LIBSSH_OBJS=acss.o authfd.o authfile.o blacklist.o bufaux.o bufbn.o buffer.o \ |
66 |
canohost.o channels.o cipher.o cipher-acss.o cipher-aes.o \ |
66 |
canohost.o channels.o cipher.o cipher-acss.o cipher-aes.o \ |
67 |
cipher-bf1.o cipher-ctr.o cipher-3des1.o cleanup.o \ |
67 |
cipher-bf1.o cipher-ctr.o cipher-3des1.o cleanup.o \ |
68 |
compat.o compress.o crc32.o deattack.o fatal.o hostfile.o \ |
68 |
compat.o compress.o crc32.o deattack.o fatal.o hostfile.o \ |
69 |
-- openssh-5.0p1/auth-rh-rsa.c |
69 |
++ openssh-5.0p1/auth-rh-rsa.c |
Lines 34-39
|
34 |
#include "ssh-gss.h" |
34 |
#include "ssh-gss.h" |
35 |
#endif |
35 |
#endif |
36 |
#include "monitor_wrap.h" |
36 |
#include "monitor_wrap.h" |
|
|
37 |
#include "blacklist.h" |
37 |
|
38 |
|
38 |
/* import */ |
39 |
/* import */ |
39 |
extern ServerOptions options; |
40 |
extern ServerOptions options; |
Lines 48-53
|
48 |
if (!auth_rhosts(pw, cuser)) |
49 |
if (!auth_rhosts(pw, cuser)) |
49 |
return 0; |
50 |
return 0; |
50 |
|
51 |
|
|
|
52 |
if (blacklisted_key(client_host_key, 0)) |
53 |
return 0; |
54 |
|
51 |
host_status = check_key_in_hostfiles(pw, client_host_key, |
55 |
host_status = check_key_in_hostfiles(pw, client_host_key, |
52 |
chost, _PATH_SSH_SYSTEM_HOSTFILE, |
56 |
chost, _PATH_SSH_SYSTEM_HOSTFILE, |
53 |
options.ignore_user_known_hosts ? NULL : _PATH_SSH_USER_HOSTFILE); |
57 |
options.ignore_user_known_hosts ? NULL : _PATH_SSH_USER_HOSTFILE); |
54 |
-- openssh-5.0p1/auth-rsa.c |
58 |
++ openssh-5.0p1/auth-rsa.c |
Lines 47-52
|
47 |
#include "monitor_wrap.h" |
47 |
#include "monitor_wrap.h" |
48 |
#include "ssh.h" |
48 |
#include "ssh.h" |
49 |
#include "misc.h" |
49 |
#include "misc.h" |
|
|
50 |
#include "blacklist.h" |
50 |
|
51 |
|
51 |
/* import */ |
52 |
/* import */ |
52 |
extern ServerOptions options; |
53 |
extern ServerOptions options; |
Lines 265-270
|
265 |
"actual %d vs. announced %d.", |
272 |
"actual %d vs. announced %d.", |
266 |
file, linenum, BN_num_bits(key->rsa->n), bits); |
273 |
file, linenum, BN_num_bits(key->rsa->n), bits); |
267 |
|
274 |
|
|
|
275 |
if (blacklisted_key(key, 0)) |
276 |
continue; |
277 |
|
268 |
/* We have found the desired key. */ |
278 |
/* We have found the desired key. */ |
269 |
/* |
279 |
/* |
270 |
* If our options do not allow this key to be used, |
280 |
* If our options do not allow this key to be used, |
271 |
-- openssh-5.0p1/auth2-hostbased.c |
281 |
++ openssh-5.0p1/auth2-hostbased.c |
Lines 47-52
|
47 |
#endif |
47 |
#endif |
48 |
#include "monitor_wrap.h" |
48 |
#include "monitor_wrap.h" |
49 |
#include "pathnames.h" |
49 |
#include "pathnames.h" |
|
|
50 |
#include "blacklist.h" |
50 |
|
51 |
|
51 |
/* import */ |
52 |
/* import */ |
52 |
extern ServerOptions options; |
53 |
extern ServerOptions options; |
Lines 145-150
|
145 |
HostStatus host_status; |
146 |
HostStatus host_status; |
146 |
int len; |
147 |
int len; |
147 |
|
148 |
|
|
|
149 |
if (blacklisted_key(key, 0)) |
150 |
return 0; |
151 |
|
148 |
resolvedname = get_canonical_hostname(options.use_dns); |
152 |
resolvedname = get_canonical_hostname(options.use_dns); |
149 |
ipaddr = get_remote_ipaddr(); |
153 |
ipaddr = get_remote_ipaddr(); |
150 |
|
154 |
|
151 |
-- openssh-5.0p1/auth2-pubkey.c |
155 |
++ openssh-5.0p1/auth2-pubkey.c |
Lines 52-57
|
52 |
#endif |
52 |
#endif |
53 |
#include "monitor_wrap.h" |
53 |
#include "monitor_wrap.h" |
54 |
#include "misc.h" |
54 |
#include "misc.h" |
|
|
55 |
#include "blacklist.h" |
55 |
|
56 |
|
56 |
/* import */ |
57 |
/* import */ |
57 |
extern ServerOptions options; |
58 |
extern ServerOptions options; |
Lines 272-277
|
272 |
int success; |
273 |
int success; |
273 |
char *file; |
274 |
char *file; |
274 |
|
275 |
|
|
|
276 |
if (blacklisted_key(key, 0)) |
277 |
return 0; |
278 |
|
275 |
file = authorized_keys_file(pw); |
279 |
file = authorized_keys_file(pw); |
276 |
success = user_key_allowed2(pw, key, file); |
280 |
success = user_key_allowed2(pw, key, file); |
277 |
xfree(file); |
281 |
xfree(file); |
278 |
-- /dev/null |
282 |
++ openssh-5.0p1/blacklist.c |
Line 0
|
0 |
-- /dev/null |
1 |
/* |
|
|
2 |
* Support for RSA/DSA key blacklisting based on partial fingerprints, |
3 |
* developed under Openwall Project for Owl - http://www.openwall.com/Owl/ |
4 |
* |
5 |
* Copyright (c) 2008 Dmitry V. Levin <ldv at cvs.openwall.com> |
6 |
* |
7 |
* Permission to use, copy, modify, and distribute this software for any |
8 |
* purpose with or without fee is hereby granted, provided that the above |
9 |
* copyright notice and this permission notice appear in all copies. |
10 |
* |
11 |
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES |
12 |
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF |
13 |
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR |
14 |
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES |
15 |
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN |
16 |
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF |
17 |
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. |
18 |
* |
19 |
* The blacklist encoding was designed by Solar Designer and Dmitry V. Levin. |
20 |
* No intellectual property rights to the encoding scheme are claimed. |
21 |
* |
22 |
* This effort was supported by CivicActions - http://www.civicactions.com |
23 |
* |
24 |
* The file size to encode 294,903 of 48-bit fingerprints is just 1.3 MB, |
25 |
* which corresponds to less than 4.5 bytes per fingerprint. |
26 |
*/ |
27 |
|
28 |
#include "includes.h" |
29 |
#include <string.h> |
30 |
#include <unistd.h> |
31 |
#include <errno.h> |
32 |
#include <fcntl.h> |
33 |
|
34 |
#include "atomicio.h" |
35 |
#include "blacklist.h" |
36 |
#include "canohost.h" |
37 |
#include "log.h" |
38 |
#include "pathnames.h" |
39 |
#include "servconf.h" |
40 |
#include "xmalloc.h" |
41 |
|
42 |
extern ServerOptions options; |
43 |
|
44 |
typedef struct |
45 |
{ |
46 |
/* format version identifier */ |
47 |
char version[8]; |
48 |
/* index size, in bits */ |
49 |
uint8_t index_size; |
50 |
/* offset size, in bits */ |
51 |
uint8_t offset_size; |
52 |
/* record size, in bits */ |
53 |
uint8_t record_bits; |
54 |
/* number of records */ |
55 |
uint8_t records[3]; |
56 |
/* offset shift */ |
57 |
uint8_t shift[2]; |
58 |
|
59 |
} __attribute__((packed)) blacklist_header; |
60 |
|
61 |
static unsigned |
62 |
c2u(uint8_t c) |
63 |
{ |
64 |
return (c >= 'a') ? (c - 'a' + 10) : (c - '0'); |
65 |
} |
66 |
|
67 |
static blacklist_error_t |
68 |
validate_blacklist(const char *fname, int fd, unsigned *bytes, |
69 |
unsigned *records, unsigned *shift) |
70 |
{ |
71 |
unsigned expected; |
72 |
struct stat st; |
73 |
blacklist_header header; |
74 |
|
75 |
if (fstat(fd, &st)) { |
76 |
error("fstat for blacklist file %s failed: %m", fname); |
77 |
return BLACKLIST_ERROR_ACCESS; |
78 |
} |
79 |
|
80 |
if (atomicio(read, fd, &header, sizeof(header)) != sizeof(header)) { |
81 |
error("read blacklist file %s header failed: %m", fname); |
82 |
return BLACKLIST_ERROR_ACCESS; |
83 |
} |
84 |
|
85 |
if (memcmp(header.version, "SSH-FP", 6)) { |
86 |
error("blacklist file %s has unrecognized format", fname); |
87 |
return BLACKLIST_ERROR_FORMAT; |
88 |
} |
89 |
|
90 |
if (header.index_size != 16 || header.offset_size != 16 || |
91 |
memcmp(header.version, "SSH-FP00", 8)) { |
92 |
error("blacklist file %s has unsupported format", fname); |
93 |
return BLACKLIST_ERROR_VERSION; |
94 |
} |
95 |
|
96 |
*bytes = (header.record_bits >> 3) - 2; |
97 |
*records = |
98 |
(((header.records[0] << 8) + |
99 |
header.records[1]) << 8) + header.records[2]; |
100 |
*shift = (header.shift[0] << 8) + header.shift[1]; |
101 |
|
102 |
expected = sizeof(header) + 0x20000 + (*records) * (*bytes); |
103 |
if (st.st_size != expected) { |
104 |
error("blacklist file %s size mismatch: " |
105 |
"expected size %u, found size %lu", |
106 |
fname, expected, (unsigned long) st.st_size); |
107 |
return BLACKLIST_ERROR_ACCESS; |
108 |
} |
109 |
|
110 |
return BLACKLIST_ERROR_NONE; |
111 |
} |
112 |
|
113 |
static int |
114 |
expected_offset(uint16_t index, uint16_t shift, unsigned records) |
115 |
{ |
116 |
return ((index * (long long) records) >> 16) - shift; |
117 |
} |
118 |
|
119 |
static int |
120 |
xlseek(const char *fname, int fd, unsigned seek) |
121 |
{ |
122 |
if (lseek(fd, seek, SEEK_SET) != seek) { |
123 |
error("lseek for blacklist file %s failed: %m", fname); |
124 |
return BLACKLIST_ERROR_ACCESS; |
125 |
} |
126 |
return BLACKLIST_ERROR_NONE; |
127 |
} |
128 |
|
129 |
static blacklist_error_t |
130 |
check(const char *fname, int fd, const char *s) |
131 |
{ |
132 |
unsigned bytes, records, shift; |
133 |
unsigned num, i, j; |
134 |
int off_start, off_end; |
135 |
blacklist_error_t rc; |
136 |
uint16_t index; |
137 |
/* max number of bytes stored in record_bits, minus two bytes used for index */ |
138 |
uint8_t buf[(0xff >> 3) - 2]; |
139 |
|
140 |
if ((rc = validate_blacklist(fname, fd, &bytes, &records, &shift))) |
141 |
return rc; |
142 |
|
143 |
index = (((((c2u(s[0]) << 4) | c2u(s[1])) << 4) | |
144 |
c2u(s[2])) << 4) | c2u(s[3]); |
145 |
if (xlseek(fname, fd, sizeof(blacklist_header) + index * 2)) |
146 |
return BLACKLIST_ERROR_ACCESS; |
147 |
|
148 |
if (atomicio(read, fd, buf, 4) != 4) { |
149 |
error("read blacklist file %s offsets failed: %m", fname); |
150 |
return BLACKLIST_ERROR_ACCESS; |
151 |
} |
152 |
|
153 |
off_start = (buf[0] << 8) + buf[1] + |
154 |
expected_offset(index, shift, records); |
155 |
if (off_start < 0 || (unsigned) off_start > records) { |
156 |
error("blacklist file %s off_start overflow [%d] for index %#x", |
157 |
fname, off_start, index); |
158 |
return BLACKLIST_ERROR_ACCESS; |
159 |
} |
160 |
if (index < 0xffff) { |
161 |
off_end = (buf[2] << 8) + buf[3] + |
162 |
expected_offset(index + 1, shift, records); |
163 |
if (off_end < off_start || (unsigned) off_end > records) { |
164 |
error("blacklist file %s off_end overflow [%d] for index %#x", |
165 |
fname, off_end, index); |
166 |
return BLACKLIST_ERROR_ACCESS; |
167 |
} |
168 |
} else |
169 |
off_end = records; |
170 |
|
171 |
if (xlseek(fname, fd, |
172 |
sizeof(blacklist_header) + 0x20000 + off_start * bytes)) |
173 |
return BLACKLIST_ERROR_ACCESS; |
174 |
|
175 |
num = off_end - off_start; |
176 |
for (i = 0; i < num; ++i) { |
177 |
if (atomicio(read, fd, buf, bytes) != bytes) { |
178 |
error("read blacklist file %s fingerprints failed: %m", |
179 |
fname); |
180 |
return BLACKLIST_ERROR_ACCESS; |
181 |
} |
182 |
|
183 |
for (j = 0; j < bytes; ++j) |
184 |
if (((c2u(s[4 + j * 2]) << 4) | c2u(s[5 + j * 2])) != |
185 |
buf[j]) |
186 |
break; |
187 |
if (j >= bytes) { |
188 |
debug("blacklisted fingerprint: %s offset=%u, number=%u", |
189 |
s, off_start, i); |
190 |
return BLACKLIST_ERROR_ALL; |
191 |
} |
192 |
} |
193 |
|
194 |
debug("non-blacklisted fingerprint: %s offset=%u, number=%u", |
195 |
s, off_start, num); |
196 |
return BLACKLIST_ERROR_NONE; |
197 |
} |
198 |
|
199 |
static blacklist_error_t |
200 |
blacklisted_fingerprint(const char *hex) |
201 |
{ |
202 |
int fd = -1; |
203 |
blacklist_error_t rc = BLACKLIST_ERROR_ACCESS; |
204 |
const char *fname = _PATH_BLACKLIST; |
205 |
char *s, *p; |
206 |
|
207 |
debug("Checking fingerprint %s using blacklist file %s", hex, fname); |
208 |
|
209 |
s = xstrdup(hex); |
210 |
for (p = s; *hex; ++hex) |
211 |
if (*hex != ':') |
212 |
*p++ = *hex; |
213 |
*p = '\0'; |
214 |
|
215 |
if (strlen(s) != 32 || strlen(s) != strspn(s, "0123456789abcdef")) { |
216 |
error("%s: invalid fingerprint", s); |
217 |
goto out; |
218 |
} |
219 |
|
220 |
if ((fd = open(fname, O_RDONLY)) < 0) { |
221 |
if (ENOENT == errno) { |
222 |
rc = BLACKLIST_ERROR_MISSING; |
223 |
verbose("open blacklist file %s failed: %m", fname); |
224 |
} else |
225 |
logit("open blacklist file %s failed: %m", fname); |
226 |
goto out; |
227 |
} |
228 |
|
229 |
rc = check(fname, fd, s); |
230 |
|
231 |
out: |
232 |
close(fd); |
233 |
xfree(s); |
234 |
return rc; |
235 |
} |
236 |
|
237 |
int |
238 |
blacklisted_key(Key *key, int hostkey) |
239 |
{ |
240 |
int rc; |
241 |
const char *text; |
242 |
char *fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); |
243 |
|
244 |
switch ((rc = blacklisted_fingerprint(fp))) { |
245 |
case BLACKLIST_ERROR_NONE: |
246 |
break; |
247 |
case BLACKLIST_ERROR_ALL: |
248 |
text = (options.ignore_blacklist_errors == rc) ? |
249 |
"Permitted" : "Rejected"; |
250 |
if (hostkey) |
251 |
logit("%s blacklisted host key %s", text, fp); |
252 |
else |
253 |
logit("%s blacklisted public key %s from %.100s", |
254 |
text, fp, get_remote_ipaddr()); |
255 |
break; |
256 |
default: |
257 |
if (hostkey) |
258 |
logit("Unable to check blacklist for host key %s", |
259 |
fp); |
260 |
else |
261 |
logit("Unable to check blacklist for public key %s from %.100s", |
262 |
fp, get_remote_ipaddr()); |
263 |
} |
264 |
|
265 |
xfree(fp); |
266 |
return (rc > options.ignore_blacklist_errors); |
267 |
} |
|
|
268 |
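Review bot: validate_blacklist() (new lines 96–108) accepts any `header.record_bits`, so `*bytes` either wraps to a huge unsigned when record_bits is below 16 or exceeds the 14 fingerprint bytes left after the 4 hex index digits when record_bits is above 128; in the latter case check()'s `c2u(s[4 + j * 2])` at new line 184 reads past the 32-character fingerprint string that blacklisted_fingerprint() validated at line 215. The size comparison at line 103 does not close this, because `expected` is computed in wrapping unsigned arithmetic. Reject the header before deriving `*bytes`, e.g. `if (header.record_bits < 16 || header.record_bits > 128 || (header.record_bits & 7)) { error("blacklist file %s has unsupported record size", fname); return BLACKLIST_ERROR_FORMAT; }`. The blacklist lives under SSHDIR and is administrator-controlled, so this is a robustness issue rather than a remotely reachable one, but the parser should not trust the header for its own buffer and string bounds. Separately, blacklisted_fingerprint() reaches `close(fd)` with fd still -1 on the invalid-fingerprint path; `if (fd >= 0) close(fd);` avoids the spurious EBADF.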
++ openssh-5.0p1/blacklist.h |
Line 0
|
0 |
-- openssh-5.0p1/pathnames.h |
1 |
/* |
|
|
2 |
* Support for RSA/DSA key blacklisting based on partial fingerprints, |
3 |
* developed under Openwall Project for Owl - http://www.openwall.com/Owl/ |
4 |
* |
5 |
* Copyright (c) 2008 Dmitry V. Levin <ldv at cvs.openwall.com> |
6 |
* |
7 |
* Permission to use, copy, modify, and distribute this software for any |
8 |
* purpose with or without fee is hereby granted, provided that the above |
9 |
* copyright notice and this permission notice appear in all copies. |
10 |
* |
11 |
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES |
12 |
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF |
13 |
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR |
14 |
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES |
15 |
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN |
16 |
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF |
17 |
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. |
18 |
*/ |
19 |
|
20 |
#ifndef BLACKLIST_H_ |
21 |
#define BLACKLIST_H_ |
22 |
|
23 |
#include "key.h" |
24 |
|
25 |
int blacklisted_key(Key *, int); |
26 |
|
27 |
typedef enum |
28 |
{ |
29 |
BLACKLIST_ERROR_NONE = 0, |
30 |
BLACKLIST_ERROR_MISSING, |
31 |
BLACKLIST_ERROR_VERSION, |
32 |
BLACKLIST_ERROR_FORMAT, |
33 |
BLACKLIST_ERROR_ACCESS, |
34 |
BLACKLIST_ERROR_ALL |
35 |
} blacklist_error_t; |
36 |
|
37 |
#endif /* BLACKLIST_H_ */ |
|
|
38 |
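Review bot: The ordering of `blacklist_error_t` (new lines 27–35) is load-bearing but undocumented: blacklisted_key() in blacklist.c decides with `return (rc > options.ignore_blacklist_errors)` and servconf.c maps the IgnoreBlacklistErrors keyword onto these constants, so inserting a value in the middle would silently change which failures are tolerated. A comment on the typedef should say so, e.g. `/* Ordered by severity. IgnoreBlacklistErrors tolerates every result <= the configured level (see blacklisted_key()), so keep this order. */`. If key_fingerprint() takes a `const Key *`, the prototype could also be `int blacklisted_key(const Key *, int);`, which documents that the callers' keys are not modified.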
++ openssh-5.0p1/pathnames.h |
Lines 43-48
|
43 |
/* Backwards compatibility */ |
43 |
/* Backwards compatibility */ |
44 |
#define _PATH_DH_PRIMES SSHDIR "/primes" |
44 |
#define _PATH_DH_PRIMES SSHDIR "/primes" |
45 |
|
45 |
|
|
|
46 |
#define _PATH_BLACKLIST SSHDIR "/blacklist" |
47 |
|
46 |
#ifndef _PATH_SSH_PROGRAM |
48 |
#ifndef _PATH_SSH_PROGRAM |
47 |
#define _PATH_SSH_PROGRAM "/usr/bin/ssh" |
49 |
#define _PATH_SSH_PROGRAM "/usr/bin/ssh" |
48 |
#endif |
50 |
#endif |
49 |
-- openssh-5.0p1/servconf.c |
51 |
++ openssh-5.0p1/servconf.c |
Lines 39-44
|
39 |
#include "match.h" |
39 |
#include "match.h" |
40 |
#include "channels.h" |
40 |
#include "channels.h" |
41 |
#include "groupaccess.h" |
41 |
#include "groupaccess.h" |
|
|
42 |
#include "blacklist.h" |
42 |
|
43 |
|
43 |
static void add_listen_addr(ServerOptions *, char *, u_short); |
44 |
static void add_listen_addr(ServerOptions *, char *, u_short); |
44 |
static void add_one_listen_addr(ServerOptions *, char *, u_short); |
45 |
static void add_one_listen_addr(ServerOptions *, char *, u_short); |
Lines 94-99
|
94 |
options->password_authentication = -1; |
95 |
options->password_authentication = -1; |
95 |
options->kbd_interactive_authentication = -1; |
96 |
options->kbd_interactive_authentication = -1; |
96 |
options->challenge_response_authentication = -1; |
97 |
options->challenge_response_authentication = -1; |
|
|
98 |
options->ignore_blacklist_errors = -1; |
97 |
options->permit_empty_passwd = -1; |
99 |
options->permit_empty_passwd = -1; |
98 |
options->permit_user_env = -1; |
100 |
options->permit_user_env = -1; |
99 |
options->use_login = -1; |
101 |
options->use_login = -1; |
Lines 213-218
|
213 |
options->kbd_interactive_authentication = 0; |
217 |
options->kbd_interactive_authentication = 0; |
214 |
if (options->challenge_response_authentication == -1) |
218 |
if (options->challenge_response_authentication == -1) |
215 |
options->challenge_response_authentication = 1; |
219 |
options->challenge_response_authentication = 1; |
|
|
220 |
if (options->ignore_blacklist_errors == -1) |
221 |
options->ignore_blacklist_errors = BLACKLIST_ERROR_ALL; //VERSION; |
216 |
if (options->permit_empty_passwd == -1) |
222 |
if (options->permit_empty_passwd == -1) |
217 |
options->permit_empty_passwd = 0; |
223 |
options->permit_empty_passwd = 0; |
218 |
if (options->permit_user_env == -1) |
224 |
if (options->permit_user_env == -1) |
Lines 282-288
|
282 |
sListenAddress, sAddressFamily, |
299 |
sListenAddress, sAddressFamily, |
283 |
sPrintMotd, sPrintLastLog, sIgnoreRhosts, |
300 |
sPrintMotd, sPrintLastLog, sIgnoreRhosts, |
284 |
sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost, |
301 |
sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost, |
285 |
sStrictModes, sEmptyPasswd, sTCPKeepAlive, |
302 |
sStrictModes, sIgnoreBlacklistErrors, sEmptyPasswd, sTCPKeepAlive, |
286 |
sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression, |
303 |
sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression, |
287 |
sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, |
304 |
sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, |
288 |
sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, |
305 |
sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, |
Lines 372-377
|
372 |
{ "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL }, |
390 |
{ "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL }, |
373 |
{ "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL }, |
391 |
{ "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL }, |
374 |
{ "strictmodes", sStrictModes, SSHCFG_GLOBAL }, |
392 |
{ "strictmodes", sStrictModes, SSHCFG_GLOBAL }, |
|
|
393 |
{ "ignoreblacklisterrors", sIgnoreBlacklistErrors, SSHCFG_GLOBAL }, |
375 |
{ "permitemptypasswords", sEmptyPasswd, SSHCFG_GLOBAL }, |
394 |
{ "permitemptypasswords", sEmptyPasswd, SSHCFG_GLOBAL }, |
376 |
{ "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL }, |
395 |
{ "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL }, |
377 |
{ "uselogin", sUseLogin, SSHCFG_GLOBAL }, |
396 |
{ "uselogin", sUseLogin, SSHCFG_GLOBAL }, |
Lines 923-928
|
923 |
intptr = &options->tcp_keep_alive; |
944 |
intptr = &options->tcp_keep_alive; |
924 |
goto parse_flag; |
945 |
goto parse_flag; |
925 |
|
946 |
|
|
|
947 |
case sIgnoreBlacklistErrors: |
948 |
intptr = &options->ignore_blacklist_errors; |
949 |
arg = strdelim(&cp); |
950 |
if (!arg || *arg == '\0') |
951 |
fatal("%s line %d: missing none/missing/version/format/access/all argument.", |
952 |
filename, linenum); |
953 |
value = 0; /* silence compiler */ |
954 |
if (strcmp(arg, "none") == 0) |
955 |
value = BLACKLIST_ERROR_NONE; |
956 |
else if (strcmp(arg, "missing") == 0) |
957 |
value = BLACKLIST_ERROR_MISSING; |
958 |
else if (strcmp(arg, "version") == 0) |
959 |
value = BLACKLIST_ERROR_VERSION; |
960 |
else if (strcmp(arg, "format") == 0) |
961 |
value = BLACKLIST_ERROR_FORMAT; |
962 |
else if (strcmp(arg, "access") == 0) |
963 |
value = BLACKLIST_ERROR_ACCESS; |
964 |
else if (strcmp(arg, "all") == 0) |
965 |
value = BLACKLIST_ERROR_ALL; |
966 |
else |
967 |
fatal("%s line %d: Bad none/missing/version/format/access/all argument: %s", |
968 |
filename, linenum, arg); |
969 |
if (*activep && *intptr == -1) |
970 |
*intptr = value; |
971 |
break; |
972 |
|
926 |
case sEmptyPasswd: |
973 |
case sEmptyPasswd: |
927 |
intptr = &options->permit_empty_passwd; |
974 |
intptr = &options->permit_empty_passwd; |
928 |
goto parse_flag; |
975 |
goto parse_flag; |
929 |
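Review bot: The default at new line 221, `options->ignore_blacklist_errors = BLACKLIST_ERROR_ALL; //VERSION;`, makes every blacklisted key accepted (logged as "Permitted" by blacklisted_key()) unless the administrator sets IgnoreBlacklistErrors, while the sshd_config.5 hunk in this same patch states the default is "version"; the trailing `//VERSION;` looks like a debugging leftover rather than a deliberate choice. Given `return (rc > options.ignore_blacklist_errors)` in blacklisted_key(), `options->ignore_blacklist_errors = BLACKLIST_ERROR_VERSION;` gives the documented behaviour, so either this line or the manual page needs to change. A `//` comment also appears out of place next to the `/* */` comments used elsewhere in these sources. The enclosing function starts and ends outside the hunk.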
-- openssh-5.0p1/servconf.h |
976 |
++ openssh-5.0p1/servconf.h |
Lines 95-100
|
95 |
* authentication. */ |
95 |
* authentication. */ |
96 |
int kbd_interactive_authentication; /* If true, permit */ |
96 |
int kbd_interactive_authentication; /* If true, permit */ |
97 |
int challenge_response_authentication; |
97 |
int challenge_response_authentication; |
|
|
98 |
int ignore_blacklist_errors; /* none/missing/version/format/access/all */ |
98 |
int permit_empty_passwd; /* If false, do not permit empty |
99 |
int permit_empty_passwd; /* If false, do not permit empty |
99 |
* passwords. */ |
100 |
* passwords. */ |
100 |
int permit_user_env; /* If true, read ~/.ssh/environment */ |
101 |
int permit_user_env; /* If true, read ~/.ssh/environment */ |
101 |
-- openssh-5.0p1/sshd.c |
102 |
++ openssh-5.0p1/sshd.c |
Lines 118-123
|
118 |
#include "monitor_wrap.h" |
118 |
#include "monitor_wrap.h" |
119 |
#include "monitor_fdpass.h" |
119 |
#include "monitor_fdpass.h" |
120 |
#include "version.h" |
120 |
#include "version.h" |
|
|
121 |
#include "blacklist.h" |
121 |
|
122 |
|
122 |
#ifdef LIBWRAP |
123 |
#ifdef LIBWRAP |
123 |
#include <tcpd.h> |
124 |
#include <tcpd.h> |
Lines 1484-1489
|
1484 |
sensitive_data.host_keys[i] = NULL; |
1494 |
sensitive_data.host_keys[i] = NULL; |
1485 |
continue; |
1495 |
continue; |
1486 |
} |
1496 |
} |
|
|
1497 |
if (blacklisted_key(key, 1)) { |
1498 |
sensitive_data.host_keys[i] = NULL; |
1499 |
key_free(key); |
1500 |
continue; |
1501 |
} |
1487 |
switch (key->type) { |
1502 |
switch (key->type) { |
1488 |
case KEY_RSA1: |
1503 |
case KEY_RSA1: |
1489 |
sensitive_data.ssh1_host_key = key; |
1504 |
sensitive_data.ssh1_host_key = key; |
1490 |
-- openssh-5.0p1/sshd_config.5 |
1505 |
++ openssh-5.0p1/sshd_config.5 |
Lines 611-616
|
611 |
Specifies whether password authentication is allowed. |
611 |
Specifies whether password authentication is allowed. |
612 |
The default is |
612 |
The default is |
613 |
.Dq yes . |
613 |
.Dq yes . |
|
|
614 |
.It Cm IgnoreBlacklistErrors |
615 |
Specifies whether |
616 |
.Xr sshd 8 |
617 |
should allow keys recorded in its blacklist of known-compromised keys. |
618 |
If |
619 |
.Dq all , |
620 |
then attempts to authenticate with compromised keys will be logged |
621 |
but accepted. |
622 |
If |
623 |
.Dq access , |
624 |
then attempts to authenticate with compromised keys will be rejected, |
625 |
but blacklist file access errors will be ignored. |
626 |
If |
627 |
.Dq format , |
628 |
then attempts to authenticate with compromised keys will be rejected, but |
629 |
blacklist file access errors due to missing blacklist file or blacklist |
630 |
file unrecognized format will be ignored. |
631 |
If |
632 |
.Dq version , |
633 |
then attempts to authenticate with compromised keys will be rejected, but |
634 |
blacklist file access errors due to missing blacklist file or blacklist |
635 |
file format version mismatch will be ignored. |
636 |
If |
637 |
.Dq missing , |
638 |
then attempts to authenticate with compromised keys will be rejected, |
639 |
but blacklist file access errors due to missing blacklist file will |
640 |
be ignored. |
641 |
If |
642 |
.Dq none , |
643 |
then attempts to authenticate with compromised keys, or in case of |
644 |
any blacklist file access error, will be rejected. |
645 |
The default is |
646 |
.Dq version . |
614 |
.It Cm PermitEmptyPasswords |
647 |
.It Cm PermitEmptyPasswords |
615 |
When password authentication is allowed, it specifies whether the |
648 |
When password authentication is allowed, it specifies whether the |
616 |
server allows login to accounts with empty password strings. |
649 |
server allows login to accounts with empty password strings. |