

(-)file_not_specified_in_diff (-19 / +877 lines)
0
-- openssh-4.7p1.orig/auth-rh-rsa.c
0
++ openssh-4.7p1/auth-rh-rsa.c
Lines 20-25 Link Here
20
#include <pwd.h>
20
#include <pwd.h>
21
#include <stdarg.h>
21
#include <stdarg.h>
22
22
23
#include "xmalloc.h"
23
#include "packet.h"
24
#include "packet.h"
24
#include "uidswap.h"
25
#include "uidswap.h"
25
#include "log.h"
26
#include "log.h"
Lines 27-32 Link Here
27
#include "servconf.h"
28
#include "servconf.h"
28
#include "key.h"
29
#include "key.h"
29
#include "hostfile.h"
30
#include "hostfile.h"
31
#include "authfile.h"
30
#include "pathnames.h"
32
#include "pathnames.h"
31
#include "auth.h"
33
#include "auth.h"
32
#include "canohost.h"
34
#include "canohost.h"
Lines 42-49 Link Here
42
auth_rhosts_rsa_key_allowed(struct passwd *pw, char *cuser, char *chost,
44
auth_rhosts_rsa_key_allowed(struct passwd *pw, char *cuser, char *chost,
43
    Key *client_host_key)
45
    Key *client_host_key)
44
{
46
{
47
	char *fp;
45
	HostStatus host_status;
48
	HostStatus host_status;
46
49
50
	if (blacklisted_key(client_host_key) == 1) {
51
		fp = key_fingerprint(client_host_key, SSH_FP_MD5, SSH_FP_HEX);
52
		if (options.permit_blacklisted_keys)
53
			logit("Public key %s from %s blacklisted (see "
54
			    "ssh-vulnkey(1)); continuing anyway",
55
			    fp, get_remote_ipaddr());
56
		else
57
			logit("Public key %s from %s blacklisted (see "
58
			    "ssh-vulnkey(1))",
59
			    fp, get_remote_ipaddr());
60
		xfree(fp);
61
		if (!options.permit_blacklisted_keys)
62
			return 0;
63
	}
64
47
	/* Check if we would accept it using rhosts authentication. */
65
	/* Check if we would accept it using rhosts authentication. */
48
	if (!auth_rhosts(pw, cuser))
66
	if (!auth_rhosts(pw, cuser))
49
		return 0;
67
		return 0;
50
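Review bot: blacklisted_key() returns -1 when no blacklist file is installed for the host key's type and size, and the `== 1` test in auth_rhosts_rsa_key_allowed() treats that exactly like a clean key, so an sshd with no blacklists at all (or none for an unusual size) silently provides no protection here and nothing tells the operator. Keep the result in an `int` and log the gap, e.g. `else if (bl == -1) debug("no blacklist available for %s-%u host key", key_type(client_host_key), key_size(client_host_key));`. The check runs before auth_rhosts() and before the key is matched against the known-hosts files further down, which is acceptable for the "continuing anyway" path because nothing has been granted yet. The function's body continues past this hunk.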
-- openssh-4.7p1.orig/authfile.h
68
++ openssh-4.7p1/authfile.h
Lines 23-26 Link Here
23
Key	*key_load_private_pem(int, int, const char *, char **);
23
Key	*key_load_private_pem(int, int, const char *, char **);
24
int	 key_perm_ok(int, const char *);
24
int	 key_perm_ok(int, const char *);
25
25
26
int	 blacklisted_key(const Key *key);
27
26
#endif
28
#endif
27
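Review bot: The new prototype has a three-valued result and every sshd caller in this patch tests `== 1`, so the meaning of the third value belongs at the declaration rather than only in authfile.c. Add above it `/* 1 = key is in a blacklist, 0 = not found, -1 = no blacklist file could be opened for this key type and size. */` so a future caller does not mistake -1 for "listed" or "clean".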
-- openssh-4.7p1.orig/sshd_config.5
29
++ openssh-4.7p1/sshd_config.5
Lines 563-568 Link Here
563
Specifies whether password authentication is allowed.
563
Specifies whether password authentication is allowed.
564
The default is
564
The default is
565
.Dq yes .
565
.Dq yes .
566
.It Cm PermitBlacklistedKeys
567
Specifies whether
568
.Xr sshd 8
569
should allow keys recorded in its blacklist of known-compromised keys (see
570
.Xr ssh-vulnkey 1 ) .
571
If
572
.Dq yes ,
573
then attempts to authenticate with compromised keys will be logged but
574
accepted.
575
If
576
.Dq no ,
577
then attempts to authenticate with compromised keys will be rejected.
578
The default is
579
.Dq no .
566
.It Cm PermitEmptyPasswords
580
.It Cm PermitEmptyPasswords
567
When password authentication is allowed, it specifies whether the
581
When password authentication is allowed, it specifies whether the
568
server allows login to accounts with empty password strings.
582
server allows login to accounts with empty password strings.
569
-- openssh-4.7p1.orig/ssh-vulnkey.1
583
++ openssh-4.7p1/ssh-vulnkey.1
Line 0 Link Here
0
-- openssh-4.7p1.orig/auth2-hostbased.c
1
.\" Copyright (c) 2008 Canonical Ltd.  All rights reserved.
2
.\"
3
.\" Redistribution and use in source and binary forms, with or without
4
.\" modification, are permitted provided that the following conditions
5
.\" are met:
6
.\" 1. Redistributions of source code must retain the above copyright
7
.\"    notice, this list of conditions and the following disclaimer.
8
.\" 2. Redistributions in binary form must reproduce the above copyright
9
.\"    notice, this list of conditions and the following disclaimer in the
10
.\"    documentation and/or other materials provided with the distribution.
11
.\"
12
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
13
.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
14
.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
15
.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
16
.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
17
.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
18
.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
19
.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
20
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
21
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
22
.\"
23
.Dd $Mdocdate: May 12 2008 $
24
.Dt SSH-VULNKEY 1
25
.Os
26
.Sh NAME
27
.Nm ssh-vulnkey
28
.Nd check blacklist of compromised keys
29
.Sh SYNOPSIS
30
.Nm
31
.Op Fl q | Fl v
32
.Ar file ...
33
.Nm
34
.Fl a
35
.Sh DESCRIPTION
36
.Nm
37
checks a key against a blacklist of compromised keys.
38
.Pp
39
A substantial number of keys are known to have been generated using a broken
40
version of OpenSSL distributed by Debian which failed to seed its random
41
number generator correctly.
42
Keys generated using these OpenSSL versions should be assumed to be
43
compromised.
44
This tool may be useful in checking for such keys.
45
.Pp
46
Keys that are compromised cannot be repaired; replacements must be generated
47
using
48
.Xr ssh-keygen 1 .
49
Make sure to update
50
.Pa authorized_keys
51
files on all systems where compromised keys were permitted to authenticate.
52
.Pp
53
The argument list will be interpreted as a list of paths to public key files
54
or
55
.Pa authorized_keys
56
files.
57
If no suitable file is found at a given path,
58
.Nm
59
will append
60
.Pa .pub
61
and retry, in case it was given a private key file.
62
If no files are given as arguments,
63
.Nm
64
will check
65
.Pa ~/.ssh/id_rsa ,
66
.Pa ~/.ssh/id_dsa ,
67
.Pa ~/.ssh/identity ,
68
.Pa ~/.ssh/authorized_keys
69
and
70
.Pa ~/.ssh/authorized_keys2 ,
71
as well as the system's host keys if readable.
72
.Pp
73
If
74
.Dq -
75
is given as an argument,
76
.Nm
77
will read from standard input.
78
This can be used to process output from
79
.Xr ssh-keyscan 1 ,
80
for example:
81
.Pp
82
.Dl $ ssh-keyscan -t rsa remote.example.org | ssh-vulnkey -
83
.Pp
84
Unless the
85
.Cm PermitBlacklistedKeys
86
option is used,
87
.Xr sshd 8
88
will reject attempts to authenticate with keys in the compromised list.
89
.Pp
90
The output from
91
.Nm
92
looks like this:
93
.Pp
94
.Bd -literal -offset indent
95
/etc/ssh/ssh_host_key:1: COMPROMISED: RSA1 2048 xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx root@host
96
/home/user/.ssh/id_dsa:1: Not blacklisted: DSA 1024 xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx /home/user/.ssh/id_dsa.pub
97
/home/user/.ssh/authorized_keys:3: Unknown (blacklist file not installed): RSA 1024 xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx user@host
98
.Ed
99
.Pp
100
Each line is of the following format (any lines beginning with
101
.Dq #
102
should be ignored by scripts):
103
.Pp
104
.Dl Ar filename : Ns Ar line : Ar status : Ar type Ar size Ar fingerprint Ar comment
105
.Pp
106
It is important to distinguish between the possible values of
107
.Ar status :
108
.Pp
109
.Bl -tag -width Ds
110
.It COMPROMISED
111
These keys are listed in a blacklist file, normally because their
112
corresponding private keys are well-known.
113
Replacements must be generated using
114
.Xr ssh-keygen 1 .
115
.It Not blacklisted
116
A blacklist file exists for this key type and size, but this key is not
117
listed in it.
118
Unless there is some particular reason to believe otherwise, this key
119
may be used safely.
120
(Note that DSA keys used with the broken version of OpenSSL distributed
121
by Debian may be compromised in the event that anyone captured a network
122
trace, even if they were generated with a secure version of OpenSSL.)
123
.It Unknown (blacklist file not installed)
124
No blacklist file exists for this key type and size.
125
You should find a suitable published blacklist and install it before
126
deciding whether this key is safe to use.
127
.El
128
.Pp
129
The options are as follows:
130
.Bl -tag -width Ds
131
.It Fl a
132
Check keys of all users on the system.
133
You will typically need to run
134
.Nm
135
as root to use this option.
136
For each user,
137
.Nm
138
will check
139
.Pa ~/.ssh/id_rsa ,
140
.Pa ~/.ssh/id_dsa ,
141
.Pa ~/.ssh/identity ,
142
.Pa ~/.ssh/authorized_keys
143
and
144
.Pa ~/.ssh/authorized_keys2 .
145
It will also check the system's host keys.
146
.It Fl q
147
Quiet mode.
148
Normally,
149
.Nm
150
outputs the fingerprint of each key scanned, with a description of its
151
status.
152
This option suppresses that output.
153
.It Fl v
154
Verbose mode.
155
Normally,
156
.Nm
157
does not output anything for keys that are not listed in their corresponding
158
blacklist file (although it still produces output for keys for which there
159
is no blacklist file, since their status is unknown).
160
This option causes
161
.Nm
162
to produce output for all keys.
163
.El
164
.Sh EXIT STATUS
165
.Nm
166
will exit zero if any of the given keys were in the compromised list,
167
otherwise non-zero.
168
.Sh BLACKLIST FILE FORMAT
169
The blacklist file may start with comments, on lines starting with
170
.Dq # .
171
After these initial comments, it must follow a strict format:
172
.Pp
173
.Bl -bullet -offset indent -compact
174
.It
175
All the lines must be exactly the same length (20 characters followed by a
176
newline) and must be in sorted order.
177
.It
178
Each line must consist of the lower-case hexadecimal MD5 key fingerprint,
179
without colons, and with the first 12 characters removed (that is, the least
180
significant 80 bits of the fingerprint).
181
.El
182
.Pp
183
The key fingerprint may be generated using
184
.Xr ssh-keygen 1 :
185
.Pp
186
.Dl $ ssh-keygen -l -f /path/to/key
187
.Pp
188
This strict format is necessary to allow the blacklist file to be checked
189
quickly, using a binary-search algorithm.
190
.Sh FILES
191
.Bl -tag -width Ds
192
.It Pa ~/.ssh/id_rsa
193
If present, contains the protocol version 2 RSA authentication identity of
194
the user.
195
.It Pa ~/.ssh/id_dsa
196
If present, contains the protocol version 2 DSA authentication identity of
197
the user.
198
.It Pa ~/.ssh/identity
199
If present, contains the protocol version 1 RSA authentication identity of
200
the user.
201
.It Pa ~/.ssh/authorized_keys
202
If present, lists the public keys (RSA/DSA) that can be used for logging in
203
as this user.
204
.It Pa ~/.ssh/authorized_keys2
205
Obsolete name for
206
.Pa ~/.ssh/authorized_keys .
207
This file may still be present on some old systems, but should not be
208
created if it is missing.
209
.It Pa /etc/ssh/ssh_host_rsa_key
210
If present, contains the protocol version 2 RSA identity of the system.
211
.It Pa /etc/ssh/ssh_host_dsa_key
212
If present, contains the protocol version 2 DSA identity of the system.
213
.It Pa /etc/ssh/ssh_host_key
214
If present, contains the protocol version 1 RSA identity of the system.
215
.It Pa /usr/share/ssh/blacklist. Ns Ar TYPE Ns Pa - Ns Ar LENGTH
216
If present, lists the blacklisted keys of type
217
.Ar TYPE
218
.Pf ( Dq RSA
219
or
220
.Dq DSA )
221
and bit length
222
.Ar LENGTH .
223
The format of this file is described above.
224
RSA1 keys are converted to RSA before being checked in the blacklist.
225
Note that the fingerprints of RSA1 keys are computed differently, so you
226
will not be able to find them in the blacklist by hand.
227
.It Pa /etc/ssh/blacklist. Ns Ar TYPE Ns Pa - Ns Ar LENGTH
228
Same as
229
.Pa /usr/share/ssh/blacklist. Ns Ar TYPE Ns Pa - Ns Ar LENGTH ,
230
but may be edited by the system administrator to add new blacklist entries.
231
.El
232
.Sh SEE ALSO
233
.Xr ssh-keygen 1 ,
234
.Xr sshd 8
235
.Sh AUTHORS
236
.An -nosplit
237
.An Colin Watson Aq cjwatson@ubuntu.com
238
.Pp
239
Florian Weimer suggested the option to check keys of all users, and the idea
240
of processing
241
.Xr ssh-keyscan 1
242
output.
243
++ openssh-4.7p1/auth2-hostbased.c
Lines 40-45 Link Here
40
#include "compat.h"
40
#include "compat.h"
41
#include "key.h"
41
#include "key.h"
42
#include "hostfile.h"
42
#include "hostfile.h"
43
#include "authfile.h"
43
#include "auth.h"
44
#include "auth.h"
44
#include "canohost.h"
45
#include "canohost.h"
45
#ifdef GSSAPI
46
#ifdef GSSAPI
Lines 141-150 Link Here
141
hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost,
142
hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost,
142
    Key *key)
143
    Key *key)
143
{
144
{
145
	char *fp;
144
	const char *resolvedname, *ipaddr, *lookup;
146
	const char *resolvedname, *ipaddr, *lookup;
145
	HostStatus host_status;
147
	HostStatus host_status;
146
	int len;
148
	int len;
147
149
150
	if (blacklisted_key(key) == 1) {
151
		fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
152
		if (options.permit_blacklisted_keys)
153
			logit("Public key %s from %s blacklisted (see "
154
			    "ssh-vulnkey(1)); continuing anyway",
155
			    fp, get_remote_ipaddr());
156
		else
157
			logit("Public key %s from %s blacklisted (see "
158
			    "ssh-vulnkey(1))",
159
			    fp, get_remote_ipaddr());
160
		xfree(fp);
161
		if (!options.permit_blacklisted_keys)
162
			return 0;
163
	}
164
148
	resolvedname = get_canonical_hostname(options.use_dns);
165
	resolvedname = get_canonical_hostname(options.use_dns);
149
	ipaddr = get_remote_ipaddr();
166
	ipaddr = get_remote_ipaddr();
150
167
151
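Review bot: The two logit() branches in hostbased_key_allowed() differ only in the `; continuing anyway` suffix, so one call with the suffix chosen by the option keeps a single string to maintain: `logit("Public key %s from %s blacklisted (see ssh-vulnkey(1))%s", fp, get_remote_ipaddr(), options.permit_blacklisted_keys ? "; continuing anyway" : "");`. The same duplicated shape appears in auth-rh-rsa.c and auth-rsa.c in this patch. The check is placed before the client-supplied host name is resolved and before the key is looked up in known_hosts (outside the hunk), so the fingerprint is logged for any unauthenticated peer that presents a blacklisted key — useful for detection, and worth a one-line comment saying that ordering is deliberate. The function's body continues past this hunk.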
-- openssh-4.7p1.orig/sshd.c
168
++ openssh-4.7p1/sshd.c
Lines 1457-1462 Link Here
1457
1457
1458
	for (i = 0; i < options.num_host_key_files; i++) {
1458
	for (i = 0; i < options.num_host_key_files; i++) {
1459
		key = key_load_private(options.host_key_files[i], "", NULL);
1459
		key = key_load_private(options.host_key_files[i], "", NULL);
1460
		if (key && blacklisted_key(key) == 1) {
1461
			char *fp;
1462
			fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
1463
			if (options.permit_blacklisted_keys)
1464
				error("Host key %s blacklisted (see "
1465
				    "ssh-vulnkey(1)); continuing anyway", fp);
1466
			else
1467
				error("Host key %s blacklisted (see "
1468
				    "ssh-vulnkey(1))", fp);
1469
			xfree(fp);
1470
			if (!options.permit_blacklisted_keys) {
1471
				sensitive_data.host_keys[i] = NULL;
1472
				continue;
1473
			}
1474
		}
1460
		sensitive_data.host_keys[i] = key;
1475
		sensitive_data.host_keys[i] = key;
1461
		if (key == NULL) {
1476
		if (key == NULL) {
1462
			error("Could not load host key: %s",
1477
			error("Could not load host key: %s",
1463
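Review bot: A blacklisted host key is dropped without being freed: after `sensitive_data.host_keys[i] = NULL; continue;` the Key returned by key_load_private() is never key_free()d, so the compromised private key material stays in the daemon's memory for its lifetime; add `key_free(key);` before the NULL assignment. The message should also name the file, since the administrator has to know which key to regenerate: `error("Host key %s (%s) blacklisted (see ssh-vulnkey(1))", options.host_key_files[i], fp);`. The `continue` also skips whatever follows the `key == NULL` check later in this loop (outside the hunk), which is presumably where per-type bookkeeping happens — worth confirming that sshd still refuses to start when every configured host key ends up NULL rather than running with none.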
-- openssh-4.7p1.orig/authfile.c
1478
++ openssh-4.7p1/authfile.c
Lines 65-70 Link Here
65
#include "rsa.h"
65
#include "rsa.h"
66
#include "misc.h"
66
#include "misc.h"
67
#include "atomicio.h"
67
#include "atomicio.h"
68
#include "pathnames.h"
68
69
69
/* Version identification string for SSH v1 identity files. */
70
/* Version identification string for SSH v1 identity files. */
70
static const char authfile_id_string[] =
71
static const char authfile_id_string[] =
Lines 677-679 Link Here
677
	key_free(pub);
678
	key_free(pub);
678
	return NULL;
679
	return NULL;
679
}
680
}
680
-- openssh-4.7p1.orig/ssh-vulnkey.c
681
682
/* Scan a blacklist of known-vulnerable keys in blacklist_file. */
683
static int
684
blacklisted_key_in_file(const Key *key, const char *blacklist_file)
685
{
686
	int fd = -1;
687
	char *dgst_hex = NULL;
688
	char *dgst_packed = NULL, *p;
689
	int i;
690
	size_t line_len;
691
	struct stat st;
692
	char buf[256];
693
	off_t start, lower, upper;
694
	int ret = 0;
695
696
	debug("Checking blacklist file %s", blacklist_file);
697
	fd = open(blacklist_file, O_RDONLY);
698
	if (fd < 0) {
699
		ret = -1;
700
		goto out;
701
	}
702
703
	dgst_hex = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
704
	/* Remove all colons */
705
	dgst_packed = xcalloc(1, strlen(dgst_hex) + 1);
706
	for (i = 0, p = dgst_packed; dgst_hex[i]; i++)
707
		if (dgst_hex[i] != ':')
708
			*p++ = dgst_hex[i];
709
	/* Only compare least-significant 80 bits (to keep the blacklist
710
	 * size down)
711
	 */
712
	line_len = strlen(dgst_packed + 12);
713
	if (line_len > 32)
714
		goto out;
715
716
	/* Skip leading comments */
717
	start = 0;
718
	for (;;) {
719
		ssize_t r;
720
		char *newline;
721
722
		r = atomicio(read, fd, buf, sizeof(buf));
723
		if (r <= 0)
724
			goto out;
725
		if (buf[0] != '#')
726
			break;
727
728
		newline = memchr(buf, '\n', sizeof(buf));
729
		if (!newline)
730
			goto out;
731
		start += newline + 1 - buf;
732
		if (lseek(fd, start, SEEK_SET) < 0)
733
			goto out;
734
	}
735
736
	/* Initialise binary search record numbers */
737
	if (fstat(fd, &st) < 0)
738
		goto out;
739
	lower = 0;
740
	upper = (st.st_size - start) / (line_len + 1);
741
742
	while (lower != upper) {
743
		off_t cur;
744
		int cmp;
745
746
		cur = lower + (upper - lower) / 2;
747
748
		/* Read this line and compare to digest; this is
749
		 * overflow-safe since cur < max(off_t) / (line_len + 1) */
750
		if (lseek(fd, start + cur * (line_len + 1), SEEK_SET) < 0)
751
			break;
752
		if (atomicio(read, fd, buf, line_len) != line_len)
753
			break;
754
		cmp = memcmp(buf, dgst_packed + 12, line_len);
755
		if (cmp < 0) {
756
			if (cur == lower)
757
				break;
758
			lower = cur;
759
		} else if (cmp > 0) {
760
			if (cur == upper)
761
				break;
762
			upper = cur;
763
		} else {
764
			debug("Found %s in blacklist", dgst_hex);
765
			ret = 1;
766
			break;
767
		}
768
	}
769
770
out:
771
	if (dgst_packed)
772
		xfree(dgst_packed);
773
	if (dgst_hex)
774
		xfree(dgst_hex);
775
	if (fd >= 0)
776
		close(fd);
777
	return ret;
778
}
779
780
/* Scan blacklists of known-vulnerable keys. */
781
int
782
blacklisted_key(const Key *key)
783
{
784
	Key *public;
785
	char *blacklist_file;
786
	int ret, ret2;
787
788
	public = key_demote(key);
789
	if (public->type == KEY_RSA1)
790
		public->type = KEY_RSA;
791
792
	xasprintf(&blacklist_file, "%s.%s-%u",
793
	    _PATH_BLACKLIST, key_type(public), key_size(public));
794
	ret = blacklisted_key_in_file(public, blacklist_file);
795
	xfree(blacklist_file);
796
	if (ret > 0) {
797
		key_free(public);
798
		return ret;
799
	}
800
801
	xasprintf(&blacklist_file, "%s.%s-%u",
802
	    _PATH_BLACKLIST_CONFIG, key_type(public), key_size(public));
803
	ret2 = blacklisted_key_in_file(public, blacklist_file);
804
	xfree(blacklist_file);
805
	if (ret2 > ret)
806
		ret = ret2;
807
808
	key_free(public);
809
	return ret;
810
}
811
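Review bot: In blacklisted_key_in_file() the comment-skipping loop searches past the bytes it actually read: `atomicio(read, ...)` returns a short count `r` at end of file, but the newline search is `memchr(buf, '\n', sizeof(buf))`, so for a file shorter than 256 bytes it scans uninitialised stack and can derive `start` from a stale byte; use `newline = memchr(buf, '\n', r);`. Separately, every failure after open() — a comment line longer than the buffer, a missing newline, an fstat or lseek error, a short read of a record — leaves `ret` at 0, so a corrupt or half-written blacklist reports "not blacklisted" rather than "unknown"; setting `ret = -1` on those paths, as the open() failure already does, would make ssh-vulnkey flag the file as unusable and leaves sshd unchanged since it only acts on 1. The fixed-line-length, sorted-file contract is otherwise unchecked, so a hand-edited /etc/ssh/blacklist.* with one line of the wrong length silently never matches anything after it; a debug() when `(st.st_size - start) % (line_len + 1) != 0` would catch the common case cheaply.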
++ openssh-4.7p1/ssh-vulnkey.c
Line 0 Link Here
0
-- openssh-4.7p1.orig/servconf.c
1
/*
2
 * Copyright (c) 2008 Canonical Ltd.  All rights reserved.
3
 *
4
 * Redistribution and use in source and binary forms, with or without
5
 * modification, are permitted provided that the following conditions
6
 * are met:
7
 * 1. Redistributions of source code must retain the above copyright
8
 *    notice, this list of conditions and the following disclaimer.
9
 * 2. Redistributions in binary form must reproduce the above copyright
10
 *    notice, this list of conditions and the following disclaimer in the
11
 *    documentation and/or other materials provided with the distribution.
12
 *
13
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
14
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
15
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
16
 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
17
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
18
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
19
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
20
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
21
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
22
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
23
 */
24
25
#include "includes.h"
26
27
#include <sys/types.h>
28
#include <sys/stat.h>
29
30
#include <errno.h>
31
#include <string.h>
32
#include <stdio.h>
33
#include <fcntl.h>
34
#include <unistd.h>
35
36
#include <openssl/evp.h>
37
38
#include "xmalloc.h"
39
#include "ssh.h"
40
#include "log.h"
41
#include "key.h"
42
#include "authfile.h"
43
#include "pathnames.h"
44
#include "uidswap.h"
45
#include "misc.h"
46
47
extern char *__progname;
48
49
/* Default files to check */
50
static char *default_host_files[] = {
51
	_PATH_HOST_RSA_KEY_FILE,
52
	_PATH_HOST_DSA_KEY_FILE,
53
	_PATH_HOST_KEY_FILE,
54
	NULL
55
};
56
static char *default_files[] = {
57
	_PATH_SSH_CLIENT_ID_RSA,
58
	_PATH_SSH_CLIENT_ID_DSA,
59
	_PATH_SSH_CLIENT_IDENTITY,
60
	_PATH_SSH_USER_PERMITTED_KEYS,
61
	_PATH_SSH_USER_PERMITTED_KEYS2,
62
	NULL
63
};
64
65
static int verbosity = 0;
66
67
static void
68
usage(void)
69
{
70
	fprintf(stderr, "usage: %s [-aqv] [file ...]\n", __progname);
71
	fprintf(stderr, "Options:\n");
72
	fprintf(stderr, "  -a          Check keys of all users.\n");
73
	fprintf(stderr, "  -q          Quiet mode.\n");
74
	fprintf(stderr, "  -v          Verbose mode.\n");
75
	exit(1);
76
}
77
78
void
79
describe_key(const char *filename, u_long linenum, const char *msg,
80
    const Key *key, const char *comment, int min_verbosity)
81
{
82
	char *fp;
83
84
	fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
85
	if (verbosity >= min_verbosity) {
86
		if (strchr(filename, ':'))
87
			printf("\"%s\"", filename);
88
		else
89
			printf("%s", filename);
90
		printf(":%lu: %s: %s %u %s %s\n", linenum, msg,
91
		    key_type(key), key_size(key), fp, comment);
92
	}
93
	xfree(fp);
94
}
95
96
int
97
do_key(const char *filename, u_long linenum,
98
    const Key *key, const char *comment)
99
{
100
	Key *public;
101
	int blacklist_status;
102
	int ret = 1;
103
104
	public = key_demote(key);
105
	if (public->type == KEY_RSA1)
106
		public->type = KEY_RSA;
107
108
	blacklist_status = blacklisted_key(public);
109
	if (blacklist_status == -1)
110
		describe_key(filename, linenum,
111
		    "Unknown (blacklist file not installed)", key, comment, 0);
112
	else if (blacklist_status == 1) {
113
		describe_key(filename, linenum,
114
		    "COMPROMISED", key, comment, 0);
115
		ret = 0;
116
	} else
117
		describe_key(filename, linenum,
118
		    "Not blacklisted", key, comment, 1);
119
120
	key_free(public);
121
122
	return ret;
123
}
124
125
int
126
do_filename(const char *filename, int quiet_open)
127
{
128
	FILE *f;
129
	char line[SSH_MAX_PUBKEY_BYTES];
130
	char *cp;
131
	u_long linenum = 0;
132
	Key *key;
133
	char *comment = NULL;
134
	int found = 0, ret = 1;
135
136
	/* Copy much of key_load_public's logic here so that we can read
137
	 * several keys from a single file (e.g. authorized_keys).
138
	 */
139
140
	if (strcmp(filename, "-") != 0) {
141
		int save_errno;
142
		f = fopen(filename, "r");
143
		save_errno = errno;
144
		if (!f) {
145
			char pubfile[MAXPATHLEN];
146
			if (strlcpy(pubfile, filename, sizeof pubfile) <
147
			    sizeof(pubfile) &&
148
			    strlcat(pubfile, ".pub", sizeof pubfile) <
149
			    sizeof(pubfile))
150
				f = fopen(pubfile, "r");
151
		}
152
		errno = save_errno; /* earlier errno is more useful */
153
		if (!f) {
154
			if (!quiet_open)
155
				perror(filename);
156
			return -1;
157
		}
158
		if (verbosity > 0)
159
			printf("# %s\n", filename);
160
	} else
161
		f = stdin;
162
	while (read_keyfile_line(f, filename, line, sizeof(line),
163
		    &linenum) != -1) {
164
		int i;
165
		char *space;
166
		int type;
167
		char *end;
168
169
		/* Chop trailing newline. */
170
		i = strlen(line) - 1;
171
		if (line[i] == '\n')
172
			line[i] = '\0';
173
174
		/* Skip leading whitespace, empty and comment lines. */
175
		for (cp = line; *cp == ' ' || *cp == '\t'; cp++)
176
			;
177
		if (!*cp || *cp == '\n' || *cp == '#')
178
			continue;
179
180
		/* Cope with ssh-keyscan output and options in
181
		 * authorized_keys files.
182
		 */
183
		space = strchr(cp, ' ');
184
		if (!space)
185
			continue;
186
		*space = '\0';
187
		type = key_type_from_name(cp);
188
		*space = ' ';
189
		/* Leading number (RSA1) or valid type (RSA/DSA) indicates
190
		 * that we have no host name or options to skip.
191
		 */
192
		if ((strtol(cp, &end, 10) == 0 || *end != ' ') &&
193
		    type == KEY_UNSPEC) {
194
			int quoted = 0;
195
196
			for (; *cp && (quoted || (*cp != ' ' && *cp != '\t')); cp++) {
197
				if (*cp == '\\' && cp[1] == '"')
198
					cp++;	/* Skip both */
199
				else if (*cp == '"')
200
					quoted = !quoted;
201
			}
202
			/* Skip remaining whitespace. */
203
			for (; *cp == ' ' || *cp == '\t'; cp++)
204
				;
205
			if (!*cp)
206
				continue;
207
		}
208
209
		/* Read and process the key itself. */
210
		key = key_new(KEY_RSA1);
211
		if (key_read(key, &cp) == 1) {
212
			while (*cp == ' ' || *cp == '\t')
213
				cp++;
214
			if (!do_key(filename, linenum,
215
			    key, *cp ? cp : filename))
216
				ret = 0;
217
			found = 1;
218
		} else {
219
			key_free(key);
220
			key = key_new(KEY_UNSPEC);
221
			if (key_read(key, &cp) == 1) {
222
				while (*cp == ' ' || *cp == '\t')
223
					cp++;
224
				if (!do_key(filename, linenum,
225
				    key, *cp ? cp : filename))
226
					ret = 0;
227
				found = 1;
228
			}
229
		}
230
		key_free(key);
231
	}
232
	if (f != stdin)
233
		fclose(f);
234
235
	if (!found && filename) {
236
		key = key_load_public(filename, &comment);
237
		if (key) {
238
			if (!do_key(filename, 1, key, comment))
239
				ret = 0;
240
			found = 1;
241
		}
242
		if (comment)
243
			xfree(comment);
244
	}
245
246
	return ret;
247
}
248
249
int
250
do_host(int quiet_open)
251
{
252
	int i;
253
	struct stat st;
254
	int ret = 1;
255
256
	for (i = 0; default_host_files[i]; i++) {
257
		if (stat(default_host_files[i], &st) < 0 && errno == ENOENT)
258
			continue;
259
		if (!do_filename(default_host_files[i], quiet_open))
260
			ret = 0;
261
	}
262
263
	return ret;
264
}
265
266
int
267
do_user(const char *dir)
268
{
269
	int i;
270
	char *file;
271
	struct stat st;
272
	int ret = 1;
273
274
	for (i = 0; default_files[i]; i++) {
275
		xasprintf(&file, "%s/%s", dir, default_files[i]);
276
		if (stat(file, &st) < 0 && errno == ENOENT) {
277
			xfree(file);
278
			continue;
279
		}
280
		if (!do_filename(file, 0))
281
			ret = 0;
282
		xfree(file);
283
	}
284
285
	return ret;
286
}
287
288
int
289
main(int argc, char **argv)
290
{
291
	int opt, all_users = 0;
292
	int ret = 1;
293
	extern int optind;
294
295
	/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
296
	sanitise_stdfd();
297
298
	__progname = ssh_get_progname(argv[0]);
299
300
	SSLeay_add_all_algorithms();
301
	log_init(argv[0], SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_USER, 1);
302
303
	/* We don't need the RNG ourselves, but symbol references here allow
304
	 * ld to link us properly.
305
	 */
306
	init_rng();
307
	seed_rng();
308
309
	while ((opt = getopt(argc, argv, "ahqv")) != -1) {
310
		switch (opt) {
311
		case 'a':
312
			all_users = 1;
313
			break;
314
		case 'q':
315
			verbosity--;
316
			break;
317
		case 'v':
318
			verbosity++;
319
			break;
320
		case 'h':
321
		default:
322
			usage();
323
		}
324
	}
325
326
	if (all_users) {
327
		struct passwd *pw;
328
329
		if (!do_host(0))
330
			ret = 0;
331
332
		while ((pw = getpwent()) != NULL) {
333
			if (pw->pw_dir) {
334
				temporarily_use_uid(pw);
335
				if (!do_user(pw->pw_dir))
336
					ret = 0;
337
				restore_uid();
338
			}
339
		}
340
	} else if (optind == argc) {
341
		struct passwd *pw;
342
343
		if (!do_host(1))
344
			ret = 0;
345
346
		if ((pw = getpwuid(geteuid())) == NULL)
347
			fprintf(stderr, "No user found with uid %u\n",
348
			    (u_int)geteuid());
349
		else {
350
			if (!do_user(pw->pw_dir))
351
				ret = 0;
352
		}
353
	} else {
354
		while (optind < argc)
355
			if (!do_filename(argv[optind++], 0))
356
				ret = 0;
357
	}
358
359
	return ret;
360
}
361
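Review bot: describe_key() prints `comment` verbatim — the text after the key on an authorized_keys line — and under `-a` root walks every user's authorized_keys, so any user can put terminal escape sequences in a key comment and have them written to the administrator's terminal; run the comment through the `strnvis()`/vis routines portable OpenSSH ships in openbsd-compat (I cannot see from here whether this tool is linked against them) or strip non-printable bytes before printing. The `temporarily_use_uid(pw)`/`restore_uid()` bracket around do_user() is the right call, since it stops a user from pointing ~/.ssh/authorized_keys at a root-only file to have its contents echoed. A smaller issue in do_filename(): `i = strlen(line) - 1;` indexes `line[-1]` if read_keyfile_line() ever hands back an empty string (e.g. a line starting with a NUL byte — I cannot confirm from here whether that helper filters it); guard it with `if (i >= 0 && line[i] == '\n')`.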
++ openssh-4.7p1/servconf.c
Lines 212-217 Link Here
212
		options->kbd_interactive_authentication = 0;
212
		options->kbd_interactive_authentication = 0;
213
	if (options->challenge_response_authentication == -1)
213
	if (options->challenge_response_authentication == -1)
214
		options->challenge_response_authentication = 1;
214
		options->challenge_response_authentication = 1;
215
	if (options->permit_blacklisted_keys == -1)
216
		options->permit_blacklisted_keys = 0;
215
	if (options->permit_empty_passwd == -1)
217
	if (options->permit_empty_passwd == -1)
216
		options->permit_empty_passwd = 0;
218
		options->permit_empty_passwd = 0;
217
	if (options->permit_user_env == -1)
219
	if (options->permit_user_env == -1)
Lines 281-287 Link Here
281
	sListenAddress, sAddressFamily,
290
	sListenAddress, sAddressFamily,
282
	sPrintMotd, sPrintLastLog, sIgnoreRhosts,
291
	sPrintMotd, sPrintLastLog, sIgnoreRhosts,
283
	sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
292
	sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
284
	sStrictModes, sEmptyPasswd, sTCPKeepAlive,
293
	sStrictModes, sPermitBlacklistedKeys, sEmptyPasswd, sTCPKeepAlive,
285
	sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
294
	sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
286
	sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
295
	sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
287
	sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
296
	sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
Lines 371-376 Link Here
371
	{ "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
390
	{ "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
372
	{ "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
391
	{ "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
373
	{ "strictmodes", sStrictModes, SSHCFG_GLOBAL },
392
	{ "strictmodes", sStrictModes, SSHCFG_GLOBAL },
393
	{ "permitblacklistedkeys", sPermitBlacklistedKeys, SSHCFG_GLOBAL },
374
	{ "permitemptypasswords", sEmptyPasswd, SSHCFG_GLOBAL },
394
	{ "permitemptypasswords", sEmptyPasswd, SSHCFG_GLOBAL },
375
	{ "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL },
395
	{ "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL },
376
	{ "uselogin", sUseLogin, SSHCFG_GLOBAL },
396
	{ "uselogin", sUseLogin, SSHCFG_GLOBAL },
Lines 919-924 Link Here
919
		intptr = &options->tcp_keep_alive;
947
		intptr = &options->tcp_keep_alive;
920
		goto parse_flag;
948
		goto parse_flag;
921
949
950
	case sPermitBlacklistedKeys:
951
		intptr = &options->permit_blacklisted_keys;
952
		goto parse_flag;
953
922
	case sEmptyPasswd:
954
	case sEmptyPasswd:
923
		intptr = &options->permit_empty_passwd;
955
		intptr = &options->permit_empty_passwd;
924
		goto parse_flag;
956
		goto parse_flag;
925
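Review bot: The option is wired into the keyword table, the parser and the default-filling code, but the two pieces that make the `== -1` default check meaningful — the `permit_blacklisted_keys` member in ServerOptions and its initialisation to -1 alongside the other flags — are not in this view; if they are missing from the rest of the patch the field keeps whatever the options initialiser leaves there and the default branch is dead (harmless only because the intended default is also 0). Confirm both hunks exist. Registering it as SSHCFG_GLOBAL rather than Match-able is the right conservative choice; a comment next to the table entry would stop someone "fixing" it later: `/* deliberately not Match-able: a per-user override would defeat the point */`.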
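--- a/auth-rsa.c
+++ b/auth-rsa.c
@@ -40,7 +40,9 @@
 #include "servconf.h"
 #include "key.h"
 #include "hostfile.h"
+#include "authfile.h"
 #include "auth.h"
+#include "canohost.h"
 #ifdef GSSAPI
 #include "ssh-gss.h"
 #endif
@@ -221,6 +223,7 @@
 		char *cp;
 		char *key_options;
 		int keybits;
+		char *fp;
 
 		/* Skip leading whitespace, empty and comment lines. */
 		for (cp = line; *cp == ' ' || *cp == '\t'; cp++)
@@ -265,6 +268,21 @@
 			    "actual %d vs. announced %d.",
 			    file, linenum, BN_num_bits(key->rsa->n), bits);
 
+		if (blacklisted_key(key) == 1) {
+			fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
+			if (options.permit_blacklisted_keys)
+				logit("Public key %s from %s blacklisted (see "
+				    "ssh-vulnkey(1)); continuing anyway",
+				    fp, get_remote_ipaddr());
+			else
+				logit("Public key %s from %s blacklisted (see "
+				    "ssh-vulnkey(1))",
+				    fp, get_remote_ipaddr());
+			xfree(fp);
+			if (!options.permit_blacklisted_keys)
+				continue;
+		}
+
 		/* We have found the desired key. */
 		/*
 		 * If our options do not allow this key to be used,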
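Review bot: The fourteen-line blacklist check inserted before `/* We have found the desired key. */` is repeated verbatim in the `user_key_allowed` hunk of auth2-pubkey.c further down (and, judging by the patch, in auth-rh-rsa.c as well), differing only in `continue` versus `return 0`, so the log text and the permit_blacklisted_keys policy now live in three places and will drift apart. A single helper next to `blacklisted_key` that does the lookup, writes the log line and returns whether the key is acceptable would reduce each caller to `if (!auth_key_blacklist_check(key)) continue;`. The two `logit` calls also differ only in the `; continuing anyway` suffix, so one format string with a conditional suffix is easier to keep consistent. auth_rsa_key_allowed's loop begins and ends outside the hunk.
```c
/*
 * Look the key up in the compromised-key blacklist and log a hit.
 * Returns 1 if the key may be used (not blacklisted, or blacklisted but
 * PermitBlacklistedKeys is set), 0 if it must be rejected.
 */
int
auth_key_blacklist_check(Key *key)
{
	char *fp;

	if (blacklisted_key(key) != 1)
		return 1;
	fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
	logit("Public key %s from %s blacklisted (see ssh-vulnkey(1))%s",
	    fp, get_remote_ipaddr(),
	    options.permit_blacklisted_keys ? "; continuing anyway" : "");
	xfree(fp);
	return options.permit_blacklisted_keys != 0;
}
```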
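--- a/pathnames.h
+++ b/pathnames.h
@@ -18,6 +18,10 @@
 #define SSHDIR				ETCDIR "/ssh"
 #endif
 
+#ifndef _PATH_SSH_DATADIR
+#define _PATH_SSH_DATADIR		"/usr/share/ssh"
+#endif
+
 #ifndef _PATH_SSH_PIDDIR
 #define _PATH_SSH_PIDDIR		"/var/run"
 #endif
@@ -43,6 +47,9 @@
 /* Backwards compatibility */
 #define _PATH_DH_PRIMES			SSHDIR "/primes"
 
+#define _PATH_BLACKLIST			_PATH_SSH_DATADIR "/blacklist"
+#define _PATH_BLACKLIST_CONFIG		SSHDIR "/blacklist"
+
 #ifndef _PATH_SSH_PROGRAM
 #define _PATH_SSH_PROGRAM		"/usr/bin/ssh"
 #endif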
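Review bot: The two macros added after `_PATH_DH_PRIMES` carry no comment explaining why there are two blacklist locations, so a reader of this header cannot tell whether `_PATH_BLACKLIST_CONFIG` overrides, extends or replaces `_PATH_BLACKLIST`. Presumably the datadir copy is the distribution-supplied list and the SSHDIR copy is the administrator's local one, but that intent and the precedence `blacklisted_key()` actually applies should be stated, e.g. `/* Compromised-key blacklist: distribution data under datadir plus a local admin-maintained file in SSHDIR; see ssh-vulnkey(1). */`.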
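--- a/servconf.h
+++ b/servconf.h
@@ -92,6 +92,7 @@
 						 * authentication. */
 	int     kbd_interactive_authentication;	/* If true, permit */
 	int     challenge_response_authentication;
+	int     permit_blacklisted_keys;	/* If true, permit */
 	int     permit_empty_passwd;	/* If false, do not permit empty
 					 * passwords. */
 	int     permit_user_env;	/* If true, read ~/.ssh/environment */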
99
++ openssh-4.7p1/auth2-pubkey.c
Lines 42-47 Link Here
42
#include "compat.h"
42
#include "compat.h"
43
#include "key.h"
43
#include "key.h"
44
#include "hostfile.h"
44
#include "hostfile.h"
45
#include "authfile.h"
45
#include "auth.h"
46
#include "auth.h"
46
#include "pathnames.h"
47
#include "pathnames.h"
47
#include "uidswap.h"
48
#include "uidswap.h"
Lines 269-277 Link Here
269
int
270
int
270
user_key_allowed(struct passwd *pw, Key *key)
271
user_key_allowed(struct passwd *pw, Key *key)
271
{
272
{
273
	char *fp;
272
	int success;
274
	int success;
273
	char *file;
275
	char *file;
274
276
277
	if (blacklisted_key(key) == 1) {
278
		fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
279
		if (options.permit_blacklisted_keys)
280
			logit("Public key %s from %s blacklisted (see "
281
			    "ssh-vulnkey(1)); continuing anyway",
282
			    fp, get_remote_ipaddr());
283
		else
284
			logit("Public key %s from %s blacklisted (see "
285
			    "ssh-vulnkey(1))",
286
			    fp, get_remote_ipaddr());
287
		xfree(fp);
288
		if (!options.permit_blacklisted_keys)
289
			return 0;
290
	}
291
275
	file = authorized_keys_file(pw);
292
	file = authorized_keys_file(pw);
276
	success = user_key_allowed2(pw, key, file);
293
	success = user_key_allowed2(pw, key, file);
277
	xfree(file);
294
	xfree(file);
278
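Review bot: `if (blacklisted_key(key) == 1)` at the top of `user_key_allowed` treats every return value other than 1 as "not blacklisted", so if `blacklisted_key` (declared in authfile.h, defined outside the sections shown) can report an error — blacklist file missing, unreadable or malformed — the check silently fails open and the key proceeds to the authorized_keys lookup with no log line at all. The same comparison is used in the auth-rsa.c hunk above. If the function can return a negative error code, at least record it, `if (r < 0) logit("key blacklist lookup failed for %s", get_remote_ipaddr());`, and otherwise document on its declaration that it returns only 0 or 1. Note also that the log line fires for any offered key, before the authorized_keys check below decides whether the key is even acceptable for this user, which is useful as a detection signal but deserves a one-line comment. user_key_allowed's body continues past the hunk.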
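--- a/Makefile.in
+++ b/Makefile.in
@@ -26,6 +26,7 @@
 SFTP_SERVER=$(libexecdir)/sftp-server
 SSH_KEYSIGN=$(libexecdir)/ssh-keysign
 RAND_HELPER=$(libexecdir)/ssh-rand-helper
+SSH_DATADIR=$(datadir)/ssh
 PRIVSEP_PATH=@PRIVSEP_PATH@
 SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
 STRIP_OPT=@STRIP_OPT@
@@ -37,7 +38,9 @@
 	-D_PATH_SSH_KEY_SIGN=\"$(SSH_KEYSIGN)\" \
 	-D_PATH_SSH_PIDDIR=\"$(piddir)\" \
 	-D_PATH_PRIVSEP_CHROOT_DIR=\"$(PRIVSEP_PATH)\" \
-	-DSSH_RAND_HELPER=\"$(RAND_HELPER)\"
+	-DSSH_RAND_HELPER=\"$(RAND_HELPER)\" \
+	-D_PATH_SSH_DATADIR=\"$(SSH_DATADIR)\"
 
 CC=@CC@
 LD=@LD@
@@ -60,7 +62,7 @@
 INSTALL_SSH_PRNG_CMDS=@INSTALL_SSH_PRNG_CMDS@
 INSTALL_SSH_RAND_HELPER=@INSTALL_SSH_RAND_HELPER@
 
-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-agent$(EXEEXT) scp$(EXEEXT) ssh-rand-helper${EXEEXT} sftp-server$(EXEEXT) sftp$(EXEEXT)
+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-agent$(EXEEXT) scp$(EXEEXT) ssh-rand-helper${EXEEXT} sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-vulnkey$(EXEEXT)
 
 LIBSSH_OBJS=acss.o authfd.o authfile.o bufaux.o bufbn.o buffer.o \
 	canohost.o channels.o cipher.o cipher-acss.o cipher-aes.o \
@@ -88,8 +90,8 @@
 	loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
 	audit.o audit-bsm.o platform.o
 
-MANPAGES	= scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out sshd_config.5.out ssh_config.5.out
+MANPAGES	= scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out ssh-vulnkey.1.out sshd_config.5.out ssh_config.5.out
-MANPAGES_IN	= scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-rand-helper.8 ssh-keysign.8 sshd_config.5 ssh_config.5
+MANPAGES_IN	= scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-rand-helper.8 ssh-keysign.8 ssh-vulnkey.1 sshd_config.5 ssh_config.5
 MANTYPE		= @MANTYPE@
 
 CONFIGFILES=sshd_config.out ssh_config.out moduli.out
@@ -165,6 +167,9 @@
 ssh-rand-helper${EXEEXT}: $(LIBCOMPAT) libssh.a ssh-rand-helper.o
 	$(LD) -o $@ ssh-rand-helper.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
 
+ssh-vulnkey$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-vulnkey.o
+	$(LD) -o $@ ssh-vulnkey.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+
 # test driver for the loginrec code - not built by default
 logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o
 	$(LD) -o $@ logintest.o $(LDFLAGS) loginrec.o -lopenbsd-compat -lssh $(LIBS)
@@ -264,6 +269,7 @@
 	$(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign $(DESTDIR)$(SSH_KEYSIGN)
 	$(INSTALL) -m 0755 $(STRIP_OPT) sftp $(DESTDIR)$(bindir)/sftp
 	$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server $(DESTDIR)$(SFTP_SERVER)
+	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-vulnkey $(DESTDIR)$(bindir)/ssh-vulnkey
 	$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
 	$(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
 	$(INSTALL) -m 644 ssh-add.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
@@ -279,6 +285,7 @@
 	$(INSTALL) -m 644 sftp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/sftp.1
 	$(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
 	$(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
+	$(INSTALL) -m 644 ssh-vulnkey.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-vulnkey.1
 	-rm -f $(DESTDIR)$(bindir)/slogin
 	ln -s ./ssh$(EXEEXT) $(DESTDIR)$(bindir)/slogin
 	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
@@ -360,6 +367,7 @@
 	-rm -f $(DESTDIR)$(bindir)/ssh-agent$(EXEEXT)
 	-rm -f $(DESTDIR)$(bindir)/ssh-keygen$(EXEEXT)
 	-rm -f $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT)
+	-rm -f $(DESTDIR)$(bindir)/ssh-vulnkey$(EXEEXT)
 	-rm -f $(DESTDIR)$(bindir)/sftp$(EXEEXT)
 	-rm -f $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
 	-rm -r $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
@@ -372,6 +380,7 @@
 	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keygen.1
 	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/sftp.1
 	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keyscan.1
+	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-vulnkey.1
 	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8
 	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-rand-helper.8
 	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8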
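Review bot: `SSH_DATADIR=$(datadir)/ssh` is compiled into sshd through the new `-D_PATH_SSH_DATADIR` flag, but none of the install rules in this section creates `$(DESTDIR)$(SSH_DATADIR)` or installs anything into it, so the blacklist path the server will read points at a directory this Makefile never populates. If the blacklist data is meant to arrive from a separate package, say so beside the variable, `# Blacklist data under $(SSH_DATADIR) is shipped separately; sshd only reads it`, otherwise the install target needs an `$(INSTALL) -d $(DESTDIR)$(SSH_DATADIR)` alongside the other directory creation. The `ssh-vulnkey$(EXEEXT)` link rule and the man page additions look consistent with the existing ssh-rand-helper and ssh-keysign entries.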
