

(-)file_not_specified_in_diff (-21 / +854 lines)
Line  Link Here
0
-- openssh-4.7p1.orig/auth-rh-rsa.c
0
++ openssh-4.7p1/auth-rh-rsa.c
Lines 44-49 Link Here
44
{
44
{
45
	HostStatus host_status;
45
	HostStatus host_status;
46
46
47
	if (reject_blacklisted_key(client_host_key, 0) == 1)
48
		return 0;
49
47
	/* Check if we would accept it using rhosts authentication. */
50
	/* Check if we would accept it using rhosts authentication. */
48
	if (!auth_rhosts(pw, cuser))
51
	if (!auth_rhosts(pw, cuser))
49
		return 0;
52
		return 0;
50
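Review bot: The new check passes hostkey=0 for client_host_key, so a rejection is logged by reject_blacklisted_key as `Public key %s from %s blacklisted`, which does not say that this was the remote host's key in an rhosts-RSA attempt; the same applies to the auth2-hostbased.c hunk. A one-line comment keeps the next reader from "fixing" the argument to 1, which would switch the message to the `Host key %s blacklisted` wording reserved for sshd's own host keys in sshd.c: `/* hostkey=0: this is the client's host key, not one of ours; log it as a remote key */`. If host-based attempts with compromised keys need to be distinguishable in logs, the message in auth.c would need the authentication method added rather than the flag changed. The enclosing function continues outside the hunk.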
-- openssh-4.7p1.orig/authfile.h
53
++ openssh-4.7p1/authfile.h
Lines 23-26 Link Here
23
Key	*key_load_private_pem(int, int, const char *, char **);
23
Key	*key_load_private_pem(int, int, const char *, char **);
24
int	 key_perm_ok(int, const char *);
24
int	 key_perm_ok(int, const char *);
25
25
26
int	 blacklisted_key(const Key *key, char **fp);
27
26
#endif
28
#endif
27
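Review bot: The new `blacklisted_key` prototype carries no comment on its return contract, yet every caller in this patch depends on the three-way result and on who owns the fingerprint string (reject_blacklisted_key in auth.c frees `*fp`, ssh-vulnkey's do_key switches on -1/0/1 and passes NULL). Add above it: `/* Returns 1 if key is in a blacklist (*fp, if non-NULL, receives its fingerprint; caller xfree()s it), 0 if not listed, -1 if no blacklist file for this key type/size could be opened. */`. That also documents that -1 is "unknown", not "clean", which the sshd callers currently collapse into 0.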
-- openssh-4.7p1.orig/sshd_config.5
29
++ openssh-4.7p1/sshd_config.5
Lines 563-568 Link Here
563
Specifies whether password authentication is allowed.
563
Specifies whether password authentication is allowed.
564
The default is
564
The default is
565
.Dq yes .
565
.Dq yes .
566
.It Cm PermitBlacklistedKeys
567
Specifies whether
568
.Xr sshd 8
569
should allow keys recorded in its blacklist of known-compromised keys (see
570
.Xr ssh-vulnkey 1 ) .
571
If
572
.Dq yes ,
573
then attempts to authenticate with compromised keys will be logged but
574
accepted.
575
If
576
.Dq no ,
577
then attempts to authenticate with compromised keys will be rejected.
578
The default is
579
.Dq no .
566
.It Cm PermitEmptyPasswords
580
.It Cm PermitEmptyPasswords
567
When password authentication is allowed, it specifies whether the
581
When password authentication is allowed, it specifies whether the
568
server allows login to accounts with empty password strings.
582
server allows login to accounts with empty password strings.
569
-- openssh-4.7p1.orig/ssh-vulnkey.1
583
++ openssh-4.7p1/ssh-vulnkey.1
Line 0 Link Here
0
-- openssh-4.7p1.orig/auth2-hostbased.c
1
.\" Copyright (c) 2008 Canonical Ltd.  All rights reserved.
2
.\"
3
.\" Redistribution and use in source and binary forms, with or without
4
.\" modification, are permitted provided that the following conditions
5
.\" are met:
6
.\" 1. Redistributions of source code must retain the above copyright
7
.\"    notice, this list of conditions and the following disclaimer.
8
.\" 2. Redistributions in binary form must reproduce the above copyright
9
.\"    notice, this list of conditions and the following disclaimer in the
10
.\"    documentation and/or other materials provided with the distribution.
11
.\"
12
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
13
.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
14
.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
15
.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
16
.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
17
.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
18
.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
19
.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
20
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
21
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
22
.\"
23
.Dd $Mdocdate: May 12 2008 $
24
.Dt SSH-VULNKEY 1
25
.Os
26
.Sh NAME
27
.Nm ssh-vulnkey
28
.Nd check blacklist of compromised keys
29
.Sh SYNOPSIS
30
.Nm
31
.Op Fl q | Fl v
32
.Ar file ...
33
.Nm
34
.Fl a
35
.Sh DESCRIPTION
36
.Nm
37
checks a key against a blacklist of compromised keys.
38
.Pp
39
A substantial number of keys are known to have been generated using a broken
40
version of OpenSSL distributed by Debian which failed to seed its random
41
number generator correctly.
42
Keys generated using these OpenSSL versions should be assumed to be
43
compromised.
44
This tool may be useful in checking for such keys.
45
.Pp
46
Keys that are compromised cannot be repaired; replacements must be generated
47
using
48
.Xr ssh-keygen 1 .
49
Make sure to update
50
.Pa authorized_keys
51
files on all systems where compromised keys were permitted to authenticate.
52
.Pp
53
The argument list will be interpreted as a list of paths to public key files
54
or
55
.Pa authorized_keys
56
files.
57
If no suitable file is found at a given path,
58
.Nm
59
will append
60
.Pa .pub
61
and retry, in case it was given a private key file.
62
If no files are given as arguments,
63
.Nm
64
will check
65
.Pa ~/.ssh/id_rsa ,
66
.Pa ~/.ssh/id_dsa ,
67
.Pa ~/.ssh/identity ,
68
.Pa ~/.ssh/authorized_keys
69
and
70
.Pa ~/.ssh/authorized_keys2 ,
71
as well as the system's host keys if readable.
72
.Pp
73
If
74
.Dq -
75
is given as an argument,
76
.Nm
77
will read from standard input.
78
This can be used to process output from
79
.Xr ssh-keyscan 1 ,
80
for example:
81
.Pp
82
.Dl $ ssh-keyscan -t rsa remote.example.org | ssh-vulnkey -
83
.Pp
84
Unless the
85
.Cm PermitBlacklistedKeys
86
option is used,
87
.Xr sshd 8
88
will reject attempts to authenticate with keys in the compromised list.
89
.Pp
90
The output from
91
.Nm
92
looks like this:
93
.Pp
94
.Bd -literal -offset indent
95
/etc/ssh/ssh_host_key:1: COMPROMISED: RSA1 2048 xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx root@host
96
/home/user/.ssh/id_dsa:1: Not blacklisted: DSA 1024 xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx /home/user/.ssh/id_dsa.pub
97
/home/user/.ssh/authorized_keys:3: Unknown (blacklist file not installed): RSA 1024 xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx user@host
98
.Ed
99
.Pp
100
Each line is of the following format (any lines beginning with
101
.Dq #
102
should be ignored by scripts):
103
.Pp
104
.Dl Ar filename : Ns Ar line : Ar status : Ar type Ar size Ar fingerprint Ar comment
105
.Pp
106
It is important to distinguish between the possible values of
107
.Ar status :
108
.Pp
109
.Bl -tag -width Ds
110
.It COMPROMISED
111
These keys are listed in a blacklist file, normally because their
112
corresponding private keys are well-known.
113
Replacements must be generated using
114
.Xr ssh-keygen 1 .
115
.It Not blacklisted
116
A blacklist file exists for this key type and size, but this key is not
117
listed in it.
118
Unless there is some particular reason to believe otherwise, this key
119
may be used safely.
120
(Note that DSA keys used with the broken version of OpenSSL distributed
121
by Debian may be compromised in the event that anyone captured a network
122
trace, even if they were generated with a secure version of OpenSSL.)
123
.It Unknown (blacklist file not installed)
124
No blacklist file exists for this key type and size.
125
You should find a suitable published blacklist and install it before
126
deciding whether this key is safe to use.
127
.El
128
.Pp
129
The options are as follows:
130
.Bl -tag -width Ds
131
.It Fl a
132
Check keys of all users on the system.
133
You will typically need to run
134
.Nm
135
as root to use this option.
136
For each user,
137
.Nm
138
will check
139
.Pa ~/.ssh/id_rsa ,
140
.Pa ~/.ssh/id_dsa ,
141
.Pa ~/.ssh/identity ,
142
.Pa ~/.ssh/authorized_keys
143
and
144
.Pa ~/.ssh/authorized_keys2 .
145
It will also check the system's host keys.
146
.It Fl q
147
Quiet mode.
148
Normally,
149
.Nm
150
outputs the fingerprint of each key scanned, with a description of its
151
status.
152
This option suppresses that output.
153
.It Fl v
154
Verbose mode.
155
Normally,
156
.Nm
157
does not output anything for keys that are not listed in their corresponding
158
blacklist file (although it still produces output for keys for which there
159
is no blacklist file, since their status is unknown).
160
This option causes
161
.Nm
162
to produce output for all keys.
163
.El
164
.Sh EXIT STATUS
165
.Nm
166
will exit zero if any of the given keys were in the compromised list,
167
otherwise non-zero.
168
.Sh BLACKLIST FILE FORMAT
169
The blacklist file may start with comments, on lines starting with
170
.Dq # .
171
After these initial comments, it must follow a strict format:
172
.Pp
173
.Bl -bullet -offset indent -compact
174
.It
175
All the lines must be exactly the same length (20 characters followed by a
176
newline) and must be in sorted order.
177
.It
178
Each line must consist of the lower-case hexadecimal MD5 key fingerprint,
179
without colons, and with the first 12 characters removed (that is, the least
180
significant 80 bits of the fingerprint).
181
.El
182
.Pp
183
The key fingerprint may be generated using
184
.Xr ssh-keygen 1 :
185
.Pp
186
.Dl $ ssh-keygen -l -f /path/to/key
187
.Pp
188
This strict format is necessary to allow the blacklist file to be checked
189
quickly, using a binary-search algorithm.
190
.Sh FILES
191
.Bl -tag -width Ds
192
.It Pa ~/.ssh/id_rsa
193
If present, contains the protocol version 2 RSA authentication identity of
194
the user.
195
.It Pa ~/.ssh/id_dsa
196
If present, contains the protocol version 2 DSA authentication identity of
197
the user.
198
.It Pa ~/.ssh/identity
199
If present, contains the protocol version 1 RSA authentication identity of
200
the user.
201
.It Pa ~/.ssh/authorized_keys
202
If present, lists the public keys (RSA/DSA) that can be used for logging in
203
as this user.
204
.It Pa ~/.ssh/authorized_keys2
205
Obsolete name for
206
.Pa ~/.ssh/authorized_keys .
207
This file may still be present on some old systems, but should not be
208
created if it is missing.
209
.It Pa /etc/ssh/ssh_host_rsa_key
210
If present, contains the protocol version 2 RSA identity of the system.
211
.It Pa /etc/ssh/ssh_host_dsa_key
212
If present, contains the protocol version 2 DSA identity of the system.
213
.It Pa /etc/ssh/ssh_host_key
214
If present, contains the protocol version 1 RSA identity of the system.
215
.It Pa /usr/share/ssh/blacklist. Ns Ar TYPE Ns Pa - Ns Ar LENGTH
216
If present, lists the blacklisted keys of type
217
.Ar TYPE
218
.Pf ( Dq RSA
219
or
220
.Dq DSA )
221
and bit length
222
.Ar LENGTH .
223
The format of this file is described above.
224
RSA1 keys are converted to RSA before being checked in the blacklist.
225
Note that the fingerprints of RSA1 keys are computed differently, so you
226
will not be able to find them in the blacklist by hand.
227
.It Pa /etc/ssh/blacklist. Ns Ar TYPE Ns Pa - Ns Ar LENGTH
228
Same as
229
.Pa /usr/share/ssh/blacklist. Ns Ar TYPE Ns Pa - Ns Ar LENGTH ,
230
but may be edited by the system administrator to add new blacklist entries.
231
.El
232
.Sh SEE ALSO
233
.Xr ssh-keygen 1 ,
234
.Xr sshd 8
235
.Sh AUTHORS
236
.An -nosplit
237
.An Colin Watson Aq cjwatson@ubuntu.com
238
.Pp
239
Florian Weimer suggested the option to check keys of all users, and the idea
240
of processing
241
.Xr ssh-keyscan 1
242
output.
243
++ openssh-4.7p1/auth2-hostbased.c
Lines 145-150 Link Here
145
	HostStatus host_status;
145
	HostStatus host_status;
146
	int len;
146
	int len;
147
147
148
	if (reject_blacklisted_key(key, 0) == 1)
149
		return 0;
150
148
	resolvedname = get_canonical_hostname(options.use_dns);
151
	resolvedname = get_canonical_hostname(options.use_dns);
149
	ipaddr = get_remote_ipaddr();
152
	ipaddr = get_remote_ipaddr();
150
153
151
-- openssh-4.7p1.orig/sshd.c
154
++ openssh-4.7p1/sshd.c
Lines 1464-1469 Link Here
1464
			sensitive_data.host_keys[i] = NULL;
1464
			sensitive_data.host_keys[i] = NULL;
1465
			continue;
1465
			continue;
1466
		}
1466
		}
1467
		if (reject_blacklisted_key(key, 1) == 1) {
1468
			key_free(key);
1469
			sensitive_data.host_keys[i] = NULL;
1470
			continue;
1471
		}
1467
		switch (key->type) {
1472
		switch (key->type) {
1468
		case KEY_RSA1:
1473
		case KEY_RSA1:
1469
			sensitive_data.ssh1_host_key = key;
1474
			sensitive_data.ssh1_host_key = key;
1470
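Review bot: When reject_blacklisted_key(key, 1) fires here the only diagnostic is the fingerprint-only `Host key %s blacklisted` message from auth.c, and the key is then dropped exactly like a load failure; an administrator sees a fingerprint but not which key file to regenerate, and if that was the last key for a protocol sshd presumably continues to its usual no-hostkeys exit with no further hint. Log the path next to the rejection, e.g. `error("Host key file %s rejected: blacklisted", options.host_key_files[i]);` before `key_free(key);` (the loop appears to be indexed by the same i as options.host_key_files; confirm against the loop header, which starts outside the hunk).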
-- openssh-4.7p1.orig/authfile.c
1475
++ openssh-4.7p1/authfile.c
Lines 65-70 Link Here
65
#include "rsa.h"
65
#include "rsa.h"
66
#include "misc.h"
66
#include "misc.h"
67
#include "atomicio.h"
67
#include "atomicio.h"
68
#include "pathnames.h"
68
69
69
/* Version identification string for SSH v1 identity files. */
70
/* Version identification string for SSH v1 identity files. */
70
static const char authfile_id_string[] =
71
static const char authfile_id_string[] =
Lines 677-679 Link Here
677
	key_free(pub);
678
	key_free(pub);
678
	return NULL;
679
	return NULL;
679
}
680
}
680
-- openssh-4.7p1.orig/ssh-vulnkey.c
681
682
/* Scan a blacklist of known-vulnerable keys in blacklist_file. */
683
static int
684
blacklisted_key_in_file(const Key *key, const char *blacklist_file, char **fp)
685
{
686
	int fd = -1;
687
	char *dgst_hex = NULL;
688
	char *dgst_packed = NULL, *p;
689
	int i;
690
	size_t line_len;
691
	struct stat st;
692
	char buf[256];
693
	off_t start, lower, upper;
694
	int ret = 0;
695
696
	debug("Checking blacklist file %s", blacklist_file);
697
	fd = open(blacklist_file, O_RDONLY);
698
	if (fd < 0) {
699
		ret = -1;
700
		goto out;
701
	}
702
703
	dgst_hex = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
704
	/* Remove all colons */
705
	dgst_packed = xcalloc(1, strlen(dgst_hex) + 1);
706
	for (i = 0, p = dgst_packed; dgst_hex[i]; i++)
707
		if (dgst_hex[i] != ':')
708
			*p++ = dgst_hex[i];
709
	/* Only compare least-significant 80 bits (to keep the blacklist
710
	 * size down)
711
	 */
712
	line_len = strlen(dgst_packed + 12);
713
	if (line_len > 32)
714
		goto out;
715
716
	/* Skip leading comments */
717
	start = 0;
718
	for (;;) {
719
		ssize_t r;
720
		char *newline;
721
722
		r = atomicio(read, fd, buf, sizeof(buf));
723
		if (r <= 0)
724
			goto out;
725
		if (buf[0] != '#')
726
			break;
727
728
		newline = memchr(buf, '\n', sizeof(buf));
729
		if (!newline)
730
			goto out;
731
		start += newline + 1 - buf;
732
		if (lseek(fd, start, SEEK_SET) < 0)
733
			goto out;
734
	}
735
736
	/* Initialise binary search record numbers */
737
	if (fstat(fd, &st) < 0)
738
		goto out;
739
	lower = 0;
740
	upper = (st.st_size - start) / (line_len + 1);
741
742
	while (lower != upper) {
743
		off_t cur;
744
		int cmp;
745
746
		cur = lower + (upper - lower) / 2;
747
748
		/* Read this line and compare to digest; this is
749
		 * overflow-safe since cur < max(off_t) / (line_len + 1) */
750
		if (lseek(fd, start + cur * (line_len + 1), SEEK_SET) < 0)
751
			break;
752
		if (atomicio(read, fd, buf, line_len) != line_len)
753
			break;
754
		cmp = memcmp(buf, dgst_packed + 12, line_len);
755
		if (cmp < 0) {
756
			if (cur == lower)
757
				break;
758
			lower = cur;
759
		} else if (cmp > 0) {
760
			if (cur == upper)
761
				break;
762
			upper = cur;
763
		} else {
764
			debug("Found %s in blacklist", dgst_hex);
765
			ret = 1;
766
			break;
767
		}
768
	}
769
770
out:
771
	if (dgst_packed)
772
		xfree(dgst_packed);
773
	if (ret != 1 && dgst_hex) {
774
		xfree(dgst_hex);
775
		dgst_hex = NULL;
776
	}
777
	if (fp)
778
		*fp = dgst_hex;
779
	if (fd >= 0)
780
		close(fd);
781
	return ret;
782
}
783
784
/*
785
 * Scan blacklists of known-vulnerable keys. If a vulnerable key is found,
786
 * its fingerprint is returned in *fp, unless fp is NULL.
787
 */
788
int
789
blacklisted_key(const Key *key, char **fp)
790
{
791
	Key *public;
792
	char *blacklist_file;
793
	int ret, ret2;
794
795
	public = key_demote(key);
796
	if (public->type == KEY_RSA1)
797
		public->type = KEY_RSA;
798
799
	xasprintf(&blacklist_file, "%s.%s-%u",
800
	    _PATH_BLACKLIST, key_type(public), key_size(public));
801
	ret = blacklisted_key_in_file(public, blacklist_file, fp);
802
	xfree(blacklist_file);
803
	if (ret > 0) {
804
		key_free(public);
805
		return ret;
806
	}
807
808
	xasprintf(&blacklist_file, "%s.%s-%u",
809
	    _PATH_BLACKLIST_CONFIG, key_type(public), key_size(public));
810
	ret2 = blacklisted_key_in_file(public, blacklist_file, fp);
811
	xfree(blacklist_file);
812
	if (ret2 > ret)
813
		ret = ret2;
814
815
	key_free(public);
816
	return ret;
817
}
818
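Review bot: In blacklisted_key_in_file the fingerprint string leaks whenever the key is found and fp is NULL: the cleanup frees dgst_hex only when `ret != 1`, and ssh-vulnkey's do_key calls blacklisted_key(public, NULL), so every COMPROMISED hit leaks one allocation. Change the condition to `if ((ret != 1 || fp == NULL) && dgst_hex) {` so ownership is transferred only when there is a caller to take it. Separately, the search trusts the layout the man page mandates (20 hex characters plus newline, sorted) without checking it: a blacklist with CRLF endings or a trailing partial record silently yields 0 ("not blacklisted"), as do lseek/read failures inside the search loop, whose `break`s fold into the same 0. Consider `if ((st.st_size - start) % (line_len + 1) != 0) { ret = -1; goto out; }` after the fstat, and setting ret = -1 on the I/O failure paths, so a malformed or unreadable blacklist reports as unknown rather than clean.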
++ openssh-4.7p1/ssh-vulnkey.c
Line 0 Link Here
0
-- openssh-4.7p1.orig/servconf.c
1
/*
2
 * Copyright (c) 2008 Canonical Ltd.  All rights reserved.
3
 *
4
 * Redistribution and use in source and binary forms, with or without
5
 * modification, are permitted provided that the following conditions
6
 * are met:
7
 * 1. Redistributions of source code must retain the above copyright
8
 *    notice, this list of conditions and the following disclaimer.
9
 * 2. Redistributions in binary form must reproduce the above copyright
10
 *    notice, this list of conditions and the following disclaimer in the
11
 *    documentation and/or other materials provided with the distribution.
12
 *
13
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
14
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
15
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
16
 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
17
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
18
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
19
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
20
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
21
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
22
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
23
 */
24
25
#include "includes.h"
26
27
#include <sys/types.h>
28
#include <sys/stat.h>
29
30
#include <errno.h>
31
#include <string.h>
32
#include <stdio.h>
33
#include <fcntl.h>
34
#include <unistd.h>
35
36
#include <openssl/evp.h>
37
38
#include "xmalloc.h"
39
#include "ssh.h"
40
#include "log.h"
41
#include "key.h"
42
#include "authfile.h"
43
#include "pathnames.h"
44
#include "uidswap.h"
45
#include "misc.h"
46
47
extern char *__progname;
48
49
/* Default files to check */
50
static char *default_host_files[] = {
51
	_PATH_HOST_RSA_KEY_FILE,
52
	_PATH_HOST_DSA_KEY_FILE,
53
	_PATH_HOST_KEY_FILE,
54
	NULL
55
};
56
static char *default_files[] = {
57
	_PATH_SSH_CLIENT_ID_RSA,
58
	_PATH_SSH_CLIENT_ID_DSA,
59
	_PATH_SSH_CLIENT_IDENTITY,
60
	_PATH_SSH_USER_PERMITTED_KEYS,
61
	_PATH_SSH_USER_PERMITTED_KEYS2,
62
	NULL
63
};
64
65
static int verbosity = 0;
66
67
static void
68
usage(void)
69
{
70
	fprintf(stderr, "usage: %s [-aqv] [file ...]\n", __progname);
71
	fprintf(stderr, "Options:\n");
72
	fprintf(stderr, "  -a          Check keys of all users.\n");
73
	fprintf(stderr, "  -q          Quiet mode.\n");
74
	fprintf(stderr, "  -v          Verbose mode.\n");
75
	exit(1);
76
}
77
78
void
79
describe_key(const char *filename, u_long linenum, const char *msg,
80
    const Key *key, const char *comment, int min_verbosity)
81
{
82
	char *fp;
83
84
	fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
85
	if (verbosity >= min_verbosity) {
86
		if (strchr(filename, ':'))
87
			printf("\"%s\"", filename);
88
		else
89
			printf("%s", filename);
90
		printf(":%lu: %s: %s %u %s %s\n", linenum, msg,
91
		    key_type(key), key_size(key), fp, comment);
92
	}
93
	xfree(fp);
94
}
95
96
int
97
do_key(const char *filename, u_long linenum,
98
    const Key *key, const char *comment)
99
{
100
	Key *public;
101
	int blacklist_status;
102
	int ret = 1;
103
104
	public = key_demote(key);
105
	if (public->type == KEY_RSA1)
106
		public->type = KEY_RSA;
107
108
	blacklist_status = blacklisted_key(public, NULL);
109
	if (blacklist_status == -1)
110
		describe_key(filename, linenum,
111
		    "Unknown (blacklist file not installed)", key, comment, 0);
112
	else if (blacklist_status == 1) {
113
		describe_key(filename, linenum,
114
		    "COMPROMISED", key, comment, 0);
115
		ret = 0;
116
	} else
117
		describe_key(filename, linenum,
118
		    "Not blacklisted", key, comment, 1);
119
120
	key_free(public);
121
122
	return ret;
123
}
124
125
int
126
do_filename(const char *filename, int quiet_open)
127
{
128
	FILE *f;
129
	char line[SSH_MAX_PUBKEY_BYTES];
130
	char *cp;
131
	u_long linenum = 0;
132
	Key *key;
133
	char *comment = NULL;
134
	int found = 0, ret = 1;
135
136
	/* Copy much of key_load_public's logic here so that we can read
137
	 * several keys from a single file (e.g. authorized_keys).
138
	 */
139
140
	if (strcmp(filename, "-") != 0) {
141
		int save_errno;
142
		f = fopen(filename, "r");
143
		save_errno = errno;
144
		if (!f) {
145
			char pubfile[MAXPATHLEN];
146
			if (strlcpy(pubfile, filename, sizeof pubfile) <
147
			    sizeof(pubfile) &&
148
			    strlcat(pubfile, ".pub", sizeof pubfile) <
149
			    sizeof(pubfile))
150
				f = fopen(pubfile, "r");
151
		}
152
		errno = save_errno; /* earlier errno is more useful */
153
		if (!f) {
154
			if (!quiet_open)
155
				perror(filename);
156
			return -1;
157
		}
158
		if (verbosity > 0)
159
			printf("# %s\n", filename);
160
	} else
161
		f = stdin;
162
	while (read_keyfile_line(f, filename, line, sizeof(line),
163
		    &linenum) != -1) {
164
		int i;
165
		char *space;
166
		int type;
167
		char *end;
168
169
		/* Chop trailing newline. */
170
		i = strlen(line) - 1;
171
		if (line[i] == '\n')
172
			line[i] = '\0';
173
174
		/* Skip leading whitespace, empty and comment lines. */
175
		for (cp = line; *cp == ' ' || *cp == '\t'; cp++)
176
			;
177
		if (!*cp || *cp == '\n' || *cp == '#')
178
			continue;
179
180
		/* Cope with ssh-keyscan output and options in
181
		 * authorized_keys files.
182
		 */
183
		space = strchr(cp, ' ');
184
		if (!space)
185
			continue;
186
		*space = '\0';
187
		type = key_type_from_name(cp);
188
		*space = ' ';
189
		/* Leading number (RSA1) or valid type (RSA/DSA) indicates
190
		 * that we have no host name or options to skip.
191
		 */
192
		if ((strtol(cp, &end, 10) == 0 || *end != ' ') &&
193
		    type == KEY_UNSPEC) {
194
			int quoted = 0;
195
196
			for (; *cp && (quoted || (*cp != ' ' && *cp != '\t')); cp++) {
197
				if (*cp == '\\' && cp[1] == '"')
198
					cp++;	/* Skip both */
199
				else if (*cp == '"')
200
					quoted = !quoted;
201
			}
202
			/* Skip remaining whitespace. */
203
			for (; *cp == ' ' || *cp == '\t'; cp++)
204
				;
205
			if (!*cp)
206
				continue;
207
		}
208
209
		/* Read and process the key itself. */
210
		key = key_new(KEY_RSA1);
211
		if (key_read(key, &cp) == 1) {
212
			while (*cp == ' ' || *cp == '\t')
213
				cp++;
214
			if (!do_key(filename, linenum,
215
			    key, *cp ? cp : filename))
216
				ret = 0;
217
			found = 1;
218
		} else {
219
			key_free(key);
220
			key = key_new(KEY_UNSPEC);
221
			if (key_read(key, &cp) == 1) {
222
				while (*cp == ' ' || *cp == '\t')
223
					cp++;
224
				if (!do_key(filename, linenum,
225
				    key, *cp ? cp : filename))
226
					ret = 0;
227
				found = 1;
228
			}
229
		}
230
		key_free(key);
231
	}
232
	if (f != stdin)
233
		fclose(f);
234
235
	if (!found && filename) {
236
		key = key_load_public(filename, &comment);
237
		if (key) {
238
			if (!do_key(filename, 1, key, comment))
239
				ret = 0;
240
			found = 1;
241
		}
242
		if (comment)
243
			xfree(comment);
244
	}
245
246
	return ret;
247
}
248
249
int
250
do_host(int quiet_open)
251
{
252
	int i;
253
	struct stat st;
254
	int ret = 1;
255
256
	for (i = 0; default_host_files[i]; i++) {
257
		if (stat(default_host_files[i], &st) < 0 && errno == ENOENT)
258
			continue;
259
		if (!do_filename(default_host_files[i], quiet_open))
260
			ret = 0;
261
	}
262
263
	return ret;
264
}
265
266
int
267
do_user(const char *dir)
268
{
269
	int i;
270
	char *file;
271
	struct stat st;
272
	int ret = 1;
273
274
	for (i = 0; default_files[i]; i++) {
275
		xasprintf(&file, "%s/%s", dir, default_files[i]);
276
		if (stat(file, &st) < 0 && errno == ENOENT) {
277
			xfree(file);
278
			continue;
279
		}
280
		if (!do_filename(file, 0))
281
			ret = 0;
282
		xfree(file);
283
	}
284
285
	return ret;
286
}
287
288
int
289
main(int argc, char **argv)
290
{
291
	int opt, all_users = 0;
292
	int ret = 1;
293
	extern int optind;
294
295
	/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
296
	sanitise_stdfd();
297
298
	__progname = ssh_get_progname(argv[0]);
299
300
	SSLeay_add_all_algorithms();
301
	log_init(argv[0], SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_USER, 1);
302
303
	/* We don't need the RNG ourselves, but symbol references here allow
304
	 * ld to link us properly.
305
	 */
306
	init_rng();
307
	seed_rng();
308
309
	while ((opt = getopt(argc, argv, "ahqv")) != -1) {
310
		switch (opt) {
311
		case 'a':
312
			all_users = 1;
313
			break;
314
		case 'q':
315
			verbosity--;
316
			break;
317
		case 'v':
318
			verbosity++;
319
			break;
320
		case 'h':
321
		default:
322
			usage();
323
		}
324
	}
325
326
	if (all_users) {
327
		struct passwd *pw;
328
329
		if (!do_host(0))
330
			ret = 0;
331
332
		while ((pw = getpwent()) != NULL) {
333
			if (pw->pw_dir) {
334
				temporarily_use_uid(pw);
335
				if (!do_user(pw->pw_dir))
336
					ret = 0;
337
				restore_uid();
338
			}
339
		}
340
	} else if (optind == argc) {
341
		struct passwd *pw;
342
343
		if (!do_host(1))
344
			ret = 0;
345
346
		if ((pw = getpwuid(geteuid())) == NULL)
347
			fprintf(stderr, "No user found with uid %u\n",
348
			    (u_int)geteuid());
349
		else {
350
			if (!do_user(pw->pw_dir))
351
				ret = 0;
352
		}
353
	} else {
354
		while (optind < argc)
355
			if (!do_filename(argv[optind++], 0))
356
				ret = 0;
357
	}
358
359
	return ret;
360
}
361
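Review bot: In do_filename the fallback `if (!found && filename)` also runs for the stdin case: filename is never NULL here, so after reading `-` with no key found it calls key_load_public("-", &comment), which tries to open a file literally named "-" in the current directory. The test should be `if (!found && strcmp(filename, "-") != 0) {`. Also, do_filename returns -1 for an unreadable file and main only checks `!do_filename(...)`, so a mistyped path or a permission error ends with the same non-zero status as "no compromised keys"; if scripts are meant to rely on the exit status as ssh-vulnkey.1 describes, an open failure deserves its own exit code or at least a summary line on stderr. Finally, `i = strlen(line) - 1` indexes line[-1] if read_keyfile_line ever returns an empty string; it looks like it cannot, but `if (i >= 0 && line[i] == '\n')` costs nothing.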
++ openssh-4.7p1/servconf.c
Lines 94-99 Link Here
94
	options->password_authentication = -1;
94
	options->password_authentication = -1;
95
	options->kbd_interactive_authentication = -1;
95
	options->kbd_interactive_authentication = -1;
96
	options->challenge_response_authentication = -1;
96
	options->challenge_response_authentication = -1;
97
	options->permit_blacklisted_keys = -1;
97
	options->permit_empty_passwd = -1;
98
	options->permit_empty_passwd = -1;
98
	options->permit_user_env = -1;
99
	options->permit_user_env = -1;
99
	options->use_login = -1;
100
	options->use_login = -1;
Lines 212-217 Link Here
212
		options->kbd_interactive_authentication = 0;
213
		options->kbd_interactive_authentication = 0;
213
	if (options->challenge_response_authentication == -1)
214
	if (options->challenge_response_authentication == -1)
214
		options->challenge_response_authentication = 1;
215
		options->challenge_response_authentication = 1;
216
	if (options->permit_blacklisted_keys == -1)
217
		options->permit_blacklisted_keys = 0;
215
	if (options->permit_empty_passwd == -1)
218
	if (options->permit_empty_passwd == -1)
216
		options->permit_empty_passwd = 0;
219
		options->permit_empty_passwd = 0;
217
	if (options->permit_user_env == -1)
220
	if (options->permit_user_env == -1)
Lines 281-287 Link Here
281
	sListenAddress, sAddressFamily,
284
	sListenAddress, sAddressFamily,
282
	sPrintMotd, sPrintLastLog, sIgnoreRhosts,
285
	sPrintMotd, sPrintLastLog, sIgnoreRhosts,
283
	sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
286
	sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
284
	sStrictModes, sEmptyPasswd, sTCPKeepAlive,
287
	sStrictModes, sPermitBlacklistedKeys, sEmptyPasswd, sTCPKeepAlive,
285
	sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
288
	sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
286
	sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
289
	sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
287
	sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
290
	sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
Lines 371-376 Link Here
371
	{ "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
374
	{ "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
372
	{ "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
375
	{ "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
373
	{ "strictmodes", sStrictModes, SSHCFG_GLOBAL },
376
	{ "strictmodes", sStrictModes, SSHCFG_GLOBAL },
377
	{ "permitblacklistedkeys", sPermitBlacklistedKeys, SSHCFG_GLOBAL },
374
	{ "permitemptypasswords", sEmptyPasswd, SSHCFG_GLOBAL },
378
	{ "permitemptypasswords", sEmptyPasswd, SSHCFG_GLOBAL },
375
	{ "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL },
379
	{ "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL },
376
	{ "uselogin", sUseLogin, SSHCFG_GLOBAL },
380
	{ "uselogin", sUseLogin, SSHCFG_GLOBAL },
Lines 919-924 Link Here
919
		intptr = &options->tcp_keep_alive;
923
		intptr = &options->tcp_keep_alive;
920
		goto parse_flag;
924
		goto parse_flag;
921
925
926
	case sPermitBlacklistedKeys:
927
		intptr = &options->permit_blacklisted_keys;
928
		goto parse_flag;
929
922
	case sEmptyPasswd:
930
	case sEmptyPasswd:
923
		intptr = &options->permit_empty_passwd;
931
		intptr = &options->permit_empty_passwd;
924
		goto parse_flag;
932
		goto parse_flag;
925
-- openssh-4.7p1.orig/auth-rsa.c
933
++ openssh-4.7p1/auth-rsa.c
Lines 265-270 Link Here
265
			    "actual %d vs. announced %d.",
265
			    "actual %d vs. announced %d.",
266
			    file, linenum, BN_num_bits(key->rsa->n), bits);
266
			    file, linenum, BN_num_bits(key->rsa->n), bits);
267
267
268
		if (reject_blacklisted_key(key, 0) == 1)
269
			continue;
270
268
		/* We have found the desired key. */
271
		/* We have found the desired key. */
269
		/*
272
		/*
270
		 * If our options do not allow this key to be used,
273
		 * If our options do not allow this key to be used,
271
-- openssh-4.7p1.orig/auth.h
274
++ openssh-4.7p1/auth.h
Lines 173-178 Link Here
173
check_key_in_hostfiles(struct passwd *, Key *, const char *,
173
check_key_in_hostfiles(struct passwd *, Key *, const char *,
174
    const char *, const char *);
174
    const char *, const char *);
175
175
176
int	reject_blacklisted_key(Key *, int);
177
176
/* hostkey handling */
178
/* hostkey handling */
177
Key	*get_hostkey_by_index(int);
179
Key	*get_hostkey_by_index(int);
178
Key	*get_hostkey_by_type(int);
180
Key	*get_hostkey_by_type(int);
179
-- openssh-4.7p1.orig/pathnames.h
181
++ openssh-4.7p1/pathnames.h
Lines 18-23 Link Here
18
#define SSHDIR				ETCDIR "/ssh"
18
#define SSHDIR				ETCDIR "/ssh"
19
#endif
19
#endif
20
20
21
#ifndef _PATH_SSH_DATADIR
22
#define _PATH_SSH_DATADIR		"/usr/share/ssh"
23
#endif
24
21
#ifndef _PATH_SSH_PIDDIR
25
#ifndef _PATH_SSH_PIDDIR
22
#define _PATH_SSH_PIDDIR		"/var/run"
26
#define _PATH_SSH_PIDDIR		"/var/run"
23
#endif
27
#endif
Lines 43-48 Link Here
43
/* Backwards compatibility */
47
/* Backwards compatibility */
44
#define _PATH_DH_PRIMES			SSHDIR "/primes"
48
#define _PATH_DH_PRIMES			SSHDIR "/primes"
45
49
50
#define _PATH_BLACKLIST			_PATH_SSH_DATADIR "/blacklist"
51
#define _PATH_BLACKLIST_CONFIG		SSHDIR "/blacklist"
52
46
#ifndef _PATH_SSH_PROGRAM
53
#ifndef _PATH_SSH_PROGRAM
47
#define _PATH_SSH_PROGRAM		"/usr/bin/ssh"
54
#define _PATH_SSH_PROGRAM		"/usr/bin/ssh"
48
#endif
55
#endif
49
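Review bot: `_PATH_BLACKLIST` and `_PATH_BLACKLIST_CONFIG` are defined unconditionally, unlike `_PATH_SSH_DATADIR` and `_PATH_SSH_PIDDIR` just above, which are wrapped in `#ifndef` so a build can override them; wrap the two new macros the same way, `#ifndef _PATH_BLACKLIST` … `#endif`, so a packager can relocate the blacklist files without patching the header. Note that ssh-vulnkey.1 in this patch spells out `/usr/share/ssh/blacklist.TYPE-LENGTH` literally, so any override should be reflected there too.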
-- openssh-4.7p1.orig/servconf.h
56
++ openssh-4.7p1/servconf.h
Lines 92-97 Link Here
92
						 * authentication. */
92
						 * authentication. */
93
	int     kbd_interactive_authentication;	/* If true, permit */
93
	int     kbd_interactive_authentication;	/* If true, permit */
94
	int     challenge_response_authentication;
94
	int     challenge_response_authentication;
95
	int     permit_blacklisted_keys;	/* If true, permit */
95
	int     permit_empty_passwd;	/* If false, do not permit empty
96
	int     permit_empty_passwd;	/* If false, do not permit empty
96
					 * passwords. */
97
					 * passwords. */
97
	int     permit_user_env;	/* If true, read ~/.ssh/environment */
98
	int     permit_user_env;	/* If true, read ~/.ssh/environment */
98
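Review bot: The comment on the new `permit_blacklisted_keys` field, `/* If true, permit */`, is a truncated copy of the line above it and says nothing about what is permitted. Replace it with `/* If true, accept keys that appear in a blacklist (the attempt is still logged); default is to reject them. */`, which matches the sshd_config.5 text in this patch and the default set in servconf.c.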
-- openssh-4.7p1.orig/auth.c
99
++ openssh-4.7p1/auth.c
Lines 57-62 Link Here
57
#include "servconf.h"
57
#include "servconf.h"
58
#include "key.h"
58
#include "key.h"
59
#include "hostfile.h"
59
#include "hostfile.h"
60
#include "authfile.h"
60
#include "auth.h"
61
#include "auth.h"
61
#include "auth-options.h"
62
#include "auth-options.h"
62
#include "canohost.h"
63
#include "canohost.h"
Lines 397-402 Link Here
397
	return host_status;
398
	return host_status;
398
}
399
}
399
400
401
int
402
reject_blacklisted_key(Key *key, int hostkey)
403
{
404
	char *fp;
405
406
	if (blacklisted_key(key, &fp) != 1)
407
		return 0;
408
409
	if (options.permit_blacklisted_keys) {
410
		if (hostkey)
411
			error("Host key %s blacklisted (see "
412
			    "ssh-vulnkey(1)); continuing anyway", fp);
413
		else
414
			logit("Public key %s from %s blacklisted (see "
415
			    "ssh-vulnkey(1)); continuing anyway",
416
			    fp, get_remote_ipaddr());
417
		xfree(fp);
418
	} else {
419
		if (hostkey)
420
			error("Host key %s blacklisted (see "
421
			    "ssh-vulnkey(1))", fp);
422
		else
423
			logit("Public key %s from %s blacklisted (see "
424
			    "ssh-vulnkey(1))",
425
			    fp, get_remote_ipaddr());
426
		xfree(fp);
427
		return 1;
428
	}
429
430
	return 0;
431
}
432
400
433
401
/*
434
/*
402
 * Check a given file for security. This is defined as all components
435
 * Check a given file for security. This is defined as all components
403
-- openssh-4.7p1.orig/auth2-pubkey.c
436
++ openssh-4.7p1/auth2-pubkey.c
Lines 272-277 Link Here
272
	int success;
272
	int success;
273
	char *file;
273
	char *file;
274
274
275
	if (reject_blacklisted_key(key, 0) == 1)
276
		return 0;
277
275
	file = authorized_keys_file(pw);
278
	file = authorized_keys_file(pw);
276
	success = user_key_allowed2(pw, key, file);
279
	success = user_key_allowed2(pw, key, file);
277
	xfree(file);
280
	xfree(file);
278
-- openssh-4.7p1.orig/Makefile.in
281
++ openssh-4.7p1/Makefile.in
Lines 26-31 Link Here
26
SFTP_SERVER=$(libexecdir)/sftp-server
26
SFTP_SERVER=$(libexecdir)/sftp-server
27
SSH_KEYSIGN=$(libexecdir)/ssh-keysign
27
SSH_KEYSIGN=$(libexecdir)/ssh-keysign
28
RAND_HELPER=$(libexecdir)/ssh-rand-helper
28
RAND_HELPER=$(libexecdir)/ssh-rand-helper
29
SSH_DATADIR=$(datadir)/ssh
29
PRIVSEP_PATH=@PRIVSEP_PATH@
30
PRIVSEP_PATH=@PRIVSEP_PATH@
30
SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
31
SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
31
STRIP_OPT=@STRIP_OPT@
32
STRIP_OPT=@STRIP_OPT@
Lines 37-43 Link Here
37
	-D_PATH_SSH_KEY_SIGN=\"$(SSH_KEYSIGN)\" \
38
	-D_PATH_SSH_KEY_SIGN=\"$(SSH_KEYSIGN)\" \
38
	-D_PATH_SSH_PIDDIR=\"$(piddir)\" \
39
	-D_PATH_SSH_PIDDIR=\"$(piddir)\" \
39
	-D_PATH_PRIVSEP_CHROOT_DIR=\"$(PRIVSEP_PATH)\" \
40
	-D_PATH_PRIVSEP_CHROOT_DIR=\"$(PRIVSEP_PATH)\" \
40
	-DSSH_RAND_HELPER=\"$(RAND_HELPER)\"
41
	-DSSH_RAND_HELPER=\"$(RAND_HELPER)\" \
42
	-D_PATH_SSH_DATADIR=\"$(SSH_DATADIR)\"
41
43
42
CC=@CC@
44
CC=@CC@
43
LD=@LD@
45
LD=@LD@
Lines 60-66 Link Here
60
INSTALL_SSH_PRNG_CMDS=@INSTALL_SSH_PRNG_CMDS@
62
INSTALL_SSH_PRNG_CMDS=@INSTALL_SSH_PRNG_CMDS@
61
INSTALL_SSH_RAND_HELPER=@INSTALL_SSH_RAND_HELPER@
63
INSTALL_SSH_RAND_HELPER=@INSTALL_SSH_RAND_HELPER@
62
64
63
TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-agent$(EXEEXT) scp$(EXEEXT) ssh-rand-helper${EXEEXT} sftp-server$(EXEEXT) sftp$(EXEEXT)
65
TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-agent$(EXEEXT) scp$(EXEEXT) ssh-rand-helper${EXEEXT} sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-vulnkey$(EXEEXT)
64
66
65
LIBSSH_OBJS=acss.o authfd.o authfile.o bufaux.o bufbn.o buffer.o \
67
LIBSSH_OBJS=acss.o authfd.o authfile.o bufaux.o bufbn.o buffer.o \
66
	canohost.o channels.o cipher.o cipher-acss.o cipher-aes.o \
68
	canohost.o channels.o cipher.o cipher-acss.o cipher-aes.o \
Lines 88-95 Link Here
88
	loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
90
	loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
89
	audit.o audit-bsm.o platform.o
91
	audit.o audit-bsm.o platform.o
90
92
91
MANPAGES	= scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out sshd_config.5.out ssh_config.5.out
93
MANPAGES	= scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out ssh-vulnkey.1.out sshd_config.5.out ssh_config.5.out
92
MANPAGES_IN	= scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-rand-helper.8 ssh-keysign.8 sshd_config.5 ssh_config.5
94
MANPAGES_IN	= scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-rand-helper.8 ssh-keysign.8 ssh-vulnkey.1 sshd_config.5 ssh_config.5
93
MANTYPE		= @MANTYPE@
95
MANTYPE		= @MANTYPE@
94
96
95
CONFIGFILES=sshd_config.out ssh_config.out moduli.out
97
CONFIGFILES=sshd_config.out ssh_config.out moduli.out
Lines 165-170 Link Here
165
ssh-rand-helper${EXEEXT}: $(LIBCOMPAT) libssh.a ssh-rand-helper.o
167
ssh-rand-helper${EXEEXT}: $(LIBCOMPAT) libssh.a ssh-rand-helper.o
166
	$(LD) -o $@ ssh-rand-helper.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
168
	$(LD) -o $@ ssh-rand-helper.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
167
169
170
ssh-vulnkey$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-vulnkey.o
171
	$(LD) -o $@ ssh-vulnkey.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
172
168
# test driver for the loginrec code - not built by default
173
# test driver for the loginrec code - not built by default
169
logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o
174
logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o
170
	$(LD) -o $@ logintest.o $(LDFLAGS) loginrec.o -lopenbsd-compat -lssh $(LIBS)
175
	$(LD) -o $@ logintest.o $(LDFLAGS) loginrec.o -lopenbsd-compat -lssh $(LIBS)
Lines 264-269 Link Here
264
	$(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign $(DESTDIR)$(SSH_KEYSIGN)
269
	$(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign $(DESTDIR)$(SSH_KEYSIGN)
265
	$(INSTALL) -m 0755 $(STRIP_OPT) sftp $(DESTDIR)$(bindir)/sftp
270
	$(INSTALL) -m 0755 $(STRIP_OPT) sftp $(DESTDIR)$(bindir)/sftp
266
	$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server $(DESTDIR)$(SFTP_SERVER)
271
	$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server $(DESTDIR)$(SFTP_SERVER)
272
	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-vulnkey $(DESTDIR)$(bindir)/ssh-vulnkey
267
	$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
273
	$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
268
	$(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
274
	$(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
269
	$(INSTALL) -m 644 ssh-add.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
275
	$(INSTALL) -m 644 ssh-add.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
Lines 279-284 Link Here
279
	$(INSTALL) -m 644 sftp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/sftp.1
285
	$(INSTALL) -m 644 sftp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/sftp.1
280
	$(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
286
	$(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
281
	$(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
287
	$(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
288
	$(INSTALL) -m 644 ssh-vulnkey.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-vulnkey.1
282
	-rm -f $(DESTDIR)$(bindir)/slogin
289
	-rm -f $(DESTDIR)$(bindir)/slogin
283
	ln -s ./ssh$(EXEEXT) $(DESTDIR)$(bindir)/slogin
290
	ln -s ./ssh$(EXEEXT) $(DESTDIR)$(bindir)/slogin
284
	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
291
	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
Lines 360-365 Link Here
360
	-rm -f $(DESTDIR)$(bindir)/ssh-agent$(EXEEXT)
367
	-rm -f $(DESTDIR)$(bindir)/ssh-agent$(EXEEXT)
361
	-rm -f $(DESTDIR)$(bindir)/ssh-keygen$(EXEEXT)
368
	-rm -f $(DESTDIR)$(bindir)/ssh-keygen$(EXEEXT)
362
	-rm -f $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT)
369
	-rm -f $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT)
370
	-rm -f $(DESTDIR)$(bindir)/ssh-vulnkey$(EXEEXT)
363
	-rm -f $(DESTDIR)$(bindir)/sftp$(EXEEXT)
371
	-rm -f $(DESTDIR)$(bindir)/sftp$(EXEEXT)
364
	-rm -f $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
372
	-rm -f $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
365
	-rm -r $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
373
	-rm -r $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
Lines 372-377 Link Here
372
	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keygen.1
380
	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keygen.1
373
	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/sftp.1
381
	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/sftp.1
374
	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keyscan.1
382
	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keyscan.1
383
	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-vulnkey.1
375
	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8
384
	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8
376
	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-rand-helper.8
385
	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-rand-helper.8
377
	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
386
	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
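Review bot: The install hunk at Lines 264-269 adds the ssh-vulnkey binary and man page, but nothing in these hunks creates `$(DESTDIR)$(SSH_DATADIR)` or installs anything into it, even though `SSH_DATADIR` is now compiled into sshd and ssh-vulnkey as the location of the compromised-key blacklist; unless the install target handles this in a part not shown, a fresh install points both programs at a directory that does not exist and blacklist lookups find nothing without complaint. If the blacklist data is meant to ship in a separate package, a comment next to `SSH_DATADIR=$(datadir)/ssh` saying so would spare the next reader the same question: `# blacklist of compromised keys lives here (see ssh-vulnkey(1)); the data is installed separately, not by this Makefile`. `CONFIGFILES` is also unchanged, so no template for the `_PATH_BLACKLIST_CONFIG` file is installed, which is fine if that file is optional but is worth stating in the same comment.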
