authorAn-Cheng Huang <ancheng@vyatta.com>2008-10-13 15:30:52 -0700
committerAn-Cheng Huang <ancheng@vyatta.com>2008-10-13 15:30:52 -0700
commit22b1e03e3b042e1899ef31d9759f88c87a3ab58e (patch)
tree280e46052c9317fcf9413a26ce8282da4f249482
parent87e65021f2a105070cd44578a3d91bef8da2b8e1 (diff)
add ssh key blacklists
-rw-r--r--Makefile.am2
-rw-r--r--debian/control3
-rw-r--r--debian/vyatta-cfg-system.postinst.in16
-rw-r--r--sysconf/blacklist.DSA-102421
-rw-r--r--sysconf/blacklist.RSA-204821
5 files changed, 62 insertions, 1 deletions
diff --git a/Makefile.am b/Makefile.am
index 9e66286c..a018961f 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -48,6 +48,8 @@ sysconf_DATA += sysconf/motd.tail
sysconf_DATA += sysconf/syslog.conf
sysconf_DATA += sysconf/default_ssh
sysconf_DATA += sysconf/vyatta-sysctl.conf
+sysconf_DATA += sysconf/blacklist.DSA-1024
+sysconf_DATA += sysconf/blacklist.RSA-2048
libudev_SCRIPTS = scripts/vyatta_net_name
etcudev_DATA = sysconf/vyatta-net.rules
diff --git a/debian/control b/debian/control
index 89b55bbe..2094387a 100644
--- a/debian/control
+++ b/debian/control
@@ -24,7 +24,8 @@ Depends: sed (>= 4.1.5),
snmpd,
vyatta-keepalived,
bridge-utils,
- ssh,
+ ssh (>= 5.1p1-3),
+ openssh-server (>= 5.1p1-3),
ed,
tshark,
ifenslave-2.6,
diff --git a/debian/vyatta-cfg-system.postinst.in b/debian/vyatta-cfg-system.postinst.in
index 6e5fa735..26ae9a02 100644
--- a/debian/vyatta-cfg-system.postinst.in
+++ b/debian/vyatta-cfg-system.postinst.in
@@ -66,6 +66,20 @@ EOF
%users ALL=NOPASSWD: ${bindir}/sudo-users/
### END VYATTA
EOF
+
+ # set up blacklists
+ for f in blacklist.DSA-1024 blacklist.RSA-2048; do
+ if [ -r "/etc/ssh/$f" ]; then
+ l=$(head -1 $sysconfdir/$f)
+ if ! grep -q "$l" /etc/ssh/$f; then
+ tmp=$(mktemp /tmp/bl.XXXXXXXXXX)
+ cat /etc/ssh/$f $sysconfdir/$f | sort >$tmp
+ mv $tmp /etc/ssh/$f
+ fi
+ else
+ cp $sysconfdir/$f /etc/ssh/$f
+ fi
+ done
fi
# update crontab for logrotate
@@ -87,6 +101,8 @@ fi
sed -i 's/^set /builtin set /' /etc/bash_completion
+/usr/sbin/dpkg-reconfigure -f noninteractive openssh-server
+
# Fix up PAM configuration for login so that invalid users are prompted
# for password
sed -i 's/requisite[ \t][ \t]*pam_securetty.so/required pam_securetty.so/' $rootfsdir/etc/pam.d/login
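Review bot: In the first hunk of this file, the merge branch writes the combined blacklist through `mktemp`, which creates the temporary file mode 0600, and `mv` keeps that mode (a rename when /tmp is on the same filesystem), so after a merge `/etc/ssh/blacklist.*` is root-only while the `cp` branch leaves it at the umask default; add `chmod 0644 "$tmp"` before the `mv` so both paths produce the same readable file, since the blacklist is presumably consulted by unprivileged ssh clients as well. The presence test only checks the first shipped fingerprint, so a partial overlap still gets merged and plain `sort` then keeps duplicates; `sort -u` avoids that, and `grep -qFx --` makes the test an exact-line match instead of a substring/regex match. Every `$sysconfdir/$f` and `$tmp` expansion is unquoted, which is harmless for these names but worth fixing while the block is touched. The loop sits inside an `if` whose opening is outside the hunk.
```shell
  # set up blacklists
  for f in blacklist.DSA-1024 blacklist.RSA-2048; do
    if [ -r "/etc/ssh/$f" ]; then
      l=$(head -1 "$sysconfdir/$f")
      if ! grep -qFx -- "$l" "/etc/ssh/$f"; then
        tmp=$(mktemp /tmp/bl.XXXXXXXXXX)
        cat "/etc/ssh/$f" "$sysconfdir/$f" | sort -u >"$tmp"
        # mktemp creates the file 0600; match the mode the cp branch produces
        chmod 0644 "$tmp"
        mv "$tmp" "/etc/ssh/$f"
      fi
    else
      cp "$sysconfdir/$f" "/etc/ssh/$f"
    fi
  done
```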
diff --git a/sysconf/blacklist.DSA-1024 b/sysconf/blacklist.DSA-1024
new file mode 100644
index 00000000..74ecaf53
--- /dev/null
+++ b/sysconf/blacklist.DSA-1024
@@ -0,0 +1,21 @@
+01e53715431bcae79677
+036a4048556eb8092113
+0db19fcc95efc89d2173
+22da67b6aafc3df124f3
+2307b2e9769c6b66857c
+3c13948cb606c6041284
+4218a1912ef9941a0881
+4582eff4cf42af0b19f0
+54f103cd4fbc7b08c8e2
+6d56bcebc8bb9d30ecd9
+83848247dbabf6135644
+8e730ef49b321946e7aa
+96a4f81de014a53e1890
+9adab16d72364f6032f7
+9b25df69798b447fd5ee
+9d5e4438920babd3030e
+a1eeb08f514492069e51
+d63657291b4d940a9a47
+db3101e70b8ef04ad4fe
+dd71e503f1a8319e3caf
+f407f33616b53f79c1b8
diff --git a/sysconf/blacklist.RSA-2048 b/sysconf/blacklist.RSA-2048
new file mode 100644
index 00000000..0cb0d489
--- /dev/null
+++ b/sysconf/blacklist.RSA-2048
@@ -0,0 +1,21 @@
+0a47235c3142262b3b90
+1899b9c1f6346576a66e
+20059ae36e5ac97fc3b2
+2487f28e692f45affa43
+4394e40d532aef252906
+440ea42b848111613a48
+46a6daa5036020063340
+52287579c05c0e45c57e
+52cec5c2a10c09661389
+6b3446654ce7e07da10d
+768e7f724aeb0cf86814
+84d1e68fda77b8fe88bf
+b0e10f3cfca7ac4aba50
+b8570f784995af2fa6b8
+bcdc020d5e8e6a61345a
+c3e94aed4f1d75569eab
+c5d8c5731f3fa668ffae
+d9deed191624c2472978
+e66c42ba8e40c8501106
+ea93328c2d72642a5d59
+f954c671c9c639f8a375