author | An-Cheng Huang <ancheng@vyatta.com> | 2008-10-13 15:30:52 -0700 |
committer | An-Cheng Huang <ancheng@vyatta.com> | 2008-10-13 15:30:52 -0700 |
commit | 22b1e03e3b042e1899ef31d9759f88c87a3ab58e (patch) | |
tree | 280e46052c9317fcf9413a26ce8282da4f249482 | |
parent | 87e65021f2a105070cd44578a3d91bef8da2b8e1 (diff) | |
download | vyatta-cfg-system-22b1e03e3b042e1899ef31d9759f88c87a3ab58e.tar.gz vyatta-cfg-system-22b1e03e3b042e1899ef31d9759f88c87a3ab58e.zip |
add ssh key blacklists
-rw-r--r-- | Makefile.am | 2 | ||||
-rw-r--r-- | debian/control | 3 | ||||
-rw-r--r-- | debian/vyatta-cfg-system.postinst.in | 16 | ||||
-rw-r--r-- | sysconf/blacklist.DSA-1024 | 21 | ||||
-rw-r--r-- | sysconf/blacklist.RSA-2048 | 21 |
5 files changed, 62 insertions, 1 deletions
diff --git a/Makefile.am b/Makefile.am
index 9e66286c..a018961f 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -48,6 +48,8 @@ sysconf_DATA += sysconf/motd.tail
 sysconf_DATA += sysconf/syslog.conf
 sysconf_DATA += sysconf/default_ssh
 sysconf_DATA += sysconf/vyatta-sysctl.conf
+sysconf_DATA += sysconf/blacklist.DSA-1024
+sysconf_DATA += sysconf/blacklist.RSA-2048
 libudev_SCRIPTS = scripts/vyatta_net_name
 etcudev_DATA = sysconf/vyatta-net.rules
diff --git a/debian/control b/debian/control
index 89b55bbe..2094387a 100644
--- a/debian/control
+++ b/debian/control
@@ -24,7 +24,8 @@ Depends: sed (>= 4.1.5),
 snmpd,
 vyatta-keepalived,
 bridge-utils,
- ssh,
+ ssh (>= 5.1p1-3),
+ openssh-server (>= 5.1p1-3),
 ed,
 tshark,
 ifenslave-2.6,
diff --git a/debian/vyatta-cfg-system.postinst.in b/debian/vyatta-cfg-system.postinst.in
index 6e5fa735..26ae9a02 100644
--- a/debian/vyatta-cfg-system.postinst.in
+++ b/debian/vyatta-cfg-system.postinst.in
@@ -66,6 +66,20 @@ EOF
 %users ALL=NOPASSWD: ${bindir}/sudo-users/
 ### END VYATTA
 EOF
+
+ # set up blacklists
+ for f in blacklist.DSA-1024 blacklist.RSA-2048; do
+ if [ -r "/etc/ssh/$f" ]; then
+ l=$(head -1 $sysconfdir/$f)
+ if ! grep -q "$l" /etc/ssh/$f; then
+ tmp=$(mktemp /tmp/bl.XXXXXXXXXX)
+ cat /etc/ssh/$f $sysconfdir/$f | sort >$tmp
+ mv $tmp /etc/ssh/$f
+ fi
+ else
+ cp $sysconfdir/$f /etc/ssh/$f
+ fi
+ done
 fi
 # update crontab for logrotate
@@ -87,6 +101,8 @@ fi
 sed -i 's/^set /builtin set /' /etc/bash_completion
+/usr/sbin/dpkg-reconfigure -f noninteractive openssh-server
+
 # Fix up PAM configuration for login so that invalid users are prompted
 # for password
 sed -i 's/requisite[ \t][ \t]*pam_securetty.so/required pam_securetty.so/' $rootfsdir/etc/pam.d/login
diff --git a/sysconf/blacklist.DSA-1024 b/sysconf/blacklist.DSA-1024
new file mode 100644
index 00000000..74ecaf53
--- /dev/null
+++ b/sysconf/blacklist.DSA-1024
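Review bot: The merged blacklist is written with the wrong permissions and can silently accumulate duplicates: `mktemp /tmp/bl.XXXXXXXXXX` creates the temp file mode 0600 and `mv` carries that mode onto `/etc/ssh/$f`, so after the first merge the file is readable only by root, whereas the `cp` branch keeps the shipped file's mode — if anything other than sshd itself (e.g. a user-invoked key checker) reads these files, the two install paths will behave differently. The "already merged" test only checks that the first fingerprint of the shipped file is present, so an updated shipped list whose first line is unchanged is never merged, and whenever it is merged, plain `sort` keeps duplicate lines; `LC_ALL=C sort -u` over both files makes the head/grep heuristic unnecessary, is idempotent, and keeps the byte order a binary-search consumer would need (presumably ssh-vulnkey/sshd here — confirm). The `$sysconfdir/$f` and `/etc/ssh/$f` expansions should also be quoted. The `if` that this loop sits inside starts and closes (`fi`) outside the hunk.
```shell
 # set up blacklists: merge the shipped fingerprints into any existing copy.
 # sort -u in the C locale keeps the file byte-ordered and duplicate-free,
 # so re-running this after a blacklist update is harmless.
 for f in blacklist.DSA-1024 blacklist.RSA-2048; do
   if [ -r "/etc/ssh/$f" ]; then
     tmp=$(mktemp "/etc/ssh/.$f.XXXXXXXXXX") || exit 1
     LC_ALL=C sort -u "/etc/ssh/$f" "$sysconfdir/$f" >"$tmp"
     chmod 0644 "$tmp"
     mv -f "$tmp" "/etc/ssh/$f"
   else
     install -m 0644 "$sysconfdir/$f" "/etc/ssh/$f"
   fi
 done
```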
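Review bot: `/usr/sbin/dpkg-reconfigure -f noninteractive openssh-server` runs unconditionally on every invocation of this postinst, after the `fi` that closes the block the blacklist merge lives in, so it also fires when nothing about the blacklists changed and — unless the script is already restricted to the `configure` action higher up, which the hunk does not show — during the abort-upgrade/abort-remove calls as well. Nothing in the hunk says why another package is being reconfigured here; presumably it is to make openssh-server's own postinst re-check the host keys against the merged blacklists, and if so that belongs in a comment such as `# re-run openssh-server's configure step so it re-checks host keys against the updated blacklists`. If the surrounding script runs under `set -e` (not visible here), a non-zero exit from dpkg-reconfigure fails this package's configuration; decide whether that is intended and either guard it with `[ "$1" = configure ] &&` or append `|| true` with a comment.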
@@ -0,0 +1,21 @@
+01e53715431bcae79677
+036a4048556eb8092113
+0db19fcc95efc89d2173
+22da67b6aafc3df124f3
+2307b2e9769c6b66857c
+3c13948cb606c6041284
+4218a1912ef9941a0881
+4582eff4cf42af0b19f0
+54f103cd4fbc7b08c8e2
+6d56bcebc8bb9d30ecd9
+83848247dbabf6135644
+8e730ef49b321946e7aa
+96a4f81de014a53e1890
+9adab16d72364f6032f7
+9b25df69798b447fd5ee
+9d5e4438920babd3030e
+a1eeb08f514492069e51
+d63657291b4d940a9a47
+db3101e70b8ef04ad4fe
+dd71e503f1a8319e3caf
+f407f33616b53f79c1b8
diff --git a/sysconf/blacklist.RSA-2048 b/sysconf/blacklist.RSA-2048
new file mode 100644
index 00000000..0cb0d489
--- /dev/null
+++ b/sysconf/blacklist.RSA-2048
@@ -0,0 +1,21 @@
+0a47235c3142262b3b90
+1899b9c1f6346576a66e
+20059ae36e5ac97fc3b2
+2487f28e692f45affa43
+4394e40d532aef252906
+440ea42b848111613a48
+46a6daa5036020063340
+52287579c05c0e45c57e
+52cec5c2a10c09661389
+6b3446654ce7e07da10d
+768e7f724aeb0cf86814
+84d1e68fda77b8fe88bf
+b0e10f3cfca7ac4aba50
+b8570f784995af2fa6b8
+bcdc020d5e8e6a61345a
+c3e94aed4f1d75569eab
+c5d8c5731f3fa668ffae
+d9deed191624c2472978
+e66c42ba8e40c8501106
+ea93328c2d72642a5d59
+f954c671c9c639f8a375 |