From 3529bdf5b65016cea331f8ba6e7293c7eea9e6ce Mon Sep 17 00:00:00 2001 From: An-Cheng Huang Date: Mon, 13 Oct 2008 15:31:26 -0700 Subject: add ssh key blacklists --- Makefile.am | 2 ++ debian/control | 3 ++- debian/vyatta-cfg-system.postinst.in | 16 ++++++++++++++++ sysconf/blacklist.DSA-1024 | 21 +++++++++++++++++++++ sysconf/blacklist.RSA-2048 | 21 +++++++++++++++++++++ 5 files changed, 62 insertions(+), 1 deletion(-) create mode 100644 sysconf/blacklist.DSA-1024 create mode 100644 sysconf/blacklist.RSA-2048 diff --git a/Makefile.am b/Makefile.am index 576be4be..7f148153 100644 --- a/Makefile.am +++ b/Makefile.am @@ -44,6 +44,8 @@ sysconf_DATA += sysconf/motd.tail sysconf_DATA += sysconf/syslog.conf sysconf_DATA += sysconf/default_ssh sysconf_DATA += sysconf/vyatta-sysctl.conf +sysconf_DATA += sysconf/blacklist.DSA-1024 +sysconf_DATA += sysconf/blacklist.RSA-2048 libudev_SCRIPTS = scripts/vyatta_net_name etcudev_DATA = sysconf/vyatta-net.rules diff --git a/debian/control b/debian/control index 4b5692bb..877ee68c 100644 --- a/debian/control +++ b/debian/control @@ -24,7 +24,8 @@ Depends: sed (>= 4.1.5), snmpd, vyatta-keepalived, bridge-utils, - ssh, + ssh (>= 5.1p1-3), + openssh-server (>= 5.1p1-3), ed, tshark, iputils-arping diff --git a/debian/vyatta-cfg-system.postinst.in b/debian/vyatta-cfg-system.postinst.in index 0dd6248f..fe50fa79 100644 --- a/debian/vyatta-cfg-system.postinst.in +++ b/debian/vyatta-cfg-system.postinst.in @@ -66,6 +66,20 @@ EOF %users ALL=NOPASSWD: ${bindir}/sudo-users/ ### END VYATTA EOF + + # set up blacklists + for f in blacklist.DSA-1024 blacklist.RSA-2048; do + if [ -r "/etc/ssh/$f" ]; then + l=$(head -1 $sysconfdir/$f) + if ! grep -q "$l" /etc/ssh/$f; then + tmp=$(mktemp /tmp/bl.XXXXXXXXXX) + cat /etc/ssh/$f $sysconfdir/$f | sort >$tmp + mv $tmp /etc/ssh/$f + fi + else + cp $sysconfdir/$f /etc/ssh/$f + fi + done fi # update crontab for logrotate 
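Review bot: In the merge branch of the blacklist loop, `mv $tmp /etc/ssh/$f` replaces the installed blacklist with a file that mktemp created mode 0600, so after the first merge `/etc/ssh/blacklist.*` is readable only by root (the `cp` branch, by contrast, leaves the usual umask-derived mode) — assuming the ssh package ships these lists world-readable, any non-root blacklist lookup would then fail. The merge should also dedupe and not proceed with an empty `$tmp` if mktemp fails: `tmp=$(mktemp /tmp/bl.XXXXXXXXXX) || exit 1`, `sort -u "/etc/ssh/$f" "$sysconfdir/$f" >"$tmp" && chmod 0644 "$tmp"`, then `mv "$tmp" "/etc/ssh/$f"`. The presence check `grep -q "$l" /etc/ssh/$f` uses the first fingerprint line as an unanchored regex; `grep -qFx -- "$l"` matches it as a whole literal line and cannot be confused by a leading `-`. The `if` that this loop sits inside opens before the hunk.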
@@ -87,6 +101,8 @@ fi sed -i 's/^set /builtin set /' /etc/bash_completion +/usr/sbin/dpkg-reconfigure -f noninteractive openssh-server + # Local Variables: # mode: shell-script # sh-indentation: 4 diff --git a/sysconf/blacklist.DSA-1024 b/sysconf/blacklist.DSA-1024 new file mode 100644 index 00000000..74ecaf53 --- /dev/null +++ b/sysconf/blacklist.DSA-1024 @@ -0,0 +1,21 @@ +01e53715431bcae79677 +036a4048556eb8092113 +0db19fcc95efc89d2173 +22da67b6aafc3df124f3 +2307b2e9769c6b66857c +3c13948cb606c6041284 +4218a1912ef9941a0881 +4582eff4cf42af0b19f0 +54f103cd4fbc7b08c8e2 +6d56bcebc8bb9d30ecd9 +83848247dbabf6135644 +8e730ef49b321946e7aa +96a4f81de014a53e1890 +9adab16d72364f6032f7 +9b25df69798b447fd5ee +9d5e4438920babd3030e +a1eeb08f514492069e51 +d63657291b4d940a9a47 +db3101e70b8ef04ad4fe +dd71e503f1a8319e3caf +f407f33616b53f79c1b8 diff --git a/sysconf/blacklist.RSA-2048 b/sysconf/blacklist.RSA-2048 new file mode 100644 index 00000000..0cb0d489 --- /dev/null +++ b/sysconf/blacklist.RSA-2048 @@ -0,0 +1,21 @@ +0a47235c3142262b3b90 +1899b9c1f6346576a66e +20059ae36e5ac97fc3b2 +2487f28e692f45affa43 +4394e40d532aef252906 +440ea42b848111613a48 +46a6daa5036020063340 +52287579c05c0e45c57e +52cec5c2a10c09661389 +6b3446654ce7e07da10d +768e7f724aeb0cf86814 +84d1e68fda77b8fe88bf +b0e10f3cfca7ac4aba50 +b8570f784995af2fa6b8 +bcdc020d5e8e6a61345a +c3e94aed4f1d75569eab +c5d8c5731f3fa668ffae +d9deed191624c2472978 +e66c42ba8e40c8501106 +ea93328c2d72642a5d59 +f954c671c9c639f8a375 -- cgit v1.2.3 From 1ae422b13aac7ae6d9c412ae0f392f465d7537af Mon Sep 17 00:00:00 2001 From: An-Cheng Huang Date: Mon, 13 Oct 2008 16:11:08 -0700 Subject: use epoch in package version number --- debian/control | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/debian/control b/debian/control index 877ee68c..2888d0e3 100644 --- a/debian/control +++ b/debian/control 
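Review bot: The added `/usr/sbin/dpkg-reconfigure -f noninteractive openssh-server` gives no hint why another package's configure step is re-run from this postinst, and its exit status is ignored, so a failure there is silent. A one-line why-comment would help the next maintainer, e.g. `# re-run openssh-server's configure step now that the blacklists above are in place — TODO confirm this is the intent`, and the call should at least report failure on stderr rather than continuing quietly. The surrounding postinst logic is outside the hunk.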
@@ -24,8 +24,8 @@ Depends: sed (>= 4.1.5), snmpd, vyatta-keepalived, bridge-utils, - ssh (>= 5.1p1-3), - openssh-server (>= 5.1p1-3), + ssh (>= 1:5.1p1-3), + openssh-server (>= 1:5.1p1-3), ed, tshark, iputils-arping -- cgit v1.2.3 From 81c8c9f28dff67e7ff3208278790f3381bc879dc Mon Sep 17 00:00:00 2001 From: An-Cheng Huang Date: Mon, 13 Oct 2008 19:09:41 -0700 Subject: remove unused files --- debian/vyatta-cfg-system.postinst.in | 2 ++ 1 file changed, 2 insertions(+) diff --git a/debian/vyatta-cfg-system.postinst.in b/debian/vyatta-cfg-system.postinst.in index fe50fa79..b484c2a1 100644 --- a/debian/vyatta-cfg-system.postinst.in +++ b/debian/vyatta-cfg-system.postinst.in @@ -102,6 +102,8 @@ fi sed -i 's/^set /builtin set /' /etc/bash_completion /usr/sbin/dpkg-reconfigure -f noninteractive openssh-server +rm -f /etc/ssh/*.broken +update-rc.d -f ssh remove >/dev/null # Local Variables: # mode: shell-script -- cgit v1.2.3 From 1fa9bf825f3dfa51a71d87ffb08a64ad52dde61a Mon Sep 17 00:00:00 2001 From: Robert Bays Date: Mon, 13 Oct 2008 13:30:16 -0400 Subject: fix ssh keygen on startup --- scripts/rl-system.init | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/scripts/rl-system.init b/scripts/rl-system.init index 23d67d12..36a4f64f 100755 --- a/scripts/rl-system.init +++ b/scripts/rl-system.init 
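Review bot: `update-rc.d -f ssh remove >/dev/null` disables the stock ssh init links, which is a service-startup change rather than the "remove unused files" the commit describes, and nothing in the hunk says who starts sshd instead (the rl-system.init change in the next commit generates host keys, which suggests the Vyatta init path does, but that is not visible here). A comment such as `# sshd is started by the Vyatta init path, not the stock init links — TODO confirm` would record the intent, and only stdout is discarded while stderr and the exit status go unchecked. `rm -f /etc/ssh/*.broken` is harmless when nothing matches since the literal pattern just fails to exist.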
@@ -134,8 +134,25 @@ udev_rescan () done } +create_ssh_host_keys () { + if [ ! -f "/etc/ssh/ssh_host_rsa_key" ]; then + syslog "Creating ssh v2 rsa host key." + ssh-keygen -q -N '' -t rsa -f /etc/ssh/ssh_host_rsa_key + fi; + if [ ! -f "/etc/ssh/ssh_host_dsa_key" ]; then + syslog "Creating ssh v2 dsa host key." + ssh-keygen -q -N '' -t dsa -f /etc/ssh/ssh_host_dsa_key + fi; + if [ ! -f "/etc/ssh/ssh_host_key" ]; then + syslog "Creating ssh v1 host key." + ssh-keygen -q -N '' -t rsa1 -f /etc/ssh/ssh_host_key + fi; +} + start () { udev_rescan + create_ssh_host_keys || \ + log_failure_msg "can't initialize ssh host keys" clear_or_override_config_files || \ log_failure_msg "can\'t reset config files" set_reboot_on_panic || \ -- cgit v1.2.3 From ec928267b1e61e7a957515ad553bd171baf2d651 Mon Sep 17 00:00:00 2001 From: Mark O'Brien Date: Tue, 14 Oct 2008 17:30:18 -0700 Subject: 3.1.4 --- debian/changelog | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/debian/changelog b/debian/changelog index 803fdb87..28c93bf7 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,21 @@ +vyatta-cfg-system (0.14) unstable; urgency=low + + 3.1.4 + [ Mark O'Brien ] + + + [ Robert Bays ] + * fix ssh keygen on startup + + [ An-Cheng Huang ] + * remove unused files + * use epoch in package version number + * add ssh key blacklists + + [ Mark O'Brien ] + + -- Mark O'Brien Tue, 14 Oct 2008 17:30:18 -0700 + vyatta-cfg-system (0.13) unstable; urgency=low 3.1.3 -- cgit v1.2.3
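Review bot: `create_ssh_host_keys || log_failure_msg ...` in start() only sees the status of the function's last command, so a failed `ssh-keygen` for the rsa or dsa key is masked whenever a later `if` runs, because a false `[ ! -f ... ]` test itself returns 0; append `|| return 1` to each of the three `ssh-keygen` lines, e.g. `ssh-keygen -q -N '' -t rsa -f /etc/ssh/ssh_host_rsa_key || return 1`. The `-t rsa1` branch creates a protocol-1 host key, which sshd only uses when protocol 1 is enabled in sshd_config (not shown on this page); a comment stating why it is generated, or dropping it if protocol 1 is not served, keeps the key set to what the daemon actually uses. The `;` after each `fi` is redundant. start() continues beyond the hunk.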