authorDamien Miller <djm@cvs.openbsd.org>2014-01-09 23:26:49 +0000
committerDamien Miller <djm@cvs.openbsd.org>2014-01-09 23:26:49 +0000
commit7c68ceaf0717757c28f18d1d70de81588655168f (patch)
tree2f64b4e18bcedc6480e3bc9b0acca9710e638a00 /usr.bin/ssh/sshd.c
parent3c69bcd01bec3c42c28c5b015a38895efe3392df (diff)
ban clients/servers that suffer from SSH_BUG_DERIVEKEY, they are ancient,
deranged and might make some attacks on KEX easier; ok markus@
Diffstat (limited to 'usr.bin/ssh/sshd.c')
-rw-r--r--usr.bin/ssh/sshd.c9
1 files changed, 7 insertions, 2 deletions
diff --git a/usr.bin/ssh/sshd.c b/usr.bin/ssh/sshd.c
index b4fd3478dbc..658e79eb1ca 100644
--- a/usr.bin/ssh/sshd.c
+++ b/usr.bin/ssh/sshd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshd.c,v 1.413 2013/12/30 23:52:28 djm Exp $ */
+/* $OpenBSD: sshd.c,v 1.414 2014/01/09 23:26:48 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -481,9 +481,14 @@ sshd_exchange_identification(int sock_in, int sock_out)
get_remote_ipaddr(), client_version_string);
cleanup_exit(255);
}
- if ((datafellows & SSH_BUG_RSASIGMD5) != 0)
+ if ((datafellows & SSH_BUG_RSASIGMD5) != 0) {
logit("Client version \"%.100s\" uses unsafe RSA signature "
"scheme; disabling use of RSA keys", remote_version);
+ }
+ if ((datafellows & SSH_BUG_DERIVEKEY) != 0) {
+ fatal("Client version \"%.100s\" uses unsafe key agreement; "
+ "refusing connection", remote_version);
+ }
mismatch = 0;
switch (remote_major) {