+++ /dev/null
-This patch is against OpenSSH 4.7p1, although should apply to other versions
-without too much difficulty. It makes the following changes:
-
- * Add key blacklisting support. Keys listed in
- /etc/ssh/blacklist.TYPE-LENGTH will be rejected for authentication by
- sshd, unless "PermitBlacklistedKeys yes" is set in /etc/ssh/sshd_config.
-
- * Add a new program, ssh-vulnkey, which can be used to check keys against
- these blacklists.
-
-This patch is up to date with respect to Debian openssh 1:4.7p1-10.
-
---- openssh-4.7p1.orig/sshd_config.5
-+++ openssh-4.7p1/sshd_config.5
-@@ -615,6 +615,20 @@
- Specifies whether password authentication is allowed.
- The default is
- .Dq yes .
-+.It Cm PermitBlacklistedKeys
-+Specifies whether
-+.Xr sshd 8
-+should allow keys recorded in its blacklist of known-compromised keys (see
-+.Xr ssh-vulnkey 1 ) .
-+If
-+.Dq yes ,
-+then attempts to authenticate with compromised keys will be logged but
-+accepted.
-+If
-+.Dq no ,
-+then attempts to authenticate with compromised keys will be rejected.
-+The default is
-+.Dq no .
- .It Cm PermitEmptyPasswords
- When password authentication is allowed, it specifies whether the
- server allows login to accounts with empty password strings.
---- openssh-4.7p1.orig/sshd.c
-+++ openssh-4.7p1/sshd.c
-@@ -1466,6 +1466,21 @@
-
- for (i = 0; i < options.num_host_key_files; i++) {
- key = key_load_private(options.host_key_files[i], "", NULL);
-+ if (key && blacklisted_key(key)) {
-+ char *fp;
-+ fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
-+ if (options.permit_blacklisted_keys)
-+ error("Host key %s blacklisted (see "
-+ "ssh-vulnkey(1)); continuing anyway", fp);
-+ else
-+ error("Host key %s blacklisted (see "
-+ "ssh-vulnkey(1))", fp);
-+ free(fp);
-+ if (!options.permit_blacklisted_keys) {
-+ sensitive_data.host_keys[i] = NULL;
-+ continue;
-+ }
-+ }
- pubkey = key_load_public(options.host_key_files[i], NULL);
- sensitive_data.host_keys[i] = key;
- sensitive_data.host_pubkeys[i] = pubkey;
---- openssh-4.7p1.orig/servconf.c
-+++ openssh-4.7p1/servconf.c
-@@ -96,6 +96,7 @@
- options->password_authentication = -1;
- options->kbd_interactive_authentication = -1;
- options->challenge_response_authentication = -1;
-+ options->permit_blacklisted_keys = -1;
- options->permit_empty_passwd = -1;
- options->permit_user_env = -1;
- options->use_login = -1;
-@@ -218,6 +219,8 @@
- options->kbd_interactive_authentication = 0;
- if (options->challenge_response_authentication == -1)
- options->challenge_response_authentication = 1;
-+ if (options->permit_blacklisted_keys == -1)
-+ options->permit_blacklisted_keys = 0;
- if (options->permit_empty_passwd == -1)
- options->permit_empty_passwd = 0;
- if (options->permit_user_env == -1)
-@@ -287,7 +290,7 @@
- sListenAddress, sAddressFamily,
- sPrintMotd, sPrintLastLog, sIgnoreRhosts,
- sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
-- sStrictModes, sEmptyPasswd, sTCPKeepAlive,
-+ sStrictModes, sPermitBlacklistedKeys, sEmptyPasswd, sTCPKeepAlive,
- sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
- sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
- sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
-@@ -387,6 +390,7 @@
- { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
- { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
- { "strictmodes", sStrictModes, SSHCFG_GLOBAL },
-+ { "permitblacklistedkeys", sPermitBlacklistedKeys, SSHCFG_GLOBAL },
- { "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL },
- { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL },
- { "uselogin", sUseLogin, SSHCFG_GLOBAL },
-@@ -943,6 +947,10 @@
- intptr = &options->tcp_keep_alive;
- goto parse_flag;
-
-+ case sPermitBlacklistedKeys:
-+ intptr = &options->permit_blacklisted_keys;
-+ goto parse_flag;
-+
- case sEmptyPasswd:
- intptr = &options->permit_empty_passwd;
- goto parse_flag;
---- openssh-4.7p1.orig/servconf.h
-+++ openssh-4.7p1/servconf.h
-@@ -94,6 +94,7 @@
- * authentication. /
- int kbd_interactive_authentication; /* If true, permit */
- int challenge_response_authentication;
-+ int permit_blacklisted_keys; /* If true, permit */
- int zero_knowledge_password_authentication;
- /* If true, permit jpake auth */
- int permit_empty_passwd; /* If false, do not permit empty
---- openssh-4.7p1.orig/Makefile.in
-+++ openssh-4.7p1/Makefile.in
-@@ -62,7 +62,7 @@
- INSTALL_SSH_PRNG_CMDS=@INSTALL_SSH_PRNG_CMDS@
- INSTALL_SSH_RAND_HELPER=@INSTALL_SSH_RAND_HELPER@
-
--TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT)
-+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-vulnkey$(EXEEXT)
-
- LIBSSH_OBJS=acss.o authfd.o authfile.o bufaux.o bufbn.o buffer.o \
- canohost.o channels.o cipher.o cipher-acss.o cipher-aes.o \
-@@ -93,8 +93,8 @@
- audit.o audit-bsm.o platform.o sftp-server.o sftp-common.o \
- roaming_common.o roaming_serv.o ldapauth.o
-
--MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out ssh-ldap-helper.8.out sshd_config.5.out ssh_config.5.out ssh-ldap.conf.5.out
--MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 ssh-ldap-helper.8 sshd_config.5 ssh_config.5 ssh-ldap.conf.5
-+MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out ssh-ldap-helper.8.out sshd_config.5.out ssh_config.5.out ssh-ldap.conf.5.out ssh-vulnkey.1.out
-+MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 ssh-ldap-helper.8 sshd_config.5 ssh_config.5 ssh-ldap.conf.5 ssh-vulnkey.1
- MANTYPE = @MANTYPE@
-
- CONFIGFILES=sshd_config.out ssh_config.out moduli.out
-@@ -165,6 +165,9 @@
- ssh-rand-helper${EXEEXT}: $(LIBCOMPAT) libssh.a ssh-rand-helper.o
- $(LD) -o $@ ssh-rand-helper.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
-
-+ssh-vulnkey$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-vulnkey.o
-+ $(LD) -o $@ ssh-vulnkey.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
-+
- # test driver for the loginrec code - not built by default
- logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o
- $(LD) -o $@ logintest.o $(LDFLAGS) loginrec.o -lopenbsd-compat -lssh $(LIBS)
-@@ -271,6 +274,7 @@
- $(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
- $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
- $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
-+ $(INSTALL) -m 0755 $(STRIP_OPT) ssh-vulnkey$(EXEEXT) $(DESTDIR)$(bindir)/ssh-vulnkey$(EXEEXT)
- $(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
- $(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
- $(INSTALL) -m 644 ssh-add.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
-@@ -289,6 +293,7 @@
- $(INSTALL) -m 644 sftp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/sftp.1
- $(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
- $(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
-+ $(INSTALL) -m 644 ssh-vulnkey.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-vulnkey.1
- $(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
- -rm -f $(DESTDIR)$(bindir)/slogin
- ln -s ./ssh$(EXEEXT) $(DESTDIR)$(bindir)/slogin
-@@ -361,6 +366,7 @@
- -rm -f $(DESTDIR)$(bindir)/ssh-agent$(EXEEXT)
- -rm -f $(DESTDIR)$(bindir)/ssh-keygen$(EXEEXT)
- -rm -f $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT)
-+ -rm -f $(DESTDIR)$(bindir)/ssh-vulnkey$(EXEEXT)
- -rm -f $(DESTDIR)$(bindir)/sftp$(EXEEXT)
- -rm -f $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
- -rm -r $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
-@@ -373,6 +379,7 @@
- -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keygen.1
- -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/sftp.1
- -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keyscan.1
-+ -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-vulnkey.1
- -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8
- -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-rand-helper.8
- -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
---- openssh-4.7p1.orig/auth-rh-rsa.c
-+++ openssh-4.7p1/auth-rh-rsa.c
-@@ -20,6 +20,7 @@
- #include <pwd.h>
- #include <stdarg.h>
-
-+#include "xmalloc.h"
- #include "packet.h"
- #include "uidswap.h"
- #include "log.h"
-@@ -27,6 +28,7 @@
- #include "servconf.h"
- #include "key.h"
- #include "hostfile.h"
-+#include "authfile.h"
- #include "pathnames.h"
- #include "auth.h"
- #include "canohost.h"
-@@ -42,8 +44,22 @@
- auth_rhosts_rsa_key_allowed(struct passwd *pw, char *cuser, char *chost,
- Key *client_host_key)
- {
-+ char *fp;
- HostStatus host_status;
-
-+ if (blacklisted_key(client_host_key)) {
-+ fp = key_fingerprint(client_host_key, SSH_FP_MD5, SSH_FP_HEX);
-+ if (options.permit_blacklisted_keys)
-+ logit("Public key %s blacklisted (see "
-+ "ssh-vulnkey(1)); continuing anyway", fp);
-+ else
-+ logit("Public key %s blacklisted (see "
-+ "ssh-vulnkey(1))", fp);
-+ free(fp);
-+ if (!options.permit_blacklisted_keys)
-+ return 0;
-+ }
-+
- if (auth_key_is_revoked(client_host_key))
- return 0;
-
---- openssh-4.7p1.orig/authfile.h
-+++ openssh-4.7p1/authfile.h
-@@ -23,4 +23,7 @@
- Key *key_load_private_pem(int, int, const char *, char **);
- int key_perm_ok(int, const char *);
-
-+char *blacklist_filename(const Key *key);
-+int blacklisted_key(const Key *key);
-+
- #endif
---- openssh-4.7p1.orig/ssh-vulnkey.1
-+++ openssh-4.7p1/ssh-vulnkey.1
-@@ -0,0 +1,187 @@
-+.\" Copyright (c) 2008 Canonical Ltd. All rights reserved.
-+.\"
-+.\" Redistribution and use in source and binary forms, with or without
-+.\" modification, are permitted provided that the following conditions
-+.\" are met:
-+.\" 1. Redistributions of source code must retain the above copyright
-+.\" notice, this list of conditions and the following disclaimer.
-+.\" 2. Redistributions in binary form must reproduce the above copyright
-+.\" notice, this list of conditions and the following disclaimer in the
-+.\" documentation and/or other materials provided with the distribution.
-+.\"
-+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
-+.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
-+.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
-+.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
-+.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-+.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-+.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-+.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
-+.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-+.\"
-+.Dd $Mdocdate: May 12 2008 $
-+.Dt SSH-VULNKEY 1
-+.Os
-+.Sh NAME
-+.Nm ssh-vulnkey
-+.Nd check blacklist of compromised keys
-+.Sh SYNOPSIS
-+.Nm
-+.Op Fl q
-+.Ar file ...
-+.Nm
-+.Fl a
-+.Sh DESCRIPTION
-+.Nm
-+checks a key against a blacklist of compromised keys.
-+.Pp
-+A substantial number of keys are known to have been generated using a broken
-+version of OpenSSL distributed by Debian which failed to seed its random
-+number generator correctly.
-+Keys generated using these OpenSSL versions should be assumed to be
-+compromised.
-+This tool may be useful in checking for such keys.
-+.Pp
-+Keys that are compromised cannot be repaired; replacements must be generated
-+using
-+.Xr ssh-keygen 1 .
-+Make sure to update
-+.Pa authorized_keys
-+files on all systems where compromised keys were permitted to authenticate.
-+.Pp
-+The argument list will be interpreted as a list of paths to public key files
-+or
-+.Pa authorized_keys
-+files.
-+If no suitable file is found at a given path,
-+.Nm
-+will append
-+.Pa .pub
-+and retry, in case it was given a private key file.
-+If no files are given as arguments,
-+.Nm
-+will check
-+.Pa ~/.ssh/id_rsa ,
-+.Pa ~/.ssh/id_dsa ,
-+.Pa ~/.ssh/identity ,
-+.Pa ~/.ssh/authorized_keys
-+and
-+.Pa ~/.ssh/authorized_keys2 ,
-+as well as the system's host keys if readable.
-+.Pp
-+If
-+.Dq -
-+is given as an argument,
-+.Nm
-+will read from standard input.
-+This can be used to process output from
-+.Xr ssh-keyscan 1 ,
-+for example:
-+.Pp
-+.Dl $ ssh-keyscan -t rsa remote.example.org | ssh-vulnkey -
-+.Pp
-+.Nm
-+will exit zero if any of the given keys were in the compromised list,
-+otherwise non-zero.
-+.Pp
-+Unless the
-+.Cm PermitBlacklistedKeys
-+option is used,
-+.Xr sshd 8
-+will reject attempts to authenticate with keys in the compromised list.
-+.Pp
-+The options are as follows:
-+.Bl -tag -width Ds
-+.It Fl a
-+Check keys of all users on the system.
-+You will typically need to run
-+.Nm
-+as root to use this option.
-+For each user,
-+.Nm
-+will check
-+.Pa ~/.ssh/id_rsa ,
-+.Pa ~/.ssh/id_dsa ,
-+.Pa ~/.ssh/identity ,
-+.Pa ~/.ssh/authorized_keys
-+and
-+.Pa ~/.ssh/authorized_keys2 .
-+It will also check the system's host keys.
-+.It Fl q
-+Quiet mode.
-+Normally,
-+.Nm
-+outputs the fingerprint of each key scanned, with a description of its
-+status.
-+This option suppresses that output.
-+.El
-+.Sh BLACKLIST FILE FORMAT
-+The blacklist file may start with comments, on lines starting with
-+.Dq # .
-+After these initial comments, it must follow a strict format:
-+.Pp
-+.Bl -bullet -offset indent -compact
-+.It
-+All the lines must be exactly the same length (20 characters followed by a
-+newline) and must be in sorted order.
-+.It
-+Each line must consist of the lower-case hexadecimal MD5 key fingerprint,
-+without colons, and with the first 12 characters removed (that is, the least
-+significant 80 bits of the fingerprint).
-+.El
-+.Pp
-+The key fingerprint may be generated using
-+.Xr ssh-keygen 1 :
-+.Pp
-+.Dl $ ssh-keygen -l -f /path/to/key
-+.Pp
-+This strict format is necessary to allow the blacklist file to be checked
-+quickly, using a binary-search algorithm.
-+.Sh FILES
-+.Bl -tag -width Ds
-+.It Pa ~/.ssh/id_rsa
-+If present, contains the protocol version 2 RSA authentication identity of
-+the user.
-+.It Pa ~/.ssh/id_dsa
-+If present, contains the protocol version 2 DSA authentication identity of
-+the user.
-+.It Pa ~/.ssh/identity
-+If present, contains the protocol version 1 RSA authentication identity of
-+the user.
-+.It Pa ~/.ssh/authorized_keys
-+If present, lists the public keys (RSA/DSA) that can be used for logging in
-+as this user.
-+.It Pa ~/.ssh/authorized_keys2
-+Obsolete name for
-+.Pa ~/.ssh/authorized_keys .
-+This file may still be present on some old systems, but should not be
-+created if it is missing.
-+.It Pa /etc/ssh/ssh_host_rsa_key
-+If present, contains the protocol version 2 RSA identity of the system.
-+.It Pa /etc/ssh/ssh_host_dsa_key
-+If present, contains the protocol version 2 DSA identity of the system.
-+.It Pa /etc/ssh/ssh_host_key
-+If present, contains the protocol version 1 RSA identity of the system.
-+.It Pa /etc/ssh/blacklist. Ns Ar TYPE Ns Pa - Ns Ar LENGTH
-+If present, lists the blacklisted keys of type
-+.Ar TYPE
-+.Pf ( Dq RSA1 ,
-+.Dq RSA ,
-+or
-+.Dq DSA )
-+and bit length
-+.Ar LENGTH .
-+The format of this file is described above.
-+.El
-+.Sh SEE ALSO
-+.Xr ssh-keygen 1 ,
-+.Xr sshd 8
-+.Sh AUTHORS
-+.An -nosplit
-+.An Colin Watson Aq cjwatson@ubuntu.com
-+.Pp
-+Florian Weimer suggested the option to check keys of all users, and the idea
-+of processing
-+.Xr ssh-keyscan 1
-+output.
---- openssh-5.6p1/auth2-hostbased.c~ 2010-08-24 14:10:03.000000000 +0300
-+++ openssh-5.6p1/auth2-hostbased.c 2010-08-24 14:12:10.632553591 +0300
-@@ -40,6 +40,7 @@
- #include "compat.h"
- #include "key.h"
- #include "hostfile.h"
-+#include "authfile.h"
- #include "auth.h"
- #include "canohost.h"
- #ifdef GSSAPI
-@@ -147,6 +148,19 @@
- int len;
- char *fp;
-
-+ if (blacklisted_key(key)) {
-+ fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
-+ if (options.permit_blacklisted_keys)
-+ logit("Public key %s blacklisted (see "
-+ "ssh-vulnkey(1)); continuing anyway", fp);
-+ else
-+ logit("Public key %s blacklisted (see "
-+ "ssh-vulnkey(1))", fp);
-+ free(fp);
-+ if (!options.permit_blacklisted_keys)
-+ return 0;
-+ }
-+
- if (auth_key_is_revoked(key))
- return 0;
-
---- openssh-4.7p1.orig/authfile.c
-+++ openssh-4.7p1/authfile.c
-@@ -65,6 +65,7 @@
- #include "rsa.h"
- #include "misc.h"
- #include "atomicio.h"
-+#include "pathnames.h"
-
- /* Version identification string for SSH v1 identity files. */
- static const char authfile_id_string[] =
-@@ -677,3 +678,113 @@
- return ret;
- }
-
-+
-+char *
-+blacklist_filename(const Key *key)
-+{
-+ char *name;
-+
-+ xasprintf(&name, "%s.%s-%u",
-+ _PATH_BLACKLIST, key_type(key), key_size(key));
-+ return name;
-+}
-+
-+/* Scan a blacklist of known-vulnerable keys. */
-+int
-+blacklisted_key(const Key *key)
-+{
-+ char *blacklist_file;
-+ int fd = -1;
-+ char *dgst_hex = NULL;
-+ char *dgst_packed = NULL, *p;
-+ int i;
-+ size_t line_len;
-+ struct stat st;
-+ char buf[256];
-+ off_t start, lower, upper;
-+ int ret = 0;
-+
-+ blacklist_file = blacklist_filename(key);
-+ debug("Checking blacklist file %s", blacklist_file);
-+ fd = open(blacklist_file, O_RDONLY);
-+ if (fd < 0)
-+ goto out;
-+
-+ dgst_hex = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
-+ /* Remove all colons */
-+ dgst_packed = xcalloc(1, strlen(dgst_hex) + 1);
-+ for (i = 0, p = dgst_packed; dgst_hex[i]; i++)
-+ if (dgst_hex[i] != ':')
-+ *p++ = dgst_hex[i];
-+ /* Only compare least-significant 80 bits (to keep the blacklist
-+ * size down)
-+ */
-+ line_len = strlen(dgst_packed + 12);
-+ if (line_len > 32)
-+ goto out;
-+
-+ /* Skip leading comments */
-+ start = 0;
-+ for (;;) {
-+ ssize_t r;
-+ char *newline;
-+
-+ r = atomicio(read, fd, buf, 256);
-+ if (r <= 0)
-+ goto out;
-+ if (buf[0] != '#')
-+ break;
-+
-+ newline = memchr(buf, '\n', 256);
-+ if (!newline)
-+ goto out;
-+ start += newline + 1 - buf;
-+ if (lseek(fd, start, SEEK_SET) < 0)
-+ goto out;
-+ }
-+
-+ /* Initialise binary search record numbers */
-+ if (fstat(fd, &st) < 0)
-+ goto out;
-+ lower = 0;
-+ upper = (st.st_size - start) / (line_len + 1);
-+
-+ while (lower != upper) {
-+ off_t cur;
-+ char buf[32];
-+ int cmp;
-+
-+ cur = lower + (upper - lower) / 2;
-+
-+ /* Read this line and compare to digest; this is
-+ * overflow-safe since cur < max(off_t) / (line_len + 1) */
-+ if (lseek(fd, start + cur * (line_len + 1), SEEK_SET) < 0)
-+ break;
-+ if (atomicio(read, fd, buf, line_len) != line_len)
-+ break;
-+ cmp = memcmp(buf, dgst_packed + 12, line_len);
-+ if (cmp < 0) {
-+ if (cur == lower)
-+ break;
-+ lower = cur;
-+ } else if (cmp > 0) {
-+ if (cur == upper)
-+ break;
-+ upper = cur;
-+ } else {
-+ debug("Found %s in blacklist", dgst_hex);
-+ ret = 1;
-+ break;
-+ }
-+ }
-+
-+out:
-+ if (dgst_packed)
-+ free(dgst_packed);
-+ if (dgst_hex)
-+ free(dgst_hex);
-+ if (fd >= 0)
-+ close(fd);
-+ free(blacklist_file);
-+ return ret;
-+}
---- openssh-4.7p1.orig/ssh-vulnkey.c
-+++ openssh-4.7p1/ssh-vulnkey.c
-@@ -0,0 +1,325 @@
-+/*
-+ * Copyright (c) 2008 Canonical Ltd. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in the
-+ * documentation and/or other materials provided with the distribution.
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
-+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
-+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
-+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
-+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
-+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-+ */
-+
-+#include "includes.h"
-+
-+#include <sys/types.h>
-+#include <sys/stat.h>
-+
-+#include <string.h>
-+#include <stdio.h>
-+#include <fcntl.h>
-+#include <unistd.h>
-+
-+#include <openssl/evp.h>
-+
-+#include "xmalloc.h"
-+#include "ssh.h"
-+#include "log.h"
-+#include "key.h"
-+#include "authfile.h"
-+#include "pathnames.h"
-+#include "misc.h"
-+
-+extern char *__progname;
-+
-+/* Default files to check */
-+static char *default_host_files[] = {
-+ _PATH_HOST_RSA_KEY_FILE,
-+ _PATH_HOST_DSA_KEY_FILE,
-+ _PATH_HOST_KEY_FILE,
-+ NULL
-+};
-+static char *default_files[] = {
-+ _PATH_SSH_CLIENT_ID_RSA,
-+ _PATH_SSH_CLIENT_ID_DSA,
-+ _PATH_SSH_CLIENT_IDENTITY,
-+ _PATH_SSH_USER_PERMITTED_KEYS,
-+ _PATH_SSH_USER_PERMITTED_KEYS2,
-+ NULL
-+};
-+
-+static int quiet = 0;
-+
-+static void
-+usage(void)
-+{
-+ fprintf(stderr, "usage: %s [-aq] [file ...]\n", __progname);
-+ fprintf(stderr, "Options:\n");
-+ fprintf(stderr, " -a Check keys of all users.\n");
-+ fprintf(stderr, " -q Quiet mode.\n");
-+ exit(1);
-+}
-+
-+void
-+describe_key(const char *msg, const Key *key, const char *comment)
-+{
-+ char *fp;
-+
-+ fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
-+ if (!quiet)
-+ printf("%s: %u %s %s\n", msg, key_size(key), fp, comment);
-+ free(fp);
-+}
-+
-+int
-+do_key(const Key *key, const char *comment)
-+{
-+ char *blacklist_file;
-+ struct stat st;
-+ int ret = 1;
-+
-+ blacklist_file = blacklist_filename(key);
-+ if (stat(blacklist_file, &st) < 0)
-+ describe_key("Unknown (no blacklist information)",
-+ key, comment);
-+ else if (blacklisted_key(key)) {
-+ describe_key("COMPROMISED", key, comment);
-+ ret = 0;
-+ } else
-+ describe_key("Not blacklisted", key, comment);
-+ free(blacklist_file);
-+
-+ return ret;
-+}
-+
-+int
-+do_filename(const char *filename, int quiet_open)
-+{
-+ FILE *f;
-+ char line[SSH_MAX_PUBKEY_BYTES];
-+ char *cp;
-+ u_long linenum = 0;
-+ Key *key;
-+ char *comment = NULL;
-+ int found = 0, ret = 1;
-+
-+ /* Copy much of key_load_public's logic here so that we can read
-+ * several keys from a single file (e.g. authorized_keys).
-+ */
-+
-+ if (strcmp(filename, "-") != 0) {
-+ f = fopen(filename, "r");
-+ if (!f) {
-+ char pubfile[MAXPATHLEN];
-+ if (strlcpy(pubfile, filename, sizeof pubfile) <
-+ sizeof(pubfile) &&
-+ strlcat(pubfile, ".pub", sizeof pubfile) <
-+ sizeof(pubfile))
-+ f = fopen(pubfile, "r");
-+ }
-+ if (!f) {
-+ if (!quiet_open)
-+ perror(filename);
-+ return -1;
-+ }
-+ } else
-+ f = stdin;
-+ while (read_keyfile_line(f, filename, line, sizeof(line),
-+ &linenum) != -1) {
-+ int i;
-+ char *space;
-+ int type;
-+
-+ /* Chop trailing newline. */
-+ i = strlen(line) - 1;
-+ if (line[i] == '\n')
-+ line[i] = '\0';
-+
-+ /* Skip leading whitespace, empty and comment lines. */
-+ for (cp = line; *cp == ' ' || *cp == '\t'; cp++)
-+ ;
-+ if (!*cp || *cp == '\n' || *cp == '#')
-+ continue;
-+
-+ /* Cope with ssh-keyscan output and options in
-+ * authorized_keys files.
-+ */
-+ space = strchr(cp, ' ');
-+ if (!space)
-+ continue;
-+ *space = '\0';
-+ type = key_type_from_name(cp);
-+ *space = ' ';
-+ /* Leading number (RSA1) or valid type (RSA/DSA) indicates
-+ * that we have no host name or options to skip.
-+ */
-+ if (atoi(cp) == 0 && type == KEY_UNSPEC) {
-+ int quoted = 0;
-+
-+ for (; *cp && (quoted || (*cp != ' ' && *cp != '\t')); cp++) {
-+ if (*cp == '\\' && cp[1] == '"')
-+ cp++; /* Skip both */
-+ else if (*cp == '"')
-+ quoted = !quoted;
-+ }
-+ /* Skip remaining whitespace. */
-+ for (; *cp == ' ' || *cp == '\t'; cp++)
-+ ;
-+ if (!*cp)
-+ continue;
-+ }
-+
-+ /* Read and process the key itself. */
-+ key = key_new(KEY_RSA1);
-+ if (key_read(key, &cp) == 1) {
-+ while (*cp == ' ' || *cp == '\t')
-+ cp++;
-+ if (!do_key(key, *cp ? cp : filename))
-+ ret = 0;
-+ found = 1;
-+ } else {
-+ key_free(key);
-+ key = key_new(KEY_UNSPEC);
-+ if (key_read(key, &cp) == 1) {
-+ while (*cp == ' ' || *cp == '\t')
-+ cp++;
-+ if (!do_key(key, *cp ? cp : filename))
-+ ret = 0;
-+ found = 1;
-+ }
-+ }
-+ key_free(key);
-+ }
-+ if (f != stdin)
-+ fclose(f);
-+
-+ if (!found && filename) {
-+ key = key_load_public(filename, &comment);
-+ if (key) {
-+ if (!do_key(key, comment))
-+ ret = 0;
-+ found = 1;
-+ }
-+ if (comment)
-+ free(comment);
-+ }
-+
-+ return ret;
-+}
-+
-+int
-+do_host(void)
-+{
-+ int i;
-+ struct stat st;
-+ int ret = 1;
-+
-+ for (i = 0; default_host_files[i]; i++) {
-+ if (stat(default_host_files[i], &st) < 0)
-+ continue;
-+ if (!do_filename(default_host_files[i], 1))
-+ ret = 0;
-+ }
-+
-+ return ret;
-+}
-+
-+int
-+do_user(const char *dir)
-+{
-+ int i;
-+ char buf[MAXPATHLEN];
-+ struct stat st;
-+ int ret = 1;
-+
-+ for (i = 0; default_files[i]; i++) {
-+ snprintf(buf, sizeof(buf), "%s/%s", dir, default_files[i]);
-+ if (stat(buf, &st) < 0)
-+ continue;
-+ if (!do_filename(buf, 0))
-+ ret = 0;
-+ }
-+
-+ return ret;
-+}
-+
-+int
-+main(int argc, char **argv)
-+{
-+ int opt, all_users = 0;
-+ int ret = 1;
-+ extern int optind;
-+
-+ /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
-+ sanitise_stdfd();
-+
-+ __progname = ssh_get_progname(argv[0]);
-+
-+ SSLeay_add_all_algorithms();
-+ log_init(argv[0], SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_USER, 1);
-+
-+ /* We don't need the RNG ourselves, but symbol references here allow
-+ * ld to link us properly.
-+ */
-+ //init_rng();
-+ //seed_rng();
-+
-+ while ((opt = getopt(argc, argv, "ahq")) != -1) {
-+ switch (opt) {
-+ case 'a':
-+ all_users = 1;
-+ break;
-+ case 'q':
-+ quiet = 1;
-+ break;
-+ case 'h':
-+ default:
-+ usage();
-+ }
-+ }
-+
-+ if (all_users) {
-+ struct passwd *pw;
-+
-+ if (!do_host())
-+ ret = 0;
-+
-+ while ((pw = getpwent()) != NULL) {
-+ if (pw->pw_dir) {
-+ if (!do_user(pw->pw_dir))
-+ ret = 0;
-+ }
-+ }
-+ } else if (optind == argc) {
-+ struct passwd *pw;
-+
-+ if (!do_host())
-+ ret = 0;
-+
-+ if ((pw = getpwuid(getuid())) == NULL)
-+ fprintf(stderr, "No user found with uid %u\n",
-+ (u_int)getuid());
-+ else {
-+ if (!do_user(pw->pw_dir))
-+ ret = 0;
-+ }
-+ } else {
-+ while (optind < argc)
-+ if (!do_filename(argv[optind++], 0))
-+ ret = 0;
-+ }
-+
-+ return ret;
-+}
---- openssh-4.7p1.orig/auth-rsa.c
-+++ openssh-4.7p1/auth-rsa.c
-@@ -40,6 +40,7 @@
- #include "servconf.h"
- #include "key.h"
- #include "hostfile.h"
-+#include "authfile.h"
- #include "auth.h"
- #ifdef GSSAPI
- #include "ssh-gss.h"
-@@ -221,6 +222,7 @@
- char *cp;
- char *key_options;
- int keybits;
-+ char *fp;
-
- /* Skip leading whitespace, empty and comment lines. */
- for (cp = line; *cp == ' ' || *cp == '\t'; cp++)
-@@ -265,6 +267,19 @@
- "actual %d vs. announced %d.",
- file, linenum, BN_num_bits(key->rsa->n), bits);
-
-+ if (blacklisted_key(key)) {
-+ fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
-+ if (options.permit_blacklisted_keys)
-+ logit("Public key %s blacklisted (see "
-+ "ssh-vulnkey(1)); continuing anyway", fp);
-+ else
-+ logit("Public key %s blacklisted (see "
-+ "ssh-vulnkey(1))", fp);
-+ free(fp);
-+ if (!options.permit_blacklisted_keys)
-+ continue;
-+ }
-+
- /* We have found the desired key. */
- /*
- * If our options do not allow this key to be used,
---- openssh-4.7p1.orig/pathnames.h
-+++ openssh-4.7p1/pathnames.h
-@@ -43,6 +43,8 @@
- /* Backwards compatibility */
- #define _PATH_DH_PRIMES SSHDIR "/primes"
-
-+#define _PATH_BLACKLIST SSHDIR "/blacklist"
-+
- #ifndef _PATH_SSH_PROGRAM
- #define _PATH_SSH_PROGRAM "/usr/bin/ssh"
- #endif
---- openssh-5.9p1/auth2-pubkey.c~ 2011-09-29 00:36:17.000000000 +0300
-+++ openssh-5.9p1/auth2-pubkey.c 2011-09-29 00:37:17.847762648 +0300
-@@ -42,6 +42,7 @@
- #include "compat.h"
- #include "key.h"
- #include "hostfile.h"
-+#include "authfile.h"
- #include "auth.h"
- #include "pathnames.h"
- #include "uidswap.h"
-@@ -608,6 +609,20 @@
- {
- u_int success, i;
- char *file;
-+ char *fp;
-+
-+ if (blacklisted_key(key)) {
-+ fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
-+ if (options.permit_blacklisted_keys)
-+ logit("Public key %s blacklisted (see "
-+ "ssh-vulnkey(1)); continuing anyway", fp);
-+ else
-+ logit("Public key %s blacklisted (see "
-+ "ssh-vulnkey(1))", fp);
-+ free(fp);
-+ if (!options.permit_blacklisted_keys)
-+ return 0;
-+ }
-
- if (auth_key_is_revoked(key))
- return 0;
-
+++ /dev/null
-diff -up openssh-5.8p1/auth-krb5.c.kuserok openssh-5.8p1/auth-krb5.c
---- openssh-5.8p1/auth-krb5.c.kuserok 2009-12-21 00:49:22.000000000 +0100
-+++ openssh-5.8p1/auth-krb5.c 2011-02-14 09:15:12.000000000 +0100
-@@ -54,6 +54,20 @@
-
- extern ServerOptions options;
-
-+int
-+ssh_krb5_kuserok(krb5_context krb5_ctx, krb5_principal krb5_user, const char *client)
-+{
-+ if (options.use_kuserok)
-+ return krb5_kuserok(krb5_ctx, krb5_user, client);
-+ else {
-+ char kuser[65];
-+
-+ if (krb5_aname_to_localname(krb5_ctx, krb5_user, sizeof(kuser), kuser))
-+ return 0;
-+ return strcmp(kuser, client) == 0;
-+ }
-+}
-+
- static int
- krb5_init(void *context)
- {
-@@ -146,7 +160,7 @@ auth_krb5_password(Authctxt *authctxt, c
- if (problem)
- goto out;
-
-- if (!krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user,
-+ if (!ssh_krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user,
- authctxt->pw->pw_name)) {
- problem = -1;
- goto out;
-diff -up openssh-5.8p1/gss-serv-krb5.c.kuserok openssh-5.8p1/gss-serv-krb5.c
---- openssh-5.8p1/gss-serv-krb5.c.kuserok 2006-09-01 07:38:36.000000000 +0200
-+++ openssh-5.8p1/gss-serv-krb5.c 2011-02-14 09:15:12.000000000 +0100
-@@ -57,6 +57,7 @@ extern ServerOptions options;
- #endif
-
- static krb5_context krb_context = NULL;
-+extern int ssh_krb5_kuserok(krb5_context, krb5_principal, const char *);
-
- /* Initialise the krb5 library, for the stuff that GSSAPI won't do */
-
-@@ -97,7 +98,7 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client
- krb5_free_error_message(krb_context, errmsg);
- return 0;
- }
-- if (krb5_kuserok(krb_context, princ, name)) {
-+ if (ssh_krb5_kuserok(krb_context, princ, name)) {
- retval = 1;
- logit("Authorized to %s, krb5 principal %s (krb5_kuserok)",
- name, (char *)client->displayname.value);
-diff -up openssh-5.8p1/servconf.c.kuserok openssh-5.8p1/servconf.c
---- openssh-5.8p1/servconf.c.kuserok 2011-02-14 09:15:12.000000000 +0100
-+++ openssh-5.8p1/servconf.c 2011-02-14 09:20:22.000000000 +0100
-@@ -133,6 +133,7 @@
- options->num_accept_env = 0;
- options->permit_tun = -1;
- options->num_permitted_opens = -1;
-+ options->use_kuserok = -1;
- options->adm_forced_command = NULL;
- options->chroot_directory = NULL;
- options->authorized_keys_command = NULL;
-@@ -291,6 +292,8 @@ fill_default_server_options(ServerOption
- if (use_privsep == -1)
- use_privsep = PRIVSEP_NOSANDBOX;
-
-+ if (options->use_kuserok == -1)
-+ options->use_kuserok = 1;
- #ifndef HAVE_MMAP
- if (use_privsep && options->compression == 1) {
- error("This platform does not support both privilege "
-@@ -312,7 +315,7 @@ typedef enum {
- sPermitRootLogin, sLogFacility, sLogLevel,
- sRhostsRSAAuthentication, sRSAAuthentication,
- sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
-- sKerberosGetAFSToken,
-+ sKerberosGetAFSToken, sKerberosUseKuserok,
- sKerberosTgtPassing, sChallengeResponseAuthentication,
- sPasswordAuthentication, sKbdInteractiveAuthentication,
- sListenAddress, sAddressFamily,
-@@ -381,11 +384,13 @@ static struct {
- #else
- { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
- #endif
-+ { "kerberosusekuserok", sKerberosUseKuserok, SSHCFG_ALL },
- #else
- { "kerberosauthentication", sUnsupported, SSHCFG_ALL },
- { "kerberosorlocalpasswd", sUnsupported, SSHCFG_GLOBAL },
- { "kerberosticketcleanup", sUnsupported, SSHCFG_GLOBAL },
- { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
-+ { "kerberosusekuserok", sUnsupported, SSHCFG_ALL },
- #endif
- { "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
- { "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
-@@ -1341,6 +1346,10 @@ process_server_config_line(ServerOptions
- *activep = value;
- break;
-
-+ case sKerberosUseKuserok:
-+ intptr = &options->use_kuserok;
-+ goto parse_flag;
-+
- case sPermitOpen:
- arg = strdelim(&cp);
- if (!arg || *arg == '\0')
-@@ -1544,6 +1553,7 @@ copy_set_server_options(ServerOptions *d
- M_CP_INTOPT(ip_qos_bulk);
- M_CP_INTOPT(rekey_limit);
- M_CP_INTOPT(rekey_interval);
-+ M_CP_INTOPT(use_kuserok);
-
- /* M_CP_STROPT and M_CP_STRARRAYOPT should not appear before here */
- #define M_CP_STROPT(n) do {\
-@@ -1764,6 +1774,7 @@ dump_config(ServerOptions *o)
- dump_cfg_fmtint(sUseDNS, o->use_dns);
- dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
- dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
-+ dump_cfg_fmtint(sKerberosUseKuserok, o->use_kuserok);
-
- /* string arguments */
- dump_cfg_string(sPidFile, o->pid_file);
-diff -up openssh-5.8p1/servconf.h.kuserok openssh-5.8p1/servconf.h
---- openssh-5.8p1/servconf.h.kuserok 2011-02-14 09:15:12.000000000 +0100
-+++ openssh-5.8p1/servconf.h 2011-02-14 09:15:12.000000000 +0100
-@@ -157,6 +157,7 @@ typedef struct {
-
- int num_permitted_opens;
-
-+ int use_kuserok;
- char *chroot_directory;
- char *revoked_keys_file;
- char *trusted_user_ca_keys;
-diff -up openssh-5.8p1/sshd_config.5.kuserok openssh-5.8p1/sshd_config.5
---- openssh-5.8p1/sshd_config.5.kuserok 2011-02-14 09:15:12.000000000 +0100
-+++ openssh-5.8p1/sshd_config.5 2011-02-14 09:17:11.000000000 +0100
-@@ -574,6 +574,10 @@ Specifies whether to automatically destr
- file on logout.
- The default is
- .Dq yes .
-+.It Cm KerberosUseKuserok
-+Specifies whether to look at .k5login file for user's aliases.
-+The default is
-+.Dq yes .
- .It Cm KexAlgorithms
- Specifies the available KEX (Key Exchange) algorithms.
- Multiple algorithms must be comma-separated.
-@@ -715,6 +719,7 @@ Available keywords are
- .Cm HostbasedUsesNameFromPacketOnly ,
- .Cm KbdInteractiveAuthentication ,
- .Cm KerberosAuthentication ,
-+.Cm KerberosUseKuserok ,
- .Cm MaxAuthTries ,
- .Cm MaxSessions ,
- .Cm PasswordAuthentication ,
-diff -up openssh-5.8p1/sshd_config.kuserok openssh-5.8p1/sshd_config
---- openssh-5.8p1/sshd_config.kuserok 2011-02-14 09:15:12.000000000 +0100
-+++ openssh-5.8p1/sshd_config 2011-02-14 09:15:12.000000000 +0100
-@@ -73,6 +73,7 @@ ChallengeResponseAuthentication no
- #KerberosOrLocalPasswd yes
- #KerberosTicketCleanup yes
- #KerberosGetAFSToken no
-+#KerberosUseKuserok yes
-
- # GSSAPI options
- #GSSAPIAuthentication no