diff options
| author |   djm <djm@openbsd.org> | 2014-01-09 23:26:48 +0000 |
|---|---|---|
| committer | djm <djm@openbsd.org> | 2014-01-09 23:26:48 +0000 |
| commit | e220a72538972d78ac9902441559ec8ba75505b6 (patch) | |
| tree | 9072305b450801976891741436670e089a8d32ed /usr.bin/ssh/sshconnect.c | |
| parent | Introduce digest API and use it to perform all hashing operations (diff) | |
| download | wireguard-openbsd-e220a72538972d78ac9902441559ec8ba75505b6.tar.xz wireguard-openbsd-e220a72538972d78ac9902441559ec8ba75505b6.zip | |
ban clients/servers that suffer from SSH_BUG_DERIVEKEY, they are ancient,
deranged and might make some attacks on KEX easier; ok markus@
Diffstat (limited to 'usr.bin/ssh/sshconnect.c')
| -rw-r--r-- | usr.bin/ssh/sshconnect.c | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/usr.bin/ssh/sshconnect.c b/usr.bin/ssh/sshconnect.c index 28ea1d0f728..f8ecb785b39 100644 --- a/usr.bin/ssh/sshconnect.c +++ b/usr.bin/ssh/sshconnect.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshconnect.c,v 1.243 2013/12/30 23:52:27 djm Exp $ */ +/* $OpenBSD: sshconnect.c,v 1.244 2014/01/09 23:26:48 djm Exp $ */ /* * Author: Tatu Ylonen <ylo@cs.hut.fi> * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland @@ -652,6 +652,9 @@ ssh_exchange_identification(int timeout_ms) fatal("Protocol major versions differ: %d vs. %d", (options.protocol & SSH_PROTO_2) ? PROTOCOL_MAJOR_2 : PROTOCOL_MAJOR_1, remote_major); + if ((datafellows & SSH_BUG_DERIVEKEY) != 0) + fatal("Server version \"%.100s\" uses unsafe key agreement; " + "refusing connection", remote_version); if ((datafellows & SSH_BUG_RSASIGMD5) != 0) logit("Server version \"%.100s\" uses unsafe RSA signature " "scheme; disabling use of RSA keys", remote_version); |