bmh10 / rpms / openssh

Forked from rpms/openssh 2 days ago
Clone

Blame SOURCES/openssh-8.0p1-crypto-policies.patch

4369a3
diff -up openssh-8.0p1/ssh_config.5.crypto-policies openssh-8.0p1/ssh_config.5
0d83e7
--- openssh-8.0p1/ssh_config.5.crypto-policies	2020-03-24 17:32:54.821789205 +0100
0d83e7
+++ openssh-8.0p1/ssh_config.5	2020-03-24 17:59:58.174122920 +0100
0d83e7
@@ -357,17 +357,17 @@ or
0d83e7
 .Qq *.c.example.com
0d83e7
 domains.
0d83e7
 .It Cm CASignatureAlgorithms
0d83e7
+The default is handled system-wide by
0d83e7
+.Xr crypto-policies 7 .
0d83e7
+To see the current defaults and how to modify them, see manual page
0d83e7
+.Xr update-crypto-policies 8 .
0d83e7
+.Pp
0d83e7
 Specifies which algorithms are allowed for signing of certificates
0d83e7
 by certificate authorities (CAs).
0d83e7
-The default is:
0d83e7
-.Bd -literal -offset indent
0d83e7
-ecdsa-sha2-nistp256.ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
0d83e7
-ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
0d83e7
-.Ed
0d83e7
-.Pp
0d83e7
 .Xr ssh 1
0d83e7
 will not accept host certificates signed using algorithms other than those
0d83e7
 specified.
0d83e7
+.Pp
0d83e7
 .It Cm CertificateFile
0d83e7
 Specifies a file from which the user's certificate is read.
0d83e7
 A corresponding private key must be provided separately in order
0d83e7
@@ -420,16 +420,21 @@ If the option is set to
0d83e7
 .Cm no ,
0d83e7
 the check will not be executed.
0d83e7
 .It Cm Ciphers
0d83e7
+The default is handled system-wide by
0d83e7
+.Xr crypto-policies 7 .
0d83e7
+To see the current defaults and how to modify them, see manual page
0d83e7
+.Xr update-crypto-policies 8 .
0d83e7
+.Pp
0d83e7
 Specifies the ciphers allowed and their order of preference.
0d83e7
 Multiple ciphers must be comma-separated.
0d83e7
 If the specified value begins with a
0d83e7
 .Sq +
0d83e7
-character, then the specified ciphers will be appended to the default set
0d83e7
+character, then the specified ciphers will be appended to the built-in default set
0d83e7
 instead of replacing them.
0d83e7
 If the specified value begins with a
0d83e7
 .Sq -
0d83e7
 character, then the specified ciphers (including wildcards) will be removed
0d83e7
-from the default set instead of replacing them.
0d83e7
+from the built-in default set instead of replacing them.
0d83e7
 .Pp
0d83e7
 The supported ciphers are:
0d83e7
 .Bd -literal -offset indent
0d83e7
@@ -445,13 +450,6 @@ aes256-gcm@openssh.com
4369a3
 chacha20-poly1305@openssh.com
4369a3
 .Ed
4369a3
 .Pp
4369a3
-The default is:
4369a3
-.Bd -literal -offset indent
4369a3
-chacha20-poly1305@openssh.com,
4369a3
-aes128-ctr,aes192-ctr,aes256-ctr,
4369a3
-aes128-gcm@openssh.com,aes256-gcm@openssh.com
4369a3
-.Ed
0d83e7
-.Pp
0d83e7
 The list of available ciphers may also be obtained using
0d83e7
 .Qq ssh -Q cipher .
0d83e7
 .It Cm ClearAllForwardings
0d83e7
@@ -800,6 +798,11 @@ command line will be passed untouched to
0d83e7
 The default is
0d83e7
 .Dq no .
0d83e7
 .It Cm GSSAPIKexAlgorithms
4369a3
+The default is handled system-wide by
4369a3
+.Xr crypto-policies 7 .
0d83e7
+To see the current defaults and how to modify them, see manual page
4369a3
+.Xr update-crypto-policies 8 .
0d83e7
+.Pp
0d83e7
 The list of key exchange algorithms that are offered for GSSAPI
0d83e7
 key exchange. Possible values are
0d83e7
 .Bd -literal -offset 3n
0d83e7
@@ -812,9 +815,8 @@ gss-nistp256-sha256-,
4369a3
 gss-curve25519-sha256-
4369a3
 .Ed
4369a3
 .Pp
4369a3
-The default is
0d83e7
-.Dq gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-,gss-curve25519-sha256-,gss-group14-sha1-,gss-gex-sha1- .
0d83e7
 This option only applies to connections using GSSAPI.
0d83e7
+.Pp
0d83e7
 .It Cm HashKnownHosts
0d83e7
 Indicates that
0d83e7
 .Xr ssh 1
0d83e7
@@ -1114,26 +1115,21 @@ it may be zero or more of:
0d83e7
 and
0d83e7
 .Cm pam .
0d83e7
 .It Cm KexAlgorithms
4369a3
+The default is handled system-wide by
4369a3
+.Xr crypto-policies 7 .
0d83e7
+To see the current defaults and how to modify them, see manual page
4369a3
+.Xr update-crypto-policies 8 .
0d83e7
+.Pp
0d83e7
 Specifies the available KEX (Key Exchange) algorithms.
0d83e7
 Multiple algorithms must be comma-separated.
0d83e7
 Alternately if the specified value begins with a
0d83e7
 .Sq +
0d83e7
-character, then the specified methods will be appended to the default set
0d83e7
+character, then the specified methods will be appended to the built-in default set
0d83e7
 instead of replacing them.
0d83e7
 If the specified value begins with a
4369a3
 .Sq -
4369a3
 character, then the specified methods (including wildcards) will be removed
0d83e7
-from the default set instead of replacing them.
4369a3
-The default is:
4369a3
-.Bd -literal -offset indent
4369a3
-curve25519-sha256,curve25519-sha256@libssh.org,
4369a3
-ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
4369a3
-diffie-hellman-group-exchange-sha256,
4369a3
-diffie-hellman-group16-sha512,
4369a3
-diffie-hellman-group18-sha512,
4369a3
-diffie-hellman-group14-sha256,
4369a3
-diffie-hellman-group14-sha1
4369a3
-.Ed
0d83e7
+from the built-in default set instead of replacing them.
0d83e7
 .Pp
0d83e7
 The list of available key exchange algorithms may also be obtained using
0d83e7
 .Qq ssh -Q kex .
0d83e7
@@ -1193,33 +1189,29 @@ The default is INFO.
0d83e7
 DEBUG and DEBUG1 are equivalent.
0d83e7
 DEBUG2 and DEBUG3 each specify higher levels of verbose output.
0d83e7
 .It Cm MACs
4369a3
+The default is handled system-wide by
4369a3
+.Xr crypto-policies 7 .
0d83e7
+To see the current defaults and how to modify them, see manual page
4369a3
+.Xr update-crypto-policies 8 .
0d83e7
+.Pp
0d83e7
 Specifies the MAC (message authentication code) algorithms
0d83e7
 in order of preference.
0d83e7
 The MAC algorithm is used for data integrity protection.
0d83e7
 Multiple algorithms must be comma-separated.
0d83e7
 If the specified value begins with a
0d83e7
 .Sq +
0d83e7
-character, then the specified algorithms will be appended to the default set
0d83e7
+character, then the specified algorithms will be appended to the built-in default set
0d83e7
 instead of replacing them.
0d83e7
 If the specified value begins with a
0d83e7
 .Sq -
0d83e7
 character, then the specified algorithms (including wildcards) will be removed
0d83e7
-from the default set instead of replacing them.
0d83e7
+from the built-in default set instead of replacing them.
4369a3
 .Pp
0d83e7
 The algorithms that contain
0d83e7
 .Qq -etm
4369a3
 calculate the MAC after encryption (encrypt-then-mac).
4369a3
 These are considered safer and their use recommended.
4369a3
 .Pp
4369a3
-The default is:
4369a3
-.Bd -literal -offset indent
4369a3
-umac-64-etm@openssh.com,umac-128-etm@openssh.com,
4369a3
-hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
4369a3
-hmac-sha1-etm@openssh.com,
4369a3
-umac-64@openssh.com,umac-128@openssh.com,
4369a3
-hmac-sha2-256,hmac-sha2-512,hmac-sha1
4369a3
-.Ed
0d83e7
-.Pp
0d83e7
 The list of available MAC algorithms may also be obtained using
0d83e7
 .Qq ssh -Q mac .
0d83e7
 .It Cm NoHostAuthenticationForLocalhost
0d83e7
@@ -1352,27 +1344,21 @@ instead of continuing to execute and pas
0d83e7
 The default is
0d83e7
 .Cm no .
0d83e7
 .It Cm PubkeyAcceptedKeyTypes
4369a3
+The default is handled system-wide by
4369a3
+.Xr crypto-policies 7 .
0d83e7
+To see the current defaults and how to modify them, see manual page
4369a3
+.Xr update-crypto-policies 8 .
0d83e7
+.Pp
0d83e7
 Specifies the key types that will be used for public key authentication
0d83e7
 as a comma-separated list of patterns.
0d83e7
 Alternately if the specified value begins with a
0d83e7
 .Sq +
0d83e7
-character, then the key types after it will be appended to the default
0d83e7
+character, then the key types after it will be appended to the built-in default
0d83e7
 instead of replacing it.
0d83e7
 If the specified value begins with a
4369a3
 .Sq -
4369a3
 character, then the specified key types (including wildcards) will be removed
0d83e7
-from the default set instead of replacing them.
4369a3
-The default for this option is:
4369a3
-.Bd -literal -offset 3n
4369a3
-ecdsa-sha2-nistp256-cert-v01@openssh.com,
4369a3
-ecdsa-sha2-nistp384-cert-v01@openssh.com,
4369a3
-ecdsa-sha2-nistp521-cert-v01@openssh.com,
4369a3
-ssh-ed25519-cert-v01@openssh.com,
4369a3
-rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,
4369a3
-ssh-rsa-cert-v01@openssh.com,
4369a3
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
4369a3
-ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
4369a3
-.Ed
0d83e7
+from the built-in default set instead of replacing them.
4369a3
 .Pp
4369a3
 The list of available key types may also be obtained using
4369a3
 .Qq ssh -Q key .
4369a3
diff -up openssh-8.0p1/sshd_config.5.crypto-policies openssh-8.0p1/sshd_config.5
0d83e7
--- openssh-8.0p1/sshd_config.5.crypto-policies	2020-03-24 17:32:54.802788908 +0100
0d83e7
+++ openssh-8.0p1/sshd_config.5	2020-03-24 17:54:13.347740176 +0100
0d83e7
@@ -383,16 +383,16 @@ If the argument is
0d83e7
 then no banner is displayed.
0d83e7
 By default, no banner is displayed.
0d83e7
 .It Cm CASignatureAlgorithms
0d83e7
+The default is handled system-wide by
0d83e7
+.Xr crypto-policies 7 .
0d83e7
+To see the current defaults and how to modify them, see manual page
0d83e7
+.Xr update-crypto-policies 8 .
0d83e7
+.Pp
0d83e7
 Specifies which algorithms are allowed for signing of certificates
0d83e7
 by certificate authorities (CAs).
0d83e7
-The default is:
0d83e7
-.Bd -literal -offset indent
0d83e7
-ecdsa-sha2-nistp256.ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
0d83e7
-ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
0d83e7
-.Ed
0d83e7
-.Pp
0d83e7
 Certificates signed using other algorithms will not be accepted for
0d83e7
 public key or host-based authentication.
0d83e7
+.Pp
0d83e7
 .It Cm ChallengeResponseAuthentication
0d83e7
 Specifies whether challenge-response authentication is allowed (e.g. via
0d83e7
 PAM or through authentication styles supported in
0d83e7
@@ -454,16 +454,21 @@ The default is
0d83e7
 indicating not to
0d83e7
 .Xr chroot 2 .
0d83e7
 .It Cm Ciphers
0d83e7
+The default is handled system-wide by
0d83e7
+.Xr crypto-policies 7 .
0d83e7
+To see the current defaults and how to modify them, see manual page
0d83e7
+.Xr update-crypto-policies 8 .
0d83e7
+.Pp
0d83e7
 Specifies the ciphers allowed.
0d83e7
 Multiple ciphers must be comma-separated.
0d83e7
 If the specified value begins with a
0d83e7
 .Sq +
0d83e7
-character, then the specified ciphers will be appended to the default set
0d83e7
+character, then the specified ciphers will be appended to the built-in default set
0d83e7
 instead of replacing them.
0d83e7
 If the specified value begins with a
0d83e7
 .Sq -
0d83e7
 character, then the specified ciphers (including wildcards) will be removed
0d83e7
-from the default set instead of replacing them.
0d83e7
+from the built-in default set instead of replacing them.
0d83e7
 .Pp
0d83e7
 The supported ciphers are:
0d83e7
 .Pp
0d83e7
@@ -490,13 +495,6 @@ aes256-gcm@openssh.com
4369a3
 chacha20-poly1305@openssh.com
4369a3
 .El
4369a3
 .Pp
4369a3
-The default is:
4369a3
-.Bd -literal -offset indent
4369a3
-chacha20-poly1305@openssh.com,
4369a3
-aes128-ctr,aes192-ctr,aes256-ctr,
4369a3
-aes128-gcm@openssh.com,aes256-gcm@openssh.com
4369a3
-.Ed
0d83e7
-.Pp
0d83e7
 The list of available ciphers may also be obtained using
0d83e7
 .Qq ssh -Q cipher .
0d83e7
 .It Cm ClientAliveCountMax
0d83e7
@@ -688,6 +686,11 @@ For this to work
0d83e7
 .Cm GSSAPIKeyExchange
0d83e7
 needs to be enabled in the server and also used by the client.
0d83e7
 .It Cm GSSAPIKexAlgorithms
4369a3
+The default is handled system-wide by
4369a3
+.Xr crypto-policies 7 .
0d83e7
+To see the current defaults and how to modify them, see manual page
4369a3
+.Xr update-crypto-policies 8 .
0d83e7
+.Pp
0d83e7
 The list of key exchange algorithms that are accepted by GSSAPI
0d83e7
 key exchange. Possible values are
0d83e7
 .Bd -literal -offset 3n
0d83e7
@@ -700,8 +703,6 @@ gss-nistp256-sha256-,
4369a3
 gss-curve25519-sha256-
4369a3
 .Ed
4369a3
 .Pp
4369a3
-The default is
0d83e7
-.Dq gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-,gss-curve25519-sha256-,gss-group14-sha1-,gss-gex-sha1- .
0d83e7
 This option only applies to connections using GSSAPI.
4369a3
 .It Cm HostbasedAcceptedKeyTypes
4369a3
 Specifies the key types that will be accepted for hostbased authentication
0d83e7
@@ -791,19 +791,13 @@ is specified, the location of the socket
0d83e7
 .Ev SSH_AUTH_SOCK
0d83e7
 environment variable.
4369a3
 .It Cm HostKeyAlgorithms
0d83e7
+The default is handled system-wide by
0d83e7
+.Xr crypto-policies 7 .
0d83e7
+To see the current defaults and how to modify them, see manual page
0d83e7
+.Xr update-crypto-policies 8 .
0d83e7
+.Pp
4369a3
 Specifies the host key algorithms
4369a3
 that the server offers.
4369a3
-The default for this option is:
4369a3
-.Bd -literal -offset 3n
4369a3
-ecdsa-sha2-nistp256-cert-v01@openssh.com,
4369a3
-ecdsa-sha2-nistp384-cert-v01@openssh.com,
4369a3
-ecdsa-sha2-nistp521-cert-v01@openssh.com,
4369a3
-ssh-ed25519-cert-v01@openssh.com,
4369a3
-rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,
4369a3
-ssh-rsa-cert-v01@openssh.com,
4369a3
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
4369a3
-ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
4369a3
-.Ed
0d83e7
 .Pp
0d83e7
 The list of available key types may also be obtained using
0d83e7
 .Qq ssh -Q key .
0d83e7
@@ -922,16 +916,21 @@ Specifies whether to look at .k5login fi
0d83e7
 The default is
0d83e7
 .Cm yes .
0d83e7
 .It Cm KexAlgorithms
4369a3
+The default is handled system-wide by
4369a3
+.Xr crypto-policies 7 .
0d83e7
+To see the current defaults and how to modify them, see manual page
4369a3
+.Xr update-crypto-policies 8 .
0d83e7
+.Pp
0d83e7
 Specifies the available KEX (Key Exchange) algorithms.
0d83e7
 Multiple algorithms must be comma-separated.
0d83e7
 Alternately if the specified value begins with a
0d83e7
 .Sq +
0d83e7
-character, then the specified methods will be appended to the default set
0d83e7
+character, then the specified methods will be appended to the built-in default set
0d83e7
 instead of replacing them.
0d83e7
 If the specified value begins with a
0d83e7
 .Sq -
0d83e7
 character, then the specified methods (including wildcards) will be removed
0d83e7
-from the default set instead of replacing them.
0d83e7
+from the built-in default set instead of replacing them.
0d83e7
 The supported algorithms are:
4369a3
 .Pp
0d83e7
 .Bl -item -compact -offset indent
0d83e7
@@ -961,15 +960,6 @@ ecdh-sha2-nistp384
4369a3
 ecdh-sha2-nistp521
4369a3
 .El
4369a3
 .Pp
4369a3
-The default is:
4369a3
-.Bd -literal -offset indent
4369a3
-curve25519-sha256,curve25519-sha256@libssh.org,
4369a3
-ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
4369a3
-diffie-hellman-group-exchange-sha256,
4369a3
-diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,
4369a3
-diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
4369a3
-.Ed
0d83e7
-.Pp
0d83e7
 The list of available key exchange algorithms may also be obtained using
0d83e7
 .Qq ssh -Q kex .
0d83e7
 .It Cm ListenAddress
0d83e7
@@ -1038,17 +1028,22 @@ DEBUG and DEBUG1 are equivalent.
0d83e7
 DEBUG2 and DEBUG3 each specify higher levels of debugging output.
0d83e7
 Logging with a DEBUG level violates the privacy of users and is not recommended.
0d83e7
 .It Cm MACs
4369a3
+The default is handled system-wide by
4369a3
+.Xr crypto-policies 7 .
0d83e7
+To see the current defaults and how to modify them, see manual page
4369a3
+.Xr update-crypto-policies 8 .
0d83e7
+.Pp
0d83e7
 Specifies the available MAC (message authentication code) algorithms.
0d83e7
 The MAC algorithm is used for data integrity protection.
0d83e7
 Multiple algorithms must be comma-separated.
0d83e7
 If the specified value begins with a
0d83e7
 .Sq +
0d83e7
-character, then the specified algorithms will be appended to the default set
0d83e7
+character, then the specified algorithms will be appended to the built-in default set
0d83e7
 instead of replacing them.
0d83e7
 If the specified value begins with a
0d83e7
 .Sq -
0d83e7
 character, then the specified algorithms (including wildcards) will be removed
0d83e7
-from the default set instead of replacing them.
0d83e7
+from the built-in default set instead of replacing them.
4369a3
 .Pp
0d83e7
 The algorithms that contain
0d83e7
 .Qq -etm
0d83e7
@@ -1091,15 +1086,6 @@ umac-64-etm@openssh.com
4369a3
 umac-128-etm@openssh.com
4369a3
 .El
4369a3
 .Pp
4369a3
-The default is:
4369a3
-.Bd -literal -offset indent
4369a3
-umac-64-etm@openssh.com,umac-128-etm@openssh.com,
4369a3
-hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
4369a3
-hmac-sha1-etm@openssh.com,
4369a3
-umac-64@openssh.com,umac-128@openssh.com,
4369a3
-hmac-sha2-256,hmac-sha2-512,hmac-sha1
4369a3
-.Ed
0d83e7
-.Pp
0d83e7
 The list of available MAC algorithms may also be obtained using
0d83e7
 .Qq ssh -Q mac .
0d83e7
 .It Cm Match
0d83e7
@@ -1446,27 +1432,21 @@ or equivalent.)
0d83e7
 The default is
0d83e7
 .Cm yes .
0d83e7
 .It Cm PubkeyAcceptedKeyTypes
4369a3
+The default is handled system-wide by
4369a3
+.Xr crypto-policies 7 .
0d83e7
+To see the current defaults and how to modify them, see manual page
4369a3
+.Xr update-crypto-policies 8 .
0d83e7
+.Pp
0d83e7
 Specifies the key types that will be accepted for public key authentication
0d83e7
 as a list of comma-separated patterns.
0d83e7
 Alternately if the specified value begins with a
0d83e7
 .Sq +
0d83e7
-character, then the specified key types will be appended to the default set
0d83e7
+character, then the specified key types will be appended to the built-in default set
0d83e7
 instead of replacing them.
0d83e7
 If the specified value begins with a
4369a3
 .Sq -
4369a3
 character, then the specified key types (including wildcards) will be removed
0d83e7
-from the default set instead of replacing them.
4369a3
-The default for this option is:
4369a3
-.Bd -literal -offset 3n
4369a3
-ecdsa-sha2-nistp256-cert-v01@openssh.com,
4369a3
-ecdsa-sha2-nistp384-cert-v01@openssh.com,
4369a3
-ecdsa-sha2-nistp521-cert-v01@openssh.com,
4369a3
-ssh-ed25519-cert-v01@openssh.com,
4369a3
-rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,
4369a3
-ssh-rsa-cert-v01@openssh.com,
4369a3
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
4369a3
-ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
4369a3
-.Ed
0d83e7
+from the built-in default set instead of replacing them.
4369a3
 .Pp
4369a3
 The list of available key types may also be obtained using
4369a3
 .Qq ssh -Q key .