e8622f
Don't propose disallowed algorithms during hostkey negotiation
@@ -0,0 +1,63 @@
|
|
1
|
+
diff --color -rup a/regress/hostkey-agent.sh b/regress/hostkey-agent.sh
|
2
|
+
--- a/regress/hostkey-agent.sh 2021-08-20 06:03:49.000000000 +0200
|
3
|
+
+++ b/regress/hostkey-agent.sh 2022-07-14 11:58:12.172786060 +0200
|
4
|
+
@@ -13,8 +13,12 @@ r=$?
|
5
|
+
grep -vi 'hostkey' $OBJ/sshd_proxy > $OBJ/sshd_proxy.orig
|
6
|
+
echo "HostKeyAgent $SSH_AUTH_SOCK" >> $OBJ/sshd_proxy.orig
|
7
|
+
|
8
|
+
+PUBKEY_ACCEPTED_ALGOS=`$SSH -G "example.com" | \
|
9
|
+
+ grep -i "PubkeyAcceptedAlgorithms" | cut -d ' ' -f2- | tr "," "|"`
|
10
|
+
+SSH_ACCEPTED_KEYTYPES=`echo "$SSH_KEYTYPES" | egrep "$PUBKEY_ACCEPTED_ALGOS"`
|
11
|
+
+
|
12
|
+
trace "load hostkeys"
|
13
|
+
-for k in $SSH_KEYTYPES ; do
|
14
|
+
+for k in $SSH_ACCEPTED_KEYTYPES ; do
|
15
|
+
${SSHKEYGEN} -qt $k -f $OBJ/agent-key.$k -N '' || fatal "ssh-keygen $k"
|
16
|
+
(
|
17
|
+
printf 'localhost-with-alias,127.0.0.1,::1 '
|
18
|
+
@@ -31,7 +35,7 @@ cp $OBJ/known_hosts.orig $OBJ/known_host
|
19
|
+
unset SSH_AUTH_SOCK
|
20
|
+
|
21
|
+
for ps in yes; do
|
22
|
+
- for k in $SSH_KEYTYPES ; do
|
23
|
+
+ for k in $SSH_ACCEPTED_KEYTYPES ; do
|
24
|
+
verbose "key type $k privsep=$ps"
|
25
|
+
cp $OBJ/sshd_proxy.orig $OBJ/sshd_proxy
|
26
|
+
echo "UsePrivilegeSeparation $ps" >> $OBJ/sshd_proxy
|
27
|
+
diff --color -rup a/sshconnect2.c b/sshconnect2.c
|
28
|
+
--- a/sshconnect2.c 2022-07-14 10:10:07.262975710 +0200
|
29
|
+
+++ b/sshconnect2.c 2022-07-14 10:10:32.068452067 +0200
|
30
|
+
@@ -222,6 +222,7 @@ ssh_kex2(struct ssh *ssh, char *host, st
|
31
|
+
{
|
32
|
+
char *myproposal[PROPOSAL_MAX] = { KEX_CLIENT };
|
33
|
+
char *s, *all_key;
|
34
|
+
+ char *hostkeyalgs = NULL, *pkalg = NULL;
|
35
|
+
char *prop_kex = NULL, *prop_enc = NULL, *prop_hostkey = NULL;
|
36
|
+
int r, use_known_hosts_order = 0;
|
37
|
+
|
38
|
+
@@ -264,14 +265,19 @@ ssh_kex2(struct ssh *ssh, char *host, st
|
39
|
+
myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
|
40
|
+
if (use_known_hosts_order) {
|
41
|
+
/* Query known_hosts and prefer algorithms that appear there */
|
42
|
+
- myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = prop_hostkey =
|
43
|
+
- compat_pkalg_proposal(ssh,
|
44
|
+
- order_hostkeyalgs(host, hostaddr, port, cinfo));
|
45
|
+
+ if ((hostkeyalgs = order_hostkeyalgs(host, hostaddr, port, cinfo)) == NULL)
|
46
|
+
+ fatal_f("order_hostkeyalgs");
|
47
|
+
+ pkalg = match_filter_allowlist(hostkeyalgs, options.pubkey_accepted_algos);
|
48
|
+
+ free(hostkeyalgs);
|
49
|
+
} else {
|
50
|
+
- /* Use specified HostkeyAlgorithms exactly */
|
51
|
+
- myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = prop_hostkey =
|
52
|
+
- compat_pkalg_proposal(ssh, options.hostkeyalgorithms);
|
53
|
+
+ /* Use specified HostkeyAlgorithms */
|
54
|
+
+ pkalg = match_filter_allowlist(options.hostkeyalgorithms, options.pubkey_accepted_algos);
|
55
|
+
}
|
56
|
+
+ if (pkalg == NULL)
|
57
|
+
+ fatal_f("match_filter_allowlist");
|
58
|
+
+ myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = prop_hostkey =
|
59
|
+
+ compat_pkalg_proposal(ssh, pkalg);
|
60
|
+
+ free(pkalg);
|
61
|
+
|
62
|
+
#if defined(GSSAPI) && defined(WITH_OPENSSL)
|
63
|
+
if (options.gss_keyex) {
|
@@ -51,7 +51,7 @@
|
|
51
51
|
|
52
52
|
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
|
53
53
|
%global openssh_ver 8.7p1
|
54
|
-
%global openssh_rel
|
54
|
+
%global openssh_rel 16
|
55
55
|
%global pam_ssh_agent_ver 0.10.4
|
56
56
|
%global pam_ssh_agent_rel 4
|
57
57
|
|
@@ -246,6 +246,10 @@ Patch1004: openssh-8.7p1-gssapi-auth.patch
|
|
246
246
|
# d9dbb5d9a0326e252d3c7bc13beb9c2434f59409
|
247
247
|
# fdb1d58d0d3888b042e5a500f6ce524486aaf782
|
248
248
|
Patch1005: openssh-8.7p1-host-based-auth.patch
|
249
|
+
# Don't propose disallowed algorithms during hostkey negotiation
|
250
|
+
# upstream MR:
|
251
|
+
# https://github.com/openssh/openssh-portable/pull/323
|
252
|
+
Patch1006: openssh-8.7p1-negotiate-supported-algs.patch
|
249
253
|
|
250
254
|
License: BSD
|
251
255
|
Requires: /sbin/nologin
|
@@ -440,6 +444,7 @@ popd
|
|
440
444
|
%patch1003 -p1 -b .mem-leak
|
441
445
|
%patch1004 -p1 -b .gssapi-auth
|
442
446
|
%patch1005 -p1 -b .host-based-auth
|
447
|
+
%patch1006 -p1 -b .negotiate-supported-algs
|
443
448
|
|
444
449
|
%patch100 -p1 -b .coverity
|
445
450
|
|
@@ -720,6 +725,10 @@ test -f %{sysconfig_anaconda} && \
|
|
720
725
|
%endif
|
721
726
|
|
722
727
|
%changelog
|
728
|
+
* Thu Jul 14 2022 Zoltan Fridrich <zfridric@redhat.com> - 8.7p1-16
|
729
|
+
- Don't propose disallowed algorithms during hostkey negotiation
|
730
|
+
Resolves: rhbz#2068423
|
731
|
+
|
723
732
|
* Thu Jul 14 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.7p1-15
|
724
733
|
- Disable ed25519 and ed25519-sk keys in FIPS mode
|
725
734
|
Related: rhbz#2087915
|