bmh10 / rpms / openssh

Forked from rpms/openssh 22 days ago
Clone

e8622f Don't propose disallowed algorithms during hostkey negotiation

Authored and Committed by Zoltan Fridrich 2 years ago
    Don't propose disallowed algorithms during hostkey negotiation
    
    Resolves: rhbz#2068423
    
    Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
    
        
openssh-8.7p1-negotiate-supported-algs.patch ADDED
@@ -0,0 +1,63 @@
1
+ diff --color -rup a/regress/hostkey-agent.sh b/regress/hostkey-agent.sh
2
+ --- a/regress/hostkey-agent.sh 2021-08-20 06:03:49.000000000 +0200
3
+ +++ b/regress/hostkey-agent.sh 2022-07-14 11:58:12.172786060 +0200
4
+ @@ -13,8 +13,12 @@ r=$?
5
+ grep -vi 'hostkey' $OBJ/sshd_proxy > $OBJ/sshd_proxy.orig
6
+ echo "HostKeyAgent $SSH_AUTH_SOCK" >> $OBJ/sshd_proxy.orig
7
+
8
+ +PUBKEY_ACCEPTED_ALGOS=`$SSH -G "example.com" | \
9
+ + grep -i "PubkeyAcceptedAlgorithms" | cut -d ' ' -f2- | tr "," "|"`
10
+ +SSH_ACCEPTED_KEYTYPES=`echo "$SSH_KEYTYPES" | egrep "$PUBKEY_ACCEPTED_ALGOS"`
11
+ +
12
+ trace "load hostkeys"
13
+ -for k in $SSH_KEYTYPES ; do
14
+ +for k in $SSH_ACCEPTED_KEYTYPES ; do
15
+ ${SSHKEYGEN} -qt $k -f $OBJ/agent-key.$k -N '' || fatal "ssh-keygen $k"
16
+ (
17
+ printf 'localhost-with-alias,127.0.0.1,::1 '
18
+ @@ -31,7 +35,7 @@ cp $OBJ/known_hosts.orig $OBJ/known_host
19
+ unset SSH_AUTH_SOCK
20
+
21
+ for ps in yes; do
22
+ - for k in $SSH_KEYTYPES ; do
23
+ + for k in $SSH_ACCEPTED_KEYTYPES ; do
24
+ verbose "key type $k privsep=$ps"
25
+ cp $OBJ/sshd_proxy.orig $OBJ/sshd_proxy
26
+ echo "UsePrivilegeSeparation $ps" >> $OBJ/sshd_proxy
27
+ diff --color -rup a/sshconnect2.c b/sshconnect2.c
28
+ --- a/sshconnect2.c 2022-07-14 10:10:07.262975710 +0200
29
+ +++ b/sshconnect2.c 2022-07-14 10:10:32.068452067 +0200
30
+ @@ -222,6 +222,7 @@ ssh_kex2(struct ssh *ssh, char *host, st
31
+ {
32
+ char *myproposal[PROPOSAL_MAX] = { KEX_CLIENT };
33
+ char *s, *all_key;
34
+ + char *hostkeyalgs = NULL, *pkalg = NULL;
35
+ char *prop_kex = NULL, *prop_enc = NULL, *prop_hostkey = NULL;
36
+ int r, use_known_hosts_order = 0;
37
+
38
+ @@ -264,14 +265,19 @@ ssh_kex2(struct ssh *ssh, char *host, st
39
+ myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
40
+ if (use_known_hosts_order) {
41
+ /* Query known_hosts and prefer algorithms that appear there */
42
+ - myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = prop_hostkey =
43
+ - compat_pkalg_proposal(ssh,
44
+ - order_hostkeyalgs(host, hostaddr, port, cinfo));
45
+ + if ((hostkeyalgs = order_hostkeyalgs(host, hostaddr, port, cinfo)) == NULL)
46
+ + fatal_f("order_hostkeyalgs");
47
+ + pkalg = match_filter_allowlist(hostkeyalgs, options.pubkey_accepted_algos);
48
+ + free(hostkeyalgs);
49
+ } else {
50
+ - /* Use specified HostkeyAlgorithms exactly */
51
+ - myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = prop_hostkey =
52
+ - compat_pkalg_proposal(ssh, options.hostkeyalgorithms);
53
+ + /* Use specified HostkeyAlgorithms */
54
+ + pkalg = match_filter_allowlist(options.hostkeyalgorithms, options.pubkey_accepted_algos);
55
+ }
56
+ + if (pkalg == NULL)
57
+ + fatal_f("match_filter_allowlist");
58
+ + myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = prop_hostkey =
59
+ + compat_pkalg_proposal(ssh, pkalg);
60
+ + free(pkalg);
61
+
62
+ #if defined(GSSAPI) && defined(WITH_OPENSSL)
63
+ if (options.gss_keyex) {
file modified
+10 -1
openssh.spec CHANGED
@@ -51,7 +51,7 @@
51
51
52
52
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
53
53
%global openssh_ver 8.7p1
54
- %global openssh_rel 15
54
+ %global openssh_rel 16
55
55
%global pam_ssh_agent_ver 0.10.4
56
56
%global pam_ssh_agent_rel 4
57
57
@@ -246,6 +246,10 @@ Patch1004: openssh-8.7p1-gssapi-auth.patch
246
246
# d9dbb5d9a0326e252d3c7bc13beb9c2434f59409
247
247
# fdb1d58d0d3888b042e5a500f6ce524486aaf782
248
248
Patch1005: openssh-8.7p1-host-based-auth.patch
249
+ # Don't propose disallowed algorithms during hostkey negotiation
250
+ # upstream MR:
251
+ # https://github.com/openssh/openssh-portable/pull/323
252
+ Patch1006: openssh-8.7p1-negotiate-supported-algs.patch
249
253
250
254
License: BSD
251
255
Requires: /sbin/nologin
@@ -440,6 +444,7 @@ popd
440
444
%patch1003 -p1 -b .mem-leak
441
445
%patch1004 -p1 -b .gssapi-auth
442
446
%patch1005 -p1 -b .host-based-auth
447
+ %patch1006 -p1 -b .negotiate-supported-algs
443
448
444
449
%patch100 -p1 -b .coverity
445
450
@@ -720,6 +725,10 @@ test -f %{sysconfig_anaconda} && \
720
725
%endif
721
726
722
727
%changelog
728
+ * Thu Jul 14 2022 Zoltan Fridrich <zfridric@redhat.com> - 8.7p1-16
729
+ - Don't propose disallowed algorithms during hostkey negotiation
730
+ Resolves: rhbz#2068423
731
+
723
732
* Thu Jul 14 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.7p1-15
724
733
- Disable ed25519 and ed25519-sk keys in FIPS mode
725
734
Related: rhbz#2087915