From c98f5597250d6f9a8e8d96960beb6306d150ef0f Mon Sep 17 00:00:00 2001 From: Jakub Jelen Date: Aug 22 2015 20:22:48 +0000 Subject: HostKeyAlgorithms option on server is broken when using + sign --- diff --git a/openssh-6.7p1-fips.patch b/openssh-6.7p1-fips.patch index b8d5ede..9a743b1 100644 --- a/openssh-6.7p1-fips.patch +++ b/openssh-6.7p1-fips.patch @@ -382,7 +382,7 @@ diff -up openssh-7.0p1/servconf.c.fips openssh-7.0p1/servconf.c + kex_assemble_names((FIPS_mode() ? KEX_DEFAULT_KEX_FIPS + : KEX_SERVER_KEX), &options->kex_algorithms) != 0 || kex_assemble_names(KEX_DEFAULT_PK_ALG, - &options->hostbased_key_types) != 0 || + &options->hostkeyalgorithms) != 0 || kex_assemble_names(KEX_DEFAULT_PK_ALG, @@ -2355,8 +2358,10 @@ dump_config(ServerOptions *o) /* string arguments */ diff --git a/openssh-7.1p1-hostkeyalgorithms.patch b/openssh-7.1p1-hostkeyalgorithms.patch new file mode 100644 index 0000000..4a22cdc --- /dev/null +++ b/openssh-7.1p1-hostkeyalgorithms.patch @@ -0,0 +1,46 @@ +diff --git a/readconf.c b/readconf.c +index 374e741..23d74fb 100644 +--- a/readconf.c ++++ b/readconf.c +@@ -2229,6 +2229,10 @@ dump_client_config(Options *o, const char *host) + int i; + char vbuf[5]; + ++ /* This is normally prepared in ssh_kex2 */ ++ if (kex_assemble_names(KEX_DEFAULT_PK_ALG, &o->hostkeyalgorithms) != 0) ++ fatal("%s: kex_assemble_names failed", __func__); ++ + /* Most interesting options first: user, host, port */ + dump_cfg_string(oUser, o->user); + dump_cfg_string(oHostName, host); +@@ -2289,7 +2293,7 @@ dump_client_config(Options *o, const char *host) + dump_cfg_string(oBindAddress, o->bind_address); + dump_cfg_string(oCiphers, o->ciphers ? o->ciphers : KEX_CLIENT_ENCRYPT); + dump_cfg_string(oControlPath, o->control_path); +- dump_cfg_string(oHostKeyAlgorithms, o->hostkeyalgorithms ? o->hostkeyalgorithms : KEX_DEFAULT_PK_ALG); ++ dump_cfg_string(oHostKeyAlgorithms, o->hostkeyalgorithms); + dump_cfg_string(oHostKeyAlias, o->host_key_alias); + dump_cfg_string(oHostbasedKeyTypes, o->hostbased_key_types); + dump_cfg_string(oKbdInteractiveDevices, o->kbd_interactive_devices); +diff --git a/servconf.c b/servconf.c +index 04404a4..08c8139 100644 +--- a/servconf.c ++++ b/servconf.c +@@ -242,8 +242,6 @@ fill_default_server_options(ServerOptions *options) + options->hostbased_authentication = 0; + if (options->hostbased_uses_name_from_packet_only == -1) + options->hostbased_uses_name_from_packet_only = 0; +- if (options->hostkeyalgorithms == NULL) +- options->hostkeyalgorithms = xstrdup(KEX_DEFAULT_PK_ALG); + if (options->rsa_authentication == -1) + options->rsa_authentication = 1; + if (options->pubkey_authentication == -1) +@@ -329,6 +327,8 @@ fill_default_server_options(ServerOptions *options) + kex_assemble_names(KEX_SERVER_MAC, &options->macs) != 0 || + kex_assemble_names(KEX_SERVER_KEX, &options->kex_algorithms) != 0 || + kex_assemble_names(KEX_DEFAULT_PK_ALG, ++ &options->hostkeyalgorithms) != 0 || ++ kex_assemble_names(KEX_DEFAULT_PK_ALG, + &options->hostbased_key_types) != 0 || + kex_assemble_names(KEX_DEFAULT_PK_ALG, + &options->pubkey_key_types) != 0) diff --git a/openssh.spec b/openssh.spec index b90201b..ae5ad96 100644 --- a/openssh.spec +++ b/openssh.spec @@ -229,6 +229,9 @@ Patch931: openssh-6.9p1-scp-progressmeter.patch Patch932: openssh-7.0p1-gssKexAlgorithms.patch # Possibility to validate legacy systems by more fingerprints (#1249626)(#2439) Patch933: openssh-7.0p1-show-more-fingerprints.patch +# Brokend HostKeyAlgorthms on server using + sign +# from http://lists.mindrot.org/pipermail/openssh-unix-dev/2015-August/034324.html +Patch934: openssh-7.1p1-hostkeyalgorithms.patch License: BSD @@ -466,6 +469,7 @@ popd %patch931 -p1 -b .progressmeter %patch932 -p1 -b .gsskexalg %patch933 -p1 -b .fingerprint +%patch934 -p1 -b .hostkey %patch200 -p1 -b .audit %patch700 -p1 -b .fips