forked from rpms/openssh
Merge manpage crypto-policies related patches
Signed-off-by: Norbert Pocs <npocs@redhat.com>
This commit is contained in:
parent
fb40f0afda
commit
2b67ec48c2
@ -1,7 +1,7 @@
|
||||
diff --color -ru a/ssh_config.5 b/ssh_config.5
|
||||
--- a/ssh_config.5 2022-07-12 15:05:22.550013071 +0200
|
||||
+++ b/ssh_config.5 2022-07-12 15:17:20.016704545 +0200
|
||||
@@ -373,17 +373,13 @@
|
||||
diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x config.status -x configure~ -x configure.ac openssh-9.3p1/ssh_config.5 openssh-9.3p1-patched/ssh_config.5
|
||||
--- openssh-9.3p1/ssh_config.5 2023-06-07 10:26:48.284590156 +0200
|
||||
+++ openssh-9.3p1-patched/ssh_config.5 2023-06-07 10:26:00.623052194 +0200
|
||||
@@ -378,17 +378,13 @@
|
||||
causes no CNAMEs to be considered for canonicalization.
|
||||
This is the default behaviour.
|
||||
.It Cm CASignatureAlgorithms
|
||||
@ -24,7 +24,7 @@ diff --color -ru a/ssh_config.5 b/ssh_config.5
|
||||
If the specified list begins with a
|
||||
.Sq +
|
||||
character, then the specified algorithms will be appended to the default set
|
||||
@@ -445,20 +441,25 @@
|
||||
@@ -450,20 +446,25 @@
|
||||
(the default),
|
||||
the check will not be executed.
|
||||
.It Cm Ciphers
|
||||
@ -54,7 +54,7 @@ diff --color -ru a/ssh_config.5 b/ssh_config.5
|
||||
.Pp
|
||||
The supported ciphers are:
|
||||
.Bd -literal -offset indent
|
||||
@@ -474,13 +475,6 @@
|
||||
@@ -479,13 +480,6 @@
|
||||
chacha20-poly1305@openssh.com
|
||||
.Ed
|
||||
.Pp
|
||||
@ -68,7 +68,7 @@ diff --color -ru a/ssh_config.5 b/ssh_config.5
|
||||
The list of available ciphers may also be obtained using
|
||||
.Qq ssh -Q cipher .
|
||||
.It Cm ClearAllForwardings
|
||||
@@ -874,6 +868,11 @@
|
||||
@@ -885,6 +879,11 @@
|
||||
The default is
|
||||
.Dq no .
|
||||
.It Cm GSSAPIKexAlgorithms
|
||||
@ -80,7 +80,7 @@ diff --color -ru a/ssh_config.5 b/ssh_config.5
|
||||
The list of key exchange algorithms that are offered for GSSAPI
|
||||
key exchange. Possible values are
|
||||
.Bd -literal -offset 3n
|
||||
@@ -886,10 +885,8 @@
|
||||
@@ -897,10 +896,8 @@
|
||||
gss-curve25519-sha256-
|
||||
.Ed
|
||||
.Pp
|
||||
@ -92,7 +92,7 @@ diff --color -ru a/ssh_config.5 b/ssh_config.5
|
||||
.It Cm HashKnownHosts
|
||||
Indicates that
|
||||
.Xr ssh 1
|
||||
@@ -913,36 +910,25 @@
|
||||
@@ -919,36 +916,25 @@
|
||||
but may be manually hashed using
|
||||
.Xr ssh-keygen 1 .
|
||||
.It Cm HostbasedAcceptedAlgorithms
|
||||
@ -137,7 +137,25 @@ diff --color -ru a/ssh_config.5 b/ssh_config.5
|
||||
.Pp
|
||||
The
|
||||
.Fl Q
|
||||
@@ -1219,30 +1216,25 @@
|
||||
@@ -1001,6 +987,17 @@
|
||||
.Pp
|
||||
The list of available signature algorithms may also be obtained using
|
||||
.Qq ssh -Q HostKeyAlgorithms .
|
||||
+.Pp
|
||||
+The proposed
|
||||
+.Cm HostKeyAlgorithms
|
||||
+during KEX are limited to the set of algorithms that is defined in
|
||||
+.Cm PubkeyAcceptedAlgorithms
|
||||
+and therefore they are indirectly affected by system-wide
|
||||
+.Xr crypto_policies 7 .
|
||||
+.Xr crypto_policies 7 can not handle the list of host key algorithms directly as doing so
|
||||
+would break the order given by the
|
||||
+.Pa known_hosts
|
||||
+file.
|
||||
.It Cm HostKeyAlias
|
||||
Specifies an alias that should be used instead of the
|
||||
real host name when looking up or saving the host key
|
||||
@@ -1232,30 +1229,25 @@
|
||||
and
|
||||
.Cm pam .
|
||||
.It Cm KexAlgorithms
|
||||
@ -177,7 +195,7 @@ diff --color -ru a/ssh_config.5 b/ssh_config.5
|
||||
.Pp
|
||||
The list of available key exchange algorithms may also be obtained using
|
||||
.Qq ssh -Q kex .
|
||||
@@ -1351,37 +1344,33 @@
|
||||
@@ -1365,37 +1357,33 @@
|
||||
file.
|
||||
This option is intended for debugging and no overrides are enabled by default.
|
||||
.It Cm MACs
|
||||
@ -224,7 +242,7 @@ diff --color -ru a/ssh_config.5 b/ssh_config.5
|
||||
The list of available MAC algorithms may also be obtained using
|
||||
.Qq ssh -Q mac .
|
||||
.It Cm NoHostAuthenticationForLocalhost
|
||||
@@ -1553,36 +1542,25 @@
|
||||
@@ -1567,39 +1555,31 @@
|
||||
The default is
|
||||
.Cm no .
|
||||
.It Cm PubkeyAcceptedAlgorithms
|
||||
@ -270,7 +288,13 @@ diff --color -ru a/ssh_config.5 b/ssh_config.5
|
||||
.Pp
|
||||
The list of available signature algorithms may also be obtained using
|
||||
.Qq ssh -Q PubkeyAcceptedAlgorithms .
|
||||
@@ -2237,7 +2207,9 @@ for those users who do not have a config
|
||||
+.Pp
|
||||
+This option affects also
|
||||
+.Cm HostKeyAlgorithms
|
||||
.It Cm PubkeyAuthentication
|
||||
Specifies whether to try public key authentication.
|
||||
The argument to this keyword must be
|
||||
@@ -2265,7 +2245,9 @@
|
||||
This file must be world-readable.
|
||||
.El
|
||||
.Sh SEE ALSO
|
||||
@ -281,10 +305,10 @@ diff --color -ru a/ssh_config.5 b/ssh_config.5
|
||||
.Sh AUTHORS
|
||||
.An -nosplit
|
||||
OpenSSH is a derivative of the original and free
|
||||
diff --color -ru a/sshd_config.5 b/sshd_config.5
|
||||
--- a/sshd_config.5 2022-07-12 15:05:22.535012771 +0200
|
||||
+++ b/sshd_config.5 2022-07-12 15:15:33.394809258 +0200
|
||||
@@ -373,17 +373,13 @@
|
||||
diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x config.status -x configure~ -x configure.ac openssh-9.3p1/sshd_config.5 openssh-9.3p1-patched/sshd_config.5
|
||||
--- openssh-9.3p1/sshd_config.5 2023-06-07 10:26:48.277590077 +0200
|
||||
+++ openssh-9.3p1-patched/sshd_config.5 2023-06-07 10:26:00.592051845 +0200
|
||||
@@ -379,17 +379,13 @@
|
||||
then no banner is displayed.
|
||||
By default, no banner is displayed.
|
||||
.It Cm CASignatureAlgorithms
|
||||
@ -307,7 +331,7 @@ diff --color -ru a/sshd_config.5 b/sshd_config.5
|
||||
If the specified list begins with a
|
||||
.Sq +
|
||||
character, then the specified algorithms will be appended to the default set
|
||||
@@ -450,20 +446,25 @@
|
||||
@@ -525,20 +521,25 @@
|
||||
indicating not to
|
||||
.Xr chroot 2 .
|
||||
.It Cm Ciphers
|
||||
@ -337,7 +361,7 @@ diff --color -ru a/sshd_config.5 b/sshd_config.5
|
||||
.Pp
|
||||
The supported ciphers are:
|
||||
.Pp
|
||||
@@ -490,13 +491,6 @@
|
||||
@@ -565,13 +566,6 @@
|
||||
chacha20-poly1305@openssh.com
|
||||
.El
|
||||
.Pp
|
||||
@ -351,7 +375,7 @@ diff --color -ru a/sshd_config.5 b/sshd_config.5
|
||||
The list of available ciphers may also be obtained using
|
||||
.Qq ssh -Q cipher .
|
||||
.It Cm ClientAliveCountMax
|
||||
@@ -685,53 +679,43 @@
|
||||
@@ -766,53 +760,43 @@
|
||||
.Cm GSSAPIKeyExchange
|
||||
needs to be enabled in the server and also used by the client.
|
||||
.It Cm GSSAPIKexAlgorithms
|
||||
@ -424,7 +448,7 @@ diff --color -ru a/sshd_config.5 b/sshd_config.5
|
||||
.Pp
|
||||
The list of available signature algorithms may also be obtained using
|
||||
.Qq ssh -Q HostbasedAcceptedAlgorithms .
|
||||
@@ -799,25 +794,14 @@
|
||||
@@ -879,25 +863,14 @@
|
||||
.Ev SSH_AUTH_SOCK
|
||||
environment variable.
|
||||
.It Cm HostKeyAlgorithms
|
||||
@ -455,7 +479,7 @@ diff --color -ru a/sshd_config.5 b/sshd_config.5
|
||||
The list of available signature algorithms may also be obtained using
|
||||
.Qq ssh -Q HostKeyAlgorithms .
|
||||
.It Cm IgnoreRhosts
|
||||
@@ -965,20 +947,25 @@
|
||||
@@ -1044,20 +1017,25 @@
|
||||
The default is
|
||||
.Cm yes .
|
||||
.It Cm KexAlgorithms
|
||||
@ -485,7 +509,7 @@ diff --color -ru a/sshd_config.5 b/sshd_config.5
|
||||
The supported algorithms are:
|
||||
.Pp
|
||||
.Bl -item -compact -offset indent
|
||||
@@ -1010,16 +997,6 @@
|
||||
@@ -1089,16 +1067,6 @@
|
||||
sntrup761x25519-sha512@openssh.com
|
||||
.El
|
||||
.Pp
|
||||
@ -502,7 +526,7 @@ diff --color -ru a/sshd_config.5 b/sshd_config.5
|
||||
The list of available key exchange algorithms may also be obtained using
|
||||
.Qq ssh -Q KexAlgorithms .
|
||||
.It Cm ListenAddress
|
||||
@@ -1104,21 +1082,26 @@
|
||||
@@ -1184,21 +1152,26 @@
|
||||
file.
|
||||
This option is intended for debugging and no overrides are enabled by default.
|
||||
.It Cm MACs
|
||||
@ -533,7 +557,7 @@ diff --color -ru a/sshd_config.5 b/sshd_config.5
|
||||
.Pp
|
||||
The algorithms that contain
|
||||
.Qq -etm
|
||||
@@ -1161,15 +1144,6 @@
|
||||
@@ -1241,15 +1214,6 @@
|
||||
umac-128-etm@openssh.com
|
||||
.El
|
||||
.Pp
|
||||
@ -549,7 +573,7 @@ diff --color -ru a/sshd_config.5 b/sshd_config.5
|
||||
The list of available MAC algorithms may also be obtained using
|
||||
.Qq ssh -Q mac .
|
||||
.It Cm Match
|
||||
@@ -1548,36 +1522,25 @@
|
||||
@@ -1633,36 +1597,25 @@
|
||||
The default is
|
||||
.Cm yes .
|
||||
.It Cm PubkeyAcceptedAlgorithms
|
||||
@ -595,7 +619,7 @@ diff --color -ru a/sshd_config.5 b/sshd_config.5
|
||||
.Pp
|
||||
The list of available signature algorithms may also be obtained using
|
||||
.Qq ssh -Q PubkeyAcceptedAlgorithms .
|
||||
@@ -2011,7 +1968,9 @@ This file should be writable by root onl
|
||||
@@ -2131,7 +2084,9 @@
|
||||
.El
|
||||
.Sh SEE ALSO
|
||||
.Xr sftp-server 8 ,
|
||||
|
@ -1,16 +0,0 @@
|
||||
diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x config.status -x configure~ -x configure.ac openssh-8.7p1/ssh_config.5 openssh-8.7p1-patched/ssh_config.5
|
||||
--- openssh-8.7p1/ssh_config.5 2023-05-29 13:41:19.731835097 +0200
|
||||
+++ openssh-8.7p1-patched/ssh_config.5 2023-05-29 13:40:58.806604144 +0200
|
||||
@@ -989,6 +989,12 @@
|
||||
.Pp
|
||||
The list of available signature algorithms may also be obtained using
|
||||
.Qq ssh -Q HostKeyAlgorithms .
|
||||
+.Pp
|
||||
+.Xr crypto_policies 7 does not handle the list of algorithms as doing so
|
||||
+would break the order given by the
|
||||
+.Pa known_hosts
|
||||
+file. Therefore the list is filtered by
|
||||
+.Cm PubkeyAcceptedAlgorithms.
|
||||
.It Cm HostKeyAlias
|
||||
Specifies an alias that should be used instead of the
|
||||
real host name when looking up or saving the host key
|
@ -181,6 +181,7 @@ Patch951: openssh-8.0p1-pkcs11-uri.patch
|
||||
# Unbreak scp between two IPv6 hosts (#1620333)
|
||||
Patch953: openssh-7.8p1-scp-ipv6.patch
|
||||
# Mention crypto-policies in manual pages (#1668325)
|
||||
# clarify rhbz#2068423 on the man page of ssh_config
|
||||
Patch962: openssh-8.0p1-crypto-policies.patch
|
||||
# Use OpenSSL high-level API to produce and verify signatures (#1707485)
|
||||
# TODO fix the comment above ^
|
||||
@ -228,9 +229,6 @@ Patch1012: openssh-9.0p1-evp-fips-dh.patch
|
||||
Patch1013: openssh-9.0p1-evp-fips-ecdh.patch
|
||||
Patch1014: openssh-8.7p1-nohostsha1proof.patch
|
||||
|
||||
# clarify rhbz#2068423 on the man page of ssh_config
|
||||
Patch1016: openssh-9.0p1-man-hostkeyalgos.patch
|
||||
|
||||
License: BSD
|
||||
Requires: /sbin/nologin
|
||||
|
||||
@ -434,8 +432,6 @@ popd
|
||||
%patch -P 1013 -p1 -b .evp-fips-ecdh
|
||||
%patch -P 1014 -p1 -b .nosha1hostproof
|
||||
|
||||
%patch -P 1016 -p1 -b .man-hostkeyalgos
|
||||
|
||||
%patch -P 100 -p1 -b .coverity
|
||||
|
||||
autoreconf
|
||||
|
Loading…
Reference in New Issue
Block a user