From 6caa973459f4e66872fe5ef43949f2ce62e1d9e5 Mon Sep 17 00:00:00 2001 From: Jakub Jelen Date: Mon, 13 May 2019 14:22:21 +0200 Subject: [PATCH] Mention crypto-policies in the manual pages instead of the hardcoded defaults Resolves: rhbz#1668325 --- openssh-8.0p1-crypto-policies.patch | 210 ++++++++++++++++++++++++++++ openssh.spec | 3 + 2 files changed, 213 insertions(+) create mode 100644 openssh-8.0p1-crypto-policies.patch diff --git a/openssh-8.0p1-crypto-policies.patch b/openssh-8.0p1-crypto-policies.patch new file mode 100644 index 0000000..8a63501 --- /dev/null +++ b/openssh-8.0p1-crypto-policies.patch @@ -0,0 +1,210 @@ +diff -up openssh-8.0p1/ssh_config.5.crypto-policies openssh-8.0p1/ssh_config.5 +--- openssh-8.0p1/ssh_config.5.crypto-policies 2019-05-13 14:04:01.999099570 +0200 ++++ openssh-8.0p1/ssh_config.5 2019-05-13 14:12:36.343923071 +0200 +@@ -445,12 +445,10 @@ aes256-gcm@openssh.com + chacha20-poly1305@openssh.com + .Ed + .Pp +-The default is: +-.Bd -literal -offset indent +-chacha20-poly1305@openssh.com, +-aes128-ctr,aes192-ctr,aes256-ctr, +-aes128-gcm@openssh.com,aes256-gcm@openssh.com +-.Ed ++The default is handled system-wide by ++.Xr crypto-policies 7 . ++To see the defaults and how to modifuy this default, see manual page ++.Xr update-crypto-policies 8 . + .Pp + The list of available ciphers may also be obtained using + .Qq ssh -Q cipher . +@@ -812,8 +810,10 @@ gss-nistp256-sha256-, + gss-curve25519-sha256- + .Ed + .Pp +-The default is +-.Dq gss-gex-sha1-,gss-group14-sha1- . ++The default is handled system-wide by ++.Xr crypto-policies 7 . ++To see the defaults and how to modifuy this default, see manual page ++.Xr update-crypto-policies 8 . + This option only applies to protocol version 2 connections using GSSAPI. + .It Cm HashKnownHosts + Indicates that +@@ -1123,16 +1123,10 @@ If the specified value begins with a + .Sq - + character, then the specified methods (including wildcards) will be removed + from the default set instead of replacing them. +-The default is: +-.Bd -literal -offset indent +-curve25519-sha256,curve25519-sha256@libssh.org, +-ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521, +-diffie-hellman-group-exchange-sha256, +-diffie-hellman-group16-sha512, +-diffie-hellman-group18-sha512, +-diffie-hellman-group14-sha256, +-diffie-hellman-group14-sha1 +-.Ed ++The default is handled system-wide by ++.Xr crypto-policies 7 . ++To see the defaults and how to modifuy this default, see manual page ++.Xr update-crypto-policies 8 . + .Pp + The list of available key exchange algorithms may also be obtained using + .Qq ssh -Q kex . +@@ -1210,14 +1204,10 @@ The algorithms that contain + calculate the MAC after encryption (encrypt-then-mac). + These are considered safer and their use recommended. + .Pp +-The default is: +-.Bd -literal -offset indent +-umac-64-etm@openssh.com,umac-128-etm@openssh.com, +-hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com, +-hmac-sha1-etm@openssh.com, +-umac-64@openssh.com,umac-128@openssh.com, +-hmac-sha2-256,hmac-sha2-512,hmac-sha1 +-.Ed ++The default is handled system-wide by ++.Xr crypto-policies 7 . ++To see the defaults and how to modifuy this default, see manual page ++.Xr update-crypto-policies 8 . + .Pp + The list of available MAC algorithms may also be obtained using + .Qq ssh -Q mac . +@@ -1361,17 +1351,10 @@ If the specified value begins with a + .Sq - + character, then the specified key types (including wildcards) will be removed + from the default set instead of replacing them. +-The default for this option is: +-.Bd -literal -offset 3n +-ecdsa-sha2-nistp256-cert-v01@openssh.com, +-ecdsa-sha2-nistp384-cert-v01@openssh.com, +-ecdsa-sha2-nistp521-cert-v01@openssh.com, +-ssh-ed25519-cert-v01@openssh.com, +-rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com, +-ssh-rsa-cert-v01@openssh.com, +-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, +-ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa +-.Ed ++The default is handled system-wide by ++.Xr crypto-policies 7 . ++To see the defaults and how to modifuy this default, see manual page ++.Xr update-crypto-policies 8 . + .Pp + The list of available key types may also be obtained using + .Qq ssh -Q key . +diff -up openssh-8.0p1/sshd_config.5.crypto-policies openssh-8.0p1/sshd_config.5 +--- openssh-8.0p1/sshd_config.5.crypto-policies 2019-05-13 14:12:41.226968863 +0200 ++++ openssh-8.0p1/sshd_config.5 2019-05-13 14:15:14.581406997 +0200 +@@ -490,12 +490,10 @@ aes256-gcm@openssh.com + chacha20-poly1305@openssh.com + .El + .Pp +-The default is: +-.Bd -literal -offset indent +-chacha20-poly1305@openssh.com, +-aes128-ctr,aes192-ctr,aes256-ctr, +-aes128-gcm@openssh.com,aes256-gcm@openssh.com +-.Ed ++The default is handled system-wide by ++.Xr crypto-policies 7 . ++To see the defaults and how to modifuy this default, see manual page ++.Xr update-crypto-policies 8 . + .Pp + The list of available ciphers may also be obtained using + .Qq ssh -Q cipher . +@@ -700,8 +698,10 @@ gss-nistp256-sha256-, + gss-curve25519-sha256- + .Ed + .Pp +-The default is +-.Dq gss-gex-sha1-,gss-group14-sha1- . ++The default is handled system-wide by ++.Xr crypto-policies 7 . ++To see the defaults and how to modifuy this default, see manual page ++.Xr update-crypto-policies 8 . + This option only applies to protocol version 2 connections using GSSAPI. + .It Cm HostbasedAcceptedKeyTypes + Specifies the key types that will be accepted for hostbased authentication +@@ -792,17 +792,10 @@ environment variable. + .It Cm HostKeyAlgorithms + Specifies the host key algorithms + that the server offers. +-The default for this option is: +-.Bd -literal -offset 3n +-ecdsa-sha2-nistp256-cert-v01@openssh.com, +-ecdsa-sha2-nistp384-cert-v01@openssh.com, +-ecdsa-sha2-nistp521-cert-v01@openssh.com, +-ssh-ed25519-cert-v01@openssh.com, +-rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com, +-ssh-rsa-cert-v01@openssh.com, +-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, +-ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa +-.Ed ++The default is handled system-wide by ++.Xr crypto-policies 7 . ++To see the defaults and how to modifuy this default, see manual page ++.Xr update-crypto-policies 8 . + .Pp + The list of available key types may also be obtained using + .Qq ssh -Q key . +@@ -960,14 +953,10 @@ ecdh-sha2-nistp384 + ecdh-sha2-nistp521 + .El + .Pp +-The default is: +-.Bd -literal -offset indent +-curve25519-sha256,curve25519-sha256@libssh.org, +-ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521, +-diffie-hellman-group-exchange-sha256, +-diffie-hellman-group16-sha512,diffie-hellman-group18-sha512, +-diffie-hellman-group14-sha256,diffie-hellman-group14-sha1 +-.Ed ++The default is handled system-wide by ++.Xr crypto-policies 7 . ++To see the defaults and how to modifuy this default, see manual page ++.Xr update-crypto-policies 8 . + .Pp + The list of available key exchange algorithms may also be obtained using + .Qq ssh -Q kex . +@@ -1090,14 +1079,10 @@ umac-64-etm@openssh.com + umac-128-etm@openssh.com + .El + .Pp +-The default is: +-.Bd -literal -offset indent +-umac-64-etm@openssh.com,umac-128-etm@openssh.com, +-hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com, +-hmac-sha1-etm@openssh.com, +-umac-64@openssh.com,umac-128@openssh.com, +-hmac-sha2-256,hmac-sha2-512,hmac-sha1 +-.Ed ++The default is handled system-wide by ++.Xr crypto-policies 7 . ++To see the defaults and how to modifuy this default, see manual page ++.Xr update-crypto-policies 8 . + .Pp + The list of available MAC algorithms may also be obtained using + .Qq ssh -Q mac . +@@ -1455,17 +1440,10 @@ If the specified value begins with a + .Sq - + character, then the specified key types (including wildcards) will be removed + from the default set instead of replacing them. +-The default for this option is: +-.Bd -literal -offset 3n +-ecdsa-sha2-nistp256-cert-v01@openssh.com, +-ecdsa-sha2-nistp384-cert-v01@openssh.com, +-ecdsa-sha2-nistp521-cert-v01@openssh.com, +-ssh-ed25519-cert-v01@openssh.com, +-rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com, +-ssh-rsa-cert-v01@openssh.com, +-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, +-ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa +-.Ed ++The default is handled system-wide by ++.Xr crypto-policies 7 . ++To see the defaults and how to modifuy this default, see manual page ++.Xr update-crypto-policies 8 . + .Pp + The list of available key types may also be obtained using + .Qq ssh -Q key . diff --git a/openssh.spec b/openssh.spec index 1d3fda7..2bc313f 100644 --- a/openssh.spec +++ b/openssh.spec @@ -210,6 +210,8 @@ Patch960: openssh-7.9p1-updated-cached-pw.patch # Verify the SCP vulnerabilities are fixed in the package testsuite # https://bugzilla.mindrot.org/show_bug.cgi?id=3007 Patch961: openssh-8.0p1-scp-tests.patch +# Mention crypto-policies in manual pages (#1668325) +Patch962: openssh-8.0p1-crypto-policies.patch License: BSD Requires: /sbin/nologin @@ -414,6 +416,7 @@ popd %patch958 -p1 -b .ssh-copy-id %patch960 -p1 -b .update-pw %patch961 -p1 -b .scp-tests +%patch962 -p1 -b .crypto-policies %patch200 -p1 -b .audit %patch201 -p1 -b .audit-race