From b5213cc0b33a177614908baa43b9d69125b380e1 Mon Sep 17 00:00:00 2001
From: Zoltan Fridrich
Date: Wed, 30 Apr 2025 15:58:03 +0200
Subject: [PATCH] Ignore bad hostkeys in known_hosts file
Resolves: RHEL-83644
Signed-off-by: Zoltan Fridrich
---
 openssh-9.9p1-bad-hostkey.patch | 68 +++++++++++++++++++++++++++++++++
 openssh.spec | 4 ++
 2 files changed, 72 insertions(+)
 create mode 100644 openssh-9.9p1-bad-hostkey.patch
diff --git a/openssh-9.9p1-bad-hostkey.patch b/openssh-9.9p1-bad-hostkey.patch
new file mode 100644
index 0000000..d4f11f1
--- /dev/null
+++ b/openssh-9.9p1-bad-hostkey.patch
@@ -0,0 +1,68 @@
+diff --color -ruNp a/hostfile.c b/hostfile.c
+--- a/hostfile.c 2024-09-20 00:20:48.000000000 +0200
++++ b/hostfile.c 2025-04-30 15:52:02.792091018 +0200
+@@ -63,6 +63,14 @@
+ #include "hmac.h"
+ #include "sshbuf.h"
+
++static int required_rsa_size = SSH_RSA_MINIMUM_MODULUS_SIZE;
++
++void
++hostfile_set_minimum_rsa_size(int size)
++{
++ required_rsa_size = size;
++}
++
+ /* XXX hmac is too easy to dictionary attack; use bcrypt? */
+
+ static int
+@@ -233,6 +241,7 @@ record_hostkey(struct hostkey_foreach_li
+ struct load_callback_ctx *ctx = (struct load_callback_ctx *)_ctx;
+ struct hostkeys *hostkeys = ctx->hostkeys;
+ struct hostkey_entry *tmp;
++ int r = 0;
+
+ if (l->status == HKF_STATUS_INVALID) {
+ /* XXX make this verbose() in the future */
+@@ -241,6 +250,12 @@ record_hostkey(struct hostkey_foreach_li
+ return 0;
+ }
+
++ if ((r = sshkey_check_rsa_length(l->key, required_rsa_size)) != 0) {
++ debug2_f("%s:%ld: ignoring hostkey: %s",
++ l->path, l->linenum, ssh_err(r));
++ return 0;
++ }
++
+ debug3_f("found %skey type %s in file %s:%lu",
+ l->marker == MRK_NONE ? "" :
+ (l->marker == MRK_CA ? 
"ca " : "revoked "),
+diff --color -ruNp a/hostfile.h b/hostfile.h
+--- a/hostfile.h 2024-09-20 00:20:48.000000000 +0200
++++ b/hostfile.h 2025-04-30 15:17:44.789206468 +0200
+@@ -119,5 +119,6 @@ int hostkeys_foreach_file(const char *pa
+ const char *host, const char *ip, u_int options, u_int note);
+
+ void hostfile_create_user_ssh_dir(const char *, int);
++void hostfile_set_minimum_rsa_size(int);
+
+ #endif
+diff --color -ruNp a/ssh.c b/ssh.c
+--- a/ssh.c 2025-04-29 15:40:27.916735894 +0200
++++ b/ssh.c 2025-04-30 15:19:48.856855308 +0200
+@@ -109,6 +109,7 @@
+ #include "ssherr.h"
+ #include "myproposal.h"
+ #include "utf8.h"
++#include "hostfile.h"
+
+ #ifdef ENABLE_PKCS11
+ #include "ssh-pkcs11.h"
+@@ -1395,6 +1396,7 @@ main(int ac, char **av)
+ options.update_hostkeys = 0;
+ }
+ }
++ hostfile_set_minimum_rsa_size(options.required_rsa_size);
+ if (options.connection_attempts <= 0)
+ fatal("Invalid number of ConnectionAttempts");
+
diff --git a/openssh.spec b/openssh.spec
index 03b0b76..fe5fcdd 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -211,6 +211,7 @@ Patch1023: openssh-9.9p1-compression-directive.patch
 # upstream fc86875e6acb36401dfc1dfb6b628a9d1460f367
 Patch1024: openssh-9.9p1-disable-forwarding.patch
 Patch1025: openssh-9.9p1-non-supported-keys-err-msg.patch
+Patch1026: openssh-9.9p1-bad-hostkey.patch
 License: BSD-3-Clause AND BSD-2-Clause AND ISC AND SSH-OpenSSH AND ssh-keyscan AND sprintf AND LicenseRef-Fedora-Public-Domain AND X11-distribute-modifications-variant
 Requires: /sbin/nologin
@@ -401,6 +402,7 @@ gpgv2 --quiet --keyring %{SOURCE3} %{SOURCE1} %{SOURCE0}
 %patch -P 1023 -p1 -b .compression
 %patch -P 1024 -p1 -b .disable-forwarding
 %patch -P 1025 -p1 -b .non-supported-keys-err-msg
+%patch -P 1026 -p1 -b .bad-hostkey
 %patch -P 100 -p1 -b .coverity
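Review bot: The added `debug2_f` in record_hostkey formats `l->linenum` with `%ld`, while the existing `debug3_f` a few lines further down in the same hunk prints the same field with `%lu`; the new call should use the same specifier, `debug2_f("%s:%lu: ignoring hostkey: %s",`. The skip is logged only at debug2, so a user whose RequiredRSASize newly disqualifies an entry already in known_hosts will see the host treated as unknown with no hint why unless running with -vv; consider logging it at the same level as the parse-error branch just above, and add a why-comment such as `/* Host keys below RequiredRSASize can never be accepted, so skip them instead of recording them. */`. The new `required_rsa_size` / `hostfile_set_minimum_rsa_size()` pair has no comment; suggest `/* Minimum RSA modulus size (bits) that record_hostkey() accepts; defaults to SSH_RSA_MINIMUM_MODULUS_SIZE and is set by ssh(1) from options.required_rsa_size. */` above the static. As far as this patch shows only ssh.c's main() calls the setter, so any other program linking hostfile.c keeps the compiled-in default, which is worth stating in that comment. record_hostkey's body continues past the end of the hunk.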
@@ -686,6 +688,8 @@ test -f %{sysconfig_anaconda} && \
 Resolves: RHEL-86819
 - Provide better error for non-supported private keys
 Resolves: RHEL-68124
+- Ignore bad hostkeys in known_hosts file
+ Resolves: RHEL-83644
 * Thu Mar 20 2025 Dmitry Belyavskiy - 9.9p1-8
 - OpenSSH should not use its own implementation of MLKEM