From fe22f31e2272d312d52038e3f3bf507a69d5b09f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pavol=20=C5=BD=C3=A1=C4=8Dik?= Date: Fri, 12 Dec 2025 08:35:38 +0100 Subject: [PATCH] Workaround sshd rate limiting in tests By backporting upstream commit 7b89ff7, which exempts the test client from PerSourcePenalties. Resolves: RHEL-135506 --- libssh.spec | 3 ++ workaround-sshd-failure-rate-limiting.patch | 47 +++++++++++++++++++++ 2 files changed, 50 insertions(+) create mode 100644 workaround-sshd-failure-rate-limiting.patch diff --git a/libssh.spec b/libssh.spec index 062931d..0c4c113 100644 --- a/libssh.spec +++ b/libssh.spec @@ -57,6 +57,7 @@ Patch15: CVE-2023-6918.patch Patch16: escape-brackets-in-proxycommand.patch Patch17: CVE-2025-5318.patch Patch18: CVE-2025-5987.patch +Patch19: workaround-sshd-failure-rate-limiting.patch %description The ssh library was designed to be used by programmers needing a working SSH @@ -152,6 +153,8 @@ popd * Thu Dec 11 2025 Pavol Žáčik - 0.10.4-16 - Fix CVE-2025-5987 Resolves: RHEL-130051 +- Workaround sshd failure rate limiting in tests + Resolves: RHEL-135506 * Wed Oct 01 2025 Pavol Žáčik - 0.10.4-15 - Bump spec to make the 9.7 NVR higher than the 9.6 one diff --git a/workaround-sshd-failure-rate-limiting.patch b/workaround-sshd-failure-rate-limiting.patch new file mode 100644 index 0000000..07c2f9f --- /dev/null +++ b/workaround-sshd-failure-rate-limiting.patch 
@@ -0,0 +1,47 @@
+From f2deda1b970ff3ab469e0838114c93a3d08051d8 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen
+Date: Fri, 9 Aug 2024 11:30:15 +0200
+Subject: [PATCH] test: Workaround the new OpenSSH failure rate limiting
+
+The new OpenSSH rate limits the failed authentication attempts per source
+address and drops connection when the amount is reached, which is happening
+in our testsuite.
+
+By whitelisting the IP address of the client on the socket wrapper,
+this allows the tests to pass.
+
+https://man.openbsd.org/sshd_config.5#PerSourcePenaltyExemptList
+
+Signed-off-by: Jakub Jelen
+Reviewed-by: Andreas Schneider
+---
+ tests/torture.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/tests/torture.c b/tests/torture.c
+index f5a6bcc7..0590ee3d 100644
+--- a/tests/torture.c
++++ b/tests/torture.c
+@@ -771,6 +771,9 @@ static void torture_setup_create_sshd_config(void **state, bool pam)
+ "HostKeyAlgorithms " OPENSSH_KEYS "\n"
+ #if OPENSSH_VERSION_MAJOR == 8 && OPENSSH_VERSION_MINOR >= 2
+ "CASignatureAlgorithms " OPENSSH_KEYS "\n"
++#endif
++#if (OPENSSH_VERSION_MAJOR == 9 && OPENSSH_VERSION_MINOR >= 8) || OPENSSH_VERSION_MAJOR > 9
++ "PerSourcePenaltyExemptList 127.0.0.21\n"
+ #endif
+ "Ciphers " OPENSSH_CIPHERS "\n"
+ "KexAlgorithms " OPENSSH_KEX "\n"
+@@ -801,6 +804,9 @@ static void torture_setup_create_sshd_config(void **state, bool pam)
+ "%s\n" /* Here comes UsePam */
+ "%s" /* The space for test-specific options */
+ "\n"
++#if (OPENSSH_VERSION_MAJOR == 9 && OPENSSH_VERSION_MINOR >= 8) || OPENSSH_VERSION_MAJOR > 9
++ "PerSourcePenaltyExemptList 127.0.0.21\n"
++#endif
+ "Ciphers "
+ "aes256-gcm@openssh.com,aes256-ctr,aes256-cbc,"
+ "aes128-gcm@openssh.com,aes128-ctr,aes128-cbc"
+--
+2.51.0
+
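Review bot: Both added `#if (OPENSSH_VERSION_MAJOR == 9 && OPENSSH_VERSION_MINOR >= 8) || OPENSSH_VERSION_MAJOR > 9` guards in tests/torture.c key on the version number sshd reports, so if the sshd this package is tested against carries per-source penalties as a backport under an older version number, the `PerSourcePenaltyExemptList` line is compiled out and the workaround does nothing; that is worth confirming against the build root before relying on it. The literal `127.0.0.21` is repeated in both config templates with nothing tying it to the test client's socket_wrapper address, so a comment such as `/* must match the socket_wrapper client address; exempts only the test client from PerSourcePenalties */` above each line would keep the exemption from silently going stale. Keeping the exemption to that single loopback address, rather than turning penalties off, is the right scope for a test config. torture_setup_create_sshd_config starts and ends outside both inner hunks.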