Change ssh-keygen defaults in FIPS mode

Resolves: RHEL-37324
2024-07-26 13:18:20 +02:00 · 2024-07-26 13:18:20 +02:00 · 1c01acf847
commit 1c01acf847
parent 7a357709f5
2 changed files with 33 additions and 3 deletions
--- a/openssh-7.7p1-fips.patch
+++ b/openssh-7.7p1-fips.patch
@ -516,6 +516,14 @@ diff -up openssh-8.6p1/ssh-keygen.c.fips openssh-8.6p1/ssh-keygen.c
 #include <openssl/pem.h>
 #include "openbsd-compat/openssl-compat.h"
 #endif
+@@ -69,6 +69,7 @@
+ #include "cipher.h"
+ 
+ #define DEFAULT_KEY_TYPE_NAME "ed25519"
+#define FIPS_DEFAULT_KEY_TYPE_NAME "rsa"
+ 
+ /*
+  * Default number of bits in the RSA, DSA and ECDSA keys.  These value can be
@@ -205,6 +205,12 @@ type_bits_valid(int type, const char *na
 #endif
 	}
@ -529,6 +537,15 @@ diff -up openssh-8.6p1/ssh-keygen.c.fips openssh-8.6p1/ssh-keygen.c
 	switch (type) {
 	case KEY_DSA:
 		if (*bitsp != 1024)
+@@ -266,7 +267,7 @@ ask_filename(struct passwd *pw, const ch
+ 	char *name = NULL;
+ 
+ 	if (key_type_name == NULL)
+-		name = _PATH_SSH_CLIENT_ID_ED25519;
+		name = FIPS_mode() ? _PATH_SSH_CLIENT_ID_RSA : _PATH_SSH_CLIENT_ID_ED25519;
+ 	else {
+ 		switch (sshkey_type_from_name(key_type_name)) {
+ #ifdef WITH_DSA
@@ -1098,9 +1104,17 @@ do_gen_all_hostkeys(struct passwd *pw)
 			first = 1;
 			printf("%s: generating new host keys: ", __progname);
@ -548,6 +565,15 @@ diff -up openssh-8.6p1/ssh-keygen.c.fips openssh-8.6p1/ssh-keygen.c
 		if ((fd = mkstemp(prv_tmp)) == -1) {
 			error("Could not save your private key in %s: %s",
 			    prv_tmp, strerror(errno));
+@@ -3830,7 +3831,7 @@ main(int argc, char **argv)
+ 	}
+ 
+ 	if (key_type_name == NULL)
+-		key_type_name = DEFAULT_KEY_TYPE_NAME;
+		key_type_name = FIPS_mode() ? FIPS_DEFAULT_KEY_TYPE_NAME : DEFAULT_KEY_TYPE_NAME;
+ 
+ 	type = sshkey_type_from_name(key_type_name);
+ 	type_bits_valid(type, key_type_name, &bits);
 diff -up openssh-9.3p1/ssh-rsa.c.evpgenrsa openssh-9.3p1/ssh-rsa.c
 --- openssh-9.3p1/ssh-rsa.c.evpgenrsa	2022-06-30 15:14:58.200518353 +0200
 +++ openssh-9.3p1/ssh-rsa.c	2022-06-30 15:24:31.499641196 +0200
--- a/openssh.spec
+++ b/openssh.spec
@ -39,7 +39,7 @@
 %{?static_openssl:%global static_libcrypto 1}

 %global openssh_ver 9.8p1
-%global openssh_rel 1
+%global openssh_rel 2

 Summary: An open source implementation of SSH protocol version 2
 Name: openssh
@ -653,11 +653,15 @@ test -f %{sysconfig_anaconda} && \
 %attr(0755,root,root) %{_libdir}/sshtest/sk-dummy.so

 %changelog
+* Fri Jul 26 2024 Dmitry Belyavskiy <dbelyavs@redhat.com> - 9.8p1-2.0
+- Temporary disabling self-test
+  Related: RHEL-42635
+- Change ssh-keygen defaults in FIPS mode
+  Resolves: RHEL-37324
+
 * Thu Jul 25 2024 Dmitry Belyavskiy <dbelyavs@redhat.com> - 9.8p1-1.0
 - Rebase OpenSSH to 9.8p1
  Resolves: RHEL-42635
- Temporary disabling self-test
-  Related: RHEL-42635

 * Fri Jul 12 2024 Zoltan Fridrich <zfridric@redhat.com> - 9.6p1-1.5
 - Build OpenSSH without ENGINE API