Change ssh-keygen defaults in FIPS mode
Resolves: RHEL-37324
This commit is contained in:
parent
7a357709f5
commit
1c01acf847
@ -516,6 +516,14 @@ diff -up openssh-8.6p1/ssh-keygen.c.fips openssh-8.6p1/ssh-keygen.c
|
||||
#include <openssl/pem.h>
|
||||
#include "openbsd-compat/openssl-compat.h"
|
||||
#endif
|
||||
@@ -69,6 +69,7 @@
|
||||
#include "cipher.h"
|
||||
|
||||
#define DEFAULT_KEY_TYPE_NAME "ed25519"
|
||||
+#define FIPS_DEFAULT_KEY_TYPE_NAME "rsa"
|
||||
|
||||
/*
|
||||
* Default number of bits in the RSA, DSA and ECDSA keys. These value can be
|
||||
@@ -205,6 +205,12 @@ type_bits_valid(int type, const char *na
|
||||
#endif
|
||||
}
|
||||
@ -529,6 +537,15 @@ diff -up openssh-8.6p1/ssh-keygen.c.fips openssh-8.6p1/ssh-keygen.c
|
||||
switch (type) {
|
||||
case KEY_DSA:
|
||||
if (*bitsp != 1024)
|
||||
@@ -266,7 +267,7 @@ ask_filename(struct passwd *pw, const ch
|
||||
char *name = NULL;
|
||||
|
||||
if (key_type_name == NULL)
|
||||
- name = _PATH_SSH_CLIENT_ID_ED25519;
|
||||
+ name = FIPS_mode() ? _PATH_SSH_CLIENT_ID_RSA : _PATH_SSH_CLIENT_ID_ED25519;
|
||||
else {
|
||||
switch (sshkey_type_from_name(key_type_name)) {
|
||||
#ifdef WITH_DSA
|
||||
@@ -1098,9 +1104,17 @@ do_gen_all_hostkeys(struct passwd *pw)
|
||||
first = 1;
|
||||
printf("%s: generating new host keys: ", __progname);
|
||||
@ -548,6 +565,15 @@ diff -up openssh-8.6p1/ssh-keygen.c.fips openssh-8.6p1/ssh-keygen.c
|
||||
if ((fd = mkstemp(prv_tmp)) == -1) {
|
||||
error("Could not save your private key in %s: %s",
|
||||
prv_tmp, strerror(errno));
|
||||
@@ -3830,7 +3831,7 @@ main(int argc, char **argv)
|
||||
}
|
||||
|
||||
if (key_type_name == NULL)
|
||||
- key_type_name = DEFAULT_KEY_TYPE_NAME;
|
||||
+ key_type_name = FIPS_mode() ? FIPS_DEFAULT_KEY_TYPE_NAME : DEFAULT_KEY_TYPE_NAME;
|
||||
|
||||
type = sshkey_type_from_name(key_type_name);
|
||||
type_bits_valid(type, key_type_name, &bits);
|
||||
diff -up openssh-9.3p1/ssh-rsa.c.evpgenrsa openssh-9.3p1/ssh-rsa.c
|
||||
--- openssh-9.3p1/ssh-rsa.c.evpgenrsa 2022-06-30 15:14:58.200518353 +0200
|
||||
+++ openssh-9.3p1/ssh-rsa.c 2022-06-30 15:24:31.499641196 +0200
|
||||
|
10
openssh.spec
10
openssh.spec
@ -39,7 +39,7 @@
|
||||
%{?static_openssl:%global static_libcrypto 1}
|
||||
|
||||
%global openssh_ver 9.8p1
|
||||
%global openssh_rel 1
|
||||
%global openssh_rel 2
|
||||
|
||||
Summary: An open source implementation of SSH protocol version 2
|
||||
Name: openssh
|
||||
@ -653,11 +653,15 @@ test -f %{sysconfig_anaconda} && \
|
||||
%attr(0755,root,root) %{_libdir}/sshtest/sk-dummy.so
|
||||
|
||||
%changelog
|
||||
* Fri Jul 26 2024 Dmitry Belyavskiy <dbelyavs@redhat.com> - 9.8p1-2.0
|
||||
- Temporary disabling self-test
|
||||
Related: RHEL-42635
|
||||
- Change ssh-keygen defaults in FIPS mode
|
||||
Resolves: RHEL-37324
|
||||
|
||||
* Thu Jul 25 2024 Dmitry Belyavskiy <dbelyavs@redhat.com> - 9.8p1-1.0
|
||||
- Rebase OpenSSH to 9.8p1
|
||||
Resolves: RHEL-42635
|
||||
- Temporary disabling self-test
|
||||
Related: RHEL-42635
|
||||
|
||||
* Fri Jul 12 2024 Zoltan Fridrich <zfridric@redhat.com> - 9.6p1-1.5
|
||||
- Build OpenSSH without ENGINE API
|
||||
|