Enable SHA2-based GSSAPI key exchange algorithms by default (#1666781)
This commit is contained in:
parent
fbd5f1bee2
commit
1cc7c87af2
@ -40,17 +40,18 @@ diff -up openssh/ssh_config.5.crypto-policies openssh/ssh_config.5
.Pp
The list of available ciphers may also be obtained using
.Qq ssh -Q cipher .
@@ -824,8 +822,10 @@ gss-nistp256-sha256-,
@@ -824,9 +822,10 @@ gss-nistp256-sha256-,
gss-curve25519-sha256-
.Ed
.Pp
-The default is
-.Dq gss-gex-sha1-,gss-group14-sha1- .
-.Dq gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-,
-gss-curve25519-sha256-,gss-group14-sha1-,gss-gex-sha1- .
+The default is handled system-wide by
+.Xr crypto-policies 7 .
+To see the defaults and how to modify this default, see manual page
+.Xr update-crypto-policies 8 .
This option only applies to protocol version 2 connections using GSSAPI.
This option only applies to connections using GSSAPI.
.It Cm HashKnownHosts
Indicates that
@@ -1162,15 +1162,10 @@ If the specified list begins with a
@ -160,17 +161,18 @@ diff -up openssh/sshd_config.5.crypto-policies openssh/sshd_config.5
.Pp
The list of available ciphers may also be obtained using
.Qq ssh -Q cipher .
@@ -693,8 +691,10 @@ gss-nistp256-sha256-,
@@ -693,9 +691,10 @@ gss-nistp256-sha256-,
gss-curve25519-sha256-
.Ed
.Pp
-The default is
-.Dq gss-gex-sha1-,gss-group14-sha1- .
-.Dq gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-,
-gss-curve25519-sha256-,gss-group14-sha1-,gss-gex-sha1- .
+The default is handled system-wide by
+.Xr crypto-policies 7 .
+To see the defaults and how to modify this default, see manual page
+.Xr update-crypto-policies 8 .
This option only applies to protocol version 2 connections using GSSAPI.
This option only applies to connections using GSSAPI.
.It Cm HostbasedAcceptedKeyTypes
Specifies the key types that will be accepted for hostbased authentication
@@ -794,22 +794,10 @@ environment variable.
@ -3253,7 +3253,7 @@ index 36180d07..70dd3665 100644
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -61,10 +61,30 @@
@@ -61,10 +61,34 @@
#define SSH_GSS_OIDTYPE 0x06
@ -3273,6 +3273,10 @@ index 36180d07..70dd3665 100644
+#define KEX_GSS_C25519_SHA256_ID "gss-curve25519-sha256-"
+
+#define GSS_KEX_DEFAULT_KEX \
+ KEX_GSS_GRP14_SHA256_ID "," \
+ KEX_GSS_GRP16_SHA512_ID "," \
+ KEX_GSS_NISTP256_SHA256_ID "," \
+ KEX_GSS_C25519_SHA256_ID "," \
+ KEX_GSS_GEX_SHA1_ID "," \
+ KEX_GSS_GRP14_SHA1_ID
+
@ -3429,7 +3433,7 @@ diff --git a/ssh_config.5 b/ssh_config.5
index 06a32d31..3f490697 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -766,10 +766,67 @@ The default is
@@ -766,10 +766,68 @@ The default is
Specifies whether user authentication based on GSSAPI is allowed.
The default is
.Cm no .
@ -3492,8 +3496,9 @@ index 06a32d31..3f490697 100644
+.Ed
+.Pp
+The default is
+.Dq gss-gex-sha1-,gss-group14-sha1- .
+This option only applies to protocol version 2 connections using GSSAPI.
+.Dq gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-,
+gss-curve25519-sha256-,gss-group14-sha1-,gss-gex-sha1- .
+This option only applies to connections using GSSAPI.
.It Cm HashKnownHosts
Indicates that
.Xr ssh 1
@ -3863,7 +3868,7 @@ index 70ccea44..f6b41a2f 100644
.It Cm GSSAPIStrictAcceptorCheck
Determines whether to be strict about the identity of the GSSAPI acceptor
a client authenticates against.
@@ -660,6 +665,31 @@ machine's default store.
@@ -660,6 +665,32 @@ machine's default store.
This facility is provided to assist with operation on multi homed machines.
The default is
.Cm yes .
@ -3890,8 +3895,9 @@ index 70ccea44..f6b41a2f 100644
+.Ed
+.Pp
+The default is
+.Dq gss-gex-sha1-,gss-group14-sha1- .
+This option only applies to protocol version 2 connections using GSSAPI.
+.Dq gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-,
+gss-curve25519-sha256-,gss-group14-sha1-,gss-gex-sha1- .
+This option only applies to connections using GSSAPI.
.It Cm HostbasedAcceptedKeyTypes
Specifies the key types that will be accepted for hostbased authentication
as a list of comma-separated patterns.
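Review bot: The new GSS_KEX_DEFAULT_KEX macro in the kex.h hunk ends with `KEX_GSS_GEX_SHA1_ID "," KEX_GSS_GRP14_SHA1_ID`, but the replacement default text added to ssh_config.5 and sshd_config.5 in the same commit ends with `gss-group14-sha1-,gss-gex-sha1-`, so the documented default does not match the compiled one. Because the KEX list is offered in preference order during negotiation, the two should agree: either swap the last two macro lines or correct the two man page lines. A short comment above the define would also help a reader understand the retained legacy entries, e.g. `/* SHA-1 methods are listed last and kept only for interoperability with peers lacking SHA-2 GSSAPI KEX. */`. The surrounding hunks of the patch file begin and end outside the visible section.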