Enable SHA2-based GSSAPI key exchange algorithms by default (#1666781)
This commit is contained in:
Jakub Jelen
parent
fbd5f1bee2
commit
1cc7c87af2
@ -40,17 +40,18 @@ diff -up openssh/ssh_config.5.crypto-policies openssh/ssh_config.5
|
|||||||
.Pp
|
.Pp
|
||||||
The list of available ciphers may also be obtained using
|
The list of available ciphers may also be obtained using
|
||||||
.Qq ssh -Q cipher .
|
.Qq ssh -Q cipher .
|
||||||
@@ -824,8 +822,10 @@ gss-nistp256-sha256-,
|
@@ -824,9 +822,10 @@ gss-nistp256-sha256-,
|
||||||
gss-curve25519-sha256-
|
gss-curve25519-sha256-
|
||||||
.Ed
|
.Ed
|
||||||
.Pp
|
.Pp
|
||||||
-The default is
|
-The default is
|
||||||
-.Dq gss-gex-sha1-,gss-group14-sha1- .
|
-.Dq gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-,
|
||||||
|
-gss-curve25519-sha256-,gss-group14-sha1-,gss-gex-sha1- .
|
||||||
+The default is handled system-wide by
|
+The default is handled system-wide by
|
||||||
+.Xr crypto-policies 7 .
|
+.Xr crypto-policies 7 .
|
||||||
+To see the defaults and how to modify this default, see manual page
|
+To see the defaults and how to modify this default, see manual page
|
||||||
+.Xr update-crypto-policies 8 .
|
+.Xr update-crypto-policies 8 .
|
||||||
This option only applies to protocol version 2 connections using GSSAPI.
|
This option only applies to connections using GSSAPI.
|
||||||
.It Cm HashKnownHosts
|
.It Cm HashKnownHosts
|
||||||
Indicates that
|
Indicates that
|
||||||
@@ -1162,15 +1162,10 @@ If the specified list begins with a
|
@@ -1162,15 +1162,10 @@ If the specified list begins with a
|
||||||
@ -160,17 +161,18 @@ diff -up openssh/sshd_config.5.crypto-policies openssh/sshd_config.5
|
|||||||
.Pp
|
.Pp
|
||||||
The list of available ciphers may also be obtained using
|
The list of available ciphers may also be obtained using
|
||||||
.Qq ssh -Q cipher .
|
.Qq ssh -Q cipher .
|
||||||
@@ -693,8 +691,10 @@ gss-nistp256-sha256-,
|
@@ -693,9 +691,10 @@ gss-nistp256-sha256-,
|
||||||
gss-curve25519-sha256-
|
gss-curve25519-sha256-
|
||||||
.Ed
|
.Ed
|
||||||
.Pp
|
.Pp
|
||||||
-The default is
|
-The default is
|
||||||
-.Dq gss-gex-sha1-,gss-group14-sha1- .
|
-.Dq gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-,
|
||||||
|
-gss-curve25519-sha256-,gss-group14-sha1-,gss-gex-sha1- .
|
||||||
+The default is handled system-wide by
|
+The default is handled system-wide by
|
||||||
+.Xr crypto-policies 7 .
|
+.Xr crypto-policies 7 .
|
||||||
+To see the defaults and how to modify this default, see manual page
|
+To see the defaults and how to modify this default, see manual page
|
||||||
+.Xr update-crypto-policies 8 .
|
+.Xr update-crypto-policies 8 .
|
||||||
This option only applies to protocol version 2 connections using GSSAPI.
|
This option only applies to connections using GSSAPI.
|
||||||
.It Cm HostbasedAcceptedKeyTypes
|
.It Cm HostbasedAcceptedKeyTypes
|
||||||
Specifies the key types that will be accepted for hostbased authentication
|
Specifies the key types that will be accepted for hostbased authentication
|
||||||
@@ -794,22 +794,10 @@ environment variable.
|
@@ -794,22 +794,10 @@ environment variable.
|
||||||
|
|||||||
@ -3253,7 +3253,7 @@ index 36180d07..70dd3665 100644
|
|||||||
*
|
*
|
||||||
* Redistribution and use in source and binary forms, with or without
|
* Redistribution and use in source and binary forms, with or without
|
||||||
* modification, are permitted provided that the following conditions
|
* modification, are permitted provided that the following conditions
|
||||||
@@ -61,10 +61,30 @@
|
@@ -61,10 +61,34 @@
|
||||||
|
|
||||||
#define SSH_GSS_OIDTYPE 0x06
|
#define SSH_GSS_OIDTYPE 0x06
|
||||||
|
|
||||||
@ -3273,6 +3273,10 @@ index 36180d07..70dd3665 100644
|
|||||||
+#define KEX_GSS_C25519_SHA256_ID "gss-curve25519-sha256-"
|
+#define KEX_GSS_C25519_SHA256_ID "gss-curve25519-sha256-"
|
||||||
+
|
+
|
||||||
+#define GSS_KEX_DEFAULT_KEX \
|
+#define GSS_KEX_DEFAULT_KEX \
|
||||||
|
+ KEX_GSS_GRP14_SHA256_ID "," \
|
||||||
|
+ KEX_GSS_GRP16_SHA512_ID "," \
|
||||||
|
+ KEX_GSS_NISTP256_SHA256_ID "," \
|
||||||
|
+ KEX_GSS_C25519_SHA256_ID "," \
|
||||||
+ KEX_GSS_GEX_SHA1_ID "," \
|
+ KEX_GSS_GEX_SHA1_ID "," \
|
||||||
+ KEX_GSS_GRP14_SHA1_ID
|
+ KEX_GSS_GRP14_SHA1_ID
|
||||||
+
|
+
|
||||||
@ -3429,7 +3433,7 @@ diff --git a/ssh_config.5 b/ssh_config.5
|
|||||||
index 06a32d31..3f490697 100644
|
index 06a32d31..3f490697 100644
|
||||||
--- a/ssh_config.5
|
--- a/ssh_config.5
|
||||||
+++ b/ssh_config.5
|
+++ b/ssh_config.5
|
||||||
@@ -766,10 +766,67 @@ The default is
|
@@ -766,10 +766,68 @@ The default is
|
||||||
Specifies whether user authentication based on GSSAPI is allowed.
|
Specifies whether user authentication based on GSSAPI is allowed.
|
||||||
The default is
|
The default is
|
||||||
.Cm no .
|
.Cm no .
|
||||||
@ -3492,8 +3496,9 @@ index 06a32d31..3f490697 100644
|
|||||||
+.Ed
|
+.Ed
|
||||||
+.Pp
|
+.Pp
|
||||||
+The default is
|
+The default is
|
||||||
+.Dq gss-gex-sha1-,gss-group14-sha1- .
|
+.Dq gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-,
|
||||||
+This option only applies to protocol version 2 connections using GSSAPI.
|
+gss-curve25519-sha256-,gss-group14-sha1-,gss-gex-sha1- .
|
||||||
|
+This option only applies to connections using GSSAPI.
|
||||||
.It Cm HashKnownHosts
|
.It Cm HashKnownHosts
|
||||||
Indicates that
|
Indicates that
|
||||||
.Xr ssh 1
|
.Xr ssh 1
|
||||||
@ -3863,7 +3868,7 @@ index 70ccea44..f6b41a2f 100644
|
|||||||
.It Cm GSSAPIStrictAcceptorCheck
|
.It Cm GSSAPIStrictAcceptorCheck
|
||||||
Determines whether to be strict about the identity of the GSSAPI acceptor
|
Determines whether to be strict about the identity of the GSSAPI acceptor
|
||||||
a client authenticates against.
|
a client authenticates against.
|
||||||
@@ -660,6 +665,31 @@ machine's default store.
|
@@ -660,6 +665,32 @@ machine's default store.
|
||||||
This facility is provided to assist with operation on multi homed machines.
|
This facility is provided to assist with operation on multi homed machines.
|
||||||
The default is
|
The default is
|
||||||
.Cm yes .
|
.Cm yes .
|
||||||
@ -3890,8 +3895,9 @@ index 70ccea44..f6b41a2f 100644
|
|||||||
+.Ed
|
+.Ed
|
||||||
+.Pp
|
+.Pp
|
||||||
+The default is
|
+The default is
|
||||||
+.Dq gss-gex-sha1-,gss-group14-sha1- .
|
+.Dq gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-,
|
||||||
+This option only applies to protocol version 2 connections using GSSAPI.
|
+gss-curve25519-sha256-,gss-group14-sha1-,gss-gex-sha1- .
|
||||||
|
+This option only applies to connections using GSSAPI.
|
||||||
.It Cm HostbasedAcceptedKeyTypes
|
.It Cm HostbasedAcceptedKeyTypes
|
||||||
Specifies the key types that will be accepted for hostbased authentication
|
Specifies the key types that will be accepted for hostbased authentication
|
||||||
as a list of comma-separated patterns.
|
as a list of comma-separated patterns.
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user