From 262bb33bcb5097ae9dfc3629bd1e432e13a52fb6 Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy
Date: Wed, 28 Aug 2024 16:55:18 +0200
Subject: [PATCH] "publickey-hostbound@openssh.com" extension makes no sense with GSS

Related: RHEL-42635
---
 openssh-8.0p1-gssapi-keyex.patch | 44 ++++++++++++++++++++++++++++++++
 openssh.spec | 2 ++
 2 files changed, 46 insertions(+)

diff --git a/openssh-8.0p1-gssapi-keyex.patch b/openssh-8.0p1-gssapi-keyex.patch
index 1e5b888..82b2bfe 100644
--- a/openssh-8.0p1-gssapi-keyex.patch
+++ b/openssh-8.0p1-gssapi-keyex.patch
@@ -1124,6 +1124,50 @@ diff --color -ruNp a/gss-serv-krb5.c b/gss-serv-krb5.c
 diff --color -ruNp a/kex.c b/kex.c
 --- a/kex.c 2024-07-01 06:36:28.000000000 +0200
 +++ b/kex.c 2024-08-28 12:35:41.249432103 +0200
+@@ -303,17 +303,37 @@ static int
+ kex_compose_ext_info_server(struct ssh *ssh, struct sshbuf *m)
+ {
+ int r;
++ int have_key = 0;
++ int ext_count = 2;
++
++#ifdef GSSAPI
++ /*
++ * Currently GSS KEX don't provide host keys as optional message, so
++ * no reasons to announce the publickey-hostbound extension
++ */
++ if (ssh->kex->gss == NULL)
++ have_key = 1;
++#endif
++ ext_count += have_key;
++
+ if (ssh->kex->server_sig_algs == NULL &&
+ (ssh->kex->server_sig_algs = sshkey_alg_list(0, 1, 1, ',')) == NULL)
+ return SSH_ERR_ALLOC_FAIL;
+- if ((r = sshbuf_put_u32(m, 3)) != 0 ||
++ if ((r = sshbuf_put_u32(m, ext_count)) != 0 ||
+ (r = sshbuf_put_cstring(m, "server-sig-algs")) != 0 ||
+- (r = sshbuf_put_cstring(m, ssh->kex->server_sig_algs)) != 0 ||
+- (r = sshbuf_put_cstring(m,
+- "publickey-hostbound@openssh.com")) != 0 ||
+- (r = sshbuf_put_cstring(m, "0")) != 0 ||
+- (r = sshbuf_put_cstring(m, "ping@openssh.com")) != 0 ||
++ (r = sshbuf_put_cstring(m, ssh->kex->server_sig_algs)) != 0) {
++ error_fr(r, "compose");
++ return r;
++ }
++ if (have_key) {
++ if ((r = sshbuf_put_cstring(m, "publickey-hostbound@openssh.com")) != 0 ||
++ (r = sshbuf_put_cstring(m, "0")) != 0) {
++ error_fr(r, "compose");
++ return r;
++ }
++ }
++ if ((r = sshbuf_put_cstring(m, "ping@openssh.com")) != 0 ||
+ (r = sshbuf_put_cstring(m, "0")) != 0) {
+ error_fr(r, "compose");
+ return r;
 @@ -737,6 +737,9 @@ kex_free(struct kex *kex)
  sshbuf_free(kex->server_version);
  sshbuf_free(kex->client_pub);
diff --git a/openssh.spec b/openssh.spec
index 6240116..dd3b823 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -658,6 +658,8 @@ test -f %{sysconfig_anaconda} && \
 Related: RHEL-42635
 - Add missing gsskeyex authentication method
 Related: RHEL-42635
+- "publickey-hostbound@openssh.com" extension makes no sense with GSS
+ Related: RHEL-42635
 * Fri Aug 16 2024 Dmitry Belyavskiy - 9.8p1-4
 - Address SAST scan issues
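Review bot: In the new kex_compose_ext_info_server body, `have_key` starts at 0 and is only set to 1 inside the `#ifdef GSSAPI` block, so a build compiled without GSSAPI never announces publickey-hostbound@openssh.com at all, although the commit only intends to suppress it when a GSS key exchange is in use. Inverting the default fixes both build variants: `int have_key = 1;` and, inside the `#ifdef GSSAPI` block, `if (ssh->kex->gss != NULL) have_key = 0;`. This matters because the hostbound extension is what lets clients bind user-auth signatures to the server host key, and silently dropping it in non-GSSAPI builds removes that hardening for every session rather than only for GSS ones. This assumes `ssh->kex->gss` is non-NULL exactly when a GSS KEX method was negotiated, which is how the patch appears to use it; the comment could also be tightened to `/* GSS KEX does not supply a host key, so publickey-hostbound cannot be honoured; announce it only for non-GSS key exchanges. */`. The enclosing function ends outside the hunk.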