"publickey-hostbound@openssh.com" extension makes no sense with GSS
Related: RHEL-42635
parent
5c31606342
commit
262bb33bcb
@ -1124,6 +1124,50 @@ diff --color -ruNp a/gss-serv-krb5.c b/gss-serv-krb5.c
|
|||||||
diff --color -ruNp a/kex.c b/kex.c
|
diff --color -ruNp a/kex.c b/kex.c
|
||||||
--- a/kex.c 2024-07-01 06:36:28.000000000 +0200
|
--- a/kex.c 2024-07-01 06:36:28.000000000 +0200
|
||||||
+++ b/kex.c 2024-08-28 12:35:41.249432103 +0200
|
+++ b/kex.c 2024-08-28 12:35:41.249432103 +0200
|
||||||
|
@@ -303,17 +303,37 @@ static int
|
||||||
|
kex_compose_ext_info_server(struct ssh *ssh, struct sshbuf *m)
|
||||||
|
{
|
||||||
|
int r;
|
||||||
|
+ int have_key = 0;
|
||||||
|
+ int ext_count = 2;
|
||||||
|
+
|
||||||
|
+#ifdef GSSAPI
|
||||||
|
+ /*
|
||||||
|
+ * Currently GSS KEX don't provide host keys as optional message, so
|
||||||
|
+ * no reasons to announce the publickey-hostbound extension
|
||||||
|
+ */
|
||||||
|
+ if (ssh->kex->gss == NULL)
|
||||||
|
+ have_key = 1;
|
||||||
|
+#endif
|
||||||
|
+ ext_count += have_key;
|
||||||
|
+
|
||||||
|
|
||||||
|
if (ssh->kex->server_sig_algs == NULL &&
|
||||||
|
(ssh->kex->server_sig_algs = sshkey_alg_list(0, 1, 1, ',')) == NULL)
|
||||||
|
return SSH_ERR_ALLOC_FAIL;
|
||||||
|
- if ((r = sshbuf_put_u32(m, 3)) != 0 ||
|
||||||
|
+ if ((r = sshbuf_put_u32(m, ext_count)) != 0 ||
|
||||||
|
(r = sshbuf_put_cstring(m, "server-sig-algs")) != 0 ||
|
||||||
|
- (r = sshbuf_put_cstring(m, ssh->kex->server_sig_algs)) != 0 ||
|
||||||
|
- (r = sshbuf_put_cstring(m,
|
||||||
|
- "publickey-hostbound@openssh.com")) != 0 ||
|
||||||
|
- (r = sshbuf_put_cstring(m, "0")) != 0 ||
|
||||||
|
- (r = sshbuf_put_cstring(m, "ping@openssh.com")) != 0 ||
|
||||||
|
+ (r = sshbuf_put_cstring(m, ssh->kex->server_sig_algs)) != 0) {
|
||||||
|
+ error_fr(r, "compose");
|
||||||
|
+ return r;
|
||||||
|
+ }
|
||||||
|
+ if (have_key) {
|
||||||
|
+ if ((r = sshbuf_put_cstring(m, "publickey-hostbound@openssh.com")) != 0 ||
|
||||||
|
+ (r = sshbuf_put_cstring(m, "0")) != 0) {
|
||||||
|
+ error_fr(r, "compose");
|
||||||
|
+ return r;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ if ((r = sshbuf_put_cstring(m, "ping@openssh.com")) != 0 ||
|
||||||
|
(r = sshbuf_put_cstring(m, "0")) != 0) {
|
||||||
|
error_fr(r, "compose");
|
||||||
|
return r;
|
||||||
@@ -737,6 +737,9 @@ kex_free(struct kex *kex)
|
@@ -737,6 +737,9 @@ kex_free(struct kex *kex)
|
||||||
sshbuf_free(kex->server_version);
|
sshbuf_free(kex->server_version);
|
||||||
sshbuf_free(kex->client_pub);
|
sshbuf_free(kex->client_pub);
|
||||||
|
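Review bot: In kex_compose_ext_info_server, `have_key` starts at 0 and is set to 1 only inside `#ifdef GSSAPI`, so a build without GSSAPI would never advertise "publickey-hostbound@openssh.com", although such a build always authenticates with a host key. Inverting the default leaves the non-GSSAPI path as it was: `int have_key = 1;` and, inside the `#ifdef`, `if (ssh->kex->gss != NULL) have_key = 0;`. This matters beyond the extension count, because clients that do not see the extension fall back to plain publickey signatures that are not bound to the server host key, which (as far as I know) is what ssh-agent destination constraints depend on. The function body continues past the end of the hunk, and whether `kex->gss` is already populated at the point EXT_INFO is composed is not visible here and should be confirmed.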
@ -658,6 +658,8 @@ test -f %{sysconfig_anaconda} && \
|
|||||||
Related: RHEL-42635
|
Related: RHEL-42635
|
||||||
- Add missing gsskeyex authentication method
|
- Add missing gsskeyex authentication method
|
||||||
Related: RHEL-42635
|
Related: RHEL-42635
|
||||||
|
- "publickey-hostbound@openssh.com" extension makes no sense with GSS
|
||||||
|
Related: RHEL-42635
|
||||||
|
|
||||||
* Fri Aug 16 2024 Dmitry Belyavskiy <dbelyavs@redhat.com> - 9.8p1-4
|
* Fri Aug 16 2024 Dmitry Belyavskiy <dbelyavs@redhat.com> - 9.8p1-4
|
||||||
- Address SAST scan issues
|
- Address SAST scan issues
|
||||||
|