"publickey-hostbound@openssh.com" extension makes no sense with GSS

Related: RHEL-42635
Dmitry Belyavskiy 2024-08-28 16:55:18 +02:00
parent 5c31606342
commit 262bb33bcb
2 changed files with 46 additions and 0 deletions


@ -1124,6 +1124,50 @@ diff --color -ruNp a/gss-serv-krb5.c b/gss-serv-krb5.c
diff --color -ruNp a/kex.c b/kex.c
--- a/kex.c 2024-07-01 06:36:28.000000000 +0200
+++ b/kex.c 2024-08-28 12:35:41.249432103 +0200
@@ -303,17 +303,37 @@ static int
kex_compose_ext_info_server(struct ssh *ssh, struct sshbuf *m)
{
int r;
+ int have_key = 0;
+ int ext_count = 2;
+
+#ifdef GSSAPI
+ /*
+ * Currently GSS KEX don't provide host keys as optional message, so
+ * no reasons to announce the publickey-hostbound extension
+ */
+ if (ssh->kex->gss == NULL)
+ have_key = 1;
+#endif
+ ext_count += have_key;
+
if (ssh->kex->server_sig_algs == NULL &&
(ssh->kex->server_sig_algs = sshkey_alg_list(0, 1, 1, ',')) == NULL)
return SSH_ERR_ALLOC_FAIL;
- if ((r = sshbuf_put_u32(m, 3)) != 0 ||
+ if ((r = sshbuf_put_u32(m, ext_count)) != 0 ||
(r = sshbuf_put_cstring(m, "server-sig-algs")) != 0 ||
- (r = sshbuf_put_cstring(m, ssh->kex->server_sig_algs)) != 0 ||
- (r = sshbuf_put_cstring(m,
- "publickey-hostbound@openssh.com")) != 0 ||
- (r = sshbuf_put_cstring(m, "0")) != 0 ||
- (r = sshbuf_put_cstring(m, "ping@openssh.com")) != 0 ||
+ (r = sshbuf_put_cstring(m, ssh->kex->server_sig_algs)) != 0) {
+ error_fr(r, "compose");
+ return r;
+ }
+ if (have_key) {
+ if ((r = sshbuf_put_cstring(m, "publickey-hostbound@openssh.com")) != 0 ||
+ (r = sshbuf_put_cstring(m, "0")) != 0) {
+ error_fr(r, "compose");
+ return r;
+ }
+ }
+ if ((r = sshbuf_put_cstring(m, "ping@openssh.com")) != 0 ||
(r = sshbuf_put_cstring(m, "0")) != 0) {
error_fr(r, "compose");
return r;
@@ -737,6 +737,9 @@ kex_free(struct kex *kex)
sshbuf_free(kex->server_version);
sshbuf_free(kex->client_pub);
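Review bot: In a build where GSSAPI is not defined, the new `have_key` keeps its initial value of 0, so the `publickey-hostbound@openssh.com` / `"0"` pair that the removed lines always announced is silently dropped from the EXT_INFO message and `ext_count` becomes 2; the `#ifdef GSSAPI` block only ever raises the flag, never lowers it. The RHEL build presumably enables GSSAPI, but the patch as written changes behaviour for any configuration that does not. Inverting the default keeps the non-GSS path identical to the old code: `int have_key = 1;` and, inside the `#ifdef GSSAPI` block, `if (ssh->kex->gss != NULL) have_key = 0;`. The comment would also read more clearly as `/* GSS KEX does not currently provide host keys, so do not announce the publickey-hostbound extension. */`. The body of kex_compose_ext_info_server continues past the end of this hunk.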


@ -658,6 +658,8 @@ test -f %{sysconfig_anaconda} && \
Related: RHEL-42635
- Add missing gsskeyex authentication method
Related: RHEL-42635
- "publickey-hostbound@openssh.com" extension makes no sense with GSS
Related: RHEL-42635
* Fri Aug 16 2024 Dmitry Belyavskiy <dbelyavs@redhat.com> - 9.8p1-4
- Address SAST scan issues