diff --git a/openssh-7.7p1-fips.patch b/openssh-7.7p1-fips.patch
index fcd0245..8d442a4 100644
--- a/openssh-7.7p1-fips.patch
+++ b/openssh-7.7p1-fips.patch
@@ -701,3 +701,29 @@ diff -up openssh-9.9p1/kex.c.xxx openssh-9.9p1/kex.c
  	if ((cp = kex_names_cat(kexalgos, ssh->kex->server ?
  	    "ext-info-s,kex-strict-s-v00@openssh.com" :
  	    "ext-info-c,kex-strict-c-v00@openssh.com")) == NULL)
+diff --color -ruNp a/ssh-keyscan.c b/ssh-keyscan.c
+--- a/ssh-keyscan.c	2026-03-18 13:58:55.708193373 +0100
++++ b/ssh-keyscan.c	2026-03-18 15:34:35.495942538 +0100
+@@ -22,6 +22,7 @@
+ #ifdef WITH_OPENSSL
+ #include
+ #endif
++#include
+ 
+ #include
+ #include
+@@ -239,6 +240,14 @@ keygrab_ssh2(con *c)
+ 	char *myproposal[PROPOSAL_MAX] = { KEX_CLIENT };
+ 	int r;
+ 
++	if (FIPS_mode()) {
++		myproposal[PROPOSAL_KEX_ALGS] = KEX_DEFAULT_KEX_FIPS;
++		myproposal[PROPOSAL_ENC_ALGS_CTOS] = KEX_FIPS_ENCRYPT;
++		myproposal[PROPOSAL_ENC_ALGS_STOC] = KEX_FIPS_ENCRYPT;
++		myproposal[PROPOSAL_MAC_ALGS_CTOS] = KEX_FIPS_MAC;
++		myproposal[PROPOSAL_MAC_ALGS_STOC] = KEX_FIPS_MAC;
++	}
++
+ 	switch (c->c_keytype) {
+ 	case KT_DSA:
+ 		myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = get_cert ?
diff --git a/openssh.spec b/openssh.spec
index 7e547a7..9d7c632 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -43,7 +43,7 @@ Summary: An open source implementation of SSH protocol version 2
 
 Name: openssh
 Version: %{openssh_ver}
-Release: 22%{?dist}
+Release: 23%{?dist}
 URL: http://www.openssh.com/portable.html
 Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
 Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc
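Review bot: The new `#include` added to ssh-keyscan.c lands after the `#endif` that closes the `#ifdef WITH_OPENSSL` block directly above it, and the `FIPS_mode()` call in `keygrab_ssh2` is likewise unguarded, so a tree built without OpenSSL would fail to compile if that configuration is still supported here; wrapping both in `#ifdef WITH_OPENSSL` would match the guarded include immediately preceding them. The restriction also stops at KEX, cipher and MAC: the `switch (c->c_keytype)` that follows still fills `PROPOSAL_SERVER_HOST_KEY_ALGS` from the requested key type, so a `KT_DSA` scan in FIPS mode would presumably still offer a host key algorithm that may not be FIPS-approved — worth either skipping such key types under `FIPS_mode()` or recording in a comment that host key algorithm filtering is intentionally left to the peer. A one-line comment above the new block, such as `/* FIPS mode: override the client defaults with the approved KEX, cipher and MAC lists */`, would also explain why the `KEX_CLIENT` initializer is being overridden here. keygrab_ssh2's body and the rest of the switch continue outside the hunk.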
@@ -719,6 +719,10 @@ test -f %{sysconfig_anaconda} && \
 %attr(0755,root,root) %{_libdir}/sshtest/sk-dummy.so
 
 %changelog
+* Wed Mar 18 2026 Zoltan Fridrich - 9.9p1-23
+- Don't negotiate non-FIPS algorithms in ssh-keyscan key exchange in FIPS mode
+  Resolves: RHEL-88565
+
 * Thu Mar 12 2026 Zoltan Fridrich - 9.9p1-22
 - Remove recommendation of p11-kit
   Resolves: RHEL-139070