From 415f8e730bda6e3baafc37b24420c2d2bf427b39 Mon Sep 17 00:00:00 2001
From: Norbert Pocs
Date: Mon, 29 May 2023 13:46:14 +0200
Subject: [PATCH] Clarify rhbz#2068423 on the ssh_config man page
Resolves: rhbz#2209096
Signed-off-by: Norbert Pocs
---
openssh-8.7p1-man-hostkeyalgos.patch | 31 ++++++++++++++++++++++++++++
openssh.spec | 8 ++++++-
2 files changed, 38 insertions(+), 1 deletion(-)
create mode 100644 openssh-8.7p1-man-hostkeyalgos.patch
diff --git a/openssh-8.7p1-man-hostkeyalgos.patch b/openssh-8.7p1-man-hostkeyalgos.patch
new file mode 100644
index 0000000..92c53b1
--- /dev/null
+++ b/openssh-8.7p1-man-hostkeyalgos.patch
@@ -0,0 +1,31 @@
+diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x config.status -x configure~ -x configure.ac openssh-8.7p1/ssh_config.5 openssh-8.7p1-patched/ssh_config.5
+--- openssh-8.7p1/ssh_config.5 2023-06-02 09:14:40.279373577 +0200
++++ openssh-8.7p1-patched/ssh_config.5 2023-05-30 16:01:04.533848172 +0200
+@@ -989,6 +989,17 @@
+ .Pp
+ The list of available signature algorithms may also be obtained using
+ .Qq ssh -Q HostKeyAlgorithms .
++.Pp
++The proposed
++.Cm HostKeyAlgorithms
++during KEX are limited to the set of algorithms that is defined in
++.Cm PubkeyAcceptedAlgorithms
++and therefore they are indirectly affected by system-wide
++.Xr crypto_policies 7 .
++.Xr crypto_policies 7 can not handle the list of host key algorithms directly as doing so
++would break the order given by the
++.Pa known_hosts
++file.
+ .It Cm HostKeyAlias
+ Specifies an alias that should be used instead of the
+ real host name when looking up or saving the host key
+@@ -1564,6 +1575,9 @@
+ .Pp
+ The list of available signature algorithms may also be obtained using
+ .Qq ssh -Q PubkeyAcceptedAlgorithms .
++.Pp
++This option affects also
++.Cm HostKeyAlgorithms
+ .It Cm PubkeyAuthentication
+ Specifies whether to try public key authentication.
+ The argument to this keyword must be
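Review bot: In the embedded ssh_config.5 patch, the added line `.Xr crypto_policies 7 can not handle the list of host key algorithms directly as doing so` puts the rest of a sentence on the `.Xr` macro line, so the prose is passed as extra macro arguments instead of being written as text; start the sentence with `.Xr crypto_policies 7` on its own line and continue with `cannot handle the list of host key algorithms directly, as doing so` on the next. The paragraph added under PubkeyAcceptedAlgorithms in the second inner hunk ends at `.Cm HostKeyAlgorithms` with no closing punctuation; `.Cm HostKeyAlgorithms .` would end the sentence the way the neighbouring `.Qq ssh -Q PubkeyAcceptedAlgorithms .` line does. That paragraph would also serve someone hardening a client better if it stated the effect rather than only that one exists, for example that the host key algorithms proposed during key exchange are restricted to those also listed in this option, so overriding it for user authentication changes which host key algorithms are offered as well; that wording should be confirmed against the downstream change for rhbz#2068423, which is not part of this diff.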
diff --git a/openssh.spec b/openssh.spec index a51e330..29682b8 100644 --- a/openssh.spec +++ b/openssh.spec @@ -272,6 +272,9 @@ Patch1010: openssh-8.7p1-evp-fips-compl-dh.patch Patch1011: openssh-8.7p1-evp-fips-compl-ecdh.patch Patch1012: openssh-8.7p1-evp-pkcs11.patch +# clarify rhbz#2068423 on the man page of ssh_config +Patch1013: openssh-8.7p1-man-hostkeyalgos.patch + License: BSD Requires: /sbin/nologin @@ -487,6 +490,8 @@ popd %patch1011 -p1 -b .evp_fips_ecdh %patch1012 -p1 -b .evp_pkcs11 +%patch1013 -p1 -b .man-hostkeyalgos + autoreconf pushd pam_ssh_agent_auth-pam_ssh_agent_auth-%{pam_ssh_agent_ver} autoreconf @@ -775,7 +780,8 @@ test -f %{sysconfig_anaconda} && \ * Wed May 24 2023 Norbert Pocs - 8.7p1-32 - Fix pkcs11 issue with the recent changes - Delete unnecessary log messages from previous compl-dh patch -- Resolves: rhbz#2207793 +- Add ssh_config man page explanation on rhbz#2068423 +- Resolves: rhbz#2207793, rhbz#2209096 * Tue May 16 2023 Norbert Pocs - 8.7p1-31 - Fix minor issues with openssh-8.7p1-evp-fips-compl-dh.patch: