Mark HostbasedAcceptedAlgorithms as governed by crypto-policies
This commit is contained in:
parent
483723014e
commit
42b22d9ad2
@ -92,6 +92,51 @@ diff --color -ru a/ssh_config.5 b/ssh_config.5
|
|||||||
.It Cm HashKnownHosts
|
.It Cm HashKnownHosts
|
||||||
Indicates that
|
Indicates that
|
||||||
.Xr ssh 1
|
.Xr ssh 1
|
||||||
|
@@ -913,36 +910,25 @@
|
||||||
|
but may be manually hashed using
|
||||||
|
.Xr ssh-keygen 1 .
|
||||||
|
.It Cm HostbasedAcceptedAlgorithms
|
||||||
|
+The default is handled system-wide by
|
||||||
|
+.Xr crypto-policies 7 .
|
||||||
|
+Information about defaults, how to modify the defaults and how to customize existing policies with sub-policies are present in manual page
|
||||||
|
+.Xr update-crypto-policies 8 .
|
||||||
|
+.Pp
|
||||||
|
Specifies the signature algorithms that will be used for hostbased
|
||||||
|
authentication as a comma-separated list of patterns.
|
||||||
|
Alternately if the specified list begins with a
|
||||||
|
.Sq +
|
||||||
|
character, then the specified signature algorithms will be appended
|
||||||
|
-to the default set instead of replacing them.
|
||||||
|
+to the built-in openssh default set instead of replacing them.
|
||||||
|
If the specified list begins with a
|
||||||
|
.Sq -
|
||||||
|
character, then the specified signature algorithms (including wildcards)
|
||||||
|
-will be removed from the default set instead of replacing them.
|
||||||
|
+will be removed from the built-in openssh default set instead of replacing them.
|
||||||
|
If the specified list begins with a
|
||||||
|
.Sq ^
|
||||||
|
character, then the specified signature algorithms will be placed
|
||||||
|
-at the head of the default set.
|
||||||
|
-The default for this option is:
|
||||||
|
-.Bd -literal -offset 3n
|
||||||
|
-ssh-ed25519-cert-v01@openssh.com,
|
||||||
|
-ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
||||||
|
-ecdsa-sha2-nistp384-cert-v01@openssh.com,
|
||||||
|
-ecdsa-sha2-nistp521-cert-v01@openssh.com,
|
||||||
|
-sk-ssh-ed25519-cert-v01@openssh.com,
|
||||||
|
-sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
||||||
|
-rsa-sha2-512-cert-v01@openssh.com,
|
||||||
|
-rsa-sha2-256-cert-v01@openssh.com,
|
||||||
|
-ssh-ed25519,
|
||||||
|
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
|
||||||
|
-sk-ssh-ed25519@openssh.com,
|
||||||
|
-sk-ecdsa-sha2-nistp256@openssh.com,
|
||||||
|
-rsa-sha2-512,rsa-sha2-256
|
||||||
|
-.Ed
|
||||||
|
+at the head of the built-in openssh default set.
|
||||||
|
.Pp
|
||||||
|
The
|
||||||
|
.Fl Q
|
||||||
@@ -1219,30 +1216,25 @@
|
@@ -1219,30 +1216,25 @@
|
||||||
and
|
and
|
||||||
.Cm pam .
|
.Cm pam .
|
||||||
@ -225,6 +270,17 @@ diff --color -ru a/ssh_config.5 b/ssh_config.5
|
|||||||
.Pp
|
.Pp
|
||||||
The list of available signature algorithms may also be obtained using
|
The list of available signature algorithms may also be obtained using
|
||||||
.Qq ssh -Q PubkeyAcceptedAlgorithms .
|
.Qq ssh -Q PubkeyAcceptedAlgorithms .
|
||||||
|
@@ -2237,7 +2207,9 @@ for those users who do not have a config
|
||||||
|
This file must be world-readable.
|
||||||
|
.El
|
||||||
|
.Sh SEE ALSO
|
||||||
|
-.Xr ssh 1
|
||||||
|
+.Xr ssh 1 ,
|
||||||
|
+.Xr crypto-policies 7 ,
|
||||||
|
+.Xr update-crypto-policies 8
|
||||||
|
.Sh AUTHORS
|
||||||
|
.An -nosplit
|
||||||
|
OpenSSH is a derivative of the original and free
|
||||||
diff --color -ru a/sshd_config.5 b/sshd_config.5
|
diff --color -ru a/sshd_config.5 b/sshd_config.5
|
||||||
--- a/sshd_config.5 2022-07-12 15:05:22.535012771 +0200
|
--- a/sshd_config.5 2022-07-12 15:05:22.535012771 +0200
|
||||||
+++ b/sshd_config.5 2022-07-12 15:15:33.394809258 +0200
|
+++ b/sshd_config.5 2022-07-12 15:15:33.394809258 +0200
|
||||||
@ -295,7 +351,7 @@ diff --color -ru a/sshd_config.5 b/sshd_config.5
|
|||||||
The list of available ciphers may also be obtained using
|
The list of available ciphers may also be obtained using
|
||||||
.Qq ssh -Q cipher .
|
.Qq ssh -Q cipher .
|
||||||
.It Cm ClientAliveCountMax
|
.It Cm ClientAliveCountMax
|
||||||
@@ -685,21 +679,22 @@
|
@@ -685,53 +679,43 @@
|
||||||
.Cm GSSAPIKeyExchange
|
.Cm GSSAPIKeyExchange
|
||||||
needs to be enabled in the server and also used by the client.
|
needs to be enabled in the server and also used by the client.
|
||||||
.It Cm GSSAPIKexAlgorithms
|
.It Cm GSSAPIKexAlgorithms
|
||||||
@ -327,7 +383,47 @@ diff --color -ru a/sshd_config.5 b/sshd_config.5
|
|||||||
-gss-curve25519-sha256-,gss-group14-sha1-,gss-gex-sha1- .
|
-gss-curve25519-sha256-,gss-group14-sha1-,gss-gex-sha1- .
|
||||||
This option only applies to connections using GSSAPI.
|
This option only applies to connections using GSSAPI.
|
||||||
.It Cm HostbasedAcceptedAlgorithms
|
.It Cm HostbasedAcceptedAlgorithms
|
||||||
|
+The default is handled system-wide by
|
||||||
|
+.Xr crypto-policies 7 .
|
||||||
|
+Information about defaults, how to modify the defaults and how to customize existing policies with sub-policies are present in manual page
|
||||||
|
+.Xr update-crypto-policies 8 .
|
||||||
|
+.Pp
|
||||||
Specifies the signature algorithms that will be accepted for hostbased
|
Specifies the signature algorithms that will be accepted for hostbased
|
||||||
|
authentication as a list of comma-separated patterns.
|
||||||
|
Alternately if the specified list begins with a
|
||||||
|
.Sq +
|
||||||
|
character, then the specified signature algorithms will be appended to
|
||||||
|
-the default set instead of replacing them.
|
||||||
|
+the built-in openssh default set instead of replacing them.
|
||||||
|
If the specified list begins with a
|
||||||
|
.Sq -
|
||||||
|
character, then the specified signature algorithms (including wildcards)
|
||||||
|
-will be removed from the default set instead of replacing them.
|
||||||
|
+will be removed from the built-in openssh default set instead of replacing them.
|
||||||
|
If the specified list begins with a
|
||||||
|
.Sq ^
|
||||||
|
character, then the specified signature algorithms will be placed at
|
||||||
|
-the head of the default set.
|
||||||
|
-The default for this option is:
|
||||||
|
-.Bd -literal -offset 3n
|
||||||
|
-ssh-ed25519-cert-v01@openssh.com,
|
||||||
|
-ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
||||||
|
-ecdsa-sha2-nistp384-cert-v01@openssh.com,
|
||||||
|
-ecdsa-sha2-nistp521-cert-v01@openssh.com,
|
||||||
|
-sk-ssh-ed25519-cert-v01@openssh.com,
|
||||||
|
-sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
||||||
|
-rsa-sha2-512-cert-v01@openssh.com,
|
||||||
|
-rsa-sha2-256-cert-v01@openssh.com,
|
||||||
|
-ssh-ed25519,
|
||||||
|
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
|
||||||
|
-sk-ssh-ed25519@openssh.com,
|
||||||
|
-sk-ecdsa-sha2-nistp256@openssh.com,
|
||||||
|
-rsa-sha2-512,rsa-sha2-256
|
||||||
|
-.Ed
|
||||||
|
+the head of the built-in openssh default set.
|
||||||
|
.Pp
|
||||||
|
The list of available signature algorithms may also be obtained using
|
||||||
|
.Qq ssh -Q HostbasedAcceptedAlgorithms .
|
||||||
@@ -799,25 +794,14 @@
|
@@ -799,25 +794,14 @@
|
||||||
.Ev SSH_AUTH_SOCK
|
.Ev SSH_AUTH_SOCK
|
||||||
environment variable.
|
environment variable.
|
||||||
@ -499,3 +595,14 @@ diff --color -ru a/sshd_config.5 b/sshd_config.5
|
|||||||
.Pp
|
.Pp
|
||||||
The list of available signature algorithms may also be obtained using
|
The list of available signature algorithms may also be obtained using
|
||||||
.Qq ssh -Q PubkeyAcceptedAlgorithms .
|
.Qq ssh -Q PubkeyAcceptedAlgorithms .
|
||||||
|
@@ -2011,7 +1968,9 @@ This file should be writable by root onl
|
||||||
|
.El
|
||||||
|
.Sh SEE ALSO
|
||||||
|
.Xr sftp-server 8 ,
|
||||||
|
-.Xr sshd 8
|
||||||
|
+.Xr sshd 8 ,
|
||||||
|
+.Xr crypto-policies 7 ,
|
||||||
|
+.Xr update-crypto-policies 8
|
||||||
|
.Sh AUTHORS
|
||||||
|
.An -nosplit
|
||||||
|
OpenSSH is a derivative of the original and free
|
||||||
|
@ -51,7 +51,7 @@
|
|||||||
|
|
||||||
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
|
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
|
||||||
%global openssh_ver 9.0p1
|
%global openssh_ver 9.0p1
|
||||||
%global openssh_rel 2
|
%global openssh_rel 3
|
||||||
%global pam_ssh_agent_ver 0.10.4
|
%global pam_ssh_agent_ver 0.10.4
|
||||||
%global pam_ssh_agent_rel 7
|
%global pam_ssh_agent_rel 7
|
||||||
|
|
||||||
@ -289,14 +289,14 @@ BuildRequires: gnupg2
|
|||||||
%package clients
|
%package clients
|
||||||
Summary: An open source SSH client applications
|
Summary: An open source SSH client applications
|
||||||
Requires: openssh = %{version}-%{release}
|
Requires: openssh = %{version}-%{release}
|
||||||
Requires: crypto-policies >= 20200610-1
|
Requires: crypto-policies >= 20220824-1
|
||||||
|
|
||||||
%package server
|
%package server
|
||||||
Summary: An open source SSH server daemon
|
Summary: An open source SSH server daemon
|
||||||
Requires: openssh = %{version}-%{release}
|
Requires: openssh = %{version}-%{release}
|
||||||
Requires(pre): /usr/sbin/useradd
|
Requires(pre): /usr/sbin/useradd
|
||||||
Requires: pam >= 1.0.1-3
|
Requires: pam >= 1.0.1-3
|
||||||
Requires: crypto-policies >= 20200610-1
|
Requires: crypto-policies >= 20220824-1
|
||||||
%{?systemd_requires}
|
%{?systemd_requires}
|
||||||
|
|
||||||
%package keycat
|
%package keycat
|
||||||
@ -718,6 +718,9 @@ test -f %{sysconfig_anaconda} && \
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Wed Aug 24 2022 Alexander Sosedkin <asosedkin@redhat.com> - 9.0p1-3
|
||||||
|
- State in manpages that HostbasedAcceptedAlgorithms is set by crypto-policies
|
||||||
|
|
||||||
* Wed Aug 17 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 9.0p1-2
|
* Wed Aug 17 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 9.0p1-2
|
||||||
- Port patches from CentOS - RSAMinSize (rhbz#2117264)
|
- Port patches from CentOS - RSAMinSize (rhbz#2117264)
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user