rpms/openssh
6
0
Fork 2
Code Issues Pull Requests Releases Activity

Relax GSS Kex restriction in FIPS mode

Browse Source 
Resolves: RHEL-91181
This commit is contained in:
Dmitry Belyavskiy 2025-09-15 15:31:09 +02:00
parent ab204f7870
commit 5be8bc1b40
2 changed files with 5 additions and 31 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
openssh-7.7p1-fips.patch
View File

@ -360,36 +360,6 @@ diff -up openssh-8.6p1/sshd.c.fips openssh-8.6p1/sshd.c
/*
* Chdir to the root directory so that the current disk can be
* unmounted if desired.
diff -up openssh-8.6p1/sshd-session.c.fips openssh-8.6p1/sshd-session.c
--- a/sshd-session.c.fips 2021-05-06 12:08:36.493926838 +0200
+++ b/sshd-session.c 2021-05-06 12:13:56.501492639 +0200
@@ -78,6 +79,7 @@
#include <openssl/bn.h>
#include <openssl/evp.h>
#include <openssl/rand.h>
+#include <openssl/fips.h>
#include "openbsd-compat/openssl-compat.h"
#endif
@@ -2506,10 +2513,14 @@ do_ssh2_kex(struct ssh *ssh)
if (strlen(myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS]) == 0)
orig = NULL;
- if (options.gss_keyex)
- gss = ssh_gssapi_server_mechanisms();
- else
- gss = NULL;
+ if (options.gss_keyex) {
+ if (FIPS_mode()) {
+ logit("Disabling GSSAPIKeyExchange. Not usable in FIPS mode");
+ options.gss_keyex = 0;
+ } else {
+ gss = ssh_gssapi_server_mechanisms();
+ }
+ }
if (gss && orig)
xasprintf(&newstr, "%s,%s", gss, orig);
diff -up openssh-8.6p1/sshkey.c.fips openssh-8.6p1/sshkey.c
--- openssh-8.6p1/sshkey.c.fips 2021-05-06 12:08:36.493926838 +0200
+++ openssh-8.6p1/sshkey.c 2021-05-06 12:08:36.502926908 +0200

6
openssh.spec
View File

@ -43,7 +43,7 @@
Summary: An open source implementation of SSH protocol version 2
Name: openssh
Version: %{openssh_ver}
Release: 13%{?dist}
Release: 14%{?dist}
URL: http://www.openssh.com/portable.html
Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc
@ -689,6 +689,10 @@ test -f %{sysconfig_anaconda} && \
%attr(0755,root,root) %{_libdir}/sshtest/sk-dummy.so
%changelog
* Mon Sep 15 2025 Dmitry Belyavskiy <dbelyavs@redhat.com> - 9.9p1-14
- Relax GSS Kex restriction in FIPS mode
Resolves: RHEL-91181
* Mon Sep 01 2025 Dmitry Belyavskiy <dbelyavs@redhat.com> - 9.9p1-13
- Allow non-cryptographical use of MD5 in GSS Kex in FIPS mode
Related: RHEL-91181