Compatibility with Debian's openssh-7.4p1 (#1881301)
This only version does incorrectly reports server_sig_algorithms extension and in Fedora 33 with disabled SHA1, clients are unable to connect to Debian servers
This commit is contained in:
parent
bbe3c2e156
commit
6a07699454
57
openssh-8.4p1-debian-compat.patch
Normal file
57
openssh-8.4p1-debian-compat.patch
Normal file
@ -0,0 +1,57 @@
|
|||||||
|
--- compat.h.orig 2020-10-05 10:09:02.953505129 -0700
|
||||||
|
+++ compat.h 2020-10-05 10:10:17.587733113 -0700
|
||||||
|
@@ -34,7 +34,7 @@
|
||||||
|
|
||||||
|
#define SSH_BUG_UTF8TTYMODE 0x00000001
|
||||||
|
#define SSH_BUG_SIGTYPE 0x00000002
|
||||||
|
-/* #define unused 0x00000004 */
|
||||||
|
+#define SSH_BUG_SIGTYPE74 0x00000004
|
||||||
|
/* #define unused 0x00000008 */
|
||||||
|
#define SSH_OLD_SESSIONID 0x00000010
|
||||||
|
/* #define unused 0x00000020 */
|
||||||
|
--- compat.c.orig 2020-10-05 10:25:02.088720562 -0700
|
||||||
|
+++ compat.c 2020-10-05 10:13:11.637282492 -0700
|
||||||
|
@@ -65,11 +65,12 @@
|
||||||
|
{ "OpenSSH_6.5*,"
|
||||||
|
"OpenSSH_6.6*", SSH_NEW_OPENSSH|SSH_BUG_CURVE25519PAD|
|
||||||
|
SSH_BUG_SIGTYPE},
|
||||||
|
+ { "OpenSSH_7.4*", SSH_NEW_OPENSSH|SSH_BUG_SIGTYPE|
|
||||||
|
+ SSH_BUG_SIGTYPE74},
|
||||||
|
{ "OpenSSH_7.0*,"
|
||||||
|
"OpenSSH_7.1*,"
|
||||||
|
"OpenSSH_7.2*,"
|
||||||
|
"OpenSSH_7.3*,"
|
||||||
|
- "OpenSSH_7.4*,"
|
||||||
|
"OpenSSH_7.5*,"
|
||||||
|
"OpenSSH_7.6*,"
|
||||||
|
"OpenSSH_7.7*", SSH_NEW_OPENSSH|SSH_BUG_SIGTYPE},
|
||||||
|
--- sshconnect2.c.orig 2020-09-26 07:26:37.618010545 -0700
|
||||||
|
+++ sshconnect2.c 2020-10-05 10:47:22.116315148 -0700
|
||||||
|
@@ -1305,6 +1305,26 @@
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
free(oallowed);
|
||||||
|
+ /*
|
||||||
|
+ * OpenSSH 7.4 supports SHA2 sig types, but fails to indicate its
|
||||||
|
+ * support. For that release, check the local policy against the
|
||||||
|
+ * SHA2 signature types.
|
||||||
|
+ */
|
||||||
|
+ if (alg == NULL &&
|
||||||
|
+ (key->type == KEY_RSA && (datafellows & SSH_BUG_SIGTYPE74))) {
|
||||||
|
+ oallowed = allowed = xstrdup(options.pubkey_key_types);
|
||||||
|
+ while ((cp = strsep(&allowed, ",")) != NULL) {
|
||||||
|
+ if (sshkey_type_from_name(cp) != key->type)
|
||||||
|
+ continue;
|
||||||
|
+ tmp = match_list(sshkey_sigalg_by_name(cp), "rsa-sha2-256,rsa-sha2-512", NULL);
|
||||||
|
+ if (tmp != NULL)
|
||||||
|
+ alg = xstrdup(cp);
|
||||||
|
+ free(tmp);
|
||||||
|
+ if (alg != NULL)
|
||||||
|
+ break;
|
||||||
|
+ }
|
||||||
|
+ free(oallowed);
|
||||||
|
+ }
|
||||||
|
return alg;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
@ -199,6 +199,8 @@ Patch966: openssh-8.2p1-x11-without-ipv6.patch
|
|||||||
Patch967: openssh-8.4p1-ssh-copy-id.patch
|
Patch967: openssh-8.4p1-ssh-copy-id.patch
|
||||||
# https://bugzilla.mindrot.org/show_bug.cgi?id=3232
|
# https://bugzilla.mindrot.org/show_bug.cgi?id=3232
|
||||||
Patch968: openssh-8.4p1-sandbox-seccomp.patch
|
Patch968: openssh-8.4p1-sandbox-seccomp.patch
|
||||||
|
# https://bugzilla.mindrot.org/show_bug.cgi?id=3213
|
||||||
|
Patch969: openssh-8.4p1-debian-compat.patch
|
||||||
|
|
||||||
License: BSD
|
License: BSD
|
||||||
Requires: /sbin/nologin
|
Requires: /sbin/nologin
|
||||||
@ -384,6 +386,7 @@ popd
|
|||||||
%patch966 -p1 -b .x11-ipv6
|
%patch966 -p1 -b .x11-ipv6
|
||||||
%patch967 -p1 -b .ssh-copy-id
|
%patch967 -p1 -b .ssh-copy-id
|
||||||
%patch968 -p1 -b .seccomp
|
%patch968 -p1 -b .seccomp
|
||||||
|
%patch969 -p0 -b .debian
|
||||||
|
|
||||||
%patch200 -p1 -b .audit
|
%patch200 -p1 -b .audit
|
||||||
%patch201 -p1 -b .audit-race
|
%patch201 -p1 -b .audit-race
|
||||||
|
Loading…
Reference in New Issue
Block a user