From 78bb33ab57bd2fdc69a352ac78556239931abb0b Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy
Date: Tue, 27 Aug 2024 13:52:28 +0200
Subject: [PATCH] Restore GSS connectivity when no hostkeys are present
Related: RHEL-42635
---
 openssh-9.8p1-gsskex-regression.patch | 33 +++++++++++++++++++++++++++
 openssh.spec | 10 +++++++-
 2 files changed, 42 insertions(+), 1 deletion(-)
 create mode 100644 openssh-9.8p1-gsskex-regression.patch
diff --git a/openssh-9.8p1-gsskex-regression.patch b/openssh-9.8p1-gsskex-regression.patch
new file mode 100644
index 0000000..690b77f
--- /dev/null
+++ b/openssh-9.8p1-gsskex-regression.patch
@@ -0,0 +1,33 @@
+diff -up openssh-9.8p1/sshd-session.c.xxx openssh-9.8p1/sshd-session.c
+--- openssh-9.8p1/sshd-session.c.xxx 2024-08-26 13:23:33.071882129 +0200
++++ openssh-9.8p1/sshd-session.c 2024-08-26 13:26:02.990528767 +0200
+@@ -1229,8 +1229,9 @@ main(int ac, char **av)
+ break;
+ }
+ }
+- if (!have_key)
+- fatal("internal error: monitor received no hostkeys");
++ /* The GSSAPI key exchange can run without a host key */
++ if (!have_key && !options.gss_keyex)
++ fatal("internal error: monitor received no hostkeys and GSS KEX is not configured");
+ 
+ /* Ensure that umask disallows at least group and world write */
+ new_umask = umask(0077) | 0022;
+@@ -1565,7 +1565,7 @@ do_ssh2_kex(struct ssh *ssh)
+ if (gss && orig)
+ xasprintf(&newstr, "%s,%s", gss, orig);
+ else if (gss)
+- newstr = gss;
++ xasprintf(&newstr, "%s,%s", gss, "kex-strict-s-v00@openssh.com");
+ else if (orig)
+ newstr = orig;
+ 
+@@ -1575,7 +1575,7 @@ do_ssh2_kex(struct ssh *ssh)
+ * host key algorithm we support
+ */
+ if (gss && (strlen(myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS])) == 0)
+- myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = "null";
++ myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = xstrdup("null");
+ 
+ if (newstr)
+ myproposal[PROPOSAL_KEX_ALGS] = newstr;
diff --git a/openssh.spec b/openssh.spec
index b9f35bf..e512f61 100644
--- a/openssh.spec
+++ b/openssh.spec
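Review bot: The `else if (gss)` branch in the do_ssh2_kex() hunk hard-codes `"kex-strict-s-v00@openssh.com"` with no comment explaining why the strict-KEX marker has to be appended by hand in the GSS-only case, so a later cleanup that simplifies it back to `xasprintf(&newstr, "%s", gss)` would silently drop the server's CVE-2023-48795 (Terrapin) mitigation from the proposal. I would add `/* orig is NULL here, so the strict-kex marker that would otherwise arrive via orig must be appended explicitly */` — phrased as an assumption, since the code that builds `orig` is outside the hunk — and reference whichever macro kex.h defines for this name, if one exists, instead of a second copy of the literal. The relaxed fatal() in main() also deserves a one-line `logit()` stating that sshd is starting with no host keys and relying solely on GSSAPI key exchange, because that is an operational state an administrator would want to see in the log rather than discover from a client failing with a `null` host key algorithm. Both main() and do_ssh2_kex() begin and end outside the hunk.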
@@ -39,7 +39,7 @@ %{?static_openssl:%global static_libcrypto 1} %global openssh_ver 9.8p1 -%global openssh_rel 4 +%global openssh_rel 5 Summary: An open source implementation of SSH protocol version 2 Name: openssh @@ -202,6 +202,8 @@ Patch1014: openssh-8.7p1-nohostsha1proof.patch Patch1015: openssh-9.6p1-pam-rhost.patch +Patch1016: openssh-9.8p1-gsskex-regression.patch + License: BSD-3-Clause AND BSD-2-Clause AND ISC AND SSH-OpenSSH AND ssh-keyscan AND sprintf AND LicenseRef-Fedora-Public-Domain AND X11-distribute-modifications-variant Requires: /sbin/nologin @@ -379,6 +381,8 @@ gpgv2 --quiet --keyring %{SOURCE3} %{SOURCE1} %{SOURCE0} %patch -P 100 -p1 -b .coverity +%patch -P 1016 -p1 -b .gss-regression + autoreconf %build @@ -653,6 +657,10 @@ test -f %{sysconfig_anaconda} && \ %attr(0755,root,root) %{_libdir}/sshtest/sk-dummy.so %changelog +* Mon Aug 26 2024 Dmitry Belyavskiy - 9.8p1-5 +- Restore GSS connectivity when no hostkeys are present + Related: RHEL-42635 + * Fri Aug 16 2024 Dmitry Belyavskiy - 9.8p1-4 - Address SAST scan issues Resolves: RHEL-36766