Restore GSS connectivity when no hostkeys are present
Related: RHEL-42635
parent
303ff5b834
commit
78bb33ab57
33
openssh-9.8p1-gsskex-regression.patch
Normal file
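--- a/openssh-9.8p1-gsskex-regression.patch
+++ b/openssh-9.8p1-gsskex-regression.patch
@@ -0,0 +1,33 @@
+diff -up openssh-9.8p1/sshd-session.c.xxx openssh-9.8p1/sshd-session.c
+--- openssh-9.8p1/sshd-session.c.xxx 2024-08-26 13:23:33.071882129 +0200
++++ openssh-9.8p1/sshd-session.c 2024-08-26 13:26:02.990528767 +0200
+@@ -1229,8 +1229,9 @@ main(int ac, char **av)
+break;
+}
+}
+- if (!have_key)
+- fatal("internal error: monitor received no hostkeys");
++ /* The GSSAPI key exchange can run without a host key */
++ if (!have_key && !options.gss_keyex)
++ fatal("internal error: monitor received no hostkeys and GSS KEX is not configured");
+
+/* Ensure that umask disallows at least group and world write */
+new_umask = umask(0077) | 0022;
+@@ -1565,7 +1565,7 @@ do_ssh2_kex(struct ssh *ssh)
+if (gss && orig)
+xasprintf(&newstr, "%s,%s", gss, orig);
+else if (gss)
+- newstr = gss;
++ xasprintf(&newstr, "%s,%s", gss, "kex-strict-s-v00@openssh.com");
+else if (orig)
+newstr = orig;
+
+@@ -1575,7 +1575,7 @@ do_ssh2_kex(struct ssh *ssh)
+* host key algorithm we support
+*/
+if (gss && (strlen(myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS])) == 0)
+- myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = "null";
++ myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = xstrdup("null");
+
+if (newstr)
+myproposal[PROPOSAL_KEX_ALGS] = newstr;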
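Review bot: The relaxed check in main() keys on the configuration flag `options.gss_keyex`, not on whether a GSSAPI mechanism is actually usable, so a session with no host keys and no working GSS credentials no longer stops at this fatal(). The do_ssh2_kex hunks still test `gss` for NULL, which suggests that case is reachable; it would then presumably surface later as an opaque negotiation failure with an empty host key algorithm list. I would add an explicit guard before the proposal is assembled, `if (!gss && strlen(myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS]) == 0) fatal("no hostkeys and no usable GSSAPI mechanisms");`. The new comment should also state the trust consequence, for example `/* Without a host key the server is authenticated only by the GSSAPI key exchange */`. Both main() and do_ssh2_kex() continue outside the hunks, so where `gss` is computed is not visible here.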
10
openssh.spec
10
openssh.spec
@ -39,7 +39,7 @@
|
||||
%{?static_openssl:%global static_libcrypto 1}
|
||||
|
||||
%global openssh_ver 9.8p1
|
||||
%global openssh_rel 4
|
||||
%global openssh_rel 5
|
||||
|
||||
Summary: An open source implementation of SSH protocol version 2
|
||||
Name: openssh
|
||||
@ -202,6 +202,8 @@ Patch1014: openssh-8.7p1-nohostsha1proof.patch
|
||||
|
||||
Patch1015: openssh-9.6p1-pam-rhost.patch
|
||||
|
||||
Patch1016: openssh-9.8p1-gsskex-regression.patch
|
||||
|
||||
License: BSD-3-Clause AND BSD-2-Clause AND ISC AND SSH-OpenSSH AND ssh-keyscan AND sprintf AND LicenseRef-Fedora-Public-Domain AND X11-distribute-modifications-variant
|
||||
Requires: /sbin/nologin
|
||||
|
||||
@ -379,6 +381,8 @@ gpgv2 --quiet --keyring %{SOURCE3} %{SOURCE1} %{SOURCE0}
|
||||
|
||||
%patch -P 100 -p1 -b .coverity
|
||||
|
||||
%patch -P 1016 -p1 -b .gss-regression
|
||||
|
||||
autoreconf
|
||||
|
||||
%build
|
||||
@ -653,6 +657,10 @@ test -f %{sysconfig_anaconda} && \
|
||||
%attr(0755,root,root) %{_libdir}/sshtest/sk-dummy.so
|
||||
|
||||
%changelog
|
||||
* Mon Aug 26 2024 Dmitry Belyavskiy <dbelyavs@redhat.com> - 9.8p1-5
|
||||
- Restore GSS connectivity when no hostkeys are present
|
||||
Related: RHEL-42635
|
||||
|
||||
* Fri Aug 16 2024 Dmitry Belyavskiy <dbelyavs@redhat.com> - 9.8p1-4
|
||||
- Address SAST scan issues
|
||||
Resolves: RHEL-36766
|
||||
|