diff --git a/openssh-9.0p1-man-hostkeyalgos.patch b/openssh-9.0p1-man-hostkeyalgos.patch
new file mode 100644
index 0000000..2b16c2b
--- /dev/null
+++ b/openssh-9.0p1-man-hostkeyalgos.patch
@@ -0,0 +1,16 @@
+diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x config.status -x configure~ -x configure.ac openssh-8.7p1/ssh_config.5 openssh-8.7p1-patched/ssh_config.5
+--- openssh-8.7p1/ssh_config.5 2023-05-29 13:41:19.731835097 +0200
++++ openssh-8.7p1-patched/ssh_config.5 2023-05-29 13:40:58.806604144 +0200
+@@ -989,6 +989,12 @@
+ .Pp
+ The list of available signature algorithms may also be obtained using
+ .Qq ssh -Q HostKeyAlgorithms .
++.Pp
++.Xr crypto_policies 7 does not handle the list of algorithms as doing so
++would break the order given by the
++.Pa known_hosts
++file. Therefore the list is filtered by
++.Cm PubkeyAcceptedAlgorithms.
+ .It Cm HostKeyAlias
+ Specifies an alias that should be used instead of the
+ real host name when looking up or saving the host key
diff --git a/openssh.spec b/openssh.spec
index c91f22a..91518ab 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -249,6 +249,9 @@ Patch1013: openssh-9.0p1-evp-fips-ecdh.patch
 Patch1014: openssh-8.7p1-nohostsha1proof.patch
 Patch1015: openssh-9.0p1-evp-pkcs11.patch
+# clarify rhbz#2068423 on the man page of ssh_config
+Patch1016: openssh-9.0p1-man-hostkeyalgos.patch
+
 License: BSD
 Requires: /sbin/nologin
@@ -463,6 +466,8 @@ popd
 %patch1014 -p1 -b .nosha1hostproof
 %patch1015 -p1 -b .evp-pkcs11
+%patch1016 -p1 -b .man-hostkeyalgos
+
 %patch100 -p1 -b .coverity
 autoreconf
@@ -772,6 +777,7 @@ test -f %{sysconfig_anaconda} && \
 * Wed May 24 2023 Norbert Pocs - 9.0p1-18
 - Fix pkcs11 issue with the recent changes
 - Add support for 'serial' in PKCS#11 URI
+- Clarify HostKeyAlgorithms relation with crypto-policies
 * Fri Apr 14 2023 Dmitry Belyavskiy - 9.0p1-17
 - In case when sha1 signatures are not supported, fallback to sha2 in hostproof
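Review bot: In the paragraph added to ssh_config.5, `.Cm PubkeyAcceptedAlgorithms.` has the full stop attached to the macro argument, so it is formatted as part of the keyword; mdoc expects closing punctuation as its own argument, `.Cm PubkeyAcceptedAlgorithms .`. The same paragraph starts a sentence on the `.Xr` line and another mid-line after `file.`; putting `.Xr crypto_policies 7` on its own line and starting "Therefore ..." on a new line follows the one-sentence-per-line convention and keeps the cross-reference clean. The wording "does not handle the list of algorithms" is also vague for an administrator who is trying to restrict host key algorithms. Something like "does not set HostKeyAlgorithms, because doing so would override the order derived from the known_hosts file; the resulting list is instead filtered by PubkeyAcceptedAlgorithms" states the effective behaviour, assuming that is what the patched client does. The HostKeyAlgorithms entry itself begins outside this hunk.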