Don't propose disallowed algorithms during hostkey negotiation
Resolves: rhbz#2068423 Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
This commit is contained in:
parent
b17ff3bc91
commit
e8622f8c21
63
openssh-8.7p1-negotiate-supported-algs.patch
Normal file
63
openssh-8.7p1-negotiate-supported-algs.patch
Normal file
@ -0,0 +1,63 @@
|
|||||||
|
diff --color -rup a/regress/hostkey-agent.sh b/regress/hostkey-agent.sh
|
||||||
|
--- a/regress/hostkey-agent.sh 2021-08-20 06:03:49.000000000 +0200
|
||||||
|
+++ b/regress/hostkey-agent.sh 2022-07-14 11:58:12.172786060 +0200
|
||||||
|
@@ -13,8 +13,12 @@ r=$?
|
||||||
|
grep -vi 'hostkey' $OBJ/sshd_proxy > $OBJ/sshd_proxy.orig
|
||||||
|
echo "HostKeyAgent $SSH_AUTH_SOCK" >> $OBJ/sshd_proxy.orig
|
||||||
|
|
||||||
|
+PUBKEY_ACCEPTED_ALGOS=`$SSH -G "example.com" | \
|
||||||
|
+ grep -i "PubkeyAcceptedAlgorithms" | cut -d ' ' -f2- | tr "," "|"`
|
||||||
|
+SSH_ACCEPTED_KEYTYPES=`echo "$SSH_KEYTYPES" | egrep "$PUBKEY_ACCEPTED_ALGOS"`
|
||||||
|
+
|
||||||
|
trace "load hostkeys"
|
||||||
|
-for k in $SSH_KEYTYPES ; do
|
||||||
|
+for k in $SSH_ACCEPTED_KEYTYPES ; do
|
||||||
|
${SSHKEYGEN} -qt $k -f $OBJ/agent-key.$k -N '' || fatal "ssh-keygen $k"
|
||||||
|
(
|
||||||
|
printf 'localhost-with-alias,127.0.0.1,::1 '
|
||||||
|
@@ -31,7 +35,7 @@ cp $OBJ/known_hosts.orig $OBJ/known_host
|
||||||
|
unset SSH_AUTH_SOCK
|
||||||
|
|
||||||
|
for ps in yes; do
|
||||||
|
- for k in $SSH_KEYTYPES ; do
|
||||||
|
+ for k in $SSH_ACCEPTED_KEYTYPES ; do
|
||||||
|
verbose "key type $k privsep=$ps"
|
||||||
|
cp $OBJ/sshd_proxy.orig $OBJ/sshd_proxy
|
||||||
|
echo "UsePrivilegeSeparation $ps" >> $OBJ/sshd_proxy
|
||||||
|
diff --color -rup a/sshconnect2.c b/sshconnect2.c
|
||||||
|
--- a/sshconnect2.c 2022-07-14 10:10:07.262975710 +0200
|
||||||
|
+++ b/sshconnect2.c 2022-07-14 10:10:32.068452067 +0200
|
||||||
|
@@ -222,6 +222,7 @@ ssh_kex2(struct ssh *ssh, char *host, st
|
||||||
|
{
|
||||||
|
char *myproposal[PROPOSAL_MAX] = { KEX_CLIENT };
|
||||||
|
char *s, *all_key;
|
||||||
|
+ char *hostkeyalgs = NULL, *pkalg = NULL;
|
||||||
|
char *prop_kex = NULL, *prop_enc = NULL, *prop_hostkey = NULL;
|
||||||
|
int r, use_known_hosts_order = 0;
|
||||||
|
|
||||||
|
@@ -264,14 +265,19 @@ ssh_kex2(struct ssh *ssh, char *host, st
|
||||||
|
myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
|
||||||
|
if (use_known_hosts_order) {
|
||||||
|
/* Query known_hosts and prefer algorithms that appear there */
|
||||||
|
- myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = prop_hostkey =
|
||||||
|
- compat_pkalg_proposal(ssh,
|
||||||
|
- order_hostkeyalgs(host, hostaddr, port, cinfo));
|
||||||
|
+ if ((hostkeyalgs = order_hostkeyalgs(host, hostaddr, port, cinfo)) == NULL)
|
||||||
|
+ fatal_f("order_hostkeyalgs");
|
||||||
|
+ pkalg = match_filter_allowlist(hostkeyalgs, options.pubkey_accepted_algos);
|
||||||
|
+ free(hostkeyalgs);
|
||||||
|
} else {
|
||||||
|
- /* Use specified HostkeyAlgorithms exactly */
|
||||||
|
- myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = prop_hostkey =
|
||||||
|
- compat_pkalg_proposal(ssh, options.hostkeyalgorithms);
|
||||||
|
+ /* Use specified HostkeyAlgorithms */
|
||||||
|
+ pkalg = match_filter_allowlist(options.hostkeyalgorithms, options.pubkey_accepted_algos);
|
||||||
|
}
|
||||||
|
+ if (pkalg == NULL)
|
||||||
|
+ fatal_f("match_filter_allowlist");
|
||||||
|
+ myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = prop_hostkey =
|
||||||
|
+ compat_pkalg_proposal(ssh, pkalg);
|
||||||
|
+ free(pkalg);
|
||||||
|
|
||||||
|
#if defined(GSSAPI) && defined(WITH_OPENSSL)
|
||||||
|
if (options.gss_keyex) {
|
11
openssh.spec
11
openssh.spec
@ -51,7 +51,7 @@
|
|||||||
|
|
||||||
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
|
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
|
||||||
%global openssh_ver 8.7p1
|
%global openssh_ver 8.7p1
|
||||||
%global openssh_rel 15
|
%global openssh_rel 16
|
||||||
%global pam_ssh_agent_ver 0.10.4
|
%global pam_ssh_agent_ver 0.10.4
|
||||||
%global pam_ssh_agent_rel 4
|
%global pam_ssh_agent_rel 4
|
||||||
|
|
||||||
@ -246,6 +246,10 @@ Patch1004: openssh-8.7p1-gssapi-auth.patch
|
|||||||
# d9dbb5d9a0326e252d3c7bc13beb9c2434f59409
|
# d9dbb5d9a0326e252d3c7bc13beb9c2434f59409
|
||||||
# fdb1d58d0d3888b042e5a500f6ce524486aaf782
|
# fdb1d58d0d3888b042e5a500f6ce524486aaf782
|
||||||
Patch1005: openssh-8.7p1-host-based-auth.patch
|
Patch1005: openssh-8.7p1-host-based-auth.patch
|
||||||
|
# Don't propose disallowed algorithms during hostkey negotiation
|
||||||
|
# upstream MR:
|
||||||
|
# https://github.com/openssh/openssh-portable/pull/323
|
||||||
|
Patch1006: openssh-8.7p1-negotiate-supported-algs.patch
|
||||||
|
|
||||||
License: BSD
|
License: BSD
|
||||||
Requires: /sbin/nologin
|
Requires: /sbin/nologin
|
||||||
@ -440,6 +444,7 @@ popd
|
|||||||
%patch1003 -p1 -b .mem-leak
|
%patch1003 -p1 -b .mem-leak
|
||||||
%patch1004 -p1 -b .gssapi-auth
|
%patch1004 -p1 -b .gssapi-auth
|
||||||
%patch1005 -p1 -b .host-based-auth
|
%patch1005 -p1 -b .host-based-auth
|
||||||
|
%patch1006 -p1 -b .negotiate-supported-algs
|
||||||
|
|
||||||
%patch100 -p1 -b .coverity
|
%patch100 -p1 -b .coverity
|
||||||
|
|
||||||
@ -720,6 +725,10 @@ test -f %{sysconfig_anaconda} && \
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Thu Jul 14 2022 Zoltan Fridrich <zfridric@redhat.com> - 8.7p1-16
|
||||||
|
- Don't propose disallowed algorithms during hostkey negotiation
|
||||||
|
Resolves: rhbz#2068423
|
||||||
|
|
||||||
* Thu Jul 14 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.7p1-15
|
* Thu Jul 14 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.7p1-15
|
||||||
- Disable ed25519 and ed25519-sk keys in FIPS mode
|
- Disable ed25519 and ed25519-sk keys in FIPS mode
|
||||||
Related: rhbz#2087915
|
Related: rhbz#2087915
|
||||||
|
Loading…
Reference in New Issue
Block a user