Unpatch Red Hat help message
commit
f16816a3e5
@ -2093,7 +2093,7 @@ diff -up openssh-8.6p1/sshd-session.c.audit openssh-8.6p1/sshd-session.c
|
||||
+#endif /* WITH_OPENSSL */
|
||||
+ case KEY_ED25519_CERT:
|
||||
+ case KEY_ED25519:
|
||||
+ return (k->ed25519_pk != NULL);
|
||||
+ return (k->ed25519_sk != NULL);
|
||||
+ default:
|
||||
+ /* fatal("key_is_private: bad key type %d", k->type); */
|
||||
+ return 0;
|
||||
|
||||
@ -701,3 +701,29 @@ diff -up openssh-9.9p1/kex.c.xxx openssh-9.9p1/kex.c
|
||||
if ((cp = kex_names_cat(kexalgos, ssh->kex->server ?
|
||||
"ext-info-s,kex-strict-s-v00@openssh.com" :
|
||||
"ext-info-c,kex-strict-c-v00@openssh.com")) == NULL)
|
||||
diff --color -ruNp a/ssh-keyscan.c b/ssh-keyscan.c
|
||||
--- a/ssh-keyscan.c 2026-03-18 13:58:55.708193373 +0100
|
||||
+++ b/ssh-keyscan.c 2026-03-18 15:34:35.495942538 +0100
|
||||
@@ -22,6 +22,7 @@
|
||||
#ifdef WITH_OPENSSL
|
||||
#include <openssl/bn.h>
|
||||
#endif
|
||||
+#include <openssl/fips.h>
|
||||
|
||||
#include <limits.h>
|
||||
#include <netdb.h>
|
||||
@@ -239,6 +240,14 @@ keygrab_ssh2(con *c)
|
||||
char *myproposal[PROPOSAL_MAX] = { KEX_CLIENT };
|
||||
int r;
|
||||
|
||||
+ if (FIPS_mode()) {
|
||||
+ myproposal[PROPOSAL_KEX_ALGS] = KEX_DEFAULT_KEX_FIPS;
|
||||
+ myproposal[PROPOSAL_ENC_ALGS_CTOS] = KEX_FIPS_ENCRYPT;
|
||||
+ myproposal[PROPOSAL_ENC_ALGS_STOC] = KEX_FIPS_ENCRYPT;
|
||||
+ myproposal[PROPOSAL_MAC_ALGS_CTOS] = KEX_FIPS_MAC;
|
||||
+ myproposal[PROPOSAL_MAC_ALGS_STOC] = KEX_FIPS_MAC;
|
||||
+ }
|
||||
+
|
||||
switch (c->c_keytype) {
|
||||
case KT_DSA:
|
||||
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = get_cert ?
|
||||
|
||||
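Review bot: The new `#include <openssl/fips.h>` is placed after the `#endif` that closes the `#ifdef WITH_OPENSSL` guard around `<openssl/bn.h>`, and the `if (FIPS_mode()) { ... }` block added to keygrab_ssh2() is likewise unguarded, so a build configured without OpenSSL would fail at both the include and the call; the neighbouring bn.h include shows the file's convention of guarding OpenSSL headers. Moving the include inside that guard and wrapping the FIPS block in `#ifdef WITH_OPENSSL` / `#endif` would keep the non-OpenSSL configuration compiling. If this is deliberate because the distribution always links OpenSSL, a short comment above the include such as `/* unconditional: this build always links OpenSSL, FIPS_mode() is required */` would record that for the next rebase. keygrab_ssh2() continues past the end of the hunk.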
@ -828,7 +828,7 @@ diff --color -ruNp a/sshd_config.5 b/sshd_config.5
|
||||
+.Pp
|
||||
+The default is
|
||||
+.Cm no .
|
||||
+.It Cm GSSAPIS42UProxyServices
|
||||
+.It Cm GSSAPIProxyS4U2Services
|
||||
+Specifies a list of Kerberos service principals for which constrained
|
||||
+delegation (S4U2Proxy) tickets should be obtained after a successful
|
||||
+S4U2Self protocol transition.
|
||||
@ -883,14 +883,14 @@ diff --color -ruNp a/sshd-session.c b/sshd-session.c
|
||||
restore_uid();
|
||||
}
|
||||
+ /*
|
||||
+ * GSSAPIAllowS4U2Self / GSSAPIS42UProxyServices: if no credentials were stored
|
||||
+ * GSSAPIAllowS4U2Self / GSSAPIProxyS4U2Services: if no credentials were stored
|
||||
+ * above (i.e. no GSSAPI auth with delegation occurred), use S4U2Self
|
||||
+ * to obtain an impersonated credential for the user, then optionally
|
||||
+ * follow with S4U2Proxy for configured target services.
|
||||
+ *
|
||||
+ * GSSAPIAllowS4U2Self alone: store S4U2Self evidence ticket only;
|
||||
+ * the host TGT is removed.
|
||||
+ * GSSAPIS42UProxyServices alone: store host TGT and S4U2Proxy service
|
||||
+ * GSSAPIProxyS4U2Services alone: store host TGT and S4U2Proxy service
|
||||
+ * tickets; the S4U2Self evidence ticket
|
||||
+ * is removed.
|
||||
+ * Both: store host TGT, S4U2Self evidence ticket,
|
||||
@ -961,7 +961,7 @@ diff --color -ruNp a/sshd-session.c b/sshd-session.c
|
||||
+ * stay so that applications recognise the ccache as
|
||||
+ * holding live Kerberos credentials.
|
||||
+ * Remove the S4U2Self evidence ticket in proxy-only
|
||||
+ * mode (GSSAPIS42UProxyServices without GSSAPIAllowS4U2Self).
|
||||
+ * mode (GSSAPIProxyS4U2Services without GSSAPIAllowS4U2Self).
|
||||
+ */
|
||||
+ filter = 0;
|
||||
+ if (options.gss_allow_s4u2self &&
|
||||
|
||||
12
openssh.spec
12
openssh.spec
@ -43,7 +43,7 @@
|
||||
Summary: An open source implementation of SSH protocol version 2
|
||||
Name: openssh
|
||||
Version: %{openssh_ver}
|
||||
Release: 22%{?dist}.alma.1
|
||||
Release: 23%{?dist}.alma.1
|
||||
URL: http://www.openssh.com/portable.html
|
||||
Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
|
||||
Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc
|
||||
@ -719,9 +719,17 @@ test -f %{sysconfig_anaconda} && \
|
||||
%attr(0755,root,root) %{_libdir}/sshtest/sk-dummy.so
|
||||
|
||||
%changelog
|
||||
* Wed Mar 18 2026 Koichiro Iwao <meta@almalinux.org> - 9.9p1-22.alma.1
|
||||
* Wed Mar 25 2026 Koichiro Iwao <meta@almalinux.org> - 9.9p1-23.alma.1
|
||||
- Unpatch Red Hat help message
|
||||
|
||||
* Wed Mar 18 2026 Zoltan Fridrich <zfridric@redhat.com> - 9.9p1-23
|
||||
- Don't negotiate non-FIPS algorithms in ssh-keyscan key exchange in FIPS mode
|
||||
Resolves: RHEL-88565
|
||||
- Fix duplicate audit log entry when destroying ed25519 private keys
|
||||
Resolves: RHEL-46782
|
||||
- Fix typo in GSSAPIProxyS4U2Services
|
||||
Related: RHEL-92932
|
||||
|
||||
* Thu Mar 12 2026 Zoltan Fridrich <zfridric@redhat.com> - 9.9p1-22
|
||||
- Remove recommendation of p11-kit
|
||||
Resolves: RHEL-139070
|
||||
|
||||