Commit Graph

90 Commits

Author SHA1 Message Date
Dmitry Belyavskiy
2a5b657c60 Possible remote code execution due to a race condition (CVE-2024-6409)
Resolves: RHEL-45741
2024-07-09 16:54:56 +02:00
Dmitry Belyavskiy
96149ae84f Possible remote code execution due to a race condition (CVE-2024-6387)
Resolves: RHEL-45348
2024-07-04 09:40:52 +02:00
Dmitry Belyavskiy
6ca18e235a Fix ssh multiplexing connect timeout processing
Resolves: RHEL-37748
2024-06-03 12:12:04 +02:00
Zoltan Fridrich
17e559c555 Add key size variables into sshd.sysconfig
Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
2024-05-10 10:39:36 +02:00
Zoltan Fridrich
01178d1eef Make default key sizes configurable in sshd-keygen
Resolves: RHEL-26454

Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
2024-05-09 12:53:59 +02:00
Zoltan Fridrich
7fedb4cdc0 Correctly audit hostname and IP address
Resolves: RHEL-22316

Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
2024-05-09 12:53:59 +02:00
Dmitry Belyavskiy
03eff3f0f1 Use FIPS-compatible API for key derivation
Resolves: RHEL-32809
2024-04-25 10:07:32 +02:00
Dmitry Belyavskiy
2c2ea1d489 Fix Terrapin attack
Resolves: CVE-2023-48795
2024-01-05 14:43:26 +01:00
Dmitry Belyavskiy
4c42338c08 Fix Terrapin attack
Resolves: CVE-2023-48795
2024-01-05 14:28:02 +01:00
Dmitry Belyavskiy
8a8fae36ce Rebuild
Related: RHEL-19789
2023-12-21 13:43:57 +01:00
Dmitry Belyavskiy
0521bb1a51 Forbid shell metasymbols in username/hostname
Resolves: CVE-2023-51385
2023-12-20 12:20:37 +01:00
Dmitry Belyavskiy
d18e1c1119 Relax OpenSSH build-time checks for OpenSSL version
Related: RHEL-4734
2023-12-20 11:31:43 +01:00
Dmitry Belyavskiy
54fc8050ff Fix Terrapin attack
Resolves: CVE-2023-48795
2023-12-20 11:26:41 +01:00
Dmitry Belyavskiy
5838d35972 Move users/groups creation logic to sysusers.d fragments
Resolves: RHEL-5222
2023-10-24 14:22:42 +02:00
Dmitry Belyavskiy
a43be164ec Limit artificial delays in sshd while login using AD user
Resolves: RHEL-2469
2023-10-23 13:33:49 +02:00
Dmitry Belyavskiy
d8b51e8341 Relax OpenSSH checks for OpenSSL version
Resolves: RHEL-4734
2023-10-23 12:59:46 +02:00
Dmitry Belyavskiy
edaf6c0fb4 Avoid remote code execution in ssh-agent PKCS#11 support
Resolves: CVE-2023-38408
2023-07-20 12:10:35 +02:00
Dmitry Belyavskiy
6fa799e1aa Avoid remote code execution in ssh-agent PKCS#11 support
Resolves: CVE-2023-38408
2023-07-20 12:02:42 +02:00
Dmitry Belyavskiy
c5140cafa3 Allow specifying validity interval in UTC
Resolves: rhbz#2115043
2023-06-14 11:15:41 +02:00
Norbert Pocs
415f8e730b Clarify rhbz#2068423 on the ssh_config man page
Resolves: rhbz#2209096

Signed-off-by: Norbert Pocs <npocs@redhat.com>
2023-06-02 09:16:33 +02:00
Norbert Pocs
6b2353418c Fix regression in pkcs11 introduced in the previous patch
Resolves: rhbz#2207793

Signed-off-by: Norbert Pocs <npocs@redhat.com>
2023-05-25 09:22:24 +02:00
Norbert Pocs
48718a1a72 Delete unneeded debug messages from fips-compl-dh patch
Related: rhbz#2091694

Signed-off-by: Norbert Pocs <npocs@redhat.com>
2023-05-25 09:17:38 +02:00
Norbert Pocs
1490ffd3e0 Fix minor issues with openssh-8.7p1-evp-fips-compl-dh.patch
- Check return values
- Use EVP API to get the size of DH

Related: rhbz#2091694

Signed-off-by: Norbert Pocs <npocs@redhat.com>
2023-05-16 15:50:52 +02:00
Norbert Pocs
587d7b215f Add FIPS compliance efforts for dh, ecdh and signing
Resolves: rhbz#2091694

Signed-off-by: Norbert Pocs <npocs@redhat.com>
2023-05-03 15:52:40 +02:00
Dmitry Belyavskiy
b5ba5af997 Eliminating remnants of SHA1 usage in OpenSSH
Resolves: rhbz#2070163
2023-04-28 16:04:07 +02:00
Dmitry Belyavskiy
cc7d7a5730 Some non-terminating processes were listening on ports.
Resolves: rhbz#2177768
2023-04-20 17:29:37 +02:00
Dmitry Belyavskiy
f7003be68c Resolve possible self-DoS with some clients
Resolves: rhbz#2186473
2023-04-13 14:24:35 +02:00
Dmitry Belyavskiy
42aa6f597e Do not try to use SHA1 for host key ownership proof when we don't support it server-side
Related: rhbz#2088750
2023-01-13 15:24:38 +01:00
Dmitry Belyavskiy
ebbbfce0aa Do not try to use SHA1 for host key ownership proof when we don't support it server-side
Resolves: rhbz#2088750
2023-01-12 16:16:08 +01:00
Zoltan Fridrich
5cfb97500b Add sk-dummy subpackage for test purposes
Resolves: rhbz#2092780

Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
2023-01-12 11:23:15 +01:00
Dmitry Belyavskiy
6f747825fa Minor cleanups from upstream
Fix one-byte overflow in SSH banner processing
Resolves: rhbz#2138345
Fix double free() in error path
Resolves: rhbz#2138347
2023-01-06 11:57:27 +01:00
Dmitry Belyavskiy
b0f3205a21 - Build fix after OpenSSL rebase
Resolves: rhbz#2153626
2022-12-16 11:52:54 +01:00
Dmitry Belyavskiy
ad9644f74c Set minimal value of RSA key length via configuration option
Added a support for our name as alias.

Resolves: rhbz#2128352
2022-09-23 11:14:03 +02:00
Dmitry Belyavskiy
d4ff0b8809 Set minimal value of RSA key length via configuration option
Resolves: rhbz#2128352
2022-09-22 14:48:29 +02:00
Dmitry Belyavskiy
d925600c40 Set minimal value of RSA key length via configuration option
Related: rhbz#2066882
2022-08-16 19:33:50 +02:00
Dmitry Belyavskiy
a0db6b2b7f Avoid spirous message on connecting to the machine with ssh-rsa keys
Related: rhbz#2115246
2022-08-16 14:32:50 +02:00
Dmitry Belyavskiy
b53c538acd IBMCA workaround
Related: rhbz#1976202
2022-08-04 14:37:20 +02:00
Zoltan Fridrich
1d30b84a88 Fix openssh-8.7p1-scp-clears-file.patch
Related: rhbz#2056884

Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
2022-07-26 16:14:15 +02:00
Dmitry Belyavskiy
9591af3b1d FIX pam_ssh_agent_auth auth for RSA keys
Related: rhbz#2070113
2022-07-15 16:52:19 +02:00
Zoltan Fridrich
9697eecfeb Fix new coverity issues
Related: rhbz#2068423

Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
2022-07-15 10:20:09 +02:00
Dmitry Belyavskiy
d23afae05f Disable ed25519 and ed25519-sk keys in FIPS mode
Related: rhbz#2087915
2022-07-14 16:15:05 +02:00
Zoltan Fridrich
e8622f8c21 Don't propose disallowed algorithms during hostkey negotiation
Resolves: rhbz#2068423

Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
2022-07-14 13:05:12 +02:00
Dmitry Belyavskiy
b17ff3bc91 Disable ed25519 and ed25519-sk keys in FIPS mode
Related: rhbz#2087915
2022-07-14 12:23:52 +02:00
Dmitry Belyavskiy
0d823b2f2a Disable ed25519 and ed25519-sk keys in FIPS mode
Related: rhbz#2087915
2022-07-13 16:24:55 +02:00
Zoltan Fridrich
821045a148 Add reference for policy customization in ssh/sshd_config manpages
Resolves: rhbz#1984575

Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
2022-07-12 15:32:37 +02:00
Dmitry Belyavskiy
3990967629 Disable ed25519 and ed25519-sk keys in FIPS mode
Related: rhbz#2087915
2022-07-12 13:37:26 +02:00
Dmitry Belyavskiy
32a82650cf Disable sntrup761x25519-sha512 in FIPS mode
Related: rhbz#2070628
2022-07-12 13:37:24 +02:00
Zoltan Fridrich
fd0d5a4f44 Fix host-based authentication with rsa keys
Resolves: rhbz#2088916

Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
2022-07-12 11:52:38 +02:00
Zoltan Fridrich
9bf7b4f39d Fix gssapi authentication failures
Resolves: rhbz#2091023

Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
2022-07-12 11:52:38 +02:00
Zoltan Fridrich
585620b0f1 Fix several memory leaks
Related: rhbz#2068423

Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
2022-07-12 11:52:38 +02:00