Commit Graph

1200 Commits

Author SHA1 Message Date
Troy Dawson
8f0ad5fe82 Bump release for June 2024 mass rebuild 2024-06-24 09:06:11 -07:00
Zoltan Fridrich
d23ed33031 Make default key sizes configurable in sshd-keygen
Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
2024-05-10 10:22:49 +02:00
Zoltan Fridrich
2e80dd6896 Correctly audit hostname and IP address
Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
2024-05-09 17:06:11 +02:00
Fedora Release Engineering
2f41ca7cd3 Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild 2024-01-25 11:29:57 +00:00
Fedora Release Engineering
d089d5f71b Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild 2024-01-21 11:22:01 +00:00
Dmitry Belyavskiy
f238307bdf Applying patches to rebase to OpenSSH 9.6p1
Based on Damien Milnes' PR
https://src.fedoraproject.org/rpms/openssh/pull-request/63

Also rebasing openssh-8.0p1-pkcs11-uri.patch to 9.6 by Dmitry Belyavskiy
2024-01-12 16:04:03 +01:00
Florian Weimer
87ae5d1d5a Fix type errors in downstream gssapi-keyex patch
Related to:

  <https://fedoraproject.org/wiki/Changes/PortingToModernC>
  <https://fedoraproject.org/wiki/Toolchain/PortingToModernC>
2023-12-22 17:01:38 +01:00
Mattias Ellert
5c1da775a9 Fix issue with read-only ssh buffer during gssapi key exchange
(rhbz#1938224)
https://github.com/openssh-gsskex/openssh-gsskex/pull/19
2023-10-16 22:26:16 +02:00
Mattias Ellert
4f07bfcfe1 Fix FTBFS due to implicit declarations (rhbz#2241211) 2023-10-15 06:42:32 +02:00
Dmitry Belyavskiy
d3cd3f2851 migrated to SPDX license 2023-09-19 12:19:43 +02:00
Timothée Ravier
f98acbdc5d Revert "Remove sshd.socket unit"
This reverts commit 8a294387d0.

This change has been pushed to Fedora 40 and is pending discussion /
voting from FESCo.

See: https://pagure.io/fesco/issue/3062
See: https://fedoraproject.org/wiki/Changes/Drop_Sshd_Socket
2023-09-15 10:22:41 +02:00
Jakub Jelen
d77b1b790a pkcs11: Add support for 'serial' in PKCS#11 URI
The patch was updated by the upstream MR
https://github.com/openssh/openssh-portable/pull/406
by npocs@redhat.com
2023-08-11 15:04:18 +02:00
Dmitry Belyavskiy
c7af8ecb76 Minor optimization of ssh_krb5_kuserok
Resolves: rhbz#2112501
2023-08-03 11:06:10 +02:00
Dmitry Belyavskiy
8a294387d0 Remove sshd.socket unit
Resolves: rhbz#2025716
2023-08-03 10:38:48 +02:00
Dmitry Belyavskiy
f4f5944e31 Disable forking of ssh-agent on startup
Resolves: rhbz#2148555
2023-08-03 10:32:24 +02:00
Dmitry Belyavskiy
ec2f61e2cf Split including crypto-policies to a separate config
Resolves: rhbz#1970566
2023-08-03 10:25:50 +02:00
Dmitry Belyavskiy
147ab2eb19 relax checks of the OpenSSL version 2023-08-01 14:19:16 +02:00
Dmitry Belyavskiy
eb1b5e6755 relax checks of the OpenSSL version 2023-08-01 14:18:18 +02:00
Mattias Ellert
c04e468b07 Update gssapi-keyex patch for OpenSSH 9.0+
userauth_gsskeyex must have the same argument as userauth_gssapi
method_gsskeyex must have the same members as method_gssapi
2023-07-26 23:28:39 +02:00
Dmitry Belyavskiy
c3494feffe Fix remote code execution in ssh-agent PKCS#11 support
Resolves: CVE-2023-38408
2023-07-21 17:00:23 +02:00
Fedora Release Engineering
9fd130d8eb Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2023-07-20 18:12:08 +00:00
Norbert Pocs
8f5b8fd2c5 Revert "pkcs11: Add support for 'serial' in PKCS#11 URI"
This reverts commit e39f11e77c.

The patch has some problems (the pkcs11 downstream test is failing)
and needs more investigation
2023-06-13 14:38:59 +02:00
Norbert Pocs
c5082a3f81 Merge gssapi-keyex and gssapi-auth
Signed-off-by: Norbert Pocs <npocs@redhat.com>
2023-06-08 13:58:01 +02:00
Norbert Pocs
2b67ec48c2 Merge manpage crypto-policies related patches
Signed-off-by: Norbert Pocs <npocs@redhat.com>
2023-06-08 13:57:42 +02:00
Norbert Pocs
fb40f0afda Merge evp related patches
Signed-off-by: Norbert Pocs <npocs@redhat.com>
2023-06-08 13:57:23 +02:00
Norbert Pocs
141d7b2d4a Remove deprecated usage of %patchN
Signed-off-by: Norbert Pocs <npocs@redhat.com>
2023-06-08 13:56:15 +02:00
Dmitry Belyavskiy
d5fd076ab3 Updating specfile 2023-06-07 12:15:31 +02:00
Dmitry Belyavskiy
18e9f31c42 Fix DSS verification problem
Resolves: rhbz#2212937
2023-06-07 12:12:46 +02:00
Dmitry Belyavskiy
29083ac442 Remove unused patch 2023-06-02 18:56:58 +02:00
Dmitry Belyavskiy
f561c68bdb Rebasing OpenSSH from 9.0 to 9.3 2023-06-02 15:38:27 +02:00
Norbert Pocs
b129d6336e Clarify HostKeyAlgorithms option on man page
Clarify HostkeyAlgorithms and crypto-policies relation on the ssh_config
man page

Signed-off-by: Norbert Pocs <npocs@redhat.com>
2023-05-29 13:58:15 +02:00
Jakub Jelen
e39f11e77c pkcs11: Add support for 'serial' in PKCS#11 URI 2023-05-25 09:29:24 +02:00
Norbert Pocs
e8e01dc82e Fix regression in pkcs11 introduced in the previous patch
Signed-off-by: Norbert Pocs <npocs@redhat.com>
2023-05-25 09:27:33 +02:00
Norbert Pocs
2341f1769d Fix minor issues with openssh-9.0p1-evp-fips-dh.patch
- Check return values
- Use EVP API to get the size of DH

Signed-off-by: Norbert Pocs <npocs@redhat.com>
2023-05-25 09:27:33 +02:00
Dmitry Belyavskiy
6f7c765ed4 Audit logging patch was not applied
Resolves: rhbz#2177471
2023-04-14 10:38:37 +02:00
Dmitry Belyavskiy
1506e0825c If SHA1 signatures are not permitted, try to fallback to SHA2
SHA1 is insecure now, and is forbidden in RHEL and will be forbidden in
several crypto-policies in Fedora in some future. This patch adds
detection of SHA1 signatures availability and, if not available,
enforces fallback to SHA2.
2023-04-14 10:32:06 +02:00
Norbert Pocs
b63272d9eb Make the sign, dh, ecdh processes FIPS compliant
FIPS compliancy can be stated by using only compliant crypto
functions. This is achieved by using EVP API from openssl 3.0
version. The solution uses a non-intrusive approach - instead
of rewriting everything to use EVP API it converts the data
to it at the critical places.

Signed-off-by: Norbert Pocs <npocs@redhat.com>
2023-04-13 19:12:46 +02:00
Dmitry Belyavskiy
745da74ea2 Fix self-DoS
Resolves: CVE-2023-25136
Remove too aggressive coverity fix causing native tests failure
2023-04-13 18:14:19 +02:00
Florian Weimer
d5591fb5ab C99 compatibility fixes
Apply upstream patches from the portable OpenSSH project to fix
C99 compatibility issues in the configure script.

For the PAM agent integration, apply a custom downstream fix,
as the proposed upstream changes have not been merged yet.

Related to:

  <https://fedoraproject.org/wiki/Changes/PortingToModernC>
  <https://fedoraproject.org/wiki/Toolchain/PortingToModernC>
2023-04-12 12:07:21 +02:00
Timothée Ravier
e3597c03f1 Make sshd & sshd@ units want ssh-host-keys-migration.service
Enabling the unit via the presets does not enable it on
Silverblue/Kinoite/Sericea & IoT as we don't re-preset all units like
it's done in Fedora CoreOS.

See: https://pagure.io/workstation-ostree-config/pull-request/246

Instead, have the sshd & sshd@ service unit `Wants` the
ssh-host-keys-migration service unit so that it's pulled-in only when
sshd is effectively enabled and in all cases.

See: https://src.fedoraproject.org/rpms/fedora-release/pull-request/253

See: https://bugzilla.redhat.com/show_bug.cgi?id=2172956
See: https://src.fedoraproject.org/rpms/fedora-release/pull-request/252
2023-03-14 17:17:24 +01:00
Zoltan Fridrich
3a98e6f607 Add sk-dummy subpackage for test purposes
Resolves: rhbz#2176795

Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
2023-03-13 13:22:28 +01:00
Dusty Mabe
21fd6bef5b Make ssh-host key migration less conditional
If there is a case where some host keys don't have correct
permissions then they won't get migrated. Let's make the
migration script attempt migration for the rest of the keys
too.
2023-03-06 09:55:13 -05:00
Dusty Mabe
1076e61bfd Mark /var/lib/.ssh-host-keys-migration as %ghost file 2023-03-06 09:55:13 -05:00
Dusty Mabe
08d842d5e8 Use a service unit to strip ssh_keys group from host keys (rhbz#2172956)
Use a systemd service unit to strip the ssh_keys group and change the
mode for host keys. This ensures that this migration is done right before
the openssh server startup on all kinds of systems, either RPM or
rpm-ostree based.

Use a marker file to only do this once. We need to keep this service
unit for two Fedora releases so we will be able to remove it in Fedora
40.

See: https://fedoraproject.org/wiki/Changes/SSHKeySignSuidBit
Fixes: 7a21555 Get rid of ssh_keys group for new installations
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2172956

Co-authored-by: Timothée Ravier <tim@siosm.fr>
2023-03-03 09:56:51 -05:00
Dusty Mabe
937ee4760a update date in changelog entry
This entry is out of chronological order, which means we get a
warning/error every time. I'm just updating here to the commitdate
of the commit, which puts everything back in chronological order.
2023-03-02 11:57:38 -05:00
Dmitry Belyavskiy
45028601a3 We don't install openssh.conf file 2023-01-23 16:01:47 +01:00
Dmitry Belyavskiy
7a21555354 Get rid of ssh_keys group for new installations 2023-01-23 16:01:47 +01:00
Dmitry Belyavskiy
b615362fd0 Restore upstream default host key permissions (rhbz#2141272) 2023-01-23 16:01:47 +01:00
Fedora Release Engineering
cc56e874e8 Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2023-01-19 22:57:59 +00:00
Dmitry Belyavskiy
c9904c7c8a Fix build against updated OpenSSL
Resolves: rhbz#2158966
2023-01-09 12:48:20 +01:00