Dmitry Belyavskiy
eb1b5e6755
relax checks of the OpenSSL version
2023-08-01 14:18:18 +02:00
Mattias Ellert
c04e468b07
Update gssapi-keyex patch for OpenSSH 9.0+
...
userauth_gsskeyex must have the same argument as userauth_gssapi
method_gsskeyex must have the same members as method_gssapi
2023-07-26 23:28:39 +02:00
Dmitry Belyavskiy
c3494feffe
Fix remote code execution in ssh-agent PKCS#11 support
...
Resolves: CVE-2023-38408
2023-07-21 17:00:23 +02:00
Fedora Release Engineering
9fd130d8eb
Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
...
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2023-07-20 18:12:08 +00:00
Norbert Pocs
8f5b8fd2c5
Revert "pkcs11: Add support for 'serial' in PKCS#11 URI"
...
This reverts commit e39f11e77c
.
The patch has some problems (the pkcs11 downstream test is failing)
and needs more investigation
2023-06-13 14:38:59 +02:00
Norbert Pocs
c5082a3f81
Merge gssapi-keyex and gssapi-auth
...
Signed-off-by: Norbert Pocs <npocs@redhat.com>
2023-06-08 13:58:01 +02:00
Norbert Pocs
2b67ec48c2
Merge manpage crypto-policies related patches
...
Signed-off-by: Norbert Pocs <npocs@redhat.com>
2023-06-08 13:57:42 +02:00
Norbert Pocs
fb40f0afda
Merge evp related patches
...
Signed-off-by: Norbert Pocs <npocs@redhat.com>
2023-06-08 13:57:23 +02:00
Norbert Pocs
141d7b2d4a
Remove deprecated usage of %patchN
...
Signed-off-by: Norbert Pocs <npocs@redhat.com>
2023-06-08 13:56:15 +02:00
Dmitry Belyavskiy
d5fd076ab3
Updating specfile
2023-06-07 12:15:31 +02:00
Dmitry Belyavskiy
18e9f31c42
Fix DSS verification problem
...
Resolves: rhbz#2212937
2023-06-07 12:12:46 +02:00
Dmitry Belyavskiy
29083ac442
Remove unused patch
2023-06-02 18:56:58 +02:00
Dmitry Belyavskiy
f561c68bdb
Rebasing OpenSSH from 9.0 to 9.3
2023-06-02 15:38:27 +02:00
Norbert Pocs
b129d6336e
Clarify HostKeyAlgorithms option on man page
...
Clarify HostkeyAlgorithms and crypto-policies relation on the ssh_config
man page
Signed-off-by: Norbert Pocs <npocs@redhat.com>
2023-05-29 13:58:15 +02:00
Jakub Jelen
e39f11e77c
pkcs11: Add support for 'serial' in PKCS#11 URI
2023-05-25 09:29:24 +02:00
Norbert Pocs
e8e01dc82e
Fix regression in pkcs11 introduced in the previous patch
...
Signed-off-by: Norbert Pocs <npocs@redhat.com>
2023-05-25 09:27:33 +02:00
Norbert Pocs
2341f1769d
Fix minor issues with openssh-9.0p1-evp-fips-dh.patch
...
- Check return values
- Use EVP API to get the size of DH
Signed-off-by: Norbert Pocs <npocs@redhat.com>
2023-05-25 09:27:33 +02:00
Dmitry Belyavskiy
6f7c765ed4
Audit logging patch was not applied
...
Resolves: rhbz#2177471
2023-04-14 10:38:37 +02:00
Dmitry Belyavskiy
1506e0825c
If SHA1 signatures are not permitted, try to fallback to SHA2
...
SHA1 is insecure now, and is forbidden in RHEL and will be forbidden in
several crypto-policies in Fedora in some future. This patch adds
detection of SHA1 signatures availability and, if not available,
enforces fallback to SHA2.
2023-04-14 10:32:06 +02:00
Norbert Pocs
b63272d9eb
Make the sign, dh, ecdh processes FIPS compliant
...
FIPS compliancy can be stated by using only compliant crypto
functions. This is achieved by using EVP API from openssl 3.0
version. The solution uses a non-intrusive approach - instead
of rewriting everything to use EVP API it converts the data
to it at the critical places.
Signed-off-by: Norbert Pocs <npocs@redhat.com>
2023-04-13 19:12:46 +02:00
Dmitry Belyavskiy
745da74ea2
Fix self-DoS
...
Resolves: CVE-2023-25136
Remove too aggressive coverity fix causing native tests failure
2023-04-13 18:14:19 +02:00
Florian Weimer
d5591fb5ab
C99 compatiblity fixes
...
Apply upstream patches from the portable OpenSSH project to fix
C99 compatibility issues in the configure script.
For the PAM agent integration, apply a custom downstream fix,
as the proposed upstream changes have not been merged yet.
Related to:
<https://fedoraproject.org/wiki/Changes/PortingToModernC >
<https://fedoraproject.org/wiki/Toolchain/PortingToModernC >
2023-04-12 12:07:21 +02:00
Timothée Ravier
e3597c03f1
Make sshd & sshd@ units want ssh-host-keys-migration.service
...
Enabling the unit via the presets does not enable it on
Silverblue/Kinoite/Sericea & IoT as we don't re-preset all units like
it's done in Fedora CoreOS.
See: https://pagure.io/workstation-ostree-config/pull-request/246
Instead, have the sshd & sshd@ service unit `Wants` the
ssh-host-keys-migration service unit so that it's pulled-in only when
sshd is effectively enabled and in all cases.
See: https://src.fedoraproject.org/rpms/fedora-release/pull-request/253
See: https://bugzilla.redhat.com/show_bug.cgi?id=2172956
See: https://src.fedoraproject.org/rpms/fedora-release/pull-request/252
2023-03-14 17:17:24 +01:00
Zoltan Fridrich
3a98e6f607
Add sk-dummy subpackage for test purposes
...
Resolves: rhbz#2176795
Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
2023-03-13 13:22:28 +01:00
Dusty Mabe
21fd6bef5b
Make ssh-host key migration less conditional
...
If there is a case where some host keys don't have correct
permissions then they won't get migrated. Let's make the
migration script attempt migration for the rest of the keys
too.
2023-03-06 09:55:13 -05:00
Dusty Mabe
1076e61bfd
Mark /var/lib/.ssh-host-keys-migration as %ghost file
2023-03-06 09:55:13 -05:00
Dusty Mabe
08d842d5e8
Use a service unit to strip ssh_keys group from host keys (rhbz#2172956)
...
Use a systemd service unit to strip the ssh_keys group and change the
mode for host keys. This ensure that this migration is done right before
the openssh server startup on all kind of systems, either RPM or
rpm-ostree based.
Use a marker file to only do this once. We need to keep this service
unit for two Fedora releases so we will be able to remove it in Fedora
40.
See: https://fedoraproject.org/wiki/Changes/SSHKeySignSuidBit
Fixes: 7a21555
Get rid of ssh_keys group for new installations
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2172956
Co-authored-by: Timothée Ravier <tim@siosm.fr>
2023-03-03 09:56:51 -05:00
Dusty Mabe
937ee4760a
update date in changelog entry
...
This entry is out of chronological order, which means we get a
warning/error every time. I'm just updating here to the commitdate
of the commit, which puts everything back in chronological order.
2023-03-02 11:57:38 -05:00
Dmitry Belyavskiy
45028601a3
We dont install openssh.conf file
2023-01-23 16:01:47 +01:00
Dmitry Belyavskiy
7a21555354
Get rid of ssh_keys group for new installations
2023-01-23 16:01:47 +01:00
Dmitry Belyavskiy
b615362fd0
Restore upstream default host key permissions (rhbz#2141272)
2023-01-23 16:01:47 +01:00
Fedora Release Engineering
cc56e874e8
Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
...
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2023-01-19 22:57:59 +00:00
Dmitry Belyavskiy
c9904c7c8a
Fix build against updated OpenSSL
...
Resolves: rhbz#2158966
2023-01-09 12:48:20 +01:00
Norbert Pocs
ebc2a70dee
Add additional audit loggin
...
Additional information audited about the SSH key used to log in
Resolves: rhbz#2049947
Signed-off-by: Norbert Pocs <npocs@redhat.com>
2022-10-24 19:22:09 +02:00
Dmitry Belyavskiy
f79c122b0b
Check IP opts length
...
Resolves: rhbz#1960015
2022-10-21 17:53:00 +02:00
Anthony Rabbito
09b309fe0e
bump release after rebase
...
Signed-off-by: Anthony Rabbito <hello@anthonyrabbito.com>
2022-10-05 20:01:41 -04:00
Anthony Rabbito
499c2eb7ec
fix: source order
...
Signed-off-by: Anthony Rabbito <hello@anthonyrabbito.com>
2022-10-05 19:58:14 -04:00
Anthony Rabbito
11b8701db9
fix(ssh-agent): remove the socket in ExecStartPre
...
Signed-off-by: Anthony Rabbito <hello@anthonyrabbito.com>
2022-10-05 19:58:14 -04:00
Anthony Rabbito
9417892cb7
openssh-clients: create a user socket unit for ssh-agent (rhbz#2125576)
...
Signed-off-by: Anthony Rabbito <hello@anthonyrabbito.com>
2022-10-05 19:58:11 -04:00
Dmitry Belyavskiy
aa843e85ee
RSAMinSize => RequiredRSASize
2022-09-29 15:42:34 +02:00
Luca BRUNO
26c275d66e
openssh: move users/groups creation logic to sysusers.d fragments
...
See https://docs.fedoraproject.org/en-US/packaging-guidelines/UsersAndGroups/#_dynamic_allocation
2022-09-02 14:47:11 +00:00
Alexander Sosedkin
42b22d9ad2
Mark HostbasedAcceptedAlgorithms as governed by crypto-policies
2022-08-24 13:11:22 +02:00
Dmitry Belyavskiy
483723014e
Port patches from CentOS - RSAMinSize
...
Related: rhbz#2117264
2022-08-17 10:06:13 +02:00
Dmitry Belyavskiy
03150f6281
OpenSSH Rebase to 9.0p1
...
Related: rhbz#2057466
2022-08-15 09:28:25 +02:00
Dmitry Belyavskiy
9fd6981674
Add patches from CentOS/RHEL9.1
...
Related: rhbz#2117264
2022-08-10 19:58:47 +02:00
Luca BRUNO
14d7b86a50
openssh: use allocated static GID for 'ssh_keys' group (rhbz#2104595)
...
This uses the static GID 101 allocated for group `ssh_keys`.
See FPC ticket for discussion/approval.
Ref: https://pagure.io/packaging-committee/issue/1188
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2104595
2022-08-01 15:15:08 +00:00
Fedora Release Engineering
5b072577e1
Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
...
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2022-07-22 02:14:56 +00:00
Dmitry Belyavskiy
ae82569b18
Disable locale forwarding in OpenSSH
...
Resolves: rhbz#2002739
2022-04-29 11:43:53 +02:00
Cedric Staniewski
95d45cee50
Build gnome-ssh-askpass against gtk3
2022-03-02 21:59:26 +01:00
Jay W
bffeef3c12
Update openssh.spec to allow flatpak builds
2022-02-09 16:10:10 +00:00