Accepting request 1155471 from home:pmonrealgonzalez:branches:network

- Add crypto-policies support [bsc#1211301] * Add patches: - openssh-9.6p1-crypto-policies.patch - openssh-9.6p1-crypto-policies-man.patch OBS-URL: https://build.opensuse.org/request/show/1155471 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=256
2024-04-04 09:11:25 +00:00 · 2024-04-04 09:11:25 +00:00 · 5252cd62e2
commit 5252cd62e2
parent b3ff99ae3c
4 changed files with 732 additions and 0 deletions
--- a/openssh-9.6p1-crypto-policies-man.patch
+++ b/openssh-9.6p1-crypto-policies-man.patch
@ -0,0 +1,648 @@
+Index: openssh-9.6p1/ssh_config.5
+===================================================================
+--- openssh-9.6p1.orig/ssh_config.5
+++ openssh-9.6p1/ssh_config.5
+@@ -403,17 +403,14 @@ A single argument of
+ causes no CNAMEs to be considered for canonicalization.
+ This is the default behaviour.
+ .It Cm CASignatureAlgorithms
+The default is handled system-wide by
+.Xr crypto-policies 7 .
+Information about defaults, how to modify the defaults and how to customize
+existing policies with sub-policies are present in manual page
+.Xr update-crypto-policies 8 .
+.Pp
+ Specifies which algorithms are allowed for signing of certificates
+ by certificate authorities (CAs).
+-The default is:
+-.Bd -literal -offset indent
+-ssh-ed25519,ecdsa-sha2-nistp256,
+-ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
+-sk-ssh-ed25519@openssh.com,
+-sk-ecdsa-sha2-nistp256@openssh.com,
+-rsa-sha2-512,rsa-sha2-256
+-.Ed
+-.Pp
+ If the specified list begins with a
+ .Sq +
+ character, then the specified algorithms will be appended to the default set
+@@ -542,20 +539,26 @@ If the option is set to
+ (the default),
+ the check will not be executed.
+ .It Cm Ciphers
+The default is handled system-wide by
+.Xr crypto-policies 7 .
+Information about defaults, how to modify the defaults and how to customize
+existing policies with sub-policies are present in manual page
+.Xr update-crypto-policies 8 .
+.Pp
+ Specifies the ciphers allowed and their order of preference.
+ Multiple ciphers must be comma-separated.
+ If the specified list begins with a
+ .Sq +
+-character, then the specified ciphers will be appended to the default set
+-instead of replacing them.
+character, then the specified ciphers will be appended to the built-in
+openssh default set instead of replacing them.
+ If the specified list begins with a
+ .Sq -
+ character, then the specified ciphers (including wildcards) will be removed
+-from the default set instead of replacing them.
+from the built-in openssh default set instead of replacing them.
+ If the specified list begins with a
+ .Sq ^
+ character, then the specified ciphers will be placed at the head of the
+-default set.
+built-in openssh default set.
+ .Pp
+ The supported ciphers are:
+ .Bd -literal -offset indent
+@@ -571,13 +574,6 @@ aes256-gcm@openssh.com
+ chacha20-poly1305@openssh.com
+ .Ed
+ .Pp
+-The default is:
+-.Bd -literal -offset indent
+-chacha20-poly1305@openssh.com,
+-aes128-ctr,aes192-ctr,aes256-ctr,
+-aes128-gcm@openssh.com,aes256-gcm@openssh.com
+-.Ed
+-.Pp
+ The list of available ciphers may also be obtained using
+ .Qq ssh -Q cipher .
+ .It Cm ClearAllForwardings
+@@ -979,6 +975,12 @@ command line will be passed untouched to
+ The default is
+ .Dq no .
+ .It Cm GSSAPIKexAlgorithms
+The default is handled system-wide by
+.Xr crypto-policies 7 .
+Information about defaults, how to modify the defaults and how to customize
+existing policies with sub-policies are present in manual page
+.Xr update-crypto-policies 8 .
+.Pp
+ The list of key exchange algorithms that are offered for GSSAPI
+ key exchange. Possible values are
+ .Bd -literal -offset 3n
+@@ -991,9 +993,8 @@ gss-nistp256-sha256-,
+ gss-curve25519-sha256-
+ .Ed
+ .Pp
+-The default is
+-.Dq gss-gex-sha1-,gss-group14-sha1- .
+ This option only applies to protocol version 2 connections using GSSAPI.
+.Pp
+ .It Cm HashKnownHosts
+ Indicates that
+ .Xr ssh 1
+@@ -1012,36 +1013,26 @@ will not be converted automatically,
+ but may be manually hashed using
+ .Xr ssh-keygen 1 .
+ .It Cm HostbasedAcceptedAlgorithms
+The default is handled system-wide by
+.Xr crypto-policies 7 .
+Information about defaults, how to modify the defaults and how to customize
+existing policies with sub-policies are present in manual page
+.Xr update-crypto-policies 8 .
+.Pp
+ Specifies the signature algorithms that will be used for hostbased
+ authentication as a comma-separated list of patterns.
+ Alternately if the specified list begins with a
+ .Sq +
+ character, then the specified signature algorithms will be appended
+-to the default set instead of replacing them.
+to the built-in openssh default set instead of replacing them.
+ If the specified list begins with a
+ .Sq -
+ character, then the specified signature algorithms (including wildcards)
+-will be removed from the default set instead of replacing them.
+will be removed from the built-in openssh default set instead of replacing them.
+ If the specified list begins with a
+ .Sq ^
+ character, then the specified signature algorithms will be placed
+-at the head of the default set.
+-The default for this option is:
+-.Bd -literal -offset 3n
+-ssh-ed25519-cert-v01@openssh.com,
+-ecdsa-sha2-nistp256-cert-v01@openssh.com,
+-ecdsa-sha2-nistp384-cert-v01@openssh.com,
+-ecdsa-sha2-nistp521-cert-v01@openssh.com,
+-sk-ssh-ed25519-cert-v01@openssh.com,
+-sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
+-rsa-sha2-512-cert-v01@openssh.com,
+-rsa-sha2-256-cert-v01@openssh.com,
+-ssh-ed25519,
+-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
+-sk-ssh-ed25519@openssh.com,
+-sk-ecdsa-sha2-nistp256@openssh.com,
+-rsa-sha2-512,rsa-sha2-256
+-.Ed
+at the head of the built-in openssh default set.
+ .Pp
+ The
+ .Fl Q
+@@ -1094,6 +1085,17 @@ to prefer their algorithms.
+ .Pp
+ The list of available signature algorithms may also be obtained using
+ .Qq ssh -Q HostKeyAlgorithms .
+.Pp
+The proposed
+.Cm HostKeyAlgorithms
+during KEX are limited to the set of algorithms that is defined in
+.Cm PubkeyAcceptedAlgorithms
+and therefore they are indirectly affected by system-wide
+.Xr crypto_policies 7 .
+.Xr crypto_policies 7 can not handle the list of host key algorithms directly
+as doing so would break the order given by the
+.Pa known_hosts
+file.
+ .It Cm HostKeyAlias
+ Specifies an alias that should be used instead of the
+ real host name when looking up or saving the host key
+@@ -1311,31 +1313,26 @@ it may be zero or more of:
+ and
+ .Cm pam .
+ .It Cm KexAlgorithms
+The default is handled system-wide by
+.Xr crypto-policies 7 .
+Information about defaults, how to modify the defaults and how to customize
+existing policies with sub-policies are present in manual page
+.Xr update-crypto-policies 8 .
+.Pp
+ Specifies the available KEX (Key Exchange) algorithms.
+ Multiple algorithms must be comma-separated.
+ If the specified list begins with a
+ .Sq +
+-character, then the specified algorithms will be appended to the default set
+-instead of replacing them.
+character, then the specified methods will be appended to the built-in
+openssh default set instead of replacing them.
+ If the specified list begins with a
+ .Sq -
+ character, then the specified algorithms (including wildcards) will be removed
+-from the default set instead of replacing them.
+from the built-in openssh default set instead of replacing them.
+ If the specified list begins with a
+ .Sq ^
+ character, then the specified algorithms will be placed at the head of the
+-default set.
+-The default is:
+-.Bd -literal -offset indent
+-sntrup761x25519-sha512@openssh.com,
+-curve25519-sha256,curve25519-sha256@libssh.org,
+-ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
+-diffie-hellman-group-exchange-sha256,
+-diffie-hellman-group16-sha512,
+-diffie-hellman-group18-sha512,
+-diffie-hellman-group14-sha256,
+-diffie-hellman-group14-sha1
+-.Ed
+built-in openssh default set.
+ .Pp
+ The list of available key exchange algorithms may also be obtained using
+ .Qq ssh -Q kex .
+@@ -1445,37 +1442,34 @@ function, and all code in the
+ file.
+ This option is intended for debugging and no overrides are enabled by default.
+ .It Cm MACs
+The default is handled system-wide by
+.Xr crypto-policies 7 .
+Information about defaults, how to modify the defaults and how to customize
+existing policies with sub-policies are present in manual page
+.Xr update-crypto-policies 8 .
+.Pp
+ Specifies the MAC (message authentication code) algorithms
+ in order of preference.
+ The MAC algorithm is used for data integrity protection.
+ Multiple algorithms must be comma-separated.
+ If the specified list begins with a
+ .Sq +
+-character, then the specified algorithms will be appended to the default set
+-instead of replacing them.
+character, then the specified algorithms will be appended to the built-in
+openssh default set instead of replacing them.
+ If the specified list begins with a
+ .Sq -
+ character, then the specified algorithms (including wildcards) will be removed
+-from the default set instead of replacing them.
+from the built-in openssh default set instead of replacing them.
+ If the specified list begins with a
+ .Sq ^
+ character, then the specified algorithms will be placed at the head of the
+-default set.
+built-in openssh default set.
+ .Pp
+ The algorithms that contain
+ .Qq -etm
+ calculate the MAC after encryption (encrypt-then-mac).
+ These are considered safer and their use recommended.
+ .Pp
+-The default is:
+-.Bd -literal -offset indent
+-umac-64-etm@openssh.com,umac-128-etm@openssh.com,
+-hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
+-hmac-sha1-etm@openssh.com,
+-umac-64@openssh.com,umac-128@openssh.com,
+-hmac-sha2-256,hmac-sha2-512,hmac-sha1
+-.Ed
+-.Pp
+ The list of available MAC algorithms may also be obtained using
+ .Qq ssh -Q mac .
+ .It Cm NoHostAuthenticationForLocalhost
+@@ -1666,39 +1660,32 @@ instead of continuing to execute and pas
+ The default is
+ .Cm no .
+ .It Cm PubkeyAcceptedAlgorithms
+The default is handled system-wide by
+.Xr crypto-policies 7 .
+Information about defaults, how to modify the defaults and how to customize
+existing policies with sub-policies are present in manual page
+.Xr update-crypto-policies 8 .
+.Pp
+ Specifies the signature algorithms that will be used for public key
+ authentication as a comma-separated list of patterns.
+ If the specified list begins with a
+ .Sq +
+-character, then the algorithms after it will be appended to the default
+-instead of replacing it.
+character, then the algorithms after it will be appended to the built-in
+openssh default instead of replacing it.
+ If the specified list begins with a
+ .Sq -
+ character, then the specified algorithms (including wildcards) will be removed
+-from the default set instead of replacing them.
+from the built-in openssh default set instead of replacing them.
+ If the specified list begins with a
+ .Sq ^
+ character, then the specified algorithms will be placed at the head of the
+-default set.
+-The default for this option is:
+-.Bd -literal -offset 3n
+-ssh-ed25519-cert-v01@openssh.com,
+-ecdsa-sha2-nistp256-cert-v01@openssh.com,
+-ecdsa-sha2-nistp384-cert-v01@openssh.com,
+-ecdsa-sha2-nistp521-cert-v01@openssh.com,
+-sk-ssh-ed25519-cert-v01@openssh.com,
+-sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
+-rsa-sha2-512-cert-v01@openssh.com,
+-rsa-sha2-256-cert-v01@openssh.com,
+-ssh-ed25519,
+-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
+-sk-ssh-ed25519@openssh.com,
+-sk-ecdsa-sha2-nistp256@openssh.com,
+-rsa-sha2-512,rsa-sha2-256
+-.Ed
+built-in openssh default set.
+ .Pp
+ The list of available signature algorithms may also be obtained using
+ .Qq ssh -Q PubkeyAcceptedAlgorithms .
+.Pp
+This option affects also
+.Cm HostKeyAlgorithms
+ .It Cm PubkeyAuthentication
+ Specifies whether to try public key authentication.
+ The argument to this keyword must be
+@@ -2395,7 +2382,9 @@ This file provides the vendor defaults a
+ configuration file does not exist.
+ .El
+ .Sh SEE ALSO
+-.Xr ssh 1
+.Xr ssh 1 ,
+.Xr crypto-policies 7 ,
+.Xr update-crypto-policies 8
+ .Sh AUTHORS
+ .An -nosplit
+ OpenSSH is a derivative of the original and free
+Index: openssh-9.6p1/sshd_config.5
+===================================================================
+--- openssh-9.6p1.orig/sshd_config.5
+++ openssh-9.6p1/sshd_config.5
+@@ -381,17 +381,14 @@ If the argument is
+ then no banner is displayed.
+ By default, no banner is displayed.
+ .It Cm CASignatureAlgorithms
+The default is handled system-wide by
+.Xr crypto-policies 7 .
+Information about defaults, how to modify the defaults and how to customize
+existing policies with sub-policies are present in manual page
+.Xr update-crypto-policies 8 .
+.Pp
+ Specifies which algorithms are allowed for signing of certificates
+ by certificate authorities (CAs).
+-The default is:
+-.Bd -literal -offset indent
+-ssh-ed25519,ecdsa-sha2-nistp256,
+-ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
+-sk-ssh-ed25519@openssh.com,
+-sk-ecdsa-sha2-nistp256@openssh.com,
+-rsa-sha2-512,rsa-sha2-256
+-.Ed
+-.Pp
+ If the specified list begins with a
+ .Sq +
+ character, then the specified algorithms will be appended to the default set
+@@ -527,20 +524,26 @@ The default is
+ indicating not to
+ .Xr chroot 2 .
+ .It Cm Ciphers
+The default is handled system-wide by
+.Xr crypto-policies 7 .
+Information about defaults, how to modify the defaults and how to customize
+existing policies with sub-policies are present in manual page
+.Xr update-crypto-policies 8 .
+.Pp
+ Specifies the ciphers allowed.
+ Multiple ciphers must be comma-separated.
+ If the specified list begins with a
+ .Sq +
+-character, then the specified ciphers will be appended to the default set
+-instead of replacing them.
+character, then the specified ciphers will be appended to the built-in
+openssh default set instead of replacing them.
+ If the specified list begins with a
+ .Sq -
+ character, then the specified ciphers (including wildcards) will be removed
+-from the default set instead of replacing them.
+from the built-in openssh default set instead of replacing them.
+ If the specified list begins with a
+ .Sq ^
+ character, then the specified ciphers will be placed at the head of the
+-default set.
+built-in openssh default set.
+ .Pp
+ The supported ciphers are:
+ .Pp
+@@ -567,13 +570,6 @@ aes256-gcm@openssh.com
+ chacha20-poly1305@openssh.com
+ .El
+ .Pp
+-The default is:
+-.Bd -literal -offset indent
+-chacha20-poly1305@openssh.com,
+-aes128-ctr,aes192-ctr,aes256-ctr,
+-aes128-gcm@openssh.com,aes256-gcm@openssh.com
+-.Ed
+-.Pp
+ The list of available ciphers may also be obtained using
+ .Qq ssh -Q cipher .
+ .It Cm ClientAliveCountMax
+@@ -764,52 +760,45 @@ For this to work
+ .Cm GSSAPIKeyExchange
+ needs to be enabled in the server and also used by the client.
+ .It Cm GSSAPIKexAlgorithms
+The default is handled system-wide by
+.Xr crypto-policies 7 .
+Information about defaults, how to modify the defaults and how to customize
+existing policies with sub-policies are present in manual page
+.Xr update-crypto-policies 8 .
+.Pp
+ The list of key exchange algorithms that are accepted by GSSAPI
+ key exchange. Possible values are
+ .Bd -literal -offset 3n
+-gss-gex-sha1-,
+-gss-group1-sha1-,
+-gss-group14-sha1-,
+-gss-group14-sha256-,
+-gss-group16-sha512-,
+-gss-nistp256-sha256-,
+gss-gex-sha1-
+gss-group1-sha1-
+gss-group14-sha1-
+gss-group14-sha256-
+gss-group16-sha512-
+gss-nistp256-sha256-
+ gss-curve25519-sha256-
+ .Ed
+-.Pp
+-The default is
+-.Dq gss-gex-sha1-,gss-group14-sha1- .
+ This option only applies to protocol version 2 connections using GSSAPI.
+ .It Cm HostbasedAcceptedAlgorithms
+The default is handled system-wide by
+.Xr crypto-policies 7 .
+Information about defaults, how to modify the defaults and how to customize
+existing policies with sub-policies are present in manual page
+.Xr update-crypto-policies 8 .
+.Pp
+ Specifies the signature algorithms that will be accepted for hostbased
+ authentication as a list of comma-separated patterns.
+ Alternately if the specified list begins with a
+ .Sq +
+ character, then the specified signature algorithms will be appended to
+-the default set instead of replacing them.
+the built-in openssh set instead of replacing them.
+ If the specified list begins with a
+ .Sq -
+ character, then the specified signature algorithms (including wildcards)
+-will be removed from the default set instead of replacing them.
+will be removed from the built-in openssh set instead of replacing them.
+ If the specified list begins with a
+ .Sq ^
+ character, then the specified signature algorithms will be placed at
+-the head of the default set.
+-The default for this option is:
+-.Bd -literal -offset 3n
+-ssh-ed25519-cert-v01@openssh.com,
+-ecdsa-sha2-nistp256-cert-v01@openssh.com,
+-ecdsa-sha2-nistp384-cert-v01@openssh.com,
+-ecdsa-sha2-nistp521-cert-v01@openssh.com,
+-sk-ssh-ed25519-cert-v01@openssh.com,
+-sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
+-rsa-sha2-512-cert-v01@openssh.com,
+-rsa-sha2-256-cert-v01@openssh.com,
+-ssh-ed25519,
+-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
+-sk-ssh-ed25519@openssh.com,
+-sk-ecdsa-sha2-nistp256@openssh.com,
+-rsa-sha2-512,rsa-sha2-256
+-.Ed
+the head of the built-in openssh default set.
+ .Pp
+ The list of available signature algorithms may also be obtained using
+ .Qq ssh -Q HostbasedAcceptedAlgorithms .
+@@ -876,25 +865,15 @@ is specified, the location of the socket
+ .Ev SSH_AUTH_SOCK
+ environment variable.
+ .It Cm HostKeyAlgorithms
+The default is handled system-wide by
+.Xr crypto-policies 7 .
+Information about defaults, how to modify the defaults and how to customize
+existing policies with sub-policies are present in manual page
+.Xr update-crypto-policies 8 .
+.Pp
+ Specifies the host key signature algorithms
+ that the server offers.
+ The default for this option is:
+-.Bd -literal -offset 3n
+-ssh-ed25519-cert-v01@openssh.com,
+-ecdsa-sha2-nistp256-cert-v01@openssh.com,
+-ecdsa-sha2-nistp384-cert-v01@openssh.com,
+-ecdsa-sha2-nistp521-cert-v01@openssh.com,
+-sk-ssh-ed25519-cert-v01@openssh.com,
+-sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
+-rsa-sha2-512-cert-v01@openssh.com,
+-rsa-sha2-256-cert-v01@openssh.com,
+-ssh-ed25519,
+-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
+-sk-ssh-ed25519@openssh.com,
+-sk-ecdsa-sha2-nistp256@openssh.com,
+-rsa-sha2-512,rsa-sha2-256
+-.Ed
+-.Pp
+ The list of available signature algorithms may also be obtained using
+ .Qq ssh -Q HostKeyAlgorithms .
+ .It Cm IgnoreRhosts
+@@ -1027,20 +1006,26 @@ file on logout.
+ The default is
+ .Cm yes .
+ .It Cm KexAlgorithms
+The default is handled system-wide by
+.Xr crypto-policies 7 .
+Information about defaults, how to modify the defaults and how to customize
+existing policies with sub-policies are present in manual page
+.Xr update-crypto-policies 8 .
+.Pp
+ Specifies the available KEX (Key Exchange) algorithms.
+ Multiple algorithms must be comma-separated.
+ Alternately if the specified list begins with a
+ .Sq +
+-character, then the specified algorithms will be appended to the default set
+-instead of replacing them.
+character, then the specified methods will be appended to the built-in
+openssh default set instead of replacing them.
+ If the specified list begins with a
+ .Sq -
+ character, then the specified algorithms (including wildcards) will be removed
+-from the default set instead of replacing them.
+from the built-in openssh default set instead of replacing them.
+ If the specified list begins with a
+ .Sq ^
+ character, then the specified algorithms will be placed at the head of the
+-default set.
+built-in openssh default set.
+ The supported algorithms are:
+ .Pp
+ .Bl -item -compact -offset indent
+@@ -1072,16 +1057,6 @@ ecdh-sha2-nistp521
+ sntrup761x25519-sha512@openssh.com
+ .El
+ .Pp
+-The default is:
+-.Bd -literal -offset indent
+-sntrup761x25519-sha512@openssh.com,
+-curve25519-sha256,curve25519-sha256@libssh.org,
+-ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
+-diffie-hellman-group-exchange-sha256,
+-diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,
+-diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
+-.Ed
+-.Pp
+ The list of available key exchange algorithms may also be obtained using
+ .Qq ssh -Q KexAlgorithms .
+ .It Cm ListenAddress
+@@ -1167,21 +1142,27 @@ function, and all code in the
+ file.
+ This option is intended for debugging and no overrides are enabled by default.
+ .It Cm MACs
+The default is handled system-wide by
+.Xr crypto-policies 7 .
+Information about defaults, how to modify the defaults and how to customize
+existing policies with sub-policies are present in manual page
+.Xr update-crypto-policies 8 .
+.Pp
+ Specifies the available MAC (message authentication code) algorithms.
+ The MAC algorithm is used for data integrity protection.
+ Multiple algorithms must be comma-separated.
+ If the specified list begins with a
+ .Sq +
+-character, then the specified algorithms will be appended to the default set
+-instead of replacing them.
+character, then the specified algorithms will be appended to the built-in
+openssh default set instead of replacing them.
+ If the specified list begins with a
+ .Sq -
+ character, then the specified algorithms (including wildcards) will be removed
+-from the default set instead of replacing them.
+from the built-in openssh default set instead of replacing them.
+ If the specified list begins with a
+ .Sq ^
+ character, then the specified algorithms will be placed at the head of the
+-default set.
+built-in openssh default set.
+ .Pp
+ The algorithms that contain
+ .Qq -etm
+@@ -1224,15 +1205,6 @@ umac-64-etm@openssh.com
+ umac-128-etm@openssh.com
+ .El
+ .Pp
+-The default is:
+-.Bd -literal -offset indent
+-umac-64-etm@openssh.com,umac-128-etm@openssh.com,
+-hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
+-hmac-sha1-etm@openssh.com,
+-umac-64@openssh.com,umac-128@openssh.com,
+-hmac-sha2-256,hmac-sha2-512,hmac-sha1
+-.Ed
+-.Pp
+ The list of available MAC algorithms may also be obtained using
+ .Qq ssh -Q mac .
+ .It Cm Match
+@@ -1614,36 +1586,26 @@ or equivalent.)
+ The default is
+ .Cm yes .
+ .It Cm PubkeyAcceptedAlgorithms
+The default is handled system-wide by
+.Xr crypto-policies 7 .
+Information about defaults, how to modify the defaults and how to customize
+existing policies with sub-policies are present in manual page
+.Xr update-crypto-policies 8 .
+.Pp
+ Specifies the signature algorithms that will be accepted for public key
+ authentication as a list of comma-separated patterns.
+ Alternately if the specified list begins with a
+ .Sq +
+-character, then the specified algorithms will be appended to the default set
+-instead of replacing them.
+character, then the specified algorithms will be appended to the built-in
+openssh default set instead of replacing them.
+ If the specified list begins with a
+ .Sq -
+ character, then the specified algorithms (including wildcards) will be removed
+-from the default set instead of replacing them.
+from the built-in openssh default set instead of replacing them.
+ If the specified list begins with a
+ .Sq ^
+ character, then the specified algorithms will be placed at the head of the
+-default set.
+-The default for this option is:
+-.Bd -literal -offset 3n
+-ssh-ed25519-cert-v01@openssh.com,
+-ecdsa-sha2-nistp256-cert-v01@openssh.com,
+-ecdsa-sha2-nistp384-cert-v01@openssh.com,
+-ecdsa-sha2-nistp521-cert-v01@openssh.com,
+-sk-ssh-ed25519-cert-v01@openssh.com,
+-sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
+-rsa-sha2-512-cert-v01@openssh.com,
+-rsa-sha2-256-cert-v01@openssh.com,
+-ssh-ed25519,
+-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
+-sk-ssh-ed25519@openssh.com,
+-sk-ecdsa-sha2-nistp256@openssh.com,
+-rsa-sha2-512,rsa-sha2-256
+-.Ed
+built-in openssh default set.
+ .Pp
+ The list of available signature algorithms may also be obtained using
+ .Qq ssh -Q PubkeyAcceptedAlgorithms .
+@@ -2122,7 +2084,9 @@ This file should be writable by root onl
+ .El
+ .Sh SEE ALSO
+ .Xr sftp-server 8 ,
+-.Xr sshd 8
+.Xr sshd 8 ,
+.Xr crypto-policies 7 ,
+.Xr update-crypto-policies 8
+ .Sh AUTHORS
+ .An -nosplit
+ OpenSSH is a derivative of the original and free
--- a/openssh-9.6p1-crypto-policies.patch
+++ b/openssh-9.6p1-crypto-policies.patch
@ -0,0 +1,58 @@
+Index: openssh-9.6p1/ssh_config
+===================================================================
+--- openssh-9.6p1.orig/ssh_config
+++ openssh-9.6p1/ssh_config
+@@ -17,6 +17,12 @@
+ # list of available options, their meanings and defaults, please see the
+ # ssh_config(5) man page.
+ 
+# This system is following system-wide crypto policies.
+# To modify the crypto properties (Ciphers, MACs, ...), create a *.conf
+# file under /etc/ssh/ssh_config.d/ which will be automatically
+# included below. For more information, see the manual pages for
+# update-crypto-policies(8) and ssh_config(5).
+
+ # To modify the system-wide ssh configuration, create a "*.conf" file under
+ # "/etc/ssh/ssh_config.d/" which will be automatically included below.
+ # Don't edit this configuration file itself if possible to avoid update
+Index: openssh-9.6p1/ssh_config_suse
+===================================================================
+--- /dev/null
+++ openssh-9.6p1/ssh_config_suse
+@@ -0,0 +1,9 @@
+# The options here are in the "Match final block" to be applied as the last
+# options and could be potentially overwritten by the user configuration
+Match final all
+	# Follow system-wide Crypto Policy, if defined:
+	Include /etc/crypto-policies/back-ends/openssh.config
+
+# Uncomment this if you want to use .local domain
+# Host *.local
+
+Index: openssh-9.6p1/sshd_config
+===================================================================
+--- openssh-9.6p1.orig/sshd_config
+++ openssh-9.6p1/sshd_config
+@@ -17,6 +17,10 @@ Include /etc/ssh/sshd_config.d/*.conf
+ # default value.
+ Include /usr/etc/ssh/sshd_config.d/*.conf
+ 
+# To modify the system-wide sshd configuration, create a  *.conf  file under
+#  /etc/ssh/sshd_config.d/  which will be automatically included below
+Include /etc/ssh/sshd_config.d/*.conf
+
+ #Port 22
+ #AddressFamily any
+ #ListenAddress 0.0.0.0
+Index: openssh-9.6p1/sshd_config_suse_cp
+===================================================================
+--- /dev/null
+++ openssh-9.6p1/sshd_config_suse_cp
+@@ -0,0 +1,7 @@
+# This system is following system-wide crypto policy. The changes to
+# crypto properties (Ciphers, MACs, ...) will not have any effect in
+# this or following included files. To override some configuration option,
+# write it before this block or include it before this file.
+# Please, see manual pages for update-crypto-policies(8) and sshd_config(5).
+Include /etc/crypto-policies/back-ends/opensshserver.config
+
--- a/openssh.changes
+++ b/openssh.changes
@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Mon Mar  4 09:57:06 UTC 2024 - Pedro Monreal <pmonreal@suse.com>
+
+- Add crypto-policies support [bsc#1211301]
+  * Add patches:
+    - openssh-9.6p1-crypto-policies.patch
+    - openssh-9.6p1-crypto-policies-man.patch
+
 -------------------------------------------------------------------
 Sun Feb 25 18:26:23 UTC 2024 - Hans Petter Jansson <hpj@suse.com>

--- a/openssh.spec
+++ b/openssh.spec
@ -122,6 +122,9 @@ Patch103:       openssh-6.6p1-privsep-selinux.patch
 Patch104:       openssh-6.6p1-keycat.patch
 Patch105:       openssh-6.6.1p1-selinux-contexts.patch
 Patch106:       openssh-7.6p1-cleanup-selinux.patch
+# PATCH-FIX-OPENSUSE bsc#1211301 Add crypto-policies support
+Patch107:       openssh-9.6p1-crypto-policies.patch
+Patch108:       openssh-9.6p1-crypto-policies-man.patch
 BuildRequires:  audit-devel
 BuildRequires:  automake
 BuildRequires:  groff
@ -209,6 +212,7 @@ securely connect to your server.
 %package server-config-rootlogin
 Summary:        Config to permit root logins to sshd
 Group:          Productivity/Networking/SSH
+Requires:       crypto-policies >= 20220824
 Requires:       %{name}-server = %{version}-%{release}

 %description server-config-rootlogin
@ -220,6 +224,7 @@ ssh-copy-id(1).
 %package clients
 Summary:        SSH (Secure Shell) client applications
 Group:          Productivity/Networking/SSH
+Requires:       crypto-policies >= 20220824
 Requires:       %{name}-common = %{version}-%{release}
 Provides:       openssh:%{_bindir}/ssh

@ -371,6 +376,13 @@ mv %{buildroot}%{_sysconfdir}/ssh/sshd_config %{buildroot}%{_distconfdir}/ssh/
 mv %{buildroot}%{_sysconfdir}/ssh/sshd_config.d/50-permit-root-login.conf %{buildroot}%{_distconfdir}/ssh/sshd_config.d/50-permit-root-login.conf
 %endif

+install -m 644 ssh_config_suse %{buildroot}%{_sysconfdir}/ssh/ssh_config.d/50-suse.conf
+%if %{defined _distconfdir}
+install -m 644 sshd_config_suse_cp %{buildroot}%{_distconfdir}/ssh/sshd_config.d/40-suse-crypto-policies.conf
+%else
+install -m 644 sshd_config_suse_cp %{buildroot}%{_sysconfdir}/ssh/sshd_config.d/40-suse-crypto-policies.conf
+%endif
+
 %if 0%{?suse_version} < 1550
 # install firewall definitions
 mkdir -p %{buildroot}%{_fwdefdir}
@ -494,6 +506,11 @@ test -f /etc/ssh/ssh_config.rpmsave && mv -v /etc/ssh/ssh_config.rpmsave /etc/ss
 %attr(0640,root,root) %{_sysconfdir}/ssh/sshd_config
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pam.d/sshd
 %endif
+%if %{defined _distconfdir}
+%attr(0600,root,root) %config(noreplace) %{_distconfdir}/ssh/sshd_config.d/40-suse-crypto-policies.conf
+%else
+%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config.d/40-suse-crypto-policies.conf
+%endif
 %attr(0644,root,root) %{_unitdir}/sshd.service
 %attr(0644,root,root) %{_sysusersdir}/sshd.conf
 %attr(0444,root,root) %{_mandir}/man5/sshd_config*
@ -520,6 +537,7 @@ test -f /etc/ssh/ssh_config.rpmsave && mv -v /etc/ssh/ssh_config.rpmsave /etc/ss

 %files clients
 %dir %attr(0755,root,root) %{_sysconfdir}/ssh/ssh_config.d
+%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config.d/50-suse.conf
 %if %{defined _distconfdir}
 %attr(0644,root,root) %{_distconfdir}/ssh/ssh_config
 %else