Accepting request 866139 from home:hpjansson:branches:network

- Improve robustness of sshd init detection when upgrading from
  a pre-systemd distribution.

- Add openssh-reenable-dh-group14-sha1-default.patch, which adds
  diffie-hellman-group14-sha1 key exchange back to the default
  list (bsc#1180958). This is needed for backwards compatibility
  with older platforms.

OBS-URL: https://build.opensuse.org/request/show/866139
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=224
This commit is contained in:
Dirk Mueller 2021-01-22 23:06:22 +00:00 committed by Git OBS Bridge
parent dcc585e9d2
commit f66af91814
3 changed files with 66 additions and 5 deletions

View File

@ -0,0 +1,41 @@
diff --git a/myproposal.h b/myproposal.h
index 5312e60..83fd62d 100644
--- a/myproposal.h
+++ b/myproposal.h
@@ -33,7 +33,8 @@
"diffie-hellman-group-exchange-sha256," \
"diffie-hellman-group16-sha512," \
"diffie-hellman-group18-sha512," \
- "diffie-hellman-group14-sha256"
+ "diffie-hellman-group14-sha256," \
+ "diffie-hellman-group14-sha1"
#define KEX_CLIENT_KEX KEX_SERVER_KEX
diff --git a/ssh_config.5 b/ssh_config.5
index d5888f2..100563e 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -1170,7 +1170,8 @@ ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
diffie-hellman-group-exchange-sha256,
diffie-hellman-group16-sha512,
diffie-hellman-group18-sha512,
-diffie-hellman-group14-sha256
+diffie-hellman-group14-sha256,
+diffie-hellman-group14-sha1
.Ed
.Pp
The list of available key exchange algorithms may also be obtained using
diff --git a/sshd_config.5 b/sshd_config.5
index 0f5fe53..97364f5 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -986,7 +986,7 @@ curve25519-sha256,curve25519-sha256@libssh.org,
ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
diffie-hellman-group-exchange-sha256,
diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,
-diffie-hellman-group14-sha256
+diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
.Ed
.Pp
The list of available key exchange algorithms may also be obtained using

View File

@ -1,3 +1,17 @@
-------------------------------------------------------------------
Fri Jan 22 21:06:42 UTC 2021 - Hans Petter Jansson <hpj@suse.com>
- Improve robustness of sshd init detection when upgrading from
a pre-systemd distribution.
-------------------------------------------------------------------
Fri Jan 22 03:30:59 UTC 2021 - Hans Petter Jansson <hpj@suse.com>
- Add openssh-reenable-dh-group14-sha1-default.patch, which adds
diffie-hellman-group14-sha1 key exchange back to the default
list (bsc#1180958). This is needed for backwards compatibility
with older platforms.
------------------------------------------------------------------- -------------------------------------------------------------------
Fri Jan 22 02:54:02 UTC 2021 - Hans Petter Jansson <hpj@suse.com> Fri Jan 22 02:54:02 UTC 2021 - Hans Petter Jansson <hpj@suse.com>

View File

@ -107,6 +107,7 @@ Patch39: openssh-8.1p1-use-openssl-kdf.patch
Patch40: openssh-8.1p1-ed25519-use-openssl-rng.patch Patch40: openssh-8.1p1-ed25519-use-openssl-rng.patch
Patch41: openssh-fips-ensure-approved-moduli.patch Patch41: openssh-fips-ensure-approved-moduli.patch
Patch42: openssh-link-with-sk.patch Patch42: openssh-link-with-sk.patch
Patch43: openssh-reenable-dh-group14-sha1-default.patch
BuildRequires: audit-devel BuildRequires: audit-devel
BuildRequires: automake BuildRequires: automake
BuildRequires: groff BuildRequires: groff
@ -129,6 +130,8 @@ BuildRequires: pkgconfig(krb5)
%else %else
BuildRequires: krb5-mini-devel BuildRequires: krb5-mini-devel
%endif %endif
Requires(pre): findutils
Requires(pre): grep
%description %description
SSH (Secure Shell) is a program for logging into and executing commands SSH (Secure Shell) is a program for logging into and executing commands
@ -166,6 +169,8 @@ Summary: SSH (Secure Shell) server
Group: Productivity/Networking/SSH Group: Productivity/Networking/SSH
Requires: %{name}-common = %{version}-%{release} Requires: %{name}-common = %{version}-%{release}
Recommends: audit Recommends: audit
Requires(pre): findutils
Requires(pre): grep
Requires(pre): shadow Requires(pre): shadow
Requires(post): %fillup_prereq Requires(post): %fillup_prereq
Requires(post): permissions Requires(post): permissions
@ -350,8 +355,9 @@ mkdir -p %{_tmpenableddir} || :
if [ -x %{_bindir}/systemctl ]; then if [ -x %{_bindir}/systemctl ]; then
%{_bindir}/systemctl is-enabled sshd > %{_tmpenabledfile} || : %{_bindir}/systemctl is-enabled sshd > %{_tmpenabledfile} || :
else else
if [ x$(find %{_sysconfdir}/init.d/rc[35].d -name 'S*' -type l -exec readlink -f {} \; | grep sshd$ | uniq) \ if find %{_sysconfdir}/init.d/rc[35].d -type l -regex '.*/S[0-9]+sshd' \
== x%{_sysconfdir}/init.d/sshd ]; then echo "enabled" > %{_tmpenabledfile} || :; fi -exec readlink -f {} \; | grep '/etc/init.d/sshd$' >/dev/null 2>&1
then echo "enabled" > %{_tmpenabledfile} || :; fi
fi fi
%pre server %pre server
@ -362,14 +368,14 @@ getent passwd sshd >/dev/null || %{_sbindir}/useradd -r -g sshd -d %{_localstate
test -f /etc/pam.d/sshd.rpmsave && mv -v /etc/pam.d/sshd.rpmsave /etc/pam.d/sshd.rpmsave.old ||: test -f /etc/pam.d/sshd.rpmsave && mv -v /etc/pam.d/sshd.rpmsave /etc/pam.d/sshd.rpmsave.old ||:
%endif %endif
# See %%pre. # See %%pre.
mkdir -p %{_tmpenableddir} || : mkdir -p %{_tmpenableddir} || :
if [ -x %{_bindir}/systemctl ]; then if [ -x %{_bindir}/systemctl ]; then
%{_bindir}/systemctl is-enabled sshd > %{_tmpenabledfile} || : %{_bindir}/systemctl is-enabled sshd > %{_tmpenabledfile} || :
else else
if [ x$(find %{_sysconfdir}/init.d/rc[35].d -name 'S*' -type l -exec readlink -f {} \; | grep sshd$ | uniq) \ if find %{_sysconfdir}/init.d/rc[35].d -type l -regex '.*/S[0-9]+sshd' \
== x%{_sysconfdir}/init.d/sshd ]; then echo "enabled" > %{_tmpenabledfile} || :; fi -exec readlink -f {} \; | grep '/etc/init.d/sshd$' >/dev/null 2>&1
then echo "enabled" > %{_tmpenabledfile} || :; fi
fi fi
%service_add_pre sshd.service %service_add_pre sshd.service