Accepting request 866139 from home:hpjansson:branches:network
- Improve robustness of sshd init detection when upgrading from a pre-systemd distribution. - Add openssh-reenable-dh-group14-sha1-default.patch, which adds diffie-hellman-group14-sha1 key exchange back to the default list (bsc#1180958). This is needed for backwards compatibility with older platforms. OBS-URL: https://build.opensuse.org/request/show/866139 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=224
This commit is contained in:
parent
dcc585e9d2
commit
f66af91814
41
openssh-reenable-dh-group14-sha1-default.patch
Normal file
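--- a/openssh-reenable-dh-group14-sha1-default.patch
+++ b/openssh-reenable-dh-group14-sha1-default.patch
@@ -0,0 +1,41 @@
+diff --git a/myproposal.h b/myproposal.h
+index 5312e60..83fd62d 100644
+--- a/myproposal.h
++++ b/myproposal.h
+@@ -33,7 +33,8 @@
+"diffie-hellman-group-exchange-sha256," \
+"diffie-hellman-group16-sha512," \
+"diffie-hellman-group18-sha512," \
+- "diffie-hellman-group14-sha256"
++ "diffie-hellman-group14-sha256," \
++ "diffie-hellman-group14-sha1"
+
+#define KEX_CLIENT_KEX KEX_SERVER_KEX
+
+diff --git a/ssh_config.5 b/ssh_config.5
+index d5888f2..100563e 100644
+--- a/ssh_config.5
++++ b/ssh_config.5
+@@ -1170,7 +1170,8 @@ ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
+diffie-hellman-group-exchange-sha256,
+diffie-hellman-group16-sha512,
+diffie-hellman-group18-sha512,
+-diffie-hellman-group14-sha256
++diffie-hellman-group14-sha256,
++diffie-hellman-group14-sha1
+.Ed
+.Pp
+The list of available key exchange algorithms may also be obtained using
+diff --git a/sshd_config.5 b/sshd_config.5
+index 0f5fe53..97364f5 100644
+--- a/sshd_config.5
++++ b/sshd_config.5
+@@ -986,7 +986,7 @@ curve25519-sha256,curve25519-sha256@libssh.org,
+ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
+diffie-hellman-group-exchange-sha256,
+diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,
+-diffie-hellman-group14-sha256
++diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
+.Ed
+.Pp
+The list of available key exchange algorithms may also be obtained using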
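Review bot: The added `"diffie-hellman-group14-sha1"` entry in myproposal.h carries no comment marking it as a downstream re-addition of a method upstream dropped from its defaults, so the next rebase is likely to drop it silently or, worse, reorder it ahead of the SHA-2 methods; a one-line marker on the added line such as `/* SUSE: re-added for legacy peers (bsc#1180958); keep last */` would prevent that. Keeping it last, as done here, means ssh as a client offers it only as a fallback, but because the following `#define KEX_CLIENT_KEX KEX_SERVER_KEX` makes sshd share the list, the negotiated method on the server side follows the client's preference, so a legacy client listing it first will get SHA-1 KEX from a default sshd. If the compatibility need in the bug is only outbound connections to old servers, defining KEX_CLIENT_KEX separately would leave sshd's default free of SHA-1 — worth confirming against bsc#1180958. The two man-page hunks update the listed defaults but say nothing about opting out; a sentence noting that `KexAlgorithms -diffie-hellman-group14-sha1` removes it again would help hardened deployments. The macro whose list is edited starts above the hunk, so the full default list is not visible here.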
@ -1,3 +1,17 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Fri Jan 22 21:06:42 UTC 2021 - Hans Petter Jansson <hpj@suse.com>
|
||||||
|
|
||||||
|
- Improve robustness of sshd init detection when upgrading from
|
||||||
|
a pre-systemd distribution.
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Fri Jan 22 03:30:59 UTC 2021 - Hans Petter Jansson <hpj@suse.com>
|
||||||
|
|
||||||
|
- Add openssh-reenable-dh-group14-sha1-default.patch, which adds
|
||||||
|
diffie-hellman-group14-sha1 key exchange back to the default
|
||||||
|
list (bsc#1180958). This is needed for backwards compatibility
|
||||||
|
with older platforms.
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Fri Jan 22 02:54:02 UTC 2021 - Hans Petter Jansson <hpj@suse.com>
|
Fri Jan 22 02:54:02 UTC 2021 - Hans Petter Jansson <hpj@suse.com>
|
||||||
|
|
||||||
|
16
openssh.spec
16
openssh.spec
@ -107,6 +107,7 @@ Patch39: openssh-8.1p1-use-openssl-kdf.patch
|
|||||||
Patch40: openssh-8.1p1-ed25519-use-openssl-rng.patch
|
Patch40: openssh-8.1p1-ed25519-use-openssl-rng.patch
|
||||||
Patch41: openssh-fips-ensure-approved-moduli.patch
|
Patch41: openssh-fips-ensure-approved-moduli.patch
|
||||||
Patch42: openssh-link-with-sk.patch
|
Patch42: openssh-link-with-sk.patch
|
||||||
|
Patch43: openssh-reenable-dh-group14-sha1-default.patch
|
||||||
BuildRequires: audit-devel
|
BuildRequires: audit-devel
|
||||||
BuildRequires: automake
|
BuildRequires: automake
|
||||||
BuildRequires: groff
|
BuildRequires: groff
|
||||||
@ -129,6 +130,8 @@ BuildRequires: pkgconfig(krb5)
|
|||||||
%else
|
%else
|
||||||
BuildRequires: krb5-mini-devel
|
BuildRequires: krb5-mini-devel
|
||||||
%endif
|
%endif
|
||||||
|
Requires(pre): findutils
|
||||||
|
Requires(pre): grep
|
||||||
|
|
||||||
%description
|
%description
|
||||||
SSH (Secure Shell) is a program for logging into and executing commands
|
SSH (Secure Shell) is a program for logging into and executing commands
|
||||||
@ -166,6 +169,8 @@ Summary: SSH (Secure Shell) server
|
|||||||
Group: Productivity/Networking/SSH
|
Group: Productivity/Networking/SSH
|
||||||
Requires: %{name}-common = %{version}-%{release}
|
Requires: %{name}-common = %{version}-%{release}
|
||||||
Recommends: audit
|
Recommends: audit
|
||||||
|
Requires(pre): findutils
|
||||||
|
Requires(pre): grep
|
||||||
Requires(pre): shadow
|
Requires(pre): shadow
|
||||||
Requires(post): %fillup_prereq
|
Requires(post): %fillup_prereq
|
||||||
Requires(post): permissions
|
Requires(post): permissions
|
||||||
@ -350,8 +355,9 @@ mkdir -p %{_tmpenableddir} || :
|
|||||||
if [ -x %{_bindir}/systemctl ]; then
|
if [ -x %{_bindir}/systemctl ]; then
|
||||||
%{_bindir}/systemctl is-enabled sshd > %{_tmpenabledfile} || :
|
%{_bindir}/systemctl is-enabled sshd > %{_tmpenabledfile} || :
|
||||||
else
|
else
|
||||||
if [ x$(find %{_sysconfdir}/init.d/rc[35].d -name 'S*' -type l -exec readlink -f {} \; | grep sshd$ | uniq) \
|
if find %{_sysconfdir}/init.d/rc[35].d -type l -regex '.*/S[0-9]+sshd' \
|
||||||
== x%{_sysconfdir}/init.d/sshd ]; then echo "enabled" > %{_tmpenabledfile} || :; fi
|
-exec readlink -f {} \; | grep '/etc/init.d/sshd$' >/dev/null 2>&1
|
||||||
|
then echo "enabled" > %{_tmpenabledfile} || :; fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
%pre server
|
%pre server
|
||||||
@ -362,14 +368,14 @@ getent passwd sshd >/dev/null || %{_sbindir}/useradd -r -g sshd -d %{_localstate
|
|||||||
test -f /etc/pam.d/sshd.rpmsave && mv -v /etc/pam.d/sshd.rpmsave /etc/pam.d/sshd.rpmsave.old ||:
|
test -f /etc/pam.d/sshd.rpmsave && mv -v /etc/pam.d/sshd.rpmsave /etc/pam.d/sshd.rpmsave.old ||:
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
|
|
||||||
# See %%pre.
|
# See %%pre.
|
||||||
mkdir -p %{_tmpenableddir} || :
|
mkdir -p %{_tmpenableddir} || :
|
||||||
if [ -x %{_bindir}/systemctl ]; then
|
if [ -x %{_bindir}/systemctl ]; then
|
||||||
%{_bindir}/systemctl is-enabled sshd > %{_tmpenabledfile} || :
|
%{_bindir}/systemctl is-enabled sshd > %{_tmpenabledfile} || :
|
||||||
else
|
else
|
||||||
if [ x$(find %{_sysconfdir}/init.d/rc[35].d -name 'S*' -type l -exec readlink -f {} \; | grep sshd$ | uniq) \
|
if find %{_sysconfdir}/init.d/rc[35].d -type l -regex '.*/S[0-9]+sshd' \
|
||||||
== x%{_sysconfdir}/init.d/sshd ]; then echo "enabled" > %{_tmpenabledfile} || :; fi
|
-exec readlink -f {} \; | grep '/etc/init.d/sshd$' >/dev/null 2>&1
|
||||||
|
then echo "enabled" > %{_tmpenabledfile} || :; fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
%service_add_pre sshd.service
|
%service_add_pre sshd.service
|
||||||
|
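Review bot: The new detection greps the resolved link target against the literal `/etc/init.d/sshd$` while the search path is built from `%{_sysconfdir}/init.d/rc[35].d`; if the two ever differ the match fails silently and sshd is left disabled after the upgrade, so the pattern should use the same macro, e.g. `-exec readlink -f {} \; | grep '^%{_sysconfdir}/init.d/sshd$' >/dev/null 2>&1`. I take the three-line `if find … -regex '.*/S[0-9]+sshd' …` form to be the new side, which the added `Requires(pre): findutils` and `Requires(pre): grep` lines corroborate. The `rc[35].d` glob is unquoted, so on a host with neither directory the literal pattern reaches find and its "No such file or directory" lands in the installer output, since only grep's stderr is redirected; a `2>/dev/null` on find would keep the scriptlet quiet. The same block is pasted into both the %pre and %pre server scriptlets, so a spec macro would keep the two copies from drifting. The %pre scriptlet this hunk belongs to begins above the hunk.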