08f9072513
- Update of the underlying OpenSSH to 6.5p1 - Update to 6.5p1 Features since 6.4p1: * ssh(1), sshd(8): support for key exchange using ECDH in Daniel Bernstein's Curve25519; default when both the client and server support it. * ssh(1), sshd(8): support for Ed25519 as a public key type fo rboth server and client. Ed25519 is an EC signature offering better security than ECDSA and DSA and good performance. * Add a new private key format that uses a bcrypt KDF to better protect keys at rest. Used unconditionally for Ed25519 keys, on demand for other key types via the -o ssh-keygen(1) option. Intended to become default in the near future. Details documented in PROTOCOL.key. * ssh(1), sshd(8): new transport cipher "chacha20-poly1305@openssh.com" combining Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC to build an authenticated encryption mode. Details documented PROTOCOL.chacha20poly1305. * ssh(1), sshd(8): refuse RSA keys from old proprietary clients and servers that use the obsolete RSA+MD5 signature scheme. It will still be possible to connect with these clients/servers but only DSA keys will be accepted, and OpenSSH will refuse connection entirely in a future release. * ssh(1), sshd(8): refuse old proprietary clients and servers that use a weaker key exchange hash calculation. * ssh(1): increase the size of the Diffie-Hellman groups requested for each symmetric key size. New values from NIST Special Publication 800-57 with the upper limit specified by OBS-URL: https://build.opensuse.org/request/show/222365 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=63
29 lines
1.1 KiB
Diff
29 lines
1.1 KiB
Diff
# identify hashed hosts in known_hosts and suggest command line for their
|
|
# removal
|
|
|
|
diff --git a/openssh-6.5p1/sshconnect.c b/openssh-6.5p1/sshconnect.c
|
|
--- a/openssh-6.5p1/sshconnect.c
|
|
+++ b/openssh-6.5p1/sshconnect.c
|
|
@@ -1067,16 +1067,21 @@ check_host_key(char *hostname, struct so
|
|
ip_found->file, ip_found->line);
|
|
}
|
|
/* The host key has changed. */
|
|
warn_changed_key(host_key);
|
|
error("Add correct host key in %.100s to get rid of this message.",
|
|
user_hostfiles[0]);
|
|
error("Offending %s key in %s:%lu", key_type(host_found->key),
|
|
host_found->file, host_found->line);
|
|
+ error("You can use following command to remove all keys for this IP:");
|
|
+ if (host_found->file)
|
|
+ error("ssh-keygen -R %s -f %s", hostname, host_found->file);
|
|
+ else
|
|
+ error("ssh-keygen -R %s", hostname);
|
|
|
|
/*
|
|
* If strict host key checking is in use, the user will have
|
|
* to edit the key manually and we can only abort.
|
|
*/
|
|
if (options.strict_host_key_checking) {
|
|
error("%s host key for %.200s has changed and you have "
|
|
"requested strict checking.", type, host);
|