6dac324cb7
- enable support for SSHv1 protocol and discourage its usage (bsc#983307) - enable DSA by default for backward compatibility and discourage its usage (bsc#983784) [openssh-7.2p2-allow_DSS_by_default.patch] - upgrade to 7.2p2 upstream package without any SUSE patches Distilled upstream log: - OpenSSH 6.7 Potentially-incompatible changes: * sshd(8): The default set of ciphers and MACs has been altered to remove unsafe algorithms. In particular, CBC ciphers and arcfour* are disabled by default. The full set of algorithms remains available if configured explicitly via the Ciphers and MACs sshd_config options. * sshd(8): Support for tcpwrappers/libwrap has been removed. * OpenSSH 6.5 and 6.6 have a bug that causes ~0.2% of connections using the curve25519-sha256@libssh.org KEX exchange method to fail when connecting with something that implements the specification correctly. OpenSSH 6.7 disables this KEX method when speaking to one of the affected versions. New Features: * ssh(1), sshd(8): Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. * ssh(1), ssh-keygen(1): Add support for SSHFP DNS records for ED25519 key types. OBS-URL: https://build.opensuse.org/request/show/407066 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=107
# HG changeset patch
# Parent 2730f36bee0d6e141d8391b414a702e1add5a853
Enable DSS authentication by default to maintain compatibility with older
versions.
bsc#983784
diff --git a/openssh-7.2p2/myproposal.h b/openssh-7.2p2/myproposal.h
|
|
--- a/openssh-7.2p2/myproposal.h
|
|
+++ b/openssh-7.2p2/myproposal.h
|
|
@@ -94,21 +94,23 @@
|
|
#define KEX_CLIENT_KEX KEX_COMMON_KEX \
|
|
"diffie-hellman-group-exchange-sha1," \
|
|
"diffie-hellman-group14-sha1"
|
|
|
|
#define KEX_DEFAULT_PK_ALG \
|
|
HOSTKEY_ECDSA_CERT_METHODS \
|
|
"ssh-ed25519-cert-v01@openssh.com," \
|
|
"ssh-rsa-cert-v01@openssh.com," \
|
|
+ "ssh-dss-cert-v01@openssh.com," \
|
|
HOSTKEY_ECDSA_METHODS \
|
|
"ssh-ed25519," \
|
|
"rsa-sha2-512," \
|
|
"rsa-sha2-256," \
|
|
- "ssh-rsa"
|
|
+ "ssh-rsa," \
|
|
+ "ssh-dss"
|
|
|
|
/* the actual algorithms */
|
|
|
|
#define KEX_SERVER_ENCRYPT \
|
|
"chacha20-poly1305@openssh.com," \
|
|
"aes128-ctr,aes192-ctr,aes256-ctr" \
|
|
AESGCM_CIPHER_MODES
|
|
|
|
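Review bot: The two `ssh-dss` entries added to KEX_DEFAULT_PK_ALG re-enable an algorithm that upstream deliberately dropped from its defaults, and nothing in the header records why, so the next rebase onto a newer upstream will carry the weakened default forward without anyone noticing. ssh-dss signatures are SHA-1 based and the protocol fixes the DSA key at 1024 bits, which is why upstream removed it and why the commit message itself says its use should be discouraged. If this macro also feeds the accepted-key-type defaults documented in the ssh_config.5 and sshd_config.5 hunks below, as the parallel man-page edits suggest, the change also re-accepts old 1024-bit DSA user keys in authorized_keys, not only DSA host keys, which is worth stating explicitly in the bug. Keeping `ssh-dss` last in the list is the right preference order; I would add one line above `#define KEX_DEFAULT_PK_ALG` so the deviation is visible in place: `/* SUSE bsc#983784: ssh-dss(-cert) re-added for compatibility only (SHA-1 signature, 1024-bit key); keep it last and drop it once old peers are gone. */`.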
diff --git a/openssh-7.2p2/ssh_config.5 b/openssh-7.2p2/ssh_config.5
|
|
--- a/openssh-7.2p2/ssh_config.5
|
|
+++ b/openssh-7.2p2/ssh_config.5
|
|
@@ -887,19 +887,19 @@ Alternately if the specified value begin
|
|
character, then the specified key types will be appended to the default set
|
|
instead of replacing them.
|
|
The default for this option is:
|
|
.Bd -literal -offset 3n
|
|
ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
|
ecdsa-sha2-nistp384-cert-v01@openssh.com,
|
|
ecdsa-sha2-nistp521-cert-v01@openssh.com,
|
|
ssh-ed25519-cert-v01@openssh.com,
|
|
-ssh-rsa-cert-v01@openssh.com,
|
|
+ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,
|
|
ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
|
|
-ssh-ed25519,ssh-rsa
|
|
+ssh-ed25519,ssh-rsa,ssh-dss
|
|
.Ed
|
|
.Pp
|
|
If hostkeys are known for the destination host then this default is modified
|
|
to prefer their algorithms.
|
|
.Pp
|
|
The list of available key types may also be obtained using the
|
|
.Fl Q
|
|
option of
|
|
@@ -1325,19 +1325,19 @@ Alternately if the specified value begin
|
|
character, then the key types after it will be appended to the default
|
|
instead of replacing it.
|
|
The default for this option is:
|
|
.Bd -literal -offset 3n
|
|
ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
|
ecdsa-sha2-nistp384-cert-v01@openssh.com,
|
|
ecdsa-sha2-nistp521-cert-v01@openssh.com,
|
|
ssh-ed25519-cert-v01@openssh.com,
|
|
-ssh-rsa-cert-v01@openssh.com,
|
|
+ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,
|
|
ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
|
|
-ssh-ed25519,ssh-rsa
|
|
+ssh-ed25519,ssh-rsa,ssh-dss
|
|
.Ed
|
|
.Pp
|
|
The
|
|
.Fl Q
|
|
option of
|
|
.Xr ssh 1
|
|
may be used to list supported key types.
|
|
.It Cm PubkeyAuthentication
|
|
diff --git a/openssh-7.2p2/sshd_config.5 b/openssh-7.2p2/sshd_config.5
|
|
--- a/openssh-7.2p2/sshd_config.5
|
|
+++ b/openssh-7.2p2/sshd_config.5
|
|
@@ -651,19 +651,19 @@ Alternately if the specified value begin
|
|
character, then the specified key types will be appended to the default set
|
|
instead of replacing them.
|
|
The default for this option is:
|
|
.Bd -literal -offset 3n
|
|
ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
|
ecdsa-sha2-nistp384-cert-v01@openssh.com,
|
|
ecdsa-sha2-nistp521-cert-v01@openssh.com,
|
|
ssh-ed25519-cert-v01@openssh.com,
|
|
-ssh-rsa-cert-v01@openssh.com,
|
|
+ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,
|
|
ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
|
|
-ssh-ed25519,ssh-rsa
|
|
+ssh-ed25519,ssh-rsa,ssh-dss
|
|
.Ed
|
|
.Pp
|
|
The
|
|
.Fl Q
|
|
option of
|
|
.Xr ssh 1
|
|
may be used to list supported key types.
|
|
.It Cm HostbasedAuthentication
|
|
@@ -743,19 +743,19 @@ environment variable.
|
|
Specifies the host key algorithms
|
|
that the server offers.
|
|
The default for this option is:
|
|
.Bd -literal -offset 3n
|
|
ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
|
ecdsa-sha2-nistp384-cert-v01@openssh.com,
|
|
ecdsa-sha2-nistp521-cert-v01@openssh.com,
|
|
ssh-ed25519-cert-v01@openssh.com,
|
|
-ssh-rsa-cert-v01@openssh.com,
|
|
+ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,
|
|
ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
|
|
-ssh-ed25519,ssh-rsa
|
|
+ssh-ed25519,ssh-rsa,ssh-dss
|
|
.Ed
|
|
.Pp
|
|
The list of available key types may also be obtained using the
|
|
.Fl Q
|
|
option of
|
|
.Xr ssh 1
|
|
with an argument of
|
|
.Dq key .
|