d83100ae13
- upgrade to 7.6p1
see main package changelog for details
- Update to vanilla 7.6p1
Most important changes (more details below):
* complete removal of the ancient SSHv1 protocol
* sshd(8) cannot run without privilege separation
* removal of suport for arcfourm blowfish and CAST ciphers
and RIPE-MD160 HMAC
* refuse RSA keys shorter than 1024 bits
Distilled upstream log:
- OpenSSH 7.3
---- Security
* sshd(8): Mitigate a potential denial-of-service attack
against the system's crypt(3) function via sshd(8). An
attacker could send very long passwords that would cause
excessive CPU use in crypt(3). sshd(8) now refuses to accept
password authentication requests of length greater than 1024
characters. Independently reported by Tomas Kuthan (Oracle),
Andres Rojas and Javier Nieto.
* sshd(8): Mitigate timing differences in password
authentication that could be used to discern valid from
invalid account names when long passwords were sent and
particular password hashing algorithms are in use on the
server. CVE-2016-6210, reported by EddieEzra.Harari at
verint.com
* ssh(1), sshd(8): Fix observable timing weakness in the CBC
padding oracle countermeasures. Reported by Jean Paul
Degabriele, Kenny Paterson, Torben Hansen and Martin
Albrecht. Note that CBC ciphers are disabled by default and
OBS-URL: https://build.opensuse.org/request/show/539322
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=122
697 lines
25 KiB
Diff
697 lines
25 KiB
Diff
# HG changeset patch
|
|
# Parent a5b0f249f564de9c9efd023c6430f607d9861acd
|
|
|
|
Raise minimal size of DH group parameters to 2048 bits like upstream did in
|
|
7.2. 1024b values are believed to be in breaking range for state adversaries
|
|
and the default moduli shipped with openssh have been around long enough to
|
|
make it more likely for them to be broken.
|
|
|
|
Also provide an option that allows the client to accept shorter (RFC4419
|
|
compliant) parameters.
|
|
|
|
CVE-2015-4000 (LOGJAM)
|
|
bsc#932483
|
|
|
|
diff --git a/openssh-7.6p1/dh.c b/openssh-7.6p1/dh.c
|
|
--- a/openssh-7.6p1/dh.c
|
|
+++ b/openssh-7.6p1/dh.c
|
|
@@ -37,16 +37,18 @@
|
|
#include <limits.h>
|
|
|
|
#include "dh.h"
|
|
#include "pathnames.h"
|
|
#include "log.h"
|
|
#include "misc.h"
|
|
#include "ssherr.h"
|
|
|
|
+int dh_grp_min = DH_GRP_MIN;
|
|
+
|
|
static int
|
|
parse_prime(int linenum, char *line, struct dhgroup *dhg)
|
|
{
|
|
char *cp, *arg;
|
|
char *strsize, *gen, *prime;
|
|
const char *errstr = NULL;
|
|
long long n;
|
|
|
|
diff --git a/openssh-7.6p1/dh.h b/openssh-7.6p1/dh.h
|
|
--- a/openssh-7.6p1/dh.h
|
|
+++ b/openssh-7.6p1/dh.h
|
|
@@ -45,16 +45,17 @@ int dh_gen_key(DH *, int);
|
|
int dh_pub_is_valid(DH *, BIGNUM *);
|
|
|
|
u_int dh_estimate(int);
|
|
|
|
/*
|
|
* Max value from RFC4419.
|
|
* Miniumum increased in light of DH precomputation attacks.
|
|
*/
|
|
+#define DH_GRP_MIN_RFC 1024
|
|
#define DH_GRP_MIN 2048
|
|
#define DH_GRP_MAX 8192
|
|
|
|
/*
|
|
* Values for "type" field of moduli(5)
|
|
* Specifies the internal structure of the prime modulus.
|
|
*/
|
|
#define MODULI_TYPE_UNKNOWN (0)
|
|
diff --git a/openssh-7.6p1/kexgexc.c b/openssh-7.6p1/kexgexc.c
|
|
--- a/openssh-7.6p1/kexgexc.c
|
|
+++ b/openssh-7.6p1/kexgexc.c
|
|
@@ -46,29 +46,32 @@
|
|
#include "dh.h"
|
|
#include "ssh2.h"
|
|
#include "compat.h"
|
|
#include "dispatch.h"
|
|
#include "ssherr.h"
|
|
#include "sshbuf.h"
|
|
#include "misc.h"
|
|
|
|
+/* import from dh.c */
|
|
+extern int dh_grp_min;
|
|
+
|
|
static int input_kex_dh_gex_group(int, u_int32_t, struct ssh *);
|
|
static int input_kex_dh_gex_reply(int, u_int32_t, struct ssh *);
|
|
|
|
int
|
|
kexgex_client(struct ssh *ssh)
|
|
{
|
|
struct kex *kex = ssh->kex;
|
|
int r;
|
|
u_int nbits;
|
|
|
|
nbits = dh_estimate(kex->dh_need * 8);
|
|
|
|
- kex->min = DH_GRP_MIN;
|
|
+ kex->min = dh_grp_min;
|
|
kex->max = DH_GRP_MAX;
|
|
kex->nbits = nbits;
|
|
if (datafellows & SSH_BUG_DHGEX_LARGE)
|
|
kex->nbits = MINIMUM(kex->nbits, 4096);
|
|
/* New GEX request */
|
|
if ((r = sshpkt_start(ssh, SSH2_MSG_KEX_DH_GEX_REQUEST)) != 0 ||
|
|
(r = sshpkt_put_u32(ssh, kex->min)) != 0 ||
|
|
(r = sshpkt_put_u32(ssh, kex->nbits)) != 0 ||
|
|
@@ -103,16 +106,22 @@ input_kex_dh_gex_group(int type, u_int32
|
|
goto out;
|
|
}
|
|
if ((r = sshpkt_get_bignum2(ssh, p)) != 0 ||
|
|
(r = sshpkt_get_bignum2(ssh, g)) != 0 ||
|
|
(r = sshpkt_get_end(ssh)) != 0)
|
|
goto out;
|
|
if ((bits = BN_num_bits(p)) < 0 ||
|
|
(u_int)bits < kex->min || (u_int)bits > kex->max) {
|
|
+ if ((u_int)bits < kex->min && (u_int)bits >= DH_GRP_MIN_RFC)
|
|
+ logit("DH parameter offered by the server (%d bits) "
|
|
+ "is considered insecure. "
|
|
+ "You can lower the accepted the minimum "
|
|
+ "via the KexDHMin option.",
|
|
+ bits);
|
|
r = SSH_ERR_DH_GEX_OUT_OF_RANGE;
|
|
goto out;
|
|
}
|
|
if ((kex->dh = dh_new_group(g, p)) == NULL) {
|
|
r = SSH_ERR_ALLOC_FAIL;
|
|
goto out;
|
|
}
|
|
p = g = NULL; /* belong to kex->dh now */
|
|
diff --git a/openssh-7.6p1/kexgexs.c b/openssh-7.6p1/kexgexs.c
|
|
--- a/openssh-7.6p1/kexgexs.c
|
|
+++ b/openssh-7.6p1/kexgexs.c
|
|
@@ -49,16 +49,19 @@
|
|
#include "ssh-gss.h"
|
|
#endif
|
|
#include "monitor_wrap.h"
|
|
#include "dispatch.h"
|
|
#include "ssherr.h"
|
|
#include "sshbuf.h"
|
|
#include "misc.h"
|
|
|
|
+/* import from dh.c */
|
|
+extern int dh_grp_min;
|
|
+
|
|
static int input_kex_dh_gex_request(int, u_int32_t, struct ssh *);
|
|
static int input_kex_dh_gex_init(int, u_int32_t, struct ssh *);
|
|
|
|
int
|
|
kexgex_server(struct ssh *ssh)
|
|
{
|
|
ssh_dispatch_set(ssh, SSH2_MSG_KEX_DH_GEX_REQUEST,
|
|
&input_kex_dh_gex_request);
|
|
@@ -77,23 +80,29 @@ input_kex_dh_gex_request(int type, u_int
|
|
if ((r = sshpkt_get_u32(ssh, &min)) != 0 ||
|
|
(r = sshpkt_get_u32(ssh, &nbits)) != 0 ||
|
|
(r = sshpkt_get_u32(ssh, &max)) != 0 ||
|
|
(r = sshpkt_get_end(ssh)) != 0)
|
|
goto out;
|
|
kex->nbits = nbits;
|
|
kex->min = min;
|
|
kex->max = max;
|
|
- min = MAXIMUM(DH_GRP_MIN, min);
|
|
+ min = MAXIMUM(dh_grp_min, min);
|
|
max = MINIMUM(DH_GRP_MAX, max);
|
|
- nbits = MAXIMUM(DH_GRP_MIN, nbits);
|
|
+ nbits = MAXIMUM(dh_grp_min, nbits);
|
|
nbits = MINIMUM(DH_GRP_MAX, nbits);
|
|
|
|
if (kex->max < kex->min || kex->nbits < kex->min ||
|
|
kex->max < kex->nbits || kex->max < DH_GRP_MIN) {
|
|
+ if (kex->nbits < kex->min && kex->nbits >= DH_GRP_MIN_RFC)
|
|
+ logit("DH parameter requested by the client (%d bits) "
|
|
+ "is considered insecure. "
|
|
+ "You can lower the accepted minimum "
|
|
+ "via the KexDHMin option.",
|
|
+ kex->nbits);
|
|
r = SSH_ERR_DH_GEX_OUT_OF_RANGE;
|
|
goto out;
|
|
}
|
|
|
|
/* Contact privileged parent */
|
|
kex->dh = PRIVSEP(choose_dh(min, nbits, max));
|
|
if (kex->dh == NULL) {
|
|
sshpkt_disconnect(ssh, "no matching DH grp found");
|
|
diff --git a/openssh-7.6p1/readconf.c b/openssh-7.6p1/readconf.c
|
|
--- a/openssh-7.6p1/readconf.c
|
|
+++ b/openssh-7.6p1/readconf.c
|
|
@@ -61,16 +61,17 @@
|
|
#include "misc.h"
|
|
#include "readconf.h"
|
|
#include "match.h"
|
|
#include "kex.h"
|
|
#include "mac.h"
|
|
#include "uidswap.h"
|
|
#include "myproposal.h"
|
|
#include "digest.h"
|
|
+#include "dh.h"
|
|
|
|
/* Format of the configuration file:
|
|
|
|
# Configuration data is parsed as follows:
|
|
# 1. command line options
|
|
# 2. user-specific file
|
|
# 3. system-wide file
|
|
# Any configuration value is only changed the first time it is set.
|
|
@@ -161,17 +162,18 @@ typedef enum {
|
|
oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
|
|
oAddressFamily, oGssAuthentication, oGssDelegateCreds,
|
|
oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
|
|
oSendEnv, oControlPath, oControlMaster, oControlPersist,
|
|
oHashKnownHosts,
|
|
oTunnel, oTunnelDevice,
|
|
oLocalCommand, oPermitLocalCommand, oRemoteCommand,
|
|
oVisualHostKey,
|
|
- oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
|
|
+ oKexAlgorithms, oKexDHMin,
|
|
+ oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
|
|
oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
|
|
oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs,
|
|
oStreamLocalBindMask, oStreamLocalBindUnlink, oRevokedHostKeys,
|
|
oFingerprintHash, oUpdateHostkeys, oHostbasedKeyTypes,
|
|
oPubkeyAcceptedKeyTypes, oProxyJump,
|
|
oIgnore, oIgnoredUnknownOption, oDeprecated, oUnsupported
|
|
} OpCodes;
|
|
|
|
@@ -283,16 +285,17 @@ static struct {
|
|
{ "include", oInclude },
|
|
{ "tunnel", oTunnel },
|
|
{ "tunneldevice", oTunnelDevice },
|
|
{ "localcommand", oLocalCommand },
|
|
{ "permitlocalcommand", oPermitLocalCommand },
|
|
{ "remotecommand", oRemoteCommand },
|
|
{ "visualhostkey", oVisualHostKey },
|
|
{ "kexalgorithms", oKexAlgorithms },
|
|
+ { "kexdhmin", oKexDHMin },
|
|
{ "ipqos", oIPQoS },
|
|
{ "requesttty", oRequestTTY },
|
|
{ "proxyusefdpass", oProxyUseFdpass },
|
|
{ "canonicaldomains", oCanonicalDomains },
|
|
{ "canonicalizefallbacklocal", oCanonicalizeFallbackLocal },
|
|
{ "canonicalizehostname", oCanonicalizeHostname },
|
|
{ "canonicalizemaxdots", oCanonicalizeMaxDots },
|
|
{ "canonicalizepermittedcnames", oCanonicalizePermittedCNAMEs },
|
|
@@ -304,16 +307,19 @@ static struct {
|
|
{ "hostbasedkeytypes", oHostbasedKeyTypes },
|
|
{ "pubkeyacceptedkeytypes", oPubkeyAcceptedKeyTypes },
|
|
{ "ignoreunknown", oIgnoreUnknown },
|
|
{ "proxyjump", oProxyJump },
|
|
|
|
{ NULL, oBadOption }
|
|
};
|
|
|
|
+/* import from dh.c */
|
|
+extern int dh_grp_min;
|
|
+
|
|
/*
|
|
* Adds a local TCP/IP port forward to options. Never returns if there is an
|
|
* error.
|
|
*/
|
|
|
|
void
|
|
add_local_forward(Options *options, const struct Forward *newfwd)
|
|
{
|
|
@@ -1206,16 +1212,20 @@ parse_int:
|
|
if (*arg != '-' &&
|
|
!kex_names_valid(*arg == '+' ? arg + 1 : arg))
|
|
fatal("%.200s line %d: Bad SSH2 KexAlgorithms '%s'.",
|
|
filename, linenum, arg ? arg : "<NONE>");
|
|
if (*activep && options->kex_algorithms == NULL)
|
|
options->kex_algorithms = xstrdup(arg);
|
|
break;
|
|
|
|
+ case oKexDHMin:
|
|
+ intptr = &options->kex_dhmin;
|
|
+ goto parse_int;
|
|
+
|
|
case oHostKeyAlgorithms:
|
|
charptr = &options->hostkeyalgorithms;
|
|
parse_keytypes:
|
|
arg = strdelim(&s);
|
|
if (!arg || *arg == '\0')
|
|
fatal("%.200s line %d: Missing argument.",
|
|
filename, linenum);
|
|
if (*arg != '-' &&
|
|
@@ -1803,16 +1813,17 @@ initialize_options(Options * options)
|
|
options->port = -1;
|
|
options->address_family = -1;
|
|
options->connection_attempts = -1;
|
|
options->connection_timeout = -1;
|
|
options->number_of_password_prompts = -1;
|
|
options->ciphers = NULL;
|
|
options->macs = NULL;
|
|
options->kex_algorithms = NULL;
|
|
+ options->kex_dhmin = -1;
|
|
options->hostkeyalgorithms = NULL;
|
|
options->num_identity_files = 0;
|
|
options->num_certificate_files = 0;
|
|
options->hostname = NULL;
|
|
options->host_key_alias = NULL;
|
|
options->proxy_command = NULL;
|
|
options->jump_user = NULL;
|
|
options->jump_host = NULL;
|
|
@@ -1951,16 +1962,23 @@ fill_default_options(Options * options)
|
|
if (options->port == -1)
|
|
options->port = 0; /* Filled in ssh_connect. */
|
|
if (options->address_family == -1)
|
|
options->address_family = AF_UNSPEC;
|
|
if (options->connection_attempts == -1)
|
|
options->connection_attempts = 1;
|
|
if (options->number_of_password_prompts == -1)
|
|
options->number_of_password_prompts = 3;
|
|
+ if (options->kex_dhmin == -1)
|
|
+ options->kex_dhmin = DH_GRP_MIN_RFC;
|
|
+ else {
|
|
+ options->kex_dhmin = MAXIMUM(options->kex_dhmin, DH_GRP_MIN_RFC);
|
|
+ options->kex_dhmin = MINIMUM(options->kex_dhmin, DH_GRP_MAX);
|
|
+ }
|
|
+ dh_grp_min = options->kex_dhmin;
|
|
/* options->hostkeyalgorithms, default set in myproposals.h */
|
|
if (options->add_keys_to_agent == -1)
|
|
options->add_keys_to_agent = 0;
|
|
if (options->num_identity_files == 0) {
|
|
add_identity_file(options, "~/", _PATH_SSH_CLIENT_ID_RSA, 0);
|
|
add_identity_file(options, "~/", _PATH_SSH_CLIENT_ID_DSA, 0);
|
|
#ifdef OPENSSL_HAS_ECC
|
|
add_identity_file(options, "~/", _PATH_SSH_CLIENT_ID_ECDSA, 0);
|
|
diff --git a/openssh-7.6p1/readconf.h b/openssh-7.6p1/readconf.h
|
|
--- a/openssh-7.6p1/readconf.h
|
|
+++ b/openssh-7.6p1/readconf.h
|
|
@@ -64,16 +64,17 @@ typedef struct {
|
|
int connection_timeout; /* Max time (seconds) before
|
|
* aborting connection attempt */
|
|
int number_of_password_prompts; /* Max number of password
|
|
* prompts. */
|
|
char *ciphers; /* SSH2 ciphers in order of preference. */
|
|
char *macs; /* SSH2 macs in order of preference. */
|
|
char *hostkeyalgorithms; /* SSH2 server key types in order of preference. */
|
|
char *kex_algorithms; /* SSH2 kex methods in order of preference. */
|
|
+ int kex_dhmin; /* minimum bit length of the DH group parameter */
|
|
char *hostname; /* Real host to connect. */
|
|
char *host_key_alias; /* hostname alias for .ssh/known_hosts */
|
|
char *proxy_command; /* Proxy command for connecting the host. */
|
|
char *user; /* User to log in as. */
|
|
int escape_char; /* Escape character; -2 = none */
|
|
|
|
u_int num_system_hostfiles; /* Paths for /etc/ssh/ssh_known_hosts */
|
|
char *system_hostfiles[SSH_MAX_HOSTS_FILES];
|
|
diff --git a/openssh-7.6p1/servconf.c b/openssh-7.6p1/servconf.c
|
|
--- a/openssh-7.6p1/servconf.c
|
|
+++ b/openssh-7.6p1/servconf.c
|
|
@@ -52,16 +52,20 @@
|
|
#include "channels.h"
|
|
#include "groupaccess.h"
|
|
#include "canohost.h"
|
|
#include "packet.h"
|
|
#include "hostfile.h"
|
|
#include "auth.h"
|
|
#include "myproposal.h"
|
|
#include "digest.h"
|
|
+#include "dh.h"
|
|
+
|
|
+/* import from dh.c */
|
|
+extern int dh_grp_min;
|
|
|
|
static void add_listen_addr(ServerOptions *, char *, int);
|
|
static void add_one_listen_addr(ServerOptions *, char *, int);
|
|
|
|
/* Use of privilege separation or not */
|
|
extern int use_privsep;
|
|
extern Buffer cfg;
|
|
|
|
@@ -129,16 +133,17 @@ initialize_server_options(ServerOptions
|
|
options->allow_agent_forwarding = -1;
|
|
options->num_allow_users = 0;
|
|
options->num_deny_users = 0;
|
|
options->num_allow_groups = 0;
|
|
options->num_deny_groups = 0;
|
|
options->ciphers = NULL;
|
|
options->macs = NULL;
|
|
options->kex_algorithms = NULL;
|
|
+ options->kex_dhmin = -1;
|
|
options->fwd_opts.gateway_ports = -1;
|
|
options->fwd_opts.streamlocal_bind_mask = (mode_t)-1;
|
|
options->fwd_opts.streamlocal_bind_unlink = -1;
|
|
options->num_subsystems = 0;
|
|
options->max_startups_begin = -1;
|
|
options->max_startups_rate = -1;
|
|
options->max_startups = -1;
|
|
options->max_authtries = -1;
|
|
@@ -195,16 +200,24 @@ fill_default_server_options(ServerOption
|
|
int i;
|
|
|
|
/* Portable-specific options */
|
|
if (options->use_pam == -1)
|
|
options->use_pam = 0;
|
|
if (options->use_pam_check_locks == -1)
|
|
options->use_pam_check_locks = 0;
|
|
|
|
+ if (options->kex_dhmin == -1)
|
|
+ options->kex_dhmin = DH_GRP_MIN_RFC;
|
|
+ else {
|
|
+ options->kex_dhmin = MAXIMUM(options->kex_dhmin, DH_GRP_MIN_RFC);
|
|
+ options->kex_dhmin = MINIMUM(options->kex_dhmin, DH_GRP_MAX);
|
|
+ }
|
|
+ dh_grp_min = options->kex_dhmin;
|
|
+
|
|
/* Standard Options */
|
|
if (options->num_host_key_files == 0) {
|
|
/* fill default hostkeys for protocols */
|
|
options->host_key_files[options->num_host_key_files++] =
|
|
_PATH_HOST_RSA_KEY_FILE;
|
|
options->host_key_files[options->num_host_key_files++] =
|
|
_PATH_HOST_DSA_KEY_FILE;
|
|
#ifdef OPENSSL_HAS_ECC
|
|
@@ -414,17 +427,18 @@ typedef enum {
|
|
sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
|
|
sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
|
|
sAcceptEnv, sPermitTunnel,
|
|
sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
|
|
sUsePrivilegeSeparation, sAllowAgentForwarding,
|
|
sHostCertificate,
|
|
sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
|
|
sAuthorizedPrincipalsCommand, sAuthorizedPrincipalsCommandUser,
|
|
- sKexAlgorithms, sIPQoS, sVersionAddendum,
|
|
+ sKexAlgorithms, sKexDHMin,
|
|
+ sIPQoS, sVersionAddendum,
|
|
sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
|
|
sAuthenticationMethods, sHostKeyAgent, sPermitUserRC,
|
|
sStreamLocalBindMask, sStreamLocalBindUnlink,
|
|
sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding,
|
|
sExposeAuthInfo,
|
|
sDeprecated, sIgnore, sUnsupported
|
|
} ServerOpCodes;
|
|
|
|
@@ -553,16 +567,17 @@ static struct {
|
|
{ "permitopen", sPermitOpen, SSHCFG_ALL },
|
|
{ "forcecommand", sForceCommand, SSHCFG_ALL },
|
|
{ "chrootdirectory", sChrootDirectory, SSHCFG_ALL },
|
|
{ "hostcertificate", sHostCertificate, SSHCFG_GLOBAL },
|
|
{ "revokedkeys", sRevokedKeys, SSHCFG_ALL },
|
|
{ "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
|
|
{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
|
|
{ "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
|
|
+ { "kexdhmin", sKexDHMin },
|
|
{ "ipqos", sIPQoS, SSHCFG_ALL },
|
|
{ "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL },
|
|
{ "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL },
|
|
{ "authorizedprincipalscommand", sAuthorizedPrincipalsCommand, SSHCFG_ALL },
|
|
{ "authorizedprincipalscommanduser", sAuthorizedPrincipalsCommandUser, SSHCFG_ALL },
|
|
{ "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL },
|
|
{ "authenticationmethods", sAuthenticationMethods, SSHCFG_ALL },
|
|
{ "streamlocalbindmask", sStreamLocalBindMask, SSHCFG_ALL },
|
|
@@ -1502,16 +1517,20 @@ process_server_config_line(ServerOptions
|
|
if (*arg != '-' &&
|
|
!kex_names_valid(*arg == '+' ? arg + 1 : arg))
|
|
fatal("%s line %d: Bad SSH2 KexAlgorithms '%s'.",
|
|
filename, linenum, arg ? arg : "<NONE>");
|
|
if (options->kex_algorithms == NULL)
|
|
options->kex_algorithms = xstrdup(arg);
|
|
break;
|
|
|
|
+ case sKexDHMin:
|
|
+ intptr = &options->kex_dhmin;
|
|
+ goto parse_int;
|
|
+
|
|
case sSubsystem:
|
|
if (options->num_subsystems >= MAX_SUBSYSTEMS) {
|
|
fatal("%s line %d: too many subsystems defined.",
|
|
filename, linenum);
|
|
}
|
|
arg = strdelim(&cp);
|
|
if (!arg || *arg == '\0')
|
|
fatal("%s line %d: Missing subsystem name.",
|
|
@@ -2285,16 +2304,17 @@ dump_config(ServerOptions *o)
|
|
#endif
|
|
dump_cfg_int(sLoginGraceTime, o->login_grace_time);
|
|
dump_cfg_int(sX11DisplayOffset, o->x11_display_offset);
|
|
dump_cfg_int(sMaxAuthTries, o->max_authtries);
|
|
dump_cfg_int(sMaxSessions, o->max_sessions);
|
|
dump_cfg_int(sClientAliveInterval, o->client_alive_interval);
|
|
dump_cfg_int(sClientAliveCountMax, o->client_alive_count_max);
|
|
dump_cfg_oct(sStreamLocalBindMask, o->fwd_opts.streamlocal_bind_mask);
|
|
+ dump_cfg_int(sKexDHMin, o->kex_dhmin);
|
|
|
|
/* formatted integer arguments */
|
|
dump_cfg_fmtint(sPermitRootLogin, o->permit_root_login);
|
|
dump_cfg_fmtint(sIgnoreRhosts, o->ignore_rhosts);
|
|
dump_cfg_fmtint(sIgnoreUserKnownHosts, o->ignore_user_known_hosts);
|
|
dump_cfg_fmtint(sHostbasedAuthentication, o->hostbased_authentication);
|
|
dump_cfg_fmtint(sHostbasedUsesNameFromPacketOnly,
|
|
o->hostbased_uses_name_from_packet_only);
|
|
diff --git a/openssh-7.6p1/servconf.h b/openssh-7.6p1/servconf.h
|
|
--- a/openssh-7.6p1/servconf.h
|
|
+++ b/openssh-7.6p1/servconf.h
|
|
@@ -93,16 +93,17 @@ typedef struct {
|
|
int permit_user_rc; /* If false, deny ~/.ssh/rc execution */
|
|
int strict_modes; /* If true, require string home dir modes. */
|
|
int tcp_keep_alive; /* If true, set SO_KEEPALIVE. */
|
|
int ip_qos_interactive; /* IP ToS/DSCP/class for interactive */
|
|
int ip_qos_bulk; /* IP ToS/DSCP/class for bulk traffic */
|
|
char *ciphers; /* Supported SSH2 ciphers. */
|
|
char *macs; /* Supported SSH2 macs. */
|
|
char *kex_algorithms; /* SSH2 kex methods in order of preference. */
|
|
+ int kex_dhmin; /* minimum bit length of the DH group parameter */
|
|
struct ForwardOptions fwd_opts; /* forwarding options */
|
|
SyslogFacility log_facility; /* Facility for system logging. */
|
|
LogLevel log_level; /* Level for system logging. */
|
|
int hostbased_authentication; /* If true, permit ssh2 hostbased auth */
|
|
int hostbased_uses_name_from_packet_only; /* experimental */
|
|
char *hostbased_key_types; /* Key types allowed for hostbased */
|
|
char *hostkeyalgorithms; /* SSH2 server key types */
|
|
int pubkey_authentication; /* If true, permit ssh2 pubkey authentication. */
|
|
diff --git a/openssh-7.6p1/ssh_config b/openssh-7.6p1/ssh_config
|
|
--- a/openssh-7.6p1/ssh_config
|
|
+++ b/openssh-7.6p1/ssh_config
|
|
@@ -12,16 +12,21 @@
|
|
# Any configuration value is only changed the first time it is set.
|
|
# Thus, host-specific definitions should be at the beginning of the
|
|
# configuration file, and defaults at the end.
|
|
|
|
# Site-wide defaults for some commonly used options. For a comprehensive
|
|
# list of available options, their meanings and defaults, please see the
|
|
# ssh_config(5) man page.
|
|
|
|
+# Minimum accepted size of the DH parameter p. By default this is set to 1024
|
|
+# to maintain compatibility with RFC4419, but should be set higher.
|
|
+# Upstream default is identical to setting this to 2048.
|
|
+#KexDHMin 1024
|
|
+
|
|
Host *
|
|
# ForwardAgent no
|
|
# ForwardX11 no
|
|
|
|
# If you do not trust your remote host (or its administrator), you
|
|
# should not forward X11 connections to your local X11-display for
|
|
# security reasons: Someone stealing the authentification data on the
|
|
# remote side (the "spoofed" X-server by the remote sshd) can read your
|
|
diff --git a/openssh-7.6p1/ssh_config.0 b/openssh-7.6p1/ssh_config.0
|
|
--- a/openssh-7.6p1/ssh_config.0
|
|
+++ b/openssh-7.6p1/ssh_config.0
|
|
@@ -584,16 +584,33 @@ DESCRIPTION
|
|
ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
|
|
diffie-hellman-group-exchange-sha256,
|
|
diffie-hellman-group-exchange-sha1,
|
|
diffie-hellman-group14-sha1
|
|
|
|
The list of available key exchange algorithms may also be
|
|
obtained using "ssh -Q kex".
|
|
|
|
+ KexDHMin
|
|
+ Specifies the minimum accepted bit length of the DH group
|
|
+ parameter p.
|
|
+
|
|
+ As per RFC4419, this is 1024 bits, however this has increasingly
|
|
+ been seen as insecure, which prompted the change to 2048 bits.
|
|
+ Setting this option allows the client to accept parameters shorter
|
|
+ than the current minimum, down to the RFC specified 1024 bits.
|
|
+ Using this option may be needed when connecting to servers that
|
|
+ only know short DH group parameters.
|
|
+
|
|
+ Note, that while by default this option is set to 1024 to maintain
|
|
+ maximum backward compatibility, using it can severly impact
|
|
+ security and thus should be viewed as a temporary fix of last
|
|
+ resort and all efforts should be made to fix the (broken)
|
|
+ counterparty.
|
|
+
|
|
LocalCommand
|
|
Specifies a command to execute on the local machine after
|
|
successfully connecting to the server. The command string
|
|
extends to the end of the line, and is executed with the user's
|
|
shell. Arguments to LocalCommand accept the tokens described in
|
|
the TOKENS section.
|
|
|
|
The command is run synchronously and does not have access to the
|
|
diff --git a/openssh-7.6p1/ssh_config.5 b/openssh-7.6p1/ssh_config.5
|
|
--- a/openssh-7.6p1/ssh_config.5
|
|
+++ b/openssh-7.6p1/ssh_config.5
|
|
@@ -1016,16 +1016,32 @@ curve25519-sha256,curve25519-sha256@libs
|
|
ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
|
|
diffie-hellman-group-exchange-sha256,
|
|
diffie-hellman-group-exchange-sha1,
|
|
diffie-hellman-group14-sha1
|
|
.Ed
|
|
.Pp
|
|
The list of available key exchange algorithms may also be obtained using
|
|
.Qq ssh -Q kex .
|
|
+.It Cm KexDHMin
|
|
+Specifies the minimum accepted bit length of the DH group
|
|
+parameter p.
|
|
+.Pp
|
|
+As per RFC4419, this is 1024 bits, however this has increasingly
|
|
+been seen as insecure, which prompted the change to 2048 bits.
|
|
+Setting this option allows the client to accept parameters shorter
|
|
+than the current minimum, down to the RFC specified 1024 bits.
|
|
+Using this option may be needed when connecting to servers that
|
|
+only know short DH group parameters.
|
|
+.Pp
|
|
+Note, that while by default this option is set to 1024 to maintain
|
|
+maximum backward compatibility, using it can severly impact
|
|
+security and thus should be viewed as a temporary fix of last
|
|
+resort and all efforts should be made to fix the (broken)
|
|
+counterparty.
|
|
.It Cm LocalCommand
|
|
Specifies a command to execute on the local machine after successfully
|
|
connecting to the server.
|
|
The command string extends to the end of the line, and is executed with
|
|
the user's shell.
|
|
Arguments to
|
|
.Cm LocalCommand
|
|
accept the tokens described in the
|
|
diff --git a/openssh-7.6p1/sshd_config b/openssh-7.6p1/sshd_config
|
|
--- a/openssh-7.6p1/sshd_config
|
|
+++ b/openssh-7.6p1/sshd_config
|
|
@@ -15,16 +15,21 @@
|
|
#ListenAddress 0.0.0.0
|
|
#ListenAddress ::
|
|
|
|
#HostKey /etc/ssh/ssh_host_rsa_key
|
|
#HostKey /etc/ssh/ssh_host_dsa_key
|
|
#HostKey /etc/ssh/ssh_host_ecdsa_key
|
|
#HostKey /etc/ssh/ssh_host_ed25519_key
|
|
|
|
+# Minimum accepted size of the DH parameter p. By default this is set to 1024
|
|
+# to maintain compatibility with RFC4419, but should be set higher.
|
|
+# Upstream default is identical to setting this to 2048.
|
|
+#KexDHMin 1024
|
|
+
|
|
# Ciphers and keying
|
|
#RekeyLimit default none
|
|
|
|
# Logging
|
|
#SyslogFacility AUTH
|
|
#LogLevel INFO
|
|
|
|
# Authentication:
|
|
diff --git a/openssh-7.6p1/sshd_config.0 b/openssh-7.6p1/sshd_config.0
|
|
--- a/openssh-7.6p1/sshd_config.0
|
|
+++ b/openssh-7.6p1/sshd_config.0
|
|
@@ -532,16 +532,33 @@ DESCRIPTION
|
|
curve25519-sha256,curve25519-sha256@libssh.org,
|
|
ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
|
|
diffie-hellman-group-exchange-sha256,
|
|
diffie-hellman-group14-sha1
|
|
|
|
The list of available key exchange algorithms may also be
|
|
obtained using "ssh -Q kex".
|
|
|
|
+ KexDHMin
|
|
+ Specifies the minimum accepted bit length of the DH group
|
|
+ parameter p.
|
|
+
|
|
+ As per RFC4419, this is 1024 bits, however this has increasingly
|
|
+ been seen as insecure, which prompted the change to 2048 bits.
|
|
+ Setting this option allows the server to accept parameters shorter
|
|
+ than the current minimum, down to the RFC specified 1024 bits.
|
|
+ Using this option may be needed when some of the connectiong
|
|
+ clients only know short DH group parameters.
|
|
+
|
|
+ Note, that while by default this option is set to 1024 to maintain
|
|
+ maximum backward compatibility, using it can severly impact
|
|
+ security and thus should be viewed as a temporary fix of last
|
|
+ resort and all efforts should be made to fix the (broken)
|
|
+ counterparty.
|
|
+
|
|
ListenAddress
|
|
Specifies the local addresses sshd(8) should listen on. The
|
|
following forms may be used:
|
|
|
|
ListenAddress host|IPv4_addr|IPv6_addr
|
|
ListenAddress host|IPv4_addr:port
|
|
ListenAddress [host|IPv6_addr]:port
|
|
|
|
diff --git a/openssh-7.6p1/sshd_config.5 b/openssh-7.6p1/sshd_config.5
|
|
--- a/openssh-7.6p1/sshd_config.5
|
|
+++ b/openssh-7.6p1/sshd_config.5
|
|
@@ -893,16 +893,32 @@ The default is:
|
|
curve25519-sha256,curve25519-sha256@libssh.org,
|
|
ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
|
|
diffie-hellman-group-exchange-sha256,
|
|
diffie-hellman-group14-sha1
|
|
.Ed
|
|
.Pp
|
|
The list of available key exchange algorithms may also be obtained using
|
|
.Qq ssh -Q kex .
|
|
+.It Cm KexDHMin
|
|
+Specifies the minimum accepted bit length of the DH group
|
|
+parameter p.
|
|
+.Pp
|
|
+As per RFC4419, this is 1024 bits, however this has increasingly
|
|
+been seen as insecure, which prompted the change to 2048 bits.
|
|
+Setting this option allows the server to accept parameters shorter
|
|
+than the current minimum, down to the RFC specified 1024 bits.
|
|
+Using this option may be needed when some of the connectiong
|
|
+clients only know short DH group parameters.
|
|
+.Pp
|
|
+Note, that while by default this option is set to 1024 to maintain
|
|
+maximum backward compatibility, using it can severly impact
|
|
+security and thus should be viewed as a temporary fix of last
|
|
+resort and all efforts should be made to fix the (broken)
|
|
+counterparty.
|
|
.It Cm ListenAddress
|
|
Specifies the local addresses
|
|
.Xr sshd 8
|
|
should listen on.
|
|
The following forms may be used:
|
|
.Pp
|
|
.Bl -item -offset indent -compact
|
|
.It
|