b21be4c6b4
- Version update to 7.9p1 * No actual changes for the askpass * See main package changelog for details - Version update to 7.9p1 * ssh(1), sshd(8): the setting of the new CASignatureAlgorithms option (see below) bans the use of DSA keys as certificate authorities. * sshd(8): the authentication success/failure log message has changed format slightly. It now includes the certificate fingerprint (previously it included only key ID and CA key fingerprint). * ssh(1), sshd(8): allow most port numbers to be specified using service names from getservbyname(3) (typically /etc/services). * sshd(8): support signalling sessions via the SSH protocol. A limited subset of signals is supported and only for login or command sessions (i.e. not subsystems) that were not subject to a forced command via authorized_keys or sshd_config. bz#1424 * ssh(1): support "ssh -Q sig" to list supported signature options. Also "ssh -Q help" to show the full set of supported queries. * ssh(1), sshd(8): add a CASignatureAlgorithms option for the client and server configs to allow control over which signature formats are allowed for CAs to sign certificates. For example, this allows banning CAs that sign certificates using the RSA-SHA1 signature algorithm. * sshd(8), ssh-keygen(1): allow key revocation lists (KRLs) to revoke keys specified by SHA256 hash. * ssh-keygen(1): allow creation of key revocation lists directly from base64-encoded SHA256 fingerprints. This supports revoking keys using only the information contained in sshd(8) OBS-URL: https://build.opensuse.org/request/show/643660 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=159
426 lines
16 KiB
Diff
426 lines
16 KiB
Diff
# HG changeset patch
|
|
# Parent 681914438b1a02c1940d19204138e9b8eacfda7b
|
|
|
|
Raise minimal size of DH group parameters to 2048 bits like upstream did in
|
|
7.2. 1024b values are believed to be in breaking range for state adversaries
|
|
and the default moduli shipped with openssh have been around long enough to
|
|
make it more likely for them to be broken.
|
|
|
|
Also provide an option that allows the client to accept shorter (RFC4419
|
|
compliant) parameters.
|
|
|
|
CVE-2015-4000 (LOGJAM)
|
|
bsc#932483
|
|
|
|
Index: openssh-7.9p1/dh.c
|
|
===================================================================
|
|
--- openssh-7.9p1.orig/dh.c
|
|
+++ openssh-7.9p1/dh.c
|
|
@@ -45,6 +45,8 @@
|
|
|
|
#include "openbsd-compat/openssl-compat.h"
|
|
|
|
+int dh_grp_min = DH_GRP_MIN;
|
|
+
|
|
static int
|
|
parse_prime(int linenum, char *line, struct dhgroup *dhg)
|
|
{
|
|
Index: openssh-7.9p1/dh.h
|
|
===================================================================
|
|
--- openssh-7.9p1.orig/dh.h
|
|
+++ openssh-7.9p1/dh.h
|
|
@@ -50,6 +50,7 @@ u_int dh_estimate(int);
|
|
* Max value from RFC4419.
|
|
* Miniumum increased in light of DH precomputation attacks.
|
|
*/
|
|
+#define DH_GRP_MIN_RFC 1024
|
|
#define DH_GRP_MIN 2048
|
|
#define DH_GRP_MAX 8192
|
|
|
|
Index: openssh-7.9p1/kexgexc.c
|
|
===================================================================
|
|
--- openssh-7.9p1.orig/kexgexc.c
|
|
+++ openssh-7.9p1/kexgexc.c
|
|
@@ -53,6 +53,9 @@
|
|
#include "sshbuf.h"
|
|
#include "misc.h"
|
|
|
|
+/* import from dh.c */
|
|
+extern int dh_grp_min;
|
|
+
|
|
static int input_kex_dh_gex_group(int, u_int32_t, struct ssh *);
|
|
static int input_kex_dh_gex_reply(int, u_int32_t, struct ssh *);
|
|
|
|
@@ -65,7 +68,7 @@ kexgex_client(struct ssh *ssh)
|
|
|
|
nbits = dh_estimate(kex->dh_need * 8);
|
|
|
|
- kex->min = DH_GRP_MIN;
|
|
+ kex->min = dh_grp_min;
|
|
kex->max = DH_GRP_MAX;
|
|
kex->nbits = nbits;
|
|
if (datafellows & SSH_BUG_DHGEX_LARGE)
|
|
@@ -111,6 +114,12 @@ input_kex_dh_gex_group(int type, u_int32
|
|
goto out;
|
|
if ((bits = BN_num_bits(p)) < 0 ||
|
|
(u_int)bits < kex->min || (u_int)bits > kex->max) {
|
|
+ if ((u_int)bits < kex->min && (u_int)bits >= DH_GRP_MIN_RFC)
|
|
+ logit("DH parameter offered by the server (%d bits) "
|
|
+ "is considered insecure. "
|
|
+ "You can lower the accepted the minimum "
|
|
+ "via the KexDHMin option.",
|
|
+ bits);
|
|
r = SSH_ERR_DH_GEX_OUT_OF_RANGE;
|
|
goto out;
|
|
}
|
|
Index: openssh-7.9p1/kexgexs.c
|
|
===================================================================
|
|
--- openssh-7.9p1.orig/kexgexs.c
|
|
+++ openssh-7.9p1/kexgexs.c
|
|
@@ -56,6 +56,9 @@
|
|
#include "sshbuf.h"
|
|
#include "misc.h"
|
|
|
|
+/* import from dh.c */
|
|
+extern int dh_grp_min;
|
|
+
|
|
static int input_kex_dh_gex_request(int, u_int32_t, struct ssh *);
|
|
static int input_kex_dh_gex_init(int, u_int32_t, struct ssh *);
|
|
|
|
@@ -85,13 +88,19 @@ input_kex_dh_gex_request(int type, u_int
|
|
kex->nbits = nbits;
|
|
kex->min = min;
|
|
kex->max = max;
|
|
- min = MAXIMUM(DH_GRP_MIN, min);
|
|
+ min = MAXIMUM(dh_grp_min, min);
|
|
max = MINIMUM(DH_GRP_MAX, max);
|
|
- nbits = MAXIMUM(DH_GRP_MIN, nbits);
|
|
+ nbits = MAXIMUM(dh_grp_min, nbits);
|
|
nbits = MINIMUM(DH_GRP_MAX, nbits);
|
|
|
|
if (kex->max < kex->min || kex->nbits < kex->min ||
|
|
kex->max < kex->nbits || kex->max < DH_GRP_MIN) {
|
|
+ if (kex->nbits < kex->min && kex->nbits >= DH_GRP_MIN_RFC)
|
|
+ logit("DH parameter requested by the client (%d bits) "
|
|
+ "is considered insecure. "
|
|
+ "You can lower the accepted minimum "
|
|
+ "via the KexDHMin option.",
|
|
+ kex->nbits);
|
|
r = SSH_ERR_DH_GEX_OUT_OF_RANGE;
|
|
goto out;
|
|
}
|
|
Index: openssh-7.9p1/readconf.c
|
|
===================================================================
|
|
--- openssh-7.9p1.orig/readconf.c
|
|
+++ openssh-7.9p1/readconf.c
|
|
@@ -67,6 +67,7 @@
|
|
#include "uidswap.h"
|
|
#include "myproposal.h"
|
|
#include "digest.h"
|
|
+#include "dh.h"
|
|
|
|
/* Format of the configuration file:
|
|
|
|
@@ -167,7 +168,7 @@ typedef enum {
|
|
oTunnel, oTunnelDevice,
|
|
oLocalCommand, oPermitLocalCommand, oRemoteCommand,
|
|
oVisualHostKey,
|
|
- oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
|
|
+ oKexAlgorithms, oKexDHMin, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
|
|
oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
|
|
oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs,
|
|
oStreamLocalBindMask, oStreamLocalBindUnlink, oRevokedHostKeys,
|
|
@@ -292,6 +293,7 @@ static struct {
|
|
{ "remotecommand", oRemoteCommand },
|
|
{ "visualhostkey", oVisualHostKey },
|
|
{ "kexalgorithms", oKexAlgorithms },
|
|
+ { "kexdhmin", oKexDHMin },
|
|
{ "ipqos", oIPQoS },
|
|
{ "requesttty", oRequestTTY },
|
|
{ "proxyusefdpass", oProxyUseFdpass },
|
|
@@ -313,6 +315,9 @@ static struct {
|
|
{ NULL, oBadOption }
|
|
};
|
|
|
|
+/* import from dh.c */
|
|
+extern int dh_grp_min;
|
|
+
|
|
/*
|
|
* Adds a local TCP/IP port forward to options. Never returns if there is an
|
|
* error.
|
|
@@ -1216,6 +1221,10 @@ parse_int:
|
|
options->kex_algorithms = xstrdup(arg);
|
|
break;
|
|
|
|
+ case oKexDHMin:
|
|
+ intptr = &options->kex_dhmin;
|
|
+ goto parse_int;
|
|
+
|
|
case oHostKeyAlgorithms:
|
|
charptr = &options->hostkeyalgorithms;
|
|
parse_keytypes:
|
|
@@ -1860,6 +1869,7 @@ initialize_options(Options * options)
|
|
options->ciphers = NULL;
|
|
options->macs = NULL;
|
|
options->kex_algorithms = NULL;
|
|
+ options->kex_dhmin = -1;
|
|
options->hostkeyalgorithms = NULL;
|
|
options->ca_sign_algorithms = NULL;
|
|
options->num_identity_files = 0;
|
|
@@ -2014,6 +2024,13 @@ fill_default_options(Options * options)
|
|
options->connection_attempts = 1;
|
|
if (options->number_of_password_prompts == -1)
|
|
options->number_of_password_prompts = 3;
|
|
+ if (options->kex_dhmin == -1)
|
|
+ options->kex_dhmin = DH_GRP_MIN;
|
|
+ else {
|
|
+ options->kex_dhmin = MAXIMUM(options->kex_dhmin, DH_GRP_MIN_RFC);
|
|
+ options->kex_dhmin = MINIMUM(options->kex_dhmin, DH_GRP_MAX);
|
|
+ }
|
|
+ dh_grp_min = options->kex_dhmin;
|
|
/* options->hostkeyalgorithms, default set in myproposals.h */
|
|
if (options->add_keys_to_agent == -1)
|
|
options->add_keys_to_agent = 0;
|
|
Index: openssh-7.9p1/readconf.h
|
|
===================================================================
|
|
--- openssh-7.9p1.orig/readconf.h
|
|
+++ openssh-7.9p1/readconf.h
|
|
@@ -68,6 +68,7 @@ typedef struct {
|
|
char *hostkeyalgorithms; /* SSH2 server key types in order of preference. */
|
|
char *kex_algorithms; /* SSH2 kex methods in order of preference. */
|
|
char *ca_sign_algorithms; /* Allowed CA signature algorithms */
|
|
+ int kex_dhmin; /* minimum bit length of the DH group parameter */
|
|
char *hostname; /* Real host to connect. */
|
|
char *host_key_alias; /* hostname alias for .ssh/known_hosts */
|
|
char *proxy_command; /* Proxy command for connecting the host. */
|
|
Index: openssh-7.9p1/servconf.c
|
|
===================================================================
|
|
--- openssh-7.9p1.orig/servconf.c
|
|
+++ openssh-7.9p1/servconf.c
|
|
@@ -64,6 +64,10 @@
|
|
#include "auth.h"
|
|
#include "myproposal.h"
|
|
#include "digest.h"
|
|
+#include "dh.h"
|
|
+
|
|
+/* import from dh.c */
|
|
+extern int dh_grp_min;
|
|
|
|
static void add_listen_addr(ServerOptions *, const char *,
|
|
const char *, int);
|
|
@@ -146,6 +150,7 @@ initialize_server_options(ServerOptions
|
|
options->ciphers = NULL;
|
|
options->macs = NULL;
|
|
options->kex_algorithms = NULL;
|
|
+ options->kex_dhmin = -1;
|
|
options->ca_sign_algorithms = NULL;
|
|
options->fwd_opts.gateway_ports = -1;
|
|
options->fwd_opts.streamlocal_bind_mask = (mode_t)-1;
|
|
@@ -267,6 +272,14 @@ fill_default_server_options(ServerOption
|
|
if (options->use_pam_check_locks == -1)
|
|
options->use_pam_check_locks = 0;
|
|
|
|
+ if (options->kex_dhmin == -1)
|
|
+ options->kex_dhmin = DH_GRP_MIN;
|
|
+ else {
|
|
+ options->kex_dhmin = MAXIMUM(options->kex_dhmin, DH_GRP_MIN_RFC);
|
|
+ options->kex_dhmin = MINIMUM(options->kex_dhmin, DH_GRP_MAX);
|
|
+ }
|
|
+ dh_grp_min = options->kex_dhmin;
|
|
+
|
|
/* Standard Options */
|
|
if (options->num_host_key_files == 0) {
|
|
/* fill default hostkeys for protocols */
|
|
@@ -494,7 +507,7 @@ typedef enum {
|
|
sHostCertificate,
|
|
sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
|
|
sAuthorizedPrincipalsCommand, sAuthorizedPrincipalsCommandUser,
|
|
- sKexAlgorithms, sCASignatureAlgorithms, sIPQoS, sVersionAddendum,
|
|
+ sKexAlgorithms, sKexDHMin, sCASignatureAlgorithms, sIPQoS, sVersionAddendum,
|
|
sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
|
|
sAuthenticationMethods, sHostKeyAgent, sPermitUserRC,
|
|
sStreamLocalBindMask, sStreamLocalBindUnlink,
|
|
@@ -635,6 +648,7 @@ static struct {
|
|
{ "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
|
|
{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
|
|
{ "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
|
|
+ { "kexdhmin", sKexDHMin },
|
|
{ "ipqos", sIPQoS, SSHCFG_ALL },
|
|
{ "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL },
|
|
{ "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL },
|
|
@@ -1735,6 +1749,10 @@ process_server_config_line(ServerOptions
|
|
options->kex_algorithms = xstrdup(arg);
|
|
break;
|
|
|
|
+ case sKexDHMin:
|
|
+ intptr = &options->kex_dhmin;
|
|
+ goto parse_int;
|
|
+
|
|
case sSubsystem:
|
|
if (options->num_subsystems >= MAX_SUBSYSTEMS) {
|
|
fatal("%s line %d: too many subsystems defined.",
|
|
@@ -2549,6 +2567,7 @@ dump_config(ServerOptions *o)
|
|
dump_cfg_int(sClientAliveInterval, o->client_alive_interval);
|
|
dump_cfg_int(sClientAliveCountMax, o->client_alive_count_max);
|
|
dump_cfg_oct(sStreamLocalBindMask, o->fwd_opts.streamlocal_bind_mask);
|
|
+ dump_cfg_int(sKexDHMin, o->kex_dhmin);
|
|
|
|
/* formatted integer arguments */
|
|
dump_cfg_fmtint(sPermitRootLogin, o->permit_root_login);
|
|
Index: openssh-7.9p1/servconf.h
|
|
===================================================================
|
|
--- openssh-7.9p1.orig/servconf.h
|
|
+++ openssh-7.9p1/servconf.h
|
|
@@ -103,6 +103,7 @@ typedef struct {
|
|
char *ciphers; /* Supported SSH2 ciphers. */
|
|
char *macs; /* Supported SSH2 macs. */
|
|
char *kex_algorithms; /* SSH2 kex methods in order of preference. */
|
|
+ int kex_dhmin; /* minimum bit length of the DH group parameter */
|
|
struct ForwardOptions fwd_opts; /* forwarding options */
|
|
SyslogFacility log_facility; /* Facility for system logging. */
|
|
LogLevel log_level; /* Level for system logging. */
|
|
Index: openssh-7.9p1/ssh_config
|
|
===================================================================
|
|
--- openssh-7.9p1.orig/ssh_config
|
|
+++ openssh-7.9p1/ssh_config
|
|
@@ -17,6 +17,11 @@
|
|
# list of available options, their meanings and defaults, please see the
|
|
# ssh_config(5) man page.
|
|
|
|
+# Minimum accepted size of the DH parameter p. By default this is set to 1024
|
|
+# to maintain compatibility with RFC4419, but should be set higher.
|
|
+# Upstream default is identical to setting this to 2048.
|
|
+#KexDHMin 1024
|
|
+
|
|
Host *
|
|
# ForwardAgent no
|
|
# ForwardX11 no
|
|
Index: openssh-7.9p1/ssh_config.0
|
|
===================================================================
|
|
--- openssh-7.9p1.orig/ssh_config.0
|
|
+++ openssh-7.9p1/ssh_config.0
|
|
@@ -610,6 +610,23 @@ DESCRIPTION
|
|
The list of available key exchange algorithms may also be
|
|
obtained using "ssh -Q kex".
|
|
|
|
+ KexDHMin
|
|
+ Specifies the minimum accepted bit length of the DH group
|
|
+ parameter p.
|
|
+
|
|
+ As per RFC4419, this is 1024 bits, however this has increasingly
|
|
+ been seen as insecure, which prompted the change to 2048 bits.
|
|
+ Setting this option allows the client to accept parameters shorter
|
|
+ than the current minimum, down to the RFC specified 1024 bits.
|
|
+ Using this option may be needed when connecting to servers that
|
|
+ only know short DH group parameters.
|
|
+
|
|
+ Note, that while by default this option is set to 1024 to maintain
|
|
+ maximum backward compatibility, using it can severly impact
|
|
+ security and thus should be viewed as a temporary fix of last
|
|
+ resort and all efforts should be made to fix the (broken)
|
|
+ counterparty.
|
|
+
|
|
LocalCommand
|
|
Specifies a command to execute on the local machine after
|
|
successfully connecting to the server. The command string
|
|
Index: openssh-7.9p1/ssh_config.5
|
|
===================================================================
|
|
--- openssh-7.9p1.orig/ssh_config.5
|
|
+++ openssh-7.9p1/ssh_config.5
|
|
@@ -1047,6 +1047,22 @@ diffie-hellman-group14-sha1
|
|
.Pp
|
|
The list of available key exchange algorithms may also be obtained using
|
|
.Qq ssh -Q kex .
|
|
+.It Cm KexDHMin
|
|
+Specifies the minimum accepted bit length of the DH group
|
|
+parameter p.
|
|
+.Pp
|
|
+As per RFC4419, this is 1024 bits, however this has increasingly
|
|
+been seen as insecure, which prompted the change to 2048 bits.
|
|
+Setting this option allows the client to accept parameters shorter
|
|
+than the current minimum, down to the RFC specified 1024 bits.
|
|
+Using this option may be needed when connecting to servers that
|
|
+only know short DH group parameters.
|
|
+.Pp
|
|
+Note, that while by default this option is set to 1024 to maintain
|
|
+maximum backward compatibility, using it can severly impact
|
|
+security and thus should be viewed as a temporary fix of last
|
|
+resort and all efforts should be made to fix the (broken)
|
|
+counterparty.
|
|
.It Cm LocalCommand
|
|
Specifies a command to execute on the local machine after successfully
|
|
connecting to the server.
|
|
Index: openssh-7.9p1/sshd_config
|
|
===================================================================
|
|
--- openssh-7.9p1.orig/sshd_config
|
|
+++ openssh-7.9p1/sshd_config
|
|
@@ -19,6 +19,13 @@
|
|
#HostKey /etc/ssh/ssh_host_ecdsa_key
|
|
#HostKey /etc/ssh/ssh_host_ed25519_key
|
|
|
|
+# Minimum accepted size of the DH parameter p. The default, which replicates
|
|
+# upstream behaviour, is 2048. To maintain compatibility with RFC4419 it should
|
|
+# be set to 1024.
|
|
+# You will also need to add a HostKey directive to load a DSA key (typically
|
|
+# located in /etc/ssh/ssh_host_dsa_key), which is not loaded by default.
|
|
+#KexDHMin 2048
|
|
+
|
|
# Ciphers and keying
|
|
#RekeyLimit default none
|
|
|
|
Index: openssh-7.9p1/sshd_config.0
|
|
===================================================================
|
|
--- openssh-7.9p1.orig/sshd_config.0
|
|
+++ openssh-7.9p1/sshd_config.0
|
|
@@ -555,6 +555,23 @@ DESCRIPTION
|
|
The list of available key exchange algorithms may also be
|
|
obtained using "ssh -Q kex".
|
|
|
|
+ KexDHMin
|
|
+ Specifies the minimum accepted bit length of the DH group
|
|
+ parameter p.
|
|
+
|
|
+ As per RFC4419, this is 1024 bits, however this has increasingly
|
|
+ been seen as insecure, which prompted the change to 2048 bits.
|
|
+ Setting this option allows the server to accept parameters shorter
|
|
+ than the current minimum, down to the RFC specified 1024 bits.
|
|
+ Using this option may be needed when some of the connectiong
|
|
+ clients only know short DH group parameters.
|
|
+
|
|
+ Note, that while by default this option is set to 1024 to maintain
|
|
+ maximum backward compatibility, using it can severly impact
|
|
+ security and thus should be viewed as a temporary fix of last
|
|
+ resort and all efforts should be made to fix the (broken)
|
|
+ counterparty.
|
|
+
|
|
ListenAddress
|
|
Specifies the local addresses sshd(8) should listen on. The
|
|
following forms may be used:
|
|
Index: openssh-7.9p1/sshd_config.5
|
|
===================================================================
|
|
--- openssh-7.9p1.orig/sshd_config.5
|
|
+++ openssh-7.9p1/sshd_config.5
|
|
@@ -923,6 +923,22 @@ diffie-hellman-group14-sha256,diffie-hel
|
|
.Pp
|
|
The list of available key exchange algorithms may also be obtained using
|
|
.Qq ssh -Q kex .
|
|
+.It Cm KexDHMin
|
|
+Specifies the minimum accepted bit length of the DH group
|
|
+parameter p.
|
|
+.Pp
|
|
+As per RFC4419, this is 1024 bits, however this has increasingly
|
|
+been seen as insecure, which prompted the change to 2048 bits.
|
|
+Setting this option allows the server to accept parameters shorter
|
|
+than the current minimum, down to the RFC specified 1024 bits.
|
|
+Using this option may be needed when some of the connectiong
|
|
+clients only know short DH group parameters.
|
|
+.Pp
|
|
+Note, that while by default this option is set to 1024 to maintain
|
|
+maximum backward compatibility, using it can severly impact
|
|
+security and thus should be viewed as a temporary fix of last
|
|
+resort and all efforts should be made to fix the (broken)
|
|
+counterparty.
|
|
.It Cm ListenAddress
|
|
Specifies the local addresses
|
|
.Xr sshd 8
|