From 6a0769945432900cc01b395e5ba52cba33a2edee Mon Sep 17 00:00:00 2001
From: Jakub Jelen
Date: Thu, 19 Nov 2020 14:39:49 +0100
Subject: [PATCH] Compatibility with Debian's openssh-7.4p1 (#1881301)

This only version does incorrectly reports server_sig_algorithms extension and in Fedora 33 with disabled SHA1, clients are unable to connect to Debian servers
---
 openssh-8.4p1-debian-compat.patch | 57 +++++++++++++++++++++++++++++++
 openssh.spec | 3 ++
 2 files changed, 60 insertions(+)
 create mode 100644 openssh-8.4p1-debian-compat.patch

diff --git a/openssh-8.4p1-debian-compat.patch b/openssh-8.4p1-debian-compat.patch
new file mode 100644
index 0000000..0af1d3d
--- /dev/null
+++ b/openssh-8.4p1-debian-compat.patch
@@ -0,0 +1,57 @@
+--- compat.h.orig 2020-10-05 10:09:02.953505129 -0700
++++ compat.h 2020-10-05 10:10:17.587733113 -0700
+@@ -34,7 +34,7 @@
+ 
+ #define SSH_BUG_UTF8TTYMODE 0x00000001
+ #define SSH_BUG_SIGTYPE 0x00000002
+-/* #define unused 0x00000004 */
++#define SSH_BUG_SIGTYPE74 0x00000004
+ /* #define unused 0x00000008 */
+ #define SSH_OLD_SESSIONID 0x00000010
+ /* #define unused 0x00000020 */
+--- compat.c.orig 2020-10-05 10:25:02.088720562 -0700
++++ compat.c 2020-10-05 10:13:11.637282492 -0700
+@@ -65,11 +65,12 @@
+ { "OpenSSH_6.5*,"
+ "OpenSSH_6.6*", SSH_NEW_OPENSSH|SSH_BUG_CURVE25519PAD|
+ SSH_BUG_SIGTYPE},
++ { "OpenSSH_7.4*", SSH_NEW_OPENSSH|SSH_BUG_SIGTYPE|
++ SSH_BUG_SIGTYPE74},
+ { "OpenSSH_7.0*,"
+ "OpenSSH_7.1*,"
+ "OpenSSH_7.2*,"
+ "OpenSSH_7.3*,"
+- "OpenSSH_7.4*,"
+ "OpenSSH_7.5*,"
+ "OpenSSH_7.6*,"
+ "OpenSSH_7.7*", SSH_NEW_OPENSSH|SSH_BUG_SIGTYPE},
+--- sshconnect2.c.orig 2020-09-26 07:26:37.618010545 -0700
++++ sshconnect2.c 2020-10-05 10:47:22.116315148 -0700
+@@ -1305,6 +1305,26 @@
+ break;
+ }
+ free(oallowed);
++ /*
++ * OpenSSH 7.4 supports SHA2 sig types, but fails to indicate its
++ * support. For that release, check the local policy against the
++ * SHA2 signature types.
++ */
++ if (alg == NULL &&
++ (key->type == KEY_RSA && (datafellows & SSH_BUG_SIGTYPE74))) {
++ oallowed = allowed = xstrdup(options.pubkey_key_types);
++ while ((cp = strsep(&allowed, ",")) != NULL) {
++ if (sshkey_type_from_name(cp) != key->type)
++ continue;
++ tmp = match_list(sshkey_sigalg_by_name(cp), "rsa-sha2-256,rsa-sha2-512", NULL);
++ if (tmp != NULL)
++ alg = xstrdup(cp);
++ free(tmp);
++ if (alg != NULL)
++ break;
++ }
++ free(oallowed);
++ }
+ return alg;
+ }
+ 
+
diff --git a/openssh.spec b/openssh.spec
index a712857..d88dd7b 100644
--- a/openssh.spec
+++ b/openssh.spec
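Review bot: The new SHA2 fallback in the sshconnect2.c hunk only runs when `alg` is still NULL after the existing server-sig-algs loop, so it appears to rely on the enclosing function's earlier early-return (outside this hunk, presumably in key_sig_algorithm, where a missing `server_sig_algs` returns immediately) not having fired; if a 7.4 peer omitted the extension entirely instead of sending an incomplete one, the fallback would never be reached, which is worth confirming against the function head. The banner-keyed override is harmless if the peer is mis-identified, since the server still verifies the signature and a wrong guess costs only one failed publickey attempt, but that reasoning is not written down anywhere; the new `SSH_BUG_SIGTYPE74` flag in compat.h and its compat.c entry would each benefit from a one-line comment such as `/* sends server-sig-algs but omits the rsa-sha2-* types it accepts (bz#3213) */`. Style: `tmp = match_list(sshkey_sigalg_by_name(cp), "rsa-sha2-256,rsa-sha2-512", NULL);` exceeds the 80-column wrap used by the surrounding OpenSSH code and should be broken after the first argument.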
@@ -199,6 +199,8 @@ Patch966: openssh-8.2p1-x11-without-ipv6.patch
 Patch967: openssh-8.4p1-ssh-copy-id.patch
 # https://bugzilla.mindrot.org/show_bug.cgi?id=3232
 Patch968: openssh-8.4p1-sandbox-seccomp.patch
+# https://bugzilla.mindrot.org/show_bug.cgi?id=3213
+Patch969: openssh-8.4p1-debian-compat.patch
 
 License: BSD
 Requires: /sbin/nologin
@@ -384,6 +386,7 @@ popd
 %patch966 -p1 -b .x11-ipv6
 %patch967 -p1 -b .ssh-copy-id
 %patch968 -p1 -b .seccomp
+%patch969 -p0 -b .debian
 
 %patch200 -p1 -b .audit
 %patch201 -p1 -b .audit-race