Merge remote-tracking branch 'origin/master' into f21

openssh-5.8p1-localdomain.patch

@@ -1,14 +0,0 @@
-diff -up openssh-5.8p1/sshd_config.localdomain openssh-5.8p1/sshd_config
---- openssh-5.8p1/sshd_config.localdomain	2011-04-22 11:37:49.273648812 +0200
-+++ openssh-5.8p1/sshd_config	2011-04-22 11:39:31.758648401 +0200
-@@ -130,6 +130,10 @@ X11Forwarding yes
- # override default of no subsystems
- Subsystem	sftp	/usr/libexec/sftp-server
- 
-+# Uncomment this if you want to use .local domain
-+#Host *.local
-+#	CheckHostIP no
-+
- # Example of overriding settings on a per-user basis
- #Match User anoncvs
- #	X11Forwarding no

openssh-6.6.1p1-cisco-dh-keys.patch

@@ -0,0 +1,70 @@
+diff --git a/compat.c b/compat.c
+index 2709dc5..7412a54 100644
+--- a/compat.c
++++ b/compat.c
+@@ -167,6 +167,7 @@ compat_datafellows(const char *version)
+ 					SSH_BUG_SCANNER },
+ 		{ "Probe-*",
+ 					SSH_BUG_PROBE },
++		{ "Cisco-*",		SSH_BUG_MAX4096DH },
+ 		{ NULL,			0 }
+ 	};
+ 
+diff --git a/compat.h b/compat.h
+index a6c3f3d..d8def7d 100644
+--- a/compat.h
++++ b/compat.h
+@@ -60,6 +60,7 @@
+ #define SSH_NEW_OPENSSH		0x04000000
+ #define SSH_BUG_DYNAMIC_RPORT	0x08000000
+ #define SSH_BUG_CURVE25519PAD	0x10000000
++#define SSH_BUG_MAX4096DH       0x20000000
+ 
+ void     enable_compat13(void);
+ void     enable_compat20(void);
+diff --git a/kexgexc.c b/kexgexc.c
+index 355b7ba..0a91bdd 100644
+--- a/kexgexc.c
++++ b/kexgexc.c
+@@ -58,20 +58,37 @@ kexgex_client(Kex *kex)
+ 	int min, max, nbits;
+ 	DH *dh;
+ 
++	min = DH_GRP_MIN;
++	max = DH_GRP_MAX;
++
++	/* Servers with MAX4096DH need a preferred size (nbits) <= 4096.
++ 	 * We need to also ensure that min < nbits < max */
++
++	if (datafellows & SSH_BUG_MAX4096DH) {
++		/* The largest min for these servers is 4096 */
++		min = MIN(min, 4096);
++	}
++
+ 	nbits = dh_estimate(kex->dh_need * 8);
++	nbits = MIN(nbits, max);
++	nbits = MAX(nbits, min);
++
++	if (datafellows & SSH_BUG_MAX4096DH) {
++		/* Cannot have a nbits > 4096 for these servers */
++		nbits = MIN(nbits, 4096);
++		/* nbits has to be powers of two */
++		if (nbits == 3072)
++			nbits = 4096;
++	}
+ 
+ 	if (datafellows & SSH_OLD_DHGEX) {
+ 		/* Old GEX request */
+ 		packet_start(SSH2_MSG_KEX_DH_GEX_REQUEST_OLD);
+ 		packet_put_int(nbits);
+-		min = DH_GRP_MIN;
+-		max = DH_GRP_MAX;
+ 
+ 		debug("SSH2_MSG_KEX_DH_GEX_REQUEST_OLD(%u) sent", nbits);
+ 	} else {
+ 		/* New GEX request */
+-		min = DH_GRP_MIN;
+-		max = DH_GRP_MAX;
+ 		packet_start(SSH2_MSG_KEX_DH_GEX_REQUEST);
+ 		packet_put_int(min);
+ 		packet_put_int(nbits);

openssh-6.6.1p1-localdomain.patch

@@ -0,0 +1,12 @@
+diff --git a/ssh_config b/ssh_config
+index 03a228f..49a4f6c 100644
+--- a/ssh_config
++++ b/ssh_config
+@@ -46,3 +46,7 @@
+ #   VisualHostKey no
+ #   ProxyCommand ssh -q -W %h:%p gateway.example.com
+ #   RekeyLimit 1G 1h
++#
++# Uncomment this if you want to use .local domain
++# Host *.local
++#   CheckHostIP no

openssh-6.6p1-fips.patch

@@ -325,22 +325,15 @@ index 355b7ba..427e11f 100644
  #include <sys/types.h>
  
  #include <openssl/dh.h>
-@@ -64,13 +66,13 @@ kexgex_client(Kex *kex)
- 		/* Old GEX request */
- 		packet_start(SSH2_MSG_KEX_DH_GEX_REQUEST_OLD);
- 		packet_put_int(nbits);
--		min = DH_GRP_MIN;
-+		min = FIPS_mode() ? DH_GRP_MIN_FIPS : DH_GRP_MIN;
- 		max = DH_GRP_MAX;
+@@ -58,7 +60,7 @@ kexgex_client(Kex *kex)
+ 	int min, max, nbits;
+ 	DH *dh;
  
- 		debug("SSH2_MSG_KEX_DH_GEX_REQUEST_OLD(%u) sent", nbits);
- 	} else {
- 		/* New GEX request */
--		min = DH_GRP_MIN;
-+		min = FIPS_mode() ? DH_GRP_MIN_FIPS : DH_GRP_MIN;
- 		max = DH_GRP_MAX;
- 		packet_start(SSH2_MSG_KEX_DH_GEX_REQUEST);
- 		packet_put_int(min);
+-	min = DH_GRP_MIN;
++	min = FIPS_mode() ? DH_GRP_MIN_FIPS : DH_GRP_MIN;
+ 	max = DH_GRP_MAX;
+ 
+ 	/* Servers with MAX4096DH need a preferred size (nbits) <= 4096.
 diff --git a/kexgexs.c b/kexgexs.c
 index 770ad28..9d4fc6d 100644
 --- a/kexgexs.c

openssh-6.6p1-redhat.patch

@@ -1,11 +1,12 @@
 diff --git a/ssh_config b/ssh_config
-index 03a228f..6d1abaf 100644
+index 49a4f6c..3f83c40 100644
 --- a/ssh_config
 +++ b/ssh_config
-@@ -46,3 +46,14 @@
- #   VisualHostKey no
- #   ProxyCommand ssh -q -W %h:%p gateway.example.com
- #   RekeyLimit 1G 1h
+@@ -50,3 +50,15 @@
+ # Uncomment this if you want to use .local domain
+ # Host *.local
+ #   CheckHostIP no
++
 +Host *
 +	GSSAPIAuthentication yes
 +# If this option is set to yes then remote X11 clients will have full access

openssh.spec

@@ -64,7 +64,7 @@
 
 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
 %define openssh_ver 6.6.1p1
-%define openssh_rel 8
+%define openssh_rel 9
 %define pam_ssh_agent_ver 0.9.3
 %define pam_ssh_agent_rel 3
 
@@ -152,7 +152,7 @@ Patch703: openssh-4.3p2-askpass-grab-info.patch
 #?
 Patch705: openssh-5.1p1-scp-manpage.patch
 #?
-Patch706: openssh-5.8p1-localdomain.patch
+Patch706: openssh-6.6.1p1-localdomain.patch
 #https://bugzilla.mindrot.org/show_bug.cgi?id=1635 (WONTFIX)
 Patch707: openssh-6.6p1-redhat.patch
 #https://bugzilla.mindrot.org/show_bug.cgi?id=1890 (WONTFIX) need integration to prng helper which is discontinued :)
@@ -209,7 +209,8 @@ Patch914: openssh-6.6.1p1-servconf-parser.patch
 Patch915: openssh-6.6.1p1-ignore-SIGXFSZ-in-postauth.patch
 # privsep_preauth: use SELinux context from selinux-policy (#1008580)
 Patch916: openssh-6.6.1p1-selinux-contexts.patch
-
+# use different values for DH for Cisco servers (#1026430)
+Patch917: openssh-6.6.1p1-cisco-dh-keys.patch
 
 License: BSD
 Group: Applications/Internet
@@ -419,6 +420,7 @@ popd
 %patch914 -p1 -b .servconf
 %patch915 -p1 -b .SIGXFSZ
 %patch916 -p1 -b .contexts
+%patch917 -p1 -b .cisco-dh
 
 %patch200 -p1 -b .audit
 %patch700 -p1 -b .fips
@@ -732,6 +734,10 @@ getent passwd sshd >/dev/null || \
 %endif
 
 %changelog
+* Wed Dec 03 2014 Petr Lautrbach <plautrba@redhat.com> 6.6.1p1-9 + 0.9.3-3
+- the .local domain example should be in ssh_config, not in sshd_config
+- use different values for DH for Cisco servers (#1026430)
+
 * Thu Nov 13 2014 Petr Lautrbach <plautrba@redhat.com> 6.6.1p1-8 + 0.9.3-3
 - fix gsskex patch to correctly handle MONITOR_REQ_GSSSIGN request (#1118005)