Merge remote-tracking branch 'origin/master' into f21
e3dc63b806
@ -1,14 +0,0 @@
diff -up openssh-5.8p1/sshd_config.localdomain openssh-5.8p1/sshd_config
--- openssh-5.8p1/sshd_config.localdomain 2011-04-22 11:37:49.273648812 +0200
+++ openssh-5.8p1/sshd_config 2011-04-22 11:39:31.758648401 +0200
@@ -130,6 +130,10 @@ X11Forwarding yes
# override default of no subsystems
Subsystem sftp /usr/libexec/sftp-server
+# Uncomment this if you want to use .local domain
+#Host *.local
+# CheckHostIP no
+
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
@ -0,0 +1,70 @@
diff --git a/compat.c b/compat.c
index 2709dc5..7412a54 100644
--- a/compat.c
+++ b/compat.c
@@ -167,6 +167,7 @@ compat_datafellows(const char *version)
SSH_BUG_SCANNER },
{ "Probe-*",
SSH_BUG_PROBE },
+ { "Cisco-*", SSH_BUG_MAX4096DH },
{ NULL, 0 }
};
diff --git a/compat.h b/compat.h
index a6c3f3d..d8def7d 100644
--- a/compat.h
+++ b/compat.h
@@ -60,6 +60,7 @@
#define SSH_NEW_OPENSSH 0x04000000
#define SSH_BUG_DYNAMIC_RPORT 0x08000000
#define SSH_BUG_CURVE25519PAD 0x10000000
+#define SSH_BUG_MAX4096DH 0x20000000
void enable_compat13(void);
void enable_compat20(void);
diff --git a/kexgexc.c b/kexgexc.c
index 355b7ba..0a91bdd 100644
--- a/kexgexc.c
+++ b/kexgexc.c
@@ -58,20 +58,37 @@ kexgex_client(Kex *kex)
int min, max, nbits;
DH *dh;
+ min = DH_GRP_MIN;
+ max = DH_GRP_MAX;
+
+ /* Servers with MAX4096DH need a preferred size (nbits) <= 4096.
+ * We need to also ensure that min < nbits < max */
+
+ if (datafellows & SSH_BUG_MAX4096DH) {
+ /* The largest min for these servers is 4096 */
+ min = MIN(min, 4096);
+ }
+
nbits = dh_estimate(kex->dh_need * 8);
+ nbits = MIN(nbits, max);
+ nbits = MAX(nbits, min);
+
+ if (datafellows & SSH_BUG_MAX4096DH) {
+ /* Cannot have a nbits > 4096 for these servers */
+ nbits = MIN(nbits, 4096);
+ /* nbits has to be powers of two */
+ if (nbits == 3072)
+ nbits = 4096;
+ }
if (datafellows & SSH_OLD_DHGEX) {
/* Old GEX request */
packet_start(SSH2_MSG_KEX_DH_GEX_REQUEST_OLD);
packet_put_int(nbits);
- min = DH_GRP_MIN;
- max = DH_GRP_MAX;
debug("SSH2_MSG_KEX_DH_GEX_REQUEST_OLD(%u) sent", nbits);
} else {
/* New GEX request */
- min = DH_GRP_MIN;
- max = DH_GRP_MAX;
packet_start(SSH2_MSG_KEX_DH_GEX_REQUEST);
packet_put_int(min);
packet_put_int(nbits);
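Review bot: The comment at the top of the added block promises `min < nbits < max`, but the clamps below it (`nbits = MIN(nbits, max);` then `nbits = MAX(nbits, min);`) enforce the inclusive range, and the later cap to 4096 is applied to nbits only while the `max` sent in the new-style request stays at DH_GRP_MAX; the comment should describe what the code does, e.g. `/* Clamp the preferred size into [min, max]; for SSH_BUG_MAX4096DH peers additionally cap nbits at 4096, leaving the advertised max unchanged. */`. Because the flag is set from the peer's version banner (the "Cisco-*" entry in the compat.c hunk of this patch), a matching banner lowers the group size this client prefers from whatever dh_estimate() returned to at most 4096 — a bounded downgrade worth recording both here and at the SSH_BUG_MAX4096DH definition in compat.h. The literal 4096 appears three times and the "powers of two" comment only covers the 3072 case, so one named constant beside DH_GRP_MIN/DH_GRP_MAX would make the intent checkable. kexgex_client's body continues past the end of the hunk.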
@ -0,0 +1,12 @@
diff --git a/ssh_config b/ssh_config
index 03a228f..49a4f6c 100644
--- a/ssh_config
+++ b/ssh_config
@@ -46,3 +46,7 @@
# VisualHostKey no
# ProxyCommand ssh -q -W %h:%p gateway.example.com
# RekeyLimit 1G 1h
+#
+# Uncomment this if you want to use .local domain
+# Host *.local
+# CheckHostIP no
@ -325,22 +325,15 @@ index 355b7ba..427e11f 100644
#include <sys/types.h>
#include <sys/types.h>
#include <openssl/dh.h>
#include <openssl/dh.h>
@@ -64,13 +66,13 @@ kexgex_client(Kex *kex)
@@ -58,7 +60,7 @@ kexgex_client(Kex *kex)
/* Old GEX request */
int min, max, nbits;
packet_start(SSH2_MSG_KEX_DH_GEX_REQUEST_OLD);
DH *dh;
packet_put_int(nbits);
- min = DH_GRP_MIN;
+ min = FIPS_mode() ? DH_GRP_MIN_FIPS : DH_GRP_MIN;
max = DH_GRP_MAX;
debug("SSH2_MSG_KEX_DH_GEX_REQUEST_OLD(%u) sent", nbits);
- min = DH_GRP_MIN;
} else {
+ min = FIPS_mode() ? DH_GRP_MIN_FIPS : DH_GRP_MIN;
/* New GEX request */
max = DH_GRP_MAX;
- min = DH_GRP_MIN;
+ min = FIPS_mode() ? DH_GRP_MIN_FIPS : DH_GRP_MIN;
/* Servers with MAX4096DH need a preferred size (nbits) <= 4096.
max = DH_GRP_MAX;
packet_start(SSH2_MSG_KEX_DH_GEX_REQUEST);
packet_put_int(min);
diff --git a/kexgexs.c b/kexgexs.c
diff --git a/kexgexs.c b/kexgexs.c
index 770ad28..9d4fc6d 100644
index 770ad28..9d4fc6d 100644
--- a/kexgexs.c
--- a/kexgexs.c
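Review bot: In the rebased hunk the FIPS floor `min = FIPS_mode() ? DH_GRP_MIN_FIPS : DH_GRP_MIN;` is now assigned before the SSH_BUG_MAX4096DH block (visible as the `/* Servers with MAX4096DH ...` context line), whose `min = MIN(min, 4096)` can lower that floor for matching peers; whether that is acceptable depends on the value of DH_GRP_MIN_FIPS, which is not shown here. A comment at the assignment stating the intended precedence would make the interaction explicit, e.g. `/* FIPS minimum; the MAX4096DH block below may cap it at 4096 for affected peers */`. The rendered section interleaves old and new lines, so the exact placement is inferred, and kexgex_client's body extends beyond the hunk in both directions.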
@ -1,11 +1,12 @@
diff --git a/ssh_config b/ssh_config
diff --git a/ssh_config b/ssh_config
index 03a228f..6d1abaf 100644
index 49a4f6c..3f83c40 100644
--- a/ssh_config
--- a/ssh_config
+++ b/ssh_config
+++ b/ssh_config
@@ -46,3 +46,14 @@
@@ -50,3 +50,15 @@
# VisualHostKey no
# Uncomment this if you want to use .local domain
# ProxyCommand ssh -q -W %h:%p gateway.example.com
# Host *.local
# RekeyLimit 1G 1h
# CheckHostIP no
+
+Host *
+Host *
+ GSSAPIAuthentication yes
+ GSSAPIAuthentication yes
+# If this option is set to yes then remote X11 clients will have full access
+# If this option is set to yes then remote X11 clients will have full access
12
openssh.spec
12
openssh.spec
@ -64,7 +64,7 @@
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
%define openssh_ver 6.6.1p1
%define openssh_ver 6.6.1p1
%define openssh_rel 8
%define openssh_rel 9
%define pam_ssh_agent_ver 0.9.3
%define pam_ssh_agent_ver 0.9.3
%define pam_ssh_agent_rel 3
%define pam_ssh_agent_rel 3
@ -152,7 +152,7 @@ Patch703: openssh-4.3p2-askpass-grab-info.patch
#?
#?
Patch705: openssh-5.1p1-scp-manpage.patch
Patch705: openssh-5.1p1-scp-manpage.patch
#?
#?
Patch706: openssh-5.8p1-localdomain.patch
Patch706: openssh-6.6.1p1-localdomain.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1635 (WONTFIX)
#https://bugzilla.mindrot.org/show_bug.cgi?id=1635 (WONTFIX)
Patch707: openssh-6.6p1-redhat.patch
Patch707: openssh-6.6p1-redhat.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1890 (WONTFIX) need integration to prng helper which is discontinued :)
#https://bugzilla.mindrot.org/show_bug.cgi?id=1890 (WONTFIX) need integration to prng helper which is discontinued :)
@ -209,7 +209,8 @@ Patch914: openssh-6.6.1p1-servconf-parser.patch
Patch915: openssh-6.6.1p1-ignore-SIGXFSZ-in-postauth.patch
Patch915: openssh-6.6.1p1-ignore-SIGXFSZ-in-postauth.patch
# privsep_preauth: use SELinux context from selinux-policy (#1008580)
# privsep_preauth: use SELinux context from selinux-policy (#1008580)
Patch916: openssh-6.6.1p1-selinux-contexts.patch
Patch916: openssh-6.6.1p1-selinux-contexts.patch
# use different values for DH for Cisco servers (#1026430)
Patch917: openssh-6.6.1p1-cisco-dh-keys.patch
License: BSD
License: BSD
Group: Applications/Internet
Group: Applications/Internet
@ -419,6 +420,7 @@ popd
%patch914 -p1 -b .servconf
%patch914 -p1 -b .servconf
%patch915 -p1 -b .SIGXFSZ
%patch915 -p1 -b .SIGXFSZ
%patch916 -p1 -b .contexts
%patch916 -p1 -b .contexts
%patch917 -p1 -b .cisco-dh
%patch200 -p1 -b .audit
%patch200 -p1 -b .audit
%patch700 -p1 -b .fips
%patch700 -p1 -b .fips
@ -732,6 +734,10 @@ getent passwd sshd >/dev/null || \
%endif
%endif
%changelog
%changelog
* Wed Dec 03 2014 Petr Lautrbach <plautrba@redhat.com> 6.6.1p1-9 + 0.9.3-3
- the .local domain example should be in ssh_config, not in sshd_config
- use different values for DH for Cisco servers (#1026430)
* Thu Nov 13 2014 Petr Lautrbach <plautrba@redhat.com> 6.6.1p1-8 + 0.9.3-3
* Thu Nov 13 2014 Petr Lautrbach <plautrba@redhat.com> 6.6.1p1-8 + 0.9.3-3
- fix gsskex patch to correctly handle MONITOR_REQ_GSSSIGN request (#1118005)
- fix gsskex patch to correctly handle MONITOR_REQ_GSSSIGN request (#1118005)