Merge remote-tracking branch 'origin/master' into f21
This commit is contained in:
commit
e3dc63b806
|
@ -1,14 +0,0 @@
|
|||
diff -up openssh-5.8p1/sshd_config.localdomain openssh-5.8p1/sshd_config
|
||||
--- openssh-5.8p1/sshd_config.localdomain 2011-04-22 11:37:49.273648812 +0200
|
||||
+++ openssh-5.8p1/sshd_config 2011-04-22 11:39:31.758648401 +0200
|
||||
@@ -130,6 +130,10 @@ X11Forwarding yes
|
||||
# override default of no subsystems
|
||||
Subsystem sftp /usr/libexec/sftp-server
|
||||
|
||||
+# Uncomment this if you want to use .local domain
|
||||
+#Host *.local
|
||||
+# CheckHostIP no
|
||||
+
|
||||
# Example of overriding settings on a per-user basis
|
||||
#Match User anoncvs
|
||||
# X11Forwarding no
|
|
@ -0,0 +1,70 @@
|
|||
diff --git a/compat.c b/compat.c
|
||||
index 2709dc5..7412a54 100644
|
||||
--- a/compat.c
|
||||
+++ b/compat.c
|
||||
@@ -167,6 +167,7 @@ compat_datafellows(const char *version)
|
||||
SSH_BUG_SCANNER },
|
||||
{ "Probe-*",
|
||||
SSH_BUG_PROBE },
|
||||
+ { "Cisco-*", SSH_BUG_MAX4096DH },
|
||||
{ NULL, 0 }
|
||||
};
|
||||
|
||||
diff --git a/compat.h b/compat.h
|
||||
index a6c3f3d..d8def7d 100644
|
||||
--- a/compat.h
|
||||
+++ b/compat.h
|
||||
@@ -60,6 +60,7 @@
|
||||
#define SSH_NEW_OPENSSH 0x04000000
|
||||
#define SSH_BUG_DYNAMIC_RPORT 0x08000000
|
||||
#define SSH_BUG_CURVE25519PAD 0x10000000
|
||||
+#define SSH_BUG_MAX4096DH 0x20000000
|
||||
|
||||
void enable_compat13(void);
|
||||
void enable_compat20(void);
|
||||
diff --git a/kexgexc.c b/kexgexc.c
|
||||
index 355b7ba..0a91bdd 100644
|
||||
--- a/kexgexc.c
|
||||
+++ b/kexgexc.c
|
||||
@@ -58,20 +58,37 @@ kexgex_client(Kex *kex)
|
||||
int min, max, nbits;
|
||||
DH *dh;
|
||||
|
||||
+ min = DH_GRP_MIN;
|
||||
+ max = DH_GRP_MAX;
|
||||
+
|
||||
+ /* Servers with MAX4096DH need a preferred size (nbits) <= 4096.
|
||||
+ * We need to also ensure that min < nbits < max */
|
||||
+
|
||||
+ if (datafellows & SSH_BUG_MAX4096DH) {
|
||||
+ /* The largest min for these servers is 4096 */
|
||||
+ min = MIN(min, 4096);
|
||||
+ }
|
||||
+
|
||||
nbits = dh_estimate(kex->dh_need * 8);
|
||||
+ nbits = MIN(nbits, max);
|
||||
+ nbits = MAX(nbits, min);
|
||||
+
|
||||
+ if (datafellows & SSH_BUG_MAX4096DH) {
|
||||
+ /* Cannot have a nbits > 4096 for these servers */
|
||||
+ nbits = MIN(nbits, 4096);
|
||||
+ /* nbits has to be powers of two */
|
||||
+ if (nbits == 3072)
|
||||
+ nbits = 4096;
|
||||
+ }
|
||||
|
||||
if (datafellows & SSH_OLD_DHGEX) {
|
||||
/* Old GEX request */
|
||||
packet_start(SSH2_MSG_KEX_DH_GEX_REQUEST_OLD);
|
||||
packet_put_int(nbits);
|
||||
- min = DH_GRP_MIN;
|
||||
- max = DH_GRP_MAX;
|
||||
|
||||
debug("SSH2_MSG_KEX_DH_GEX_REQUEST_OLD(%u) sent", nbits);
|
||||
} else {
|
||||
/* New GEX request */
|
||||
- min = DH_GRP_MIN;
|
||||
- max = DH_GRP_MAX;
|
||||
packet_start(SSH2_MSG_KEX_DH_GEX_REQUEST);
|
||||
packet_put_int(min);
|
||||
packet_put_int(nbits);
|
|
@ -0,0 +1,12 @@
|
|||
diff --git a/ssh_config b/ssh_config
|
||||
index 03a228f..49a4f6c 100644
|
||||
--- a/ssh_config
|
||||
+++ b/ssh_config
|
||||
@@ -46,3 +46,7 @@
|
||||
# VisualHostKey no
|
||||
# ProxyCommand ssh -q -W %h:%p gateway.example.com
|
||||
# RekeyLimit 1G 1h
|
||||
+#
|
||||
+# Uncomment this if you want to use .local domain
|
||||
+# Host *.local
|
||||
+# CheckHostIP no
|
|
@ -325,22 +325,15 @@ index 355b7ba..427e11f 100644
|
|||
#include <sys/types.h>
|
||||
|
||||
#include <openssl/dh.h>
|
||||
@@ -64,13 +66,13 @@ kexgex_client(Kex *kex)
|
||||
/* Old GEX request */
|
||||
packet_start(SSH2_MSG_KEX_DH_GEX_REQUEST_OLD);
|
||||
packet_put_int(nbits);
|
||||
@@ -58,7 +60,7 @@ kexgex_client(Kex *kex)
|
||||
int min, max, nbits;
|
||||
DH *dh;
|
||||
|
||||
- min = DH_GRP_MIN;
|
||||
+ min = FIPS_mode() ? DH_GRP_MIN_FIPS : DH_GRP_MIN;
|
||||
max = DH_GRP_MAX;
|
||||
|
||||
debug("SSH2_MSG_KEX_DH_GEX_REQUEST_OLD(%u) sent", nbits);
|
||||
} else {
|
||||
/* New GEX request */
|
||||
- min = DH_GRP_MIN;
|
||||
+ min = FIPS_mode() ? DH_GRP_MIN_FIPS : DH_GRP_MIN;
|
||||
max = DH_GRP_MAX;
|
||||
packet_start(SSH2_MSG_KEX_DH_GEX_REQUEST);
|
||||
packet_put_int(min);
|
||||
/* Servers with MAX4096DH need a preferred size (nbits) <= 4096.
|
||||
diff --git a/kexgexs.c b/kexgexs.c
|
||||
index 770ad28..9d4fc6d 100644
|
||||
--- a/kexgexs.c
|
||||
|
|
|
@ -1,11 +1,12 @@
|
|||
diff --git a/ssh_config b/ssh_config
|
||||
index 03a228f..6d1abaf 100644
|
||||
index 49a4f6c..3f83c40 100644
|
||||
--- a/ssh_config
|
||||
+++ b/ssh_config
|
||||
@@ -46,3 +46,14 @@
|
||||
# VisualHostKey no
|
||||
# ProxyCommand ssh -q -W %h:%p gateway.example.com
|
||||
# RekeyLimit 1G 1h
|
||||
@@ -50,3 +50,15 @@
|
||||
# Uncomment this if you want to use .local domain
|
||||
# Host *.local
|
||||
# CheckHostIP no
|
||||
+
|
||||
+Host *
|
||||
+ GSSAPIAuthentication yes
|
||||
+# If this option is set to yes then remote X11 clients will have full access
|
||||
|
|
12
openssh.spec
12
openssh.spec
|
@ -64,7 +64,7 @@
|
|||
|
||||
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
|
||||
%define openssh_ver 6.6.1p1
|
||||
%define openssh_rel 8
|
||||
%define openssh_rel 9
|
||||
%define pam_ssh_agent_ver 0.9.3
|
||||
%define pam_ssh_agent_rel 3
|
||||
|
||||
|
@ -152,7 +152,7 @@ Patch703: openssh-4.3p2-askpass-grab-info.patch
|
|||
#?
|
||||
Patch705: openssh-5.1p1-scp-manpage.patch
|
||||
#?
|
||||
Patch706: openssh-5.8p1-localdomain.patch
|
||||
Patch706: openssh-6.6.1p1-localdomain.patch
|
||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=1635 (WONTFIX)
|
||||
Patch707: openssh-6.6p1-redhat.patch
|
||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=1890 (WONTFIX) need integration to prng helper which is discontinued :)
|
||||
|
@ -209,7 +209,8 @@ Patch914: openssh-6.6.1p1-servconf-parser.patch
|
|||
Patch915: openssh-6.6.1p1-ignore-SIGXFSZ-in-postauth.patch
|
||||
# privsep_preauth: use SELinux context from selinux-policy (#1008580)
|
||||
Patch916: openssh-6.6.1p1-selinux-contexts.patch
|
||||
|
||||
# use different values for DH for Cisco servers (#1026430)
|
||||
Patch917: openssh-6.6.1p1-cisco-dh-keys.patch
|
||||
|
||||
License: BSD
|
||||
Group: Applications/Internet
|
||||
|
@ -419,6 +420,7 @@ popd
|
|||
%patch914 -p1 -b .servconf
|
||||
%patch915 -p1 -b .SIGXFSZ
|
||||
%patch916 -p1 -b .contexts
|
||||
%patch917 -p1 -b .cisco-dh
|
||||
|
||||
%patch200 -p1 -b .audit
|
||||
%patch700 -p1 -b .fips
|
||||
|
@ -732,6 +734,10 @@ getent passwd sshd >/dev/null || \
|
|||
%endif
|
||||
|
||||
%changelog
|
||||
* Wed Dec 03 2014 Petr Lautrbach <plautrba@redhat.com> 6.6.1p1-9 + 0.9.3-3
|
||||
- the .local domain example should be in ssh_config, not in sshd_config
|
||||
- use different values for DH for Cisco servers (#1026430)
|
||||
|
||||
* Thu Nov 13 2014 Petr Lautrbach <plautrba@redhat.com> 6.6.1p1-8 + 0.9.3-3
|
||||
- fix gsskex patch to correctly handle MONITOR_REQ_GSSSIGN request (#1118005)
|
||||
|
||||
|
|
Loading…
Reference in New Issue