Commit Graph

1067 Commits

Author SHA1 Message Date
Jakub Jelen
f726e51d86 Use OpenSSL KDF
Resolves: rhbz#1631761
2019-05-14 13:35:14 +02:00
Jakub Jelen
751cd9acc7 Use OpenSSL high-level API to produce and verify signatures
Resolves: rhbz#1707485
2019-05-14 13:32:04 +02:00
Jakub Jelen
6caa973459 Mention crypto-policies in the manual pages instead of the hardcoded defaults
Resolves: rhbz#1668325
2019-05-13 14:22:21 +02:00
Jakub Jelen
4feb6a973f Verify SCP vulnerabilities are fixed in the package testsuite 2019-05-10 14:34:35 +02:00
Jakub Jelen
b33caef080 Drop unused patch 2019-05-07 13:45:34 +02:00
Jakub Jelen
f660e11adc FIPS: Do not fail if FIPS-unsupported algorithm is provided in configuration or on command line
This effectively allows to use some previously denied algorithms
in FIPS mode, but they are not enabled in default hardcoded configuration
and disabled by FIPS crypto policy.

Additionally, there is no guarantee they will work in underlying OpenSSL.

Resolves: rhbz#1625318
2019-05-07 11:57:30 +02:00
Jakub Jelen
ec02bb9685 tests: Make sure the user gets removed after the test 2019-04-29 15:16:44 +02:00
Jakub Jelen
def1debf2e openssh-8.0p1-1 + 0.10.3-7
Resolves rhbz#1701072
2019-04-29 14:12:13 +02:00
Jakub Jelen
f51d092120 Remove unused parts of spec file 2019-03-27 13:20:32 +01:00
Jakub Jelen
cb35953bec The FIPS_mode() is in different header file 2019-03-21 17:02:28 +01:00
Jakub Jelen
91aa3d4921 openssh-7.9p1-5 + 0.10.3.6 2019-03-12 15:16:35 +01:00
Jakub Jelen
81a703d751 Do not allow negotiation of unknown primes with DG GEX in FIPS mode 2019-03-12 15:16:35 +01:00
Jakub Jelen
c53a1d4e90 Ignore PKCS#11 label if no key is found with it (#1671262) 2019-03-12 15:16:35 +01:00
Jakub Jelen
c694548168 Do not segfault when multiple pkcs11 providers is specified 2019-03-12 15:16:35 +01:00
Jakub Jelen
3339efd12d Do not fallback to sshd_net_t SELinux context 2019-03-12 15:16:35 +01:00
Jakub Jelen
586cf149b5 Reformat SELinux patch 2019-03-11 17:17:49 +01:00
Jakub Jelen
1341391c78 Update cached passwd structure after PAM authentication 2019-03-11 17:17:49 +01:00
Jakub Jelen
3722267e80 Make sure the kerberos cleanup procedures are properly invoked 2019-03-11 17:17:49 +01:00
Jakub Jelen
ae07017120 Use correct function name in the debug log 2019-03-01 11:33:25 +01:00
Jakub Jelen
7295e97cd1 openssh-7.9p1-4 + 0.10.3.6 2019-02-06 17:19:52 +01:00
Jakub Jelen
d711f557f7 Log when a client requests an interactive session and only sftp is allowed 2019-02-06 17:18:30 +01:00
Jakub Jelen
e8524ac3f4 ssh-copy-id: Minor issues found by shellcheck 2019-02-06 17:18:30 +01:00
Jakub Jelen
8622e384ef ssh-copy-id: Do not fail in case remote system is out of space 2019-02-06 17:18:30 +01:00
Jakub Jelen
ffb1787c07 Enclose redhat specific configuration with Match final block
This allows users to specify options in user configuration files overwriting
the defaults we propose without ovewriting them in the shipped configuration
file and without opting out from the crypto policy altogether.

Resolves: rhbz#1438326 rhbz#1630166
2019-02-06 17:18:30 +01:00
Fedora Release Engineering
4e5f61c2a0 - Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2019-02-01 17:32:05 +00:00
Igor Gnatenko
7c726e0a13 Remove obsolete Group tag
References: https://fedoraproject.org/wiki/Changes/Remove_Group_Tag
2019-01-28 20:24:24 +01:00
Björn Esser
018ac8d1d9
Rebuilt for libcrypt.so.2 (#1666033) 2019-01-14 19:11:16 +01:00
Jakub Jelen
311908c042 openssh-7.9p1-3 + 0.10.3-6 2019-01-14 15:39:08 +01:00
Jakub Jelen
1b0cc8ff3b Correctly initialize ECDSA key structures from PKCS#11 2019-01-14 15:39:08 +01:00
Jakub Jelen
ba99e00fe8 tests: Do not expect /var/log/secure to be there 2019-01-14 15:39:08 +01:00
Jakub Jelen
40d2a04909 CVE-2018-20685 (#1665786) 2019-01-14 11:05:35 +01:00
Jakub Jelen
322896958a Backport several fixes from 7_9 branch (#1665611) 2019-01-14 11:05:35 +01:00
Jakub Jelen
661c7c0582 gsskex: Dump correct option 2018-11-26 12:50:16 +01:00
Jakub Jelen
d6cc5f4740 Backport Match final so the crypto-policies do not break canonicalization (#1630166) 2018-11-26 10:16:35 +01:00
Jakub Jelen
a4c0a26cd4 openssh-7.9p1-2 + 0.10.3-6 2018-11-14 09:57:17 +01:00
Jakub Jelen
57e280d1f4 Allow to disable RSA signatures with SHA-1 2018-11-14 09:54:54 +01:00
Jakub Jelen
3ae9c1b0c1 Dump missing GSS options from client configuration 2018-11-14 09:44:48 +01:00
Jakub Jelen
03264b16f7 Reference the correct file in configuration file (#1643274) 2018-10-26 14:03:00 +02:00
Jakub Jelen
0b6cc18df0 Avoid segfault on kerberos authentication failure 2018-10-26 14:03:00 +02:00
Mattias Ellert
be6a344dcd Fix LDAP configure test (#1642414) 2018-10-26 14:03:00 +02:00
Jakub Jelen
9f2c8b948c openssh-7.9p1-1 + 0.10.3-6 2018-10-19 11:46:02 +02:00
Jakub Jelen
e8876f1b1f Honor GSSAPIServerIdentity for GSSAPI Key Exchange (#1637167) 2018-10-19 11:41:34 +02:00
Jakub Jelen
6666c19414 Do not break gssapi-kex authentication method 2018-10-19 11:41:34 +02:00
Jakub Jelen
eaa7af2e41 rebase patches to openssh-7.9p1 2018-10-19 11:41:07 +02:00
Jakub Jelen
8089081fa9 Improve the naming of the new kerberos configuration option 2018-10-19 10:19:42 +02:00
Jakub Jelen
6c9d993869 Follow the system-wide PATH settings
https://fedoraproject.org/wiki/Features/SbinSanity
2018-10-03 11:00:12 +02:00
Jakub Jelen
f3715e62da auth-krb5: Avoid memory leaks and unread assignments 2018-09-25 16:34:19 +02:00
Jakub Jelen
97ee52c0a3 openssh-7.8p1-3 + 0.10.3-5 2018-09-24 15:25:57 +02:00
Jakub Jelen
8ebb9915a3 Cleanup specfile comments 2018-09-24 15:25:40 +02:00
Jakub Jelen
84d3ff9306 Do not let OpenSSH control our hardening flags 2018-09-21 17:22:35 +02:00