rcolebaugh / rpms / openssh

Forked from rpms/openssh 2 years ago
Clone

Blame SOURCES/openssh-8.0p1-crypto-policies.patch

943807
diff -up openssh-8.6p1/ssh_config.5.crypto-policies openssh-8.6p1/ssh_config.5
943807
--- openssh-8.6p1/ssh_config.5.crypto-policies	2021-04-19 15:18:32.071920379 +0200
943807
+++ openssh-8.6p1/ssh_config.5	2021-04-19 15:21:18.400179265 +0200
943807
@@ -368,15 +368,13 @@ or
943807
 .Qq *.c.example.com
943807
 domains.
943807
 .It Cm CASignatureAlgorithms
943807
+The default is handled system-wide by
943807
+.Xr crypto-policies 7 .
943807
+To see the defaults and how to modify this default, see manual page
943807
+.Xr update-crypto-policies 8 .
943807
+.Pp
943807
 Specifies which algorithms are allowed for signing of certificates
943807
 by certificate authorities (CAs).
943807
-The default is:
943807
-.Bd -literal -offset indent
943807
-ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
943807
-sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,
943807
-rsa-sha2-512,rsa-sha2-256
943807
-.Ed
943807
-.Pp
943807
 .Xr ssh 1
943807
 will not accept host certificates signed using algorithms other than those
943807
 specified.
943807
@@ -436,20 +434,25 @@ If the option is set to
943807
 (the default),
943807
 the check will not be executed.
943807
 .It Cm Ciphers
943807
+The default is handled system-wide by
943807
+.Xr crypto-policies 7 .
943807
+To see the defaults and how to modify this default, see manual page
943807
+.Xr update-crypto-policies 8 .
943807
+.Pp
943807
 Specifies the ciphers allowed and their order of preference.
943807
 Multiple ciphers must be comma-separated.
943807
 If the specified list begins with a
943807
 .Sq +
943807
-character, then the specified ciphers will be appended to the default set
943807
-instead of replacing them.
943807
+character, then the specified ciphers will be appended to the built-in
943807
+openssh default set instead of replacing them.
943807
 If the specified list begins with a
943807
 .Sq -
943807
 character, then the specified ciphers (including wildcards) will be removed
943807
-from the default set instead of replacing them.
943807
+from the built-in openssh default set instead of replacing them.
943807
 If the specified list begins with a
943807
 .Sq ^
943807
 character, then the specified ciphers will be placed at the head of the
943807
-default set.
943807
+built-in openssh default set.
943807
 .Pp
943807
 The supported ciphers are:
943807
 .Bd -literal -offset indent
943807
@@ -465,13 +468,6 @@ aes256-gcm@openssh.com
943807
 chacha20-poly1305@openssh.com
943807
 .Ed
943807
 .Pp
943807
-The default is:
943807
-.Bd -literal -offset indent
943807
-chacha20-poly1305@openssh.com,
943807
-aes128-ctr,aes192-ctr,aes256-ctr,
943807
-aes128-gcm@openssh.com,aes256-gcm@openssh.com
943807
-.Ed
943807
-.Pp
943807
 The list of available ciphers may also be obtained using
943807
 .Qq ssh -Q cipher .
943807
 .It Cm ClearAllForwardings
943807
@@ -826,6 +822,11 @@ command line will be passed untouched to
943807
 The default is
943807
 .Dq no .
943807
 .It Cm GSSAPIKexAlgorithms
943807
+The default is handled system-wide by
943807
+.Xr crypto-policies 7 .
943807
+To see the defaults and how to modify this default, see manual page
943807
+.Xr update-crypto-policies 8 .
943807
+.Pp
943807
 The list of key exchange algorithms that are offered for GSSAPI
943807
 key exchange. Possible values are
943807
 .Bd -literal -offset 3n
943807
@@ -838,10 +839,8 @@ gss-nistp256-sha256-,
943807
 gss-curve25519-sha256-
943807
 .Ed
943807
 .Pp
943807
-The default is
943807
-.Dq gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-,
943807
-gss-curve25519-sha256-,gss-group14-sha1-,gss-gex-sha1- .
943807
 This option only applies to connections using GSSAPI.
943807
+.Pp
943807
 .It Cm HashKnownHosts
943807
 Indicates that
943807
 .Xr ssh 1
943807
@@ -1169,29 +1168,25 @@ it may be zero or more of:
943807
 and
943807
 .Cm pam .
943807
 .It Cm KexAlgorithms
943807
+The default is handled system-wide by
943807
+.Xr crypto-policies 7 .
943807
+To see the defaults and how to modify this default, see manual page
943807
+.Xr update-crypto-policies 8 .
943807
+.Pp
943807
 Specifies the available KEX (Key Exchange) algorithms.
943807
 Multiple algorithms must be comma-separated.
943807
 If the specified list begins with a
943807
 .Sq +
943807
-character, then the specified methods will be appended to the default set
943807
-instead of replacing them.
943807
+character, then the specified methods will be appended to the built-in
943807
+openssh default set instead of replacing them.
943807
 If the specified list begins with a
943807
 .Sq -
943807
 character, then the specified methods (including wildcards) will be removed
943807
-from the default set instead of replacing them.
943807
+from the built-in openssh default set instead of replacing them.
943807
 If the specified list begins with a
943807
 .Sq ^
943807
 character, then the specified methods will be placed at the head of the
943807
-default set.
943807
-The default is:
943807
-.Bd -literal -offset indent
943807
-curve25519-sha256,curve25519-sha256@libssh.org,
943807
-ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
943807
-diffie-hellman-group-exchange-sha256,
943807
-diffie-hellman-group16-sha512,
943807
-diffie-hellman-group18-sha512,
943807
-diffie-hellman-group14-sha256
943807
-.Ed
943807
+built-in openssh default set.
943807
 .Pp
943807
 The list of available key exchange algorithms may also be obtained using
943807
 .Qq ssh -Q kex .
943807
@@ -1301,37 +1296,33 @@ function, and all code in the
943807
 file.
943807
 This option is intended for debugging and no overrides are enabled by default.
943807
 .It Cm MACs
943807
+The default is handled system-wide by
943807
+.Xr crypto-policies 7 .
943807
+To see the defaults and how to modify this default, see manual page
943807
+.Xr update-crypto-policies 8 .
943807
+.Pp
943807
 Specifies the MAC (message authentication code) algorithms
943807
 in order of preference.
943807
 The MAC algorithm is used for data integrity protection.
943807
 Multiple algorithms must be comma-separated.
943807
 If the specified list begins with a
943807
 .Sq +
943807
-character, then the specified algorithms will be appended to the default set
943807
-instead of replacing them.
943807
+character, then the specified algorithms will be appended to the built-in
943807
+openssh default set instead of replacing them.
943807
 If the specified list begins with a
943807
 .Sq -
943807
 character, then the specified algorithms (including wildcards) will be removed
943807
-from the default set instead of replacing them.
943807
+from the built-in openssh default set instead of replacing them.
943807
 If the specified list begins with a
943807
 .Sq ^
943807
 character, then the specified algorithms will be placed at the head of the
943807
-default set.
943807
+built-in openssh default set.
943807
 .Pp
943807
 The algorithms that contain
943807
 .Qq -etm
943807
 calculate the MAC after encryption (encrypt-then-mac).
943807
 These are considered safer and their use recommended.
943807
 .Pp
943807
-The default is:
943807
-.Bd -literal -offset indent
943807
-umac-64-etm@openssh.com,umac-128-etm@openssh.com,
943807
-hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
943807
-hmac-sha1-etm@openssh.com,
943807
-umac-64@openssh.com,umac-128@openssh.com,
943807
-hmac-sha2-256,hmac-sha2-512,hmac-sha1
943807
-.Ed
943807
-.Pp
943807
 The list of available MAC algorithms may also be obtained using
943807
 .Qq ssh -Q mac .
943807
 .It Cm NoHostAuthenticationForLocalhost
943807
@@ -1503,37 +1494,25 @@ instead of continuing to execute and pas
943807
 The default is
943807
 .Cm no .
943807
 .It Cm PubkeyAcceptedAlgorithms
943807
+The default is handled system-wide by
943807
+.Xr crypto-policies 7 .
943807
+To see the defaults and how to modify this default, see manual page
943807
+.Xr update-crypto-policies 8 .
943807
+.Pp
943807
 Specifies the signature algorithms that will be used for public key
943807
 authentication as a comma-separated list of patterns.
943807
 If the specified list begins with a
943807
 .Sq +
943807
-character, then the algorithms after it will be appended to the default
943807
-instead of replacing it.
943807
+character, then the algorithms after it will be appended to the built-in
943807
+openssh default instead of replacing it.
943807
 If the specified list begins with a
943807
 .Sq -
943807
 character, then the specified algorithms (including wildcards) will be removed
943807
-from the default set instead of replacing them.
943807
+from the built-in openssh default set instead of replacing them.
943807
 If the specified list begins with a
943807
 .Sq ^
943807
 character, then the specified algorithms will be placed at the head of the
943807
-default set.
943807
-The default for this option is:
943807
-.Bd -literal -offset 3n
943807
-ssh-ed25519-cert-v01@openssh.com,
943807
-ecdsa-sha2-nistp256-cert-v01@openssh.com,
943807
-ecdsa-sha2-nistp384-cert-v01@openssh.com,
943807
-ecdsa-sha2-nistp521-cert-v01@openssh.com,
943807
-sk-ssh-ed25519-cert-v01@openssh.com,
943807
-sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
943807
-rsa-sha2-512-cert-v01@openssh.com,
943807
-rsa-sha2-256-cert-v01@openssh.com,
943807
-ssh-rsa-cert-v01@openssh.com,
943807
-ssh-ed25519,
943807
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
943807
-sk-ssh-ed25519@openssh.com,
943807
-sk-ecdsa-sha2-nistp256@openssh.com,
943807
-rsa-sha2-512,rsa-sha2-256,ssh-rsa
943807
-.Ed
943807
+built-in openssh default set.
943807
 .Pp
943807
 The list of available signature algorithms may also be obtained using
943807
 .Qq ssh -Q PubkeyAcceptedAlgorithms .
943807
diff -up openssh-8.6p1/sshd_config.5.crypto-policies openssh-8.6p1/sshd_config.5
943807
--- openssh-8.6p1/sshd_config.5.crypto-policies	2021-04-19 15:18:32.062920311 +0200
943807
+++ openssh-8.6p1/sshd_config.5	2021-04-19 15:20:42.591908243 +0200
943807
@@ -373,15 +373,13 @@ If the argument is
943807
 then no banner is displayed.
943807
 By default, no banner is displayed.
943807
 .It Cm CASignatureAlgorithms
943807
+The default is handled system-wide by
943807
+.Xr crypto-policies 7 .
943807
+To see the defaults and how to modify this default, see manual page
943807
+.Xr update-crypto-policies 8 .
943807
+.Pp
943807
 Specifies which algorithms are allowed for signing of certificates
943807
 by certificate authorities (CAs).
943807
-The default is:
943807
-.Bd -literal -offset indent
943807
-ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
943807
-sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,
943807
-rsa-sha2-512,rsa-sha2-256
943807
-.Ed
943807
-.Pp
943807
 Certificates signed using other algorithms will not be accepted for
943807
 public key or host-based authentication.
943807
 .It Cm ChallengeResponseAuthentication
943807
@@ -445,20 +443,25 @@ The default is
943807
 indicating not to
943807
 .Xr chroot 2 .
943807
 .It Cm Ciphers
943807
+The default is handled system-wide by
943807
+.Xr crypto-policies 7 .
943807
+To see the defaults and how to modify this default, see manual page
943807
+.Xr update-crypto-policies 8 .
943807
+.Pp
943807
 Specifies the ciphers allowed.
943807
 Multiple ciphers must be comma-separated.
943807
 If the specified list begins with a
943807
 .Sq +
943807
-character, then the specified ciphers will be appended to the default set
943807
-instead of replacing them.
943807
+character, then the specified ciphers will be appended to the built-in
943807
+openssh default set instead of replacing them.
943807
 If the specified list begins with a
943807
 .Sq -
943807
 character, then the specified ciphers (including wildcards) will be removed
943807
-from the default set instead of replacing them.
943807
+from the built-in openssh default set instead of replacing them.
943807
 If the specified list begins with a
943807
 .Sq ^
943807
 character, then the specified ciphers will be placed at the head of the
943807
-default set.
943807
+built-in openssh default set.
943807
 .Pp
943807
 The supported ciphers are:
943807
 .Pp
943807
@@ -485,13 +488,6 @@ aes256-gcm@openssh.com
943807
 chacha20-poly1305@openssh.com
943807
 .El
943807
 .Pp
943807
-The default is:
943807
-.Bd -literal -offset indent
943807
-chacha20-poly1305@openssh.com,
943807
-aes128-ctr,aes192-ctr,aes256-ctr,
943807
-aes128-gcm@openssh.com,aes256-gcm@openssh.com
943807
-.Ed
943807
-.Pp
943807
 The list of available ciphers may also be obtained using
943807
 .Qq ssh -Q cipher .
943807
 .It Cm ClientAliveCountMax
943807
@@ -680,21 +676,22 @@ For this to work
943807
 .Cm GSSAPIKeyExchange
943807
 needs to be enabled in the server and also used by the client.
943807
 .It Cm GSSAPIKexAlgorithms
943807
+The default is handled system-wide by
943807
+.Xr crypto-policies 7 .
943807
+To see the defaults and how to modify this default, see manual page
943807
+.Xr update-crypto-policies 8 .
943807
+.Pp
943807
 The list of key exchange algorithms that are accepted by GSSAPI
943807
 key exchange. Possible values are
943807
 .Bd -literal -offset 3n
943807
-gss-gex-sha1-,
943807
-gss-group1-sha1-,
943807
-gss-group14-sha1-,
943807
-gss-group14-sha256-,
943807
-gss-group16-sha512-,
943807
-gss-nistp256-sha256-,
943807
+gss-gex-sha1-
943807
+gss-group1-sha1-
943807
+gss-group14-sha1-
943807
+gss-group14-sha256-
943807
+gss-group16-sha512-
943807
+gss-nistp256-sha256-
943807
 gss-curve25519-sha256-
943807
 .Ed
943807
-.Pp
943807
-The default is
943807
-.Dq gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-,
943807
-gss-curve25519-sha256-,gss-group14-sha1-,gss-gex-sha1- .
943807
 This option only applies to connections using GSSAPI.
943807
 .It Cm HostbasedAcceptedAlgorithms
943807
 Specifies the signature algorithms that will be accepted for hostbased
943807
@@ -794,26 +791,13 @@ is specified, the location of the socket
943807
 .Ev SSH_AUTH_SOCK
943807
 environment variable.
943807
 .It Cm HostKeyAlgorithms
943807
+The default is handled system-wide by
943807
+.Xr crypto-policies 7 .
943807
+To see the defaults and how to modify this default, see manual page
943807
+.Xr update-crypto-policies 8 .
943807
+.Pp
943807
 Specifies the host key signature algorithms
943807
 that the server offers.
943807
-The default for this option is:
943807
-.Bd -literal -offset 3n
943807
-ssh-ed25519-cert-v01@openssh.com,
943807
-ecdsa-sha2-nistp256-cert-v01@openssh.com,
943807
-ecdsa-sha2-nistp384-cert-v01@openssh.com,
943807
-ecdsa-sha2-nistp521-cert-v01@openssh.com,
943807
-sk-ssh-ed25519-cert-v01@openssh.com,
943807
-sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
943807
-rsa-sha2-512-cert-v01@openssh.com,
943807
-rsa-sha2-256-cert-v01@openssh.com,
943807
-ssh-rsa-cert-v01@openssh.com,
943807
-ssh-ed25519,
943807
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
943807
-sk-ssh-ed25519@openssh.com,
943807
-sk-ecdsa-sha2-nistp256@openssh.com,
943807
-rsa-sha2-512,rsa-sha2-256,ssh-rsa
943807
-.Ed
943807
-.Pp
943807
 The list of available signature algorithms may also be obtained using
943807
 .Qq ssh -Q HostKeyAlgorithms .
943807
 .It Cm IgnoreRhosts
943807
@@ -958,20 +942,25 @@ Specifies whether to look at .k5login fi
943807
 The default is
943807
 .Cm yes .
943807
 .It Cm KexAlgorithms
943807
+The default is handled system-wide by
943807
+.Xr crypto-policies 7 .
943807
+To see the defaults and how to modify this default, see manual page
943807
+.Xr update-crypto-policies 8 .
943807
+.Pp
943807
 Specifies the available KEX (Key Exchange) algorithms.
943807
 Multiple algorithms must be comma-separated.
943807
 Alternately if the specified list begins with a
943807
 .Sq +
943807
-character, then the specified methods will be appended to the default set
943807
-instead of replacing them.
943807
+character, then the specified methods will be appended to the built-in
943807
+openssh default set instead of replacing them.
943807
 If the specified list begins with a
943807
 .Sq -
943807
 character, then the specified methods (including wildcards) will be removed
943807
-from the default set instead of replacing them.
943807
+from the built-in openssh default set instead of replacing them.
943807
 If the specified list begins with a
943807
 .Sq ^
943807
 character, then the specified methods will be placed at the head of the
943807
-default set.
943807
+built-in openssh default set.
943807
 The supported algorithms are:
943807
 .Pp
943807
 .Bl -item -compact -offset indent
943807
@@ -1003,15 +992,6 @@ ecdh-sha2-nistp521
943807
 sntrup761x25519-sha512@openssh.com
943807
 .El
943807
 .Pp
943807
-The default is:
943807
-.Bd -literal -offset indent
943807
-curve25519-sha256,curve25519-sha256@libssh.org,
943807
-ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
943807
-diffie-hellman-group-exchange-sha256,
943807
-diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,
943807
-diffie-hellman-group14-sha256
943807
-.Ed
943807
-.Pp
943807
 The list of available key exchange algorithms may also be obtained using
943807
 .Qq ssh -Q KexAlgorithms .
943807
 .It Cm ListenAddress
943807
@@ -1097,21 +1077,26 @@ function, and all code in the
943807
 file.
943807
 This option is intended for debugging and no overrides are enabled by default.
943807
 .It Cm MACs
943807
+The default is handled system-wide by
943807
+.Xr crypto-policies 7 .
943807
+To see the defaults and how to modify this default, see manual page
943807
+.Xr update-crypto-policies 8 .
943807
+.Pp
943807
 Specifies the available MAC (message authentication code) algorithms.
943807
 The MAC algorithm is used for data integrity protection.
943807
 Multiple algorithms must be comma-separated.
943807
 If the specified list begins with a
943807
 .Sq +
943807
-character, then the specified algorithms will be appended to the default set
943807
-instead of replacing them.
943807
+character, then the specified algorithms will be appended to the built-in
943807
+openssh default set instead of replacing them.
943807
 If the specified list begins with a
943807
 .Sq -
943807
 character, then the specified algorithms (including wildcards) will be removed
943807
-from the default set instead of replacing them.
943807
+from the built-in openssh default set instead of replacing them.
943807
 If the specified list begins with a
943807
 .Sq ^
943807
 character, then the specified algorithms will be placed at the head of the
943807
-default set.
943807
+built-in openssh default set.
943807
 .Pp
943807
 The algorithms that contain
943807
 .Qq -etm
943807
@@ -1154,15 +1139,6 @@ umac-64-etm@openssh.com
943807
 umac-128-etm@openssh.com
943807
 .El
943807
 .Pp
943807
-The default is:
943807
-.Bd -literal -offset indent
943807
-umac-64-etm@openssh.com,umac-128-etm@openssh.com,
943807
-hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
943807
-hmac-sha1-etm@openssh.com,
943807
-umac-64@openssh.com,umac-128@openssh.com,
943807
-hmac-sha2-256,hmac-sha2-512,hmac-sha1
943807
-.Ed
943807
-.Pp
943807
 The list of available MAC algorithms may also be obtained using
943807
 .Qq ssh -Q mac .
943807
 .It Cm Match
943807
@@ -1541,37 +1517,25 @@ or equivalent.)
943807
 The default is
943807
 .Cm yes .
943807
 .It Cm PubkeyAcceptedAlgorithms
943807
+The default is handled system-wide by
943807
+.Xr crypto-policies 7 .
943807
+To see the defaults and how to modify this default, see manual page
943807
+.Xr update-crypto-policies 8 .
943807
+.Pp
943807
 Specifies the signature algorithms that will be accepted for public key
943807
 authentication as a list of comma-separated patterns.
943807
 Alternately if the specified list begins with a
943807
 .Sq +
943807
-character, then the specified algorithms will be appended to the default set
943807
-instead of replacing them.
943807
+character, then the specified algorithms will be appended to the built-in
943807
+openssh default set instead of replacing them.
943807
 If the specified list begins with a
943807
 .Sq -
943807
 character, then the specified algorithms (including wildcards) will be removed
943807
-from the default set instead of replacing them.
943807
+from the built-in openssh default set instead of replacing them.
943807
 If the specified list begins with a
943807
 .Sq ^
943807
 character, then the specified algorithms will be placed at the head of the
943807
-default set.
943807
-The default for this option is:
943807
-.Bd -literal -offset 3n
943807
-ssh-ed25519-cert-v01@openssh.com,
943807
-ecdsa-sha2-nistp256-cert-v01@openssh.com,
943807
-ecdsa-sha2-nistp384-cert-v01@openssh.com,
943807
-ecdsa-sha2-nistp521-cert-v01@openssh.com,
943807
-sk-ssh-ed25519-cert-v01@openssh.com,
943807
-sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
943807
-rsa-sha2-512-cert-v01@openssh.com,
943807
-rsa-sha2-256-cert-v01@openssh.com,
943807
-ssh-rsa-cert-v01@openssh.com,
943807
-ssh-ed25519,
943807
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
943807
-sk-ssh-ed25519@openssh.com,
943807
-sk-ecdsa-sha2-nistp256@openssh.com,
943807
-rsa-sha2-512,rsa-sha2-256,ssh-rsa
943807
-.Ed
943807
+built-in openssh default set.
943807
 .Pp
943807
 The list of available signature algorithms may also be obtained using
943807
 .Qq ssh -Q PubkeyAcceptedAlgorithms .