public/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

ssh: Fix support for ssh-dss host keys

Browse Source
This commit is contained in:
Eelco Dolstra 2016-04-01 15:52:59 +02:00
parent 882d0b35b8
commit 3fb1708427
3 changed files with 56 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
nixos/modules/programs/ssh.nix
View File

@ -189,6 +189,7 @@ in
# Allow DSA keys for now. (These were deprecated in OpenSSH 7.0.) # Allow DSA keys for now. (These were deprecated in OpenSSH 7.0.)
PubkeyAcceptedKeyTypes +ssh-dss PubkeyAcceptedKeyTypes +ssh-dss
HostKeyAlgorithms +ssh-dss
${cfg.extraConfig} ${cfg.extraConfig}
''; '';

4
pkgs/tools/networking/openssh/default.nix
View File

@ -41,7 +41,9 @@ stdenv.mkDerivation rec {
''; '';
patches = patches =
[ ./locale_archive.patch ] [ ./locale_archive.patch
./fix-host-key-algorithms-plus.patch
]
++ optional withGssapiPatches gssapiSrc; ++ optional withGssapiPatches gssapiSrc;
buildInputs = [ zlib openssl libedit pkgconfig pam ] buildInputs = [ zlib openssl libedit pkgconfig pam ]

52
pkgs/tools/networking/openssh/fix-host-key-algorithms-plus.patch Normal file
View File

@ -0,0 +1,52 @@
Specifying "HostKeyAlgorithms +ssh-dds" does not work properly because
setting any value for HostKeyAlgorithms causes the known host keys to
be ignored for the purpose of determining the priority of algorithms.
This was fixed upstream for HostKeyAlgorithms in sshd_config, but not
in ssh_config. The fix is to apply order_hostkeyalgs() if the user
specifies a HostKeyAlgorithms starting with "+".
diff -ru -x '*~' openssh-7.2p2-orig/sshconnect2.c openssh-7.2p2/sshconnect2.c
--- openssh-7.2p2-orig/sshconnect2.c 2016-03-09 19:04:48.000000000 +0100
+++ openssh-7.2p2/sshconnect2.c 2016-04-01 15:39:45.140945902 +0200
@@ -100,7 +100,7 @@
}
static char *
-order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port)
+order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port, char *algs)
{
char *oavail, *avail, *first, *last, *alg, *hostname, *ret;
size_t maxlen;
@@ -116,7 +116,7 @@
for (i = 0; i < options.num_system_hostfiles; i++)
load_hostkeys(hostkeys, hostname, options.system_hostfiles[i]);
- oavail = avail = xstrdup(KEX_DEFAULT_PK_ALG);
+ oavail = avail = xstrdup(algs);
maxlen = strlen(avail) + 1;
first = xmalloc(maxlen);
last = xmalloc(maxlen);
@@ -181,18 +181,21 @@
myproposal[PROPOSAL_MAC_ALGS_CTOS] =
myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
if (options.hostkeyalgorithms != NULL) {
+ int append = options.hostkeyalgorithms[0] == '+';
if (kex_assemble_names(KEX_DEFAULT_PK_ALG,
&options.hostkeyalgorithms) != 0)
fatal("%s: kex_assemble_namelist", __func__);
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
- compat_pkalg_proposal(options.hostkeyalgorithms);
+ compat_pkalg_proposal(append
+ ? order_hostkeyalgs(host, hostaddr, port, options.hostkeyalgorithms)
+ : options.hostkeyalgorithms);
} else {
/* Enforce default */
options.hostkeyalgorithms = xstrdup(KEX_DEFAULT_PK_ALG);
/* Prefer algorithms that we already have keys for */
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
compat_pkalg_proposal(
- order_hostkeyalgs(host, hostaddr, port));
+ order_hostkeyalgs(host, hostaddr, port, KEX_DEFAULT_PK_ALG));
}
if (options.rekey_limit || options.rekey_interval)