Commit e02b04a0
authored 1 year ago by Rocky Automation

import imports/r9/openssh-8.7p1-34.3.el9_3.security.0.3

parent 155ac55b

Showing 2 changed files with 62 additions and 1 deletion:
SOURCES/openssh-8.7p1-rocky-no-gssapi.patch: 54 additions, 0 deletions
SPECS/openssh.spec: 8 additions, 1 deletion

SOURCES/openssh-8.7p1-rocky-no-gssapi.patch (0 → 100644, +54 −0)
diff -ur openssh-8.7p1-34.el9_3.3-tree.orig/readconf.c openssh-8.7p1-34.el9_3.3-tree/readconf.c
--- openssh-8.7p1-34.el9_3.3-tree.orig/readconf.c 2024-03-16 21:52:13.434915561 +0100
+++ openssh-8.7p1-34.el9_3.3-tree/readconf.c 2024-03-16 22:14:02.938740770 +0100
@@ -225,7 +225,8 @@
{ "gssapiclientidentity", oUnsupported },
{ "gssapiserveridentity", oUnsupported },
{ "gssapirenewalforcesrekey", oUnsupported },
- { "gssapikexalgorithms", oUnsupported },
+ /* Found in /etc/crypto-policies/back-ends/openssh.config, silently ignore */
+ { "gssapikexalgorithms", oIgnore },
#endif
#ifdef ENABLE_PKCS11
{ "pkcs11provider", oPKCS11Provider },
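Review bot: The comment added above the gssapikexalgorithms entry ties the change to /etc/crypto-policies/back-ends/openssh.config, but an oIgnore entry in this keyword table applies wherever the keyword appears, so a GSSAPIKexAlgorithms line in any client config is now silently ignored while the neighbouring gssapi* keywords stay oUnsupported. Reword the comment to state that scope, and wrap it, since the line runs past 80 columns.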
diff -ur openssh-8.7p1-34.el9_3.3-tree.orig/servconf.c openssh-8.7p1-34.el9_3.3-tree/servconf.c
--- openssh-8.7p1-34.el9_3.3-tree.orig/servconf.c 2024-03-16 21:52:13.435915524 +0100
+++ openssh-8.7p1-34.el9_3.3-tree/servconf.c 2024-03-16 22:13:18.963357857 +0100
@@ -640,7 +640,8 @@
{ "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
{ "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL },
{ "gssapistorecredentialsonrekey", sUnsupported, SSHCFG_GLOBAL },
- { "gssapikexalgorithms", sUnsupported, SSHCFG_GLOBAL },
+ /* Found in /etc/crypto-policies/back-ends/opensshserver.config, silently ignore */
+ { "gssapikexalgorithms", sIgnore, SSHCFG_GLOBAL },
{ "gssapienablek5users", sUnsupported, SSHCFG_ALL },
#endif
{ "gssusesessionccache", sUnsupported, SSHCFG_GLOBAL },
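Review bot: On the sIgnore line for gssapikexalgorithms, the entry directly above the hunk's change (gssapikeyexchange) and the ones around it remain sUnsupported, so the server table now treats one GSSAPI keyword differently from the rest with only a file path as explanation. Say in the comment that this keyword is exempted because it is the one the crypto-policies back-end file contains, so the asymmetry is not later "corrected" back to sUnsupported by mistake.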
diff -ur openssh-8.7p1-34.el9_3.3-tree.orig/ssh_config_redhat openssh-8.7p1-34.el9_3.3-tree/ssh_config_redhat
--- openssh-8.7p1-34.el9_3.3-tree.orig/ssh_config_redhat 2024-03-16 21:52:13.240922699 +0100
+++ openssh-8.7p1-34.el9_3.3-tree/ssh_config_redhat 2024-03-16 21:56:20.219834357 +0100
@@ -4,7 +4,8 @@
# Follow system-wide Crypto Policy, if defined:
Include /etc/crypto-policies/back-ends/openssh.config
- GSSAPIAuthentication yes
+# Kerberos/GSSAPI is supported in upstream EL, but unsupported in this build
+# GSSAPIAuthentication yes
# If this option is set to yes then remote X11 clients will have full access
# to the original X11 display. As virtually no X11 client supports the untrusted
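Review bot: The commented-out default is written as "# GSSAPIAuthentication yes" here but as "#GSSAPIAuthentication yes" in the sshd_config_redhat hunk of the same patch; pick one form so the client and server files read the same. The form without the space is the better choice, since it makes the line visibly a disabled directive rather than a prose comment like the one above it.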
diff -ur openssh-8.7p1-34.el9_3.3-tree.orig/sshd_config_redhat openssh-8.7p1-34.el9_3.3-tree/sshd_config_redhat
--- openssh-8.7p1-34.el9_3.3-tree.orig/sshd_config_redhat 2024-03-16 21:52:13.241922663 +0100
+++ openssh-8.7p1-34.el9_3.3-tree/sshd_config_redhat 2024-03-16 21:56:51.919667866 +0100
@@ -9,8 +9,9 @@
ChallengeResponseAuthentication no
-GSSAPIAuthentication yes
-GSSAPICleanupCredentials no
+# Kerberos/GSSAPI is supported in upstream EL, but unsupported in this build
+#GSSAPIAuthentication yes
+#GSSAPICleanupCredentials no
UsePAM yes
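Review bot: The new comment above the two commented-out directives says GSSAPI is unsupported in this build but gives an admin no hint about what to expect on uncommenting them. Add a short second line saying that these settings need a package built with Kerberos support, so the file explains itself without the changelog.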
SPECS/openssh.spec (+8 −1)
...
...
@@ -54,7 +54,7 @@
%global openssh_rel 34.3
%global pam_ssh_agent_ver 0.10.4
%global pam_ssh_agent_rel 5
%global security_rel 0.
2
%global security_rel 0.
3
Summary: An open source implementation of SSH protocol version 2
Name: openssh
...
...
@@ -289,6 +289,7 @@ Patch1018: openssh-9.6p1-CVE-2023-48795.patch
Patch1019: openssh-9.6p1-CVE-2023-51385.patch
Patch9000: openssh-8.7p1-rocky-systemd.patch
Patch9001: openssh-8.7p1-rocky-no-gssapi.patch
License: BSD
Requires: /sbin/nologin
...
...
@@ -513,6 +514,7 @@ popd
%patch1019 -p1 -b .cve-2023-51385
%patch9000 -p1 -b .rocky-systemd
%patch9001 -p1 -b .rocky-no-gssapi
autoreconf
pushd pam_ssh_agent_auth-pam_ssh_agent_auth-%{pam_ssh_agent_ver}
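Review bot: %patch9001 is applied unconditionally in the visible lines, yet the config half of that patch comments out GSSAPIAuthentication in both ssh_config_redhat and sshd_config_redhat, which is only right for a build without Kerberos. If this spec can still be built with Kerberos enabled, guard the patch with the same condition, or split the config change from the readconf.c/servconf.c change so the latter can stay unconditional.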
...
...
@@ -799,6 +801,11 @@ test -f %{sysconfig_anaconda} && \
%endif
%changelog
* Sat Mar 16 2024 Solar Designer <solar@openwall.com> 8.7p1-34.3.el9_3.security.0.3
- Comment out GSSAPI* lines in /etc/ssh/ssh*_config.d/50-redhat.conf and patch
the code to silently ignore GSSAPIKexAlgorithms when unsupported (like it is
in our new without-Kerberos build)
* Mon Mar 11 2024 Solar Designer <solar@openwall.com> 8.7p1-34.3.el9_3.security.0.2
- Rebase 8.7p1-34.el9_3.security.0.1 on 8.7p1-34.3
- Build without Kerberos support (shortens "ldd sshd" from 20 to 13 lines)
...
...