authorEelco Dolstra <eelco.dolstra@logicblox.com>2016-04-01 15:52:59 +0200
committerEelco Dolstra <eelco.dolstra@logicblox.com>2016-04-01 15:54:52 +0200
commit3fb170842736c9c3c10cd53675f98aa3912bf6ad (patch)
tree73863bc5263a6d446b669cb991360545b9da3bf4 /pkgs/tools
parent882d0b35b8392b516e5cd42b9292f245ef693a6c (diff)
ssh: Fix support for ssh-dss host keys
Diffstat (limited to 'pkgs/tools')
-rw-r--r--pkgs/tools/networking/openssh/default.nix4
-rw-r--r--pkgs/tools/networking/openssh/fix-host-key-algorithms-plus.patch52
2 files changed, 55 insertions, 1 deletions
diff --git a/pkgs/tools/networking/openssh/default.nix b/pkgs/tools/networking/openssh/default.nix
index 957d5e715e78..19b96fdc8dd5 100644
--- a/pkgs/tools/networking/openssh/default.nix
+++ b/pkgs/tools/networking/openssh/default.nix
@@ -41,7 +41,9 @@ stdenv.mkDerivation rec {
     '';
 
   patches =
-    [ ./locale_archive.patch ]
+    [ ./locale_archive.patch
+      ./fix-host-key-algorithms-plus.patch
+    ]
     ++ optional withGssapiPatches gssapiSrc;
 
   buildInputs = [ zlib openssl libedit pkgconfig pam ]
diff --git a/pkgs/tools/networking/openssh/fix-host-key-algorithms-plus.patch b/pkgs/tools/networking/openssh/fix-host-key-algorithms-plus.patch
new file mode 100644
index 000000000000..02846e9bdad2
--- /dev/null
+++ b/pkgs/tools/networking/openssh/fix-host-key-algorithms-plus.patch
@@ -0,0 +1,52 @@
+Specifying "HostKeyAlgorithms +ssh-dds" does not work properly because
+setting any value for HostKeyAlgorithms causes the known host keys to
+be ignored for the purpose of determining the priority of algorithms.
+This was fixed upstream for HostKeyAlgorithms in sshd_config, but not
+in ssh_config. The fix is to apply order_hostkeyalgs() if the user
+specifies a HostKeyAlgorithms starting with "+".
+
+diff -ru -x '*~' openssh-7.2p2-orig/sshconnect2.c openssh-7.2p2/sshconnect2.c
+--- openssh-7.2p2-orig/sshconnect2.c	2016-03-09 19:04:48.000000000 +0100
++++ openssh-7.2p2/sshconnect2.c	2016-04-01 15:39:45.140945902 +0200
+@@ -100,7 +100,7 @@
+ }
+ 
+ static char *
+-order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port)
++order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port, char *algs)
+ {
+ 	char *oavail, *avail, *first, *last, *alg, *hostname, *ret;
+ 	size_t maxlen;
+@@ -116,7 +116,7 @@
+ 	for (i = 0; i < options.num_system_hostfiles; i++)
+ 		load_hostkeys(hostkeys, hostname, options.system_hostfiles[i]);
+ 
+-	oavail = avail = xstrdup(KEX_DEFAULT_PK_ALG);
++	oavail = avail = xstrdup(algs);
+ 	maxlen = strlen(avail) + 1;
+ 	first = xmalloc(maxlen);
+ 	last = xmalloc(maxlen);
+@@ -181,18 +181,21 @@
+ 	myproposal[PROPOSAL_MAC_ALGS_CTOS] =
+ 	    myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
+ 	if (options.hostkeyalgorithms != NULL) {
++		int append = options.hostkeyalgorithms[0] == '+';
+ 		if (kex_assemble_names(KEX_DEFAULT_PK_ALG,
+ 		    &options.hostkeyalgorithms) != 0)
+ 			fatal("%s: kex_assemble_namelist", __func__);
+ 		myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
+-		    compat_pkalg_proposal(options.hostkeyalgorithms);
++		    compat_pkalg_proposal(append
++			? order_hostkeyalgs(host, hostaddr, port, options.hostkeyalgorithms)
++			: options.hostkeyalgorithms);
+ 	} else {
+ 		/* Enforce default */
+ 		options.hostkeyalgorithms = xstrdup(KEX_DEFAULT_PK_ALG);
+ 		/* Prefer algorithms that we already have keys for */
+ 		myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
+ 		    compat_pkalg_proposal(
+-		    order_hostkeyalgs(host, hostaddr, port));
++		    order_hostkeyalgs(host, hostaddr, port, KEX_DEFAULT_PK_ALG));
+ 	}
+ 
+ 	if (options.rekey_limit || options.rekey_interval)
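Review bot: The patch header's example `"HostKeyAlgorithms +ssh-dds"` names an algorithm that does not exist; the commit title and the rest of the page use `ssh-dss`, so the header should read `"HostKeyAlgorithms +ssh-dss"` to avoid sending the next reader looking for the wrong identifier. The new `int append = options.hostkeyalgorithms[0] == '+';` line in the sshconnect2.c hunk also deserves a why-comment, since the reason it is read before kex_assemble_names() rewrites the string is not obvious, for example `/* "+list" extends the defaults; keep the known-host ordering the default path applies */`. The enclosing function of that hunk, and the rest of order_hostkeyalgs() after the new `algs` parameter is consumed, start and end outside the quoted hunks, so whether the string returned by order_hostkeyalgs() in the new "+" branch is released the same way as in the else branch could not be checked from this page.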