diff options
Diffstat (limited to 'pkgs/tools/networking/openssh/fix-host-key-algorithms-plus.patch')
-rw-r--r-- | pkgs/tools/networking/openssh/fix-host-key-algorithms-plus.patch | 52 |
1 files changed, 52 insertions, 0 deletions
diff --git a/pkgs/tools/networking/openssh/fix-host-key-algorithms-plus.patch b/pkgs/tools/networking/openssh/fix-host-key-algorithms-plus.patch new file mode 100644 index 000000000000..02846e9bdad2 --- /dev/null +++ b/pkgs/tools/networking/openssh/fix-host-key-algorithms-plus.patch @@ -0,0 +1,52 @@ +Specifying "HostKeyAlgorithms +ssh-dds" does not work properly because +setting any value for HostKeyAlgorithms causes the known host keys to +be ignored for the purpose of determining the priority of algorithms. +This was fixed upstream for HostKeyAlgorithms in sshd_config, but not +in ssh_config. The fix is to apply order_hostkeyalgs() if the user +specifies a HostKeyAlgorithms starting with "+". + +diff -ru -x '*~' openssh-7.2p2-orig/sshconnect2.c openssh-7.2p2/sshconnect2.c +--- openssh-7.2p2-orig/sshconnect2.c 2016-03-09 19:04:48.000000000 +0100 ++++ openssh-7.2p2/sshconnect2.c 2016-04-01 15:39:45.140945902 +0200 +@@ -100,7 +100,7 @@ + } + + static char * +-order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port) ++order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port, char *algs) + { + char *oavail, *avail, *first, *last, *alg, *hostname, *ret; + size_t maxlen; +@@ -116,7 +116,7 @@ + for (i = 0; i < options.num_system_hostfiles; i++) + load_hostkeys(hostkeys, hostname, options.system_hostfiles[i]); + +- oavail = avail = xstrdup(KEX_DEFAULT_PK_ALG); ++ oavail = avail = xstrdup(algs); + maxlen = strlen(avail) + 1; + first = xmalloc(maxlen); + last = xmalloc(maxlen); +@@ -181,18 +181,21 @@ + myproposal[PROPOSAL_MAC_ALGS_CTOS] = + myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs; + if (options.hostkeyalgorithms != NULL) { ++ int append = options.hostkeyalgorithms[0] == '+'; + if (kex_assemble_names(KEX_DEFAULT_PK_ALG, + &options.hostkeyalgorithms) != 0) + fatal("%s: kex_assemble_namelist", __func__); + myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = +- compat_pkalg_proposal(options.hostkeyalgorithms); ++ compat_pkalg_proposal(append ++ ? order_hostkeyalgs(host, hostaddr, port, options.hostkeyalgorithms) ++ : options.hostkeyalgorithms); + } else { + /* Enforce default */ + options.hostkeyalgorithms = xstrdup(KEX_DEFAULT_PK_ALG); + /* Prefer algorithms that we already have keys for */ + myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = + compat_pkalg_proposal( +- order_hostkeyalgs(host, hostaddr, port)); ++ order_hostkeyalgs(host, hostaddr, port, KEX_DEFAULT_PK_ALG)); + } + + if (options.rekey_limit || options.rekey_interval) |