ssh: Fix support for ssh-dss host keys
Eelco Dolstra
10 years ago
3fb17084
882d0b35
+56
-1
3 changed files
nixos
modules
programs
ssh.nix
pkgs
tools
networking
openssh
default.nix
fix-host-key-algorithms-plus.patch
+1
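--- a/nixos/modules/programs/ssh.nix
+++ b/nixos/modules/programs/ssh.nix
@@ -189,6 +189,7 @@
 
 # Allow DSA keys for now. (These were deprecated in OpenSSH 7.0.)
 PubkeyAcceptedKeyTypes +ssh-dss
+HostKeyAlgorithms +ssh-dss
 
 ${cfg.extraConfig}
 '';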
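Review bot: The added `HostKeyAlgorithms +ssh-dss` line only keeps known_hosts-based ordering because of the sshconnect2.c patch added to the openssh package in the same commit, and nothing in ssh.nix records that coupling; per that patch's own description, an unpatched client treats any HostKeyAlgorithms value as discarding the known-host priority. I would widen the existing comment to `# Allow DSA keys for now, for user keys and host keys. (These were deprecated in OpenSSH 7.0.)` and add `# HostKeyAlgorithms "+" relies on fix-host-key-algorithms-plus.patch in pkgs/tools/networking/openssh.` so that dropping the patch on an upgrade is noticed here. The enclosing config string starts outside the section.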
+3
-1
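--- a/pkgs/tools/networking/openssh/default.nix
+++ b/pkgs/tools/networking/openssh/default.nix
@@ -41,7 +41,9 @@
 '';
 
 patches =
-[ ./locale_archive.patch ]
+[ ./locale_archive.patch
+./fix-host-key-algorithms-plus.patch
+]
 ++ optional withGssapiPatches gssapiSrc;
 
 buildInputs = [ zlib openssl libedit pkgconfig pam ]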
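Review bot: The new `./fix-host-key-algorithms-plus.patch` entry gives no hint that it is version-specific: the patch's own headers are written against openssh-7.2p2 and it changes host-key ordering logic in sshconnect2.c, so a later upgrade on which it still applies cleanly could nonetheless leave the ordering behaviour different from what the NixOS module assumes. A one-line comment beside the entry, `# Restores known_hosts ordering for "HostKeyAlgorithms +..."; written against 7.2p2, re-check on upgrade`, would make that visible at the point where versions are bumped. The `patches` attribute is fully within the section.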
+52
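--- /dev/null
+++ b/pkgs/tools/networking/openssh/fix-host-key-algorithms-plus.patch
@@ -0,0 +1,52 @@
+Specifying "HostKeyAlgorithms +ssh-dds" does not work properly because
+setting any value for HostKeyAlgorithms causes the known host keys to
+be ignored for the purpose of determining the priority of algorithms.
+This was fixed upstream for HostKeyAlgorithms in sshd_config, but not
+in ssh_config. The fix is to apply order_hostkeyalgs() if the user
+specifies a HostKeyAlgorithms starting with "+".
+
+diff -ru -x '*~' openssh-7.2p2-orig/sshconnect2.c openssh-7.2p2/sshconnect2.c
+--- openssh-7.2p2-orig/sshconnect2.c 2016-03-09 19:04:48.000000000 +0100
++++ openssh-7.2p2/sshconnect2.c 2016-04-01 15:39:45.140945902 +0200
+@@ -100,7 +100,7 @@
+}
+
+static char *
+-order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port)
++order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port, char *algs)
+{
+char *oavail, *avail, *first, *last, *alg, *hostname, *ret;
+size_t maxlen;
+@@ -116,7 +116,7 @@
+for (i = 0; i < options.num_system_hostfiles; i++)
+load_hostkeys(hostkeys, hostname, options.system_hostfiles[i]);
+
+- oavail = avail = xstrdup(KEX_DEFAULT_PK_ALG);
++ oavail = avail = xstrdup(algs);
+maxlen = strlen(avail) + 1;
+first = xmalloc(maxlen);
+last = xmalloc(maxlen);
+@@ -181,18 +181,21 @@
+myproposal[PROPOSAL_MAC_ALGS_CTOS] =
+myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
+if (options.hostkeyalgorithms != NULL) {
++ int append = options.hostkeyalgorithms[0] == '+';
+if (kex_assemble_names(KEX_DEFAULT_PK_ALG,
+&options.hostkeyalgorithms) != 0)
+fatal("%s: kex_assemble_namelist", __func__);
+myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
+- compat_pkalg_proposal(options.hostkeyalgorithms);
++ compat_pkalg_proposal(append
++ ? order_hostkeyalgs(host, hostaddr, port, options.hostkeyalgorithms)
++ : options.hostkeyalgorithms);
+} else {
+/* Enforce default */
+options.hostkeyalgorithms = xstrdup(KEX_DEFAULT_PK_ALG);
+/* Prefer algorithms that we already have keys for */
+myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
+compat_pkalg_proposal(
+- order_hostkeyalgs(host, hostaddr, port));
++ order_hostkeyalgs(host, hostaddr, port, KEX_DEFAULT_PK_ALG));
+}
+
+if (options.rekey_limit || options.rekey_interval)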
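Review bot: The description's first line quotes `"HostKeyAlgorithms +ssh-dds"`, which should read `+ssh-dss` to match the algorithm name actually used in ssh.nix; as written, the patch header misnames the very option it fixes. In the `@@ -181` hunk, `int append = options.hostkeyalgorithms[0] == '+';` silently depends on being evaluated before `kex_assemble_names()` replaces `options.hostkeyalgorithms` with the expanded list, so a comment such as `/* record the '+' before kex_assemble_names() rewrites the string */` would protect that ordering from a later reshuffle. The behaviour being restored is a defensive one, as the surviving upstream comment "Prefer algorithms that we already have keys for" shows: ordering the proposal by known_hosts keeps the client preferring a host-key type it already trusts rather than one it has never seen, and the header would be stronger for saying why that matters, not only that sshd_config already has it. The hunks are excerpts of sshconnect2.c, so both enclosing functions start and end outside them.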