author | Colin Watson <cjwatson@debian.org> | 2017-01-16 13:58:16 +0000 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2017-01-16 13:58:19 +0000 |
commit | d85ee41ea27ccceb97f1fb042f8efc94514e0948 (patch) | |
tree | 1407b12337b607c2191922f7729c18132b6438bd /debian/patches | |
parent | fb87db8aa47d3508be8e5bb1d21897fa1f2eca90 (diff) | |
parent | 79d4110c92f82de854b10b2d96df9daaaaeaec3a (diff) |
Remove ssh_host_dsa_key from HostKey default (closes: #850614).
Diffstat (limited to 'debian/patches')
-rw-r--r-- | debian/patches/no-dsa-host-key-by-default.patch | 83 | ||||
-rw-r--r-- | debian/patches/series | 1 |
2 files changed, 84 insertions, 0 deletions
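--- /dev/null
+++ b/debian/patches/no-dsa-host-key-by-default.patch
@@ -0,0 +1,83 @@
+From 79d4110c92f82de854b10b2d96df9daaaaeaec3a Mon Sep 17 00:00:00 2001
+From: Colin Watson <cjwatson@debian.org>
+Date: Mon, 16 Jan 2017 13:53:04 +0000
+Subject: Remove ssh_host_dsa_key from HostKey default
+
+The client no longer accepts DSA host keys, and servers using the
+default HostKey setting should have better host keys available.
+
+Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2662
+Bug-Debian: https://bugs.debian.org/850614
+Last-Update: 2017-01-16
+
+Patch-Name: no-dsa-host-key-by-default.patch
+---
+ servconf.c | 2 --
+ sshd.8 | 7 +++----
+ sshd_config | 1 -
+ sshd_config.5 | 7 +++----
+ 4 files changed, 6 insertions(+), 11 deletions(-)
+
+diff --git a/servconf.c b/servconf.c
+index 1cee3d6c..202c4506 100644
+--- a/servconf.c
++++ b/servconf.c
+@@ -204,8 +204,6 @@ fill_default_server_options(ServerOptions *options)
+ /* fill default hostkeys for protocols */
+ options->host_key_files[options->num_host_key_files++] =
+ _PATH_HOST_RSA_KEY_FILE;
+- options->host_key_files[options->num_host_key_files++] =
+- _PATH_HOST_DSA_KEY_FILE;
+ #ifdef OPENSSL_HAS_ECC
+ options->host_key_files[options->num_host_key_files++] =
+ _PATH_HOST_ECDSA_KEY_FILE;
+diff --git a/sshd.8 b/sshd.8
+index 38a72540..e8f1fde8 100644
+--- a/sshd.8
++++ b/sshd.8
+@@ -167,11 +167,10 @@ This option must be given if
+ is not run as root (as the normal
+ host key files are normally not readable by anyone but root).
+ The default is
+-.Pa /etc/ssh/ssh_host_dsa_key ,
+-.Pa /etc/ssh/ssh_host_ecdsa_key ,
+-.Pa /etc/ssh/ssh_host_ed25519_key
++.Pa /etc/ssh/ssh_host_rsa_key ,
++.Pa /etc/ssh/ssh_host_ecdsa_key
+ and
+-.Pa /etc/ssh/ssh_host_rsa_key .
++.Pa /etc/ssh/ssh_host_ed25519_key .
+ It is possible to have multiple host key files for
+ the different host key algorithms.
+ .It Fl i
+diff --git a/sshd_config b/sshd_config
+index 13cbe2c6..4aea6c72 100644
+--- a/sshd_config
++++ b/sshd_config
+@@ -16,7 +16,6 @@
+ #ListenAddress ::
+ 
+ #HostKey /etc/ssh/ssh_host_rsa_key
+-#HostKey /etc/ssh/ssh_host_dsa_key
+ #HostKey /etc/ssh/ssh_host_ecdsa_key
+ #HostKey /etc/ssh/ssh_host_ed25519_key
+ 
+diff --git a/sshd_config.5 b/sshd_config.5
+index 703a9cdd..8f8fbb66 100644
+--- a/sshd_config.5
++++ b/sshd_config.5
+@@ -733,11 +733,10 @@ is not to load any certificates.
+ Specifies a file containing a private host key
+ used by SSH.
+ The defaults are
+-.Pa /etc/ssh/ssh_host_dsa_key ,
+-.Pa /etc/ssh/ssh_host_ecdsa_key ,
+-.Pa /etc/ssh/ssh_host_ed25519_key
++.Pa /etc/ssh/ssh_host_rsa_key ,
++.Pa /etc/ssh/ssh_host_ecdsa_key
+ and
+-.Pa /etc/ssh/ssh_host_rsa_key .
++.Pa /etc/ssh/ssh_host_ed25519_key .
+ .Pp
+ Note that
+ .Xr sshd 8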
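Review bot: The patch description should state what this change does not do: the servconf.c hunk only drops `_PATH_HOST_DSA_KEY_FILE` from the compiled-in default in fill_default_server_options, so an existing sshd_config that names the DSA key explicitly, and any ssh_host_dsa_key file already on disk, are presumably left as they were — fill_default_server_options begins and ends outside the hunk, so the exact condition under which the defaults are filled is not visible here. Without that note an administrator may read "Remove ssh_host_dsa_key from HostKey default" as "DSA host keys are disabled after this upgrade" and stop checking their own configuration. Suggested addition to the description: `Only the built-in default list changes; an explicit "HostKey /etc/ssh/ssh_host_dsa_key" directive is still honoured, and existing DSA key files are not removed.` The same sentence belongs in the package changelog or NEWS entry for #850614 if one is written.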
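--- a/debian/patches/series
+++ b/debian/patches/series
@@ -28,3 +28,4 @@ regress-integrity-robust.patch
 regress-forwarding-race.patch
 regress-mktemp.patch
 sandbox-x32-workaround.patch
+no-dsa-host-key-by-default.patch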