authorColin Watson <cjwatson@debian.org>2017-01-16 13:58:16 +0000
committerColin Watson <cjwatson@debian.org>2017-01-16 13:58:19 +0000
commitd85ee41ea27ccceb97f1fb042f8efc94514e0948 (patch)
tree1407b12337b607c2191922f7729c18132b6438bd /debian/patches
parentfb87db8aa47d3508be8e5bb1d21897fa1f2eca90 (diff)
parent79d4110c92f82de854b10b2d96df9daaaaeaec3a (diff)
Remove ssh_host_dsa_key from HostKey default (closes: #850614).
Diffstat (limited to 'debian/patches')
-rw-r--r--debian/patches/no-dsa-host-key-by-default.patch83
-rw-r--r--debian/patches/series1
2 files changed, 84 insertions, 0 deletions
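--- /dev/null
+++ b/debian/patches/no-dsa-host-key-by-default.patch
@@ -0,0 +1,83 @@
+From 79d4110c92f82de854b10b2d96df9daaaaeaec3a Mon Sep 17 00:00:00 2001
+From: Colin Watson <cjwatson@debian.org>
+Date: Mon, 16 Jan 2017 13:53:04 +0000
+Subject: Remove ssh_host_dsa_key from HostKey default
+
+The client no longer accepts DSA host keys, and servers using the
+default HostKey setting should have better host keys available.
+
+Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2662
+Bug-Debian: https://bugs.debian.org/850614
+Last-Update: 2017-01-16
+
+Patch-Name: no-dsa-host-key-by-default.patch
+---
+ servconf.c | 2 --
+ sshd.8 | 7 +++----
+ sshd_config | 1 -
+ sshd_config.5 | 7 +++----
+ 4 files changed, 6 insertions(+), 11 deletions(-)
+
+diff --git a/servconf.c b/servconf.c
+index 1cee3d6c..202c4506 100644
+--- a/servconf.c
++++ b/servconf.c
+@@ -204,8 +204,6 @@ fill_default_server_options(ServerOptions *options)
+ /* fill default hostkeys for protocols */
+ options->host_key_files[options->num_host_key_files++] =
+ _PATH_HOST_RSA_KEY_FILE;
+- options->host_key_files[options->num_host_key_files++] =
+- _PATH_HOST_DSA_KEY_FILE;
+ #ifdef OPENSSL_HAS_ECC
+ options->host_key_files[options->num_host_key_files++] =
+ _PATH_HOST_ECDSA_KEY_FILE;
+diff --git a/sshd.8 b/sshd.8
+index 38a72540..e8f1fde8 100644
+--- a/sshd.8
++++ b/sshd.8
+@@ -167,11 +167,10 @@ This option must be given if
+ is not run as root (as the normal
+ host key files are normally not readable by anyone but root).
+ The default is
+-.Pa /etc/ssh/ssh_host_dsa_key ,
+-.Pa /etc/ssh/ssh_host_ecdsa_key ,
+-.Pa /etc/ssh/ssh_host_ed25519_key
++.Pa /etc/ssh/ssh_host_rsa_key ,
++.Pa /etc/ssh/ssh_host_ecdsa_key
+ and
+-.Pa /etc/ssh/ssh_host_rsa_key .
++.Pa /etc/ssh/ssh_host_ed25519_key .
+ It is possible to have multiple host key files for
+ the different host key algorithms.
+ .It Fl i
+diff --git a/sshd_config b/sshd_config
+index 13cbe2c6..4aea6c72 100644
+--- a/sshd_config
++++ b/sshd_config
+@@ -16,7 +16,6 @@
+ #ListenAddress ::
+
+ #HostKey /etc/ssh/ssh_host_rsa_key
+-#HostKey /etc/ssh/ssh_host_dsa_key
+ #HostKey /etc/ssh/ssh_host_ecdsa_key
+ #HostKey /etc/ssh/ssh_host_ed25519_key
+
+diff --git a/sshd_config.5 b/sshd_config.5
+index 703a9cdd..8f8fbb66 100644
+--- a/sshd_config.5
++++ b/sshd_config.5
+@@ -733,11 +733,10 @@ is not to load any certificates.
+ Specifies a file containing a private host key
+ used by SSH.
+ The defaults are
+-.Pa /etc/ssh/ssh_host_dsa_key ,
+-.Pa /etc/ssh/ssh_host_ecdsa_key ,
+-.Pa /etc/ssh/ssh_host_ed25519_key
++.Pa /etc/ssh/ssh_host_rsa_key ,
++.Pa /etc/ssh/ssh_host_ecdsa_key
+ and
+-.Pa /etc/ssh/ssh_host_rsa_key .
++.Pa /etc/ssh/ssh_host_ed25519_key .
+ .Pp
+ Note that
+ .Xr sshd 8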
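Review bot: The servconf.c hunk inside the new patch only stops sshd from loading ssh_host_dsa_key in the default HostKey list; nothing in this commit touches the side that creates host keys, so if the packaging's key-generation step (not visible here) still produces ssh_host_dsa_key, it will keep generating a key that a default configuration never loads. Worth confirming that step, and worth a NEWS/changelog line stating that hosts which relied on the default and still have only a DSA key must set `HostKey` explicitly or generate an RSA/ECDSA/Ed25519 key — I am inferring that from the removed default, not from visible code. The documented order in the sshd.8 and sshd_config.5 hunks (RSA, ECDSA, Ed25519) now matches the order in which the servconf.c code fills host_key_files, which is good. The enclosing function fill_default_server_options continues outside the hunk.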
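--- a/debian/patches/series
+++ b/debian/patches/series
@@ -28,3 +28,4 @@ regress-integrity-robust.patch
 regress-forwarding-race.patch
 regress-mktemp.patch
 sandbox-x32-workaround.patch
+no-dsa-host-key-by-default.patch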