ssh: Fix support for ssh-dss host keys

2016-04-01 15:52:59 +02:00 · 2016-04-01 15:52:59 +02:00 · 3fb1708427
commit 3fb1708427
parent 882d0b35b8
3 changed files with 56 additions and 1 deletions
--- a/nixos/modules/programs/ssh.nix
+++ b/nixos/modules/programs/ssh.nix
@ -189,6 +189,7 @@ in

        # Allow DSA keys for now. (These were deprecated in OpenSSH 7.0.)
        PubkeyAcceptedKeyTypes +ssh-dss
+        HostKeyAlgorithms +ssh-dss

        ${cfg.extraConfig}
      '';
--- a/pkgs/tools/networking/openssh/default.nix
+++ b/pkgs/tools/networking/openssh/default.nix
@ -41,7 +41,9 @@ stdenv.mkDerivation rec {
    '';

  patches =
-    [ ./locale_archive.patch ]
+    [ ./locale_archive.patch
+      ./fix-host-key-algorithms-plus.patch
+    ]
    ++ optional withGssapiPatches gssapiSrc;

  buildInputs = [ zlib openssl libedit pkgconfig pam ]
--- a/pkgs/tools/networking/openssh/fix-host-key-algorithms-plus.patch
+++ b/pkgs/tools/networking/openssh/fix-host-key-algorithms-plus.patch
@ -0,0 +1,52 @@
+Specifying "HostKeyAlgorithms +ssh-dds" does not work properly because
+setting any value for HostKeyAlgorithms causes the known host keys to
+be ignored for the purpose of determining the priority of algorithms.
+This was fixed upstream for HostKeyAlgorithms in sshd_config, but not
+in ssh_config. The fix is to apply order_hostkeyalgs() if the user
+specifies a HostKeyAlgorithms starting with "+".
+
+diff -ru -x '*~' openssh-7.2p2-orig/sshconnect2.c openssh-7.2p2/sshconnect2.c
+--- openssh-7.2p2-orig/sshconnect2.c	2016-03-09 19:04:48.000000000 +0100
+++ openssh-7.2p2/sshconnect2.c	2016-04-01 15:39:45.140945902 +0200
+@@ -100,7 +100,7 @@
+ }
+ 
+ static char *
+-order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port)
+order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port, char *algs)
+ {
+ 	char *oavail, *avail, *first, *last, *alg, *hostname, *ret;
+ 	size_t maxlen;
+@@ -116,7 +116,7 @@
+ 	for (i = 0; i < options.num_system_hostfiles; i++)
+ 		load_hostkeys(hostkeys, hostname, options.system_hostfiles[i]);
+ 
+-	oavail = avail = xstrdup(KEX_DEFAULT_PK_ALG);
+	oavail = avail = xstrdup(algs);
+ 	maxlen = strlen(avail) + 1;
+ 	first = xmalloc(maxlen);
+ 	last = xmalloc(maxlen);
+@@ -181,18 +181,21 @@
+ 	myproposal[PROPOSAL_MAC_ALGS_CTOS] =
+ 	    myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
+ 	if (options.hostkeyalgorithms != NULL) {
+		int append = options.hostkeyalgorithms[0] == '+';
+ 		if (kex_assemble_names(KEX_DEFAULT_PK_ALG,
+ 		    &options.hostkeyalgorithms) != 0)
+ 			fatal("%s: kex_assemble_namelist", __func__);
+ 		myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
+-		    compat_pkalg_proposal(options.hostkeyalgorithms);
+		    compat_pkalg_proposal(append
+			? order_hostkeyalgs(host, hostaddr, port, options.hostkeyalgorithms)
+			: options.hostkeyalgorithms);
+ 	} else {
+ 		/* Enforce default */
+ 		options.hostkeyalgorithms = xstrdup(KEX_DEFAULT_PK_ALG);
+ 		/* Prefer algorithms that we already have keys for */
+ 		myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
+ 		    compat_pkalg_proposal(
+-		    order_hostkeyalgs(host, hostaddr, port));
+		    order_hostkeyalgs(host, hostaddr, port, KEX_DEFAULT_PK_ALG));
+ 	}
+ 
+ 	if (options.rekey_limit || options.rekey_interval)