webadmin/bpfire
1
0
Fork 0
mirror of https://github.com/vincentmli/bpfire.git synced 2026-04-10 11:05:54 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
fc2a771c97ee6ddfeb8ef7baaf28bb9977c19e63
bpfire/lfs/openssh
Adolf Belka 2aebd3a8c5 openssh: Update to 8.5p1 
- Update Openssh from 8.4p1 to 8.5p1
- rootfiles not changed
- ssh access by keys tested with 8.5p1 and successfully worked
- Full Release notes can be read at https://www.openssh.com/releasenotes.html
- Future deprecation notice
   It is now possible[1] to perform chosen-prefix attacks against the
   SHA-1 algorithm for less than USD$50K.
   In the SSH protocol, the "ssh-rsa" signature scheme uses the SHA-1
   hash algorithm in conjunction with the RSA public key algorithm.
   OpenSSH will disable this signature scheme by default in the near
   future.
   Note that the deactivation of "ssh-rsa" signatures does not necessarily
   require cessation of use for RSA keys. In the SSH protocol, keys may be
   capable of signing using multiple algorithms. In particular, "ssh-rsa"
   keys are capable of signing using "rsa-sha2-256" (RSA/SHA256),
   "rsa-sha2-512" (RSA/SHA512) and "ssh-rsa" (RSA/SHA1). Only the last of
   these is being turned off by default.
- Checked if the weak ssh-rsa public key algorithm was being used with
   openssh8.4p1 by running
    ssh -oHostKeyAlgorithms=-ssh-rsa user@host
   host verification was successful with no issue so IPFire will not be
   affected by this deprecation when it happens
- Potentially-incompatible changes
    * ssh(1), sshd(8): this release changes the first-preference signature
      algorithm from ECDSA to ED25519.
   This did not affect my use of ssh login but I use ED25519 as the only
    key algorithm that I use. It might be good to get it tested by
    someone who has ECDSA and ED25519 keys and prefers ECDSA
   Remaining changes don't look likely to affect IPFire users
- Bugfixes
 * ssh(1): Prefix keyboard interactive prompts with "(user@host)" to
   make it easier to determine which connection they are associated
   with in cases like scp -3, ProxyJump, etc. bz#3224
 * sshd(8): fix sshd_config SetEnv directives located inside Match
   blocks. GHPR201
 * ssh(1): when requesting a FIDO token touch on stderr, inform the
   user once the touch has been recorded.
 * ssh(1): prevent integer overflow when ridiculously large
   ConnectTimeout values are specified, capping the effective value
   (for most platforms) at 24 days. bz#3229
 * ssh(1): consider the ECDSA key subtype when ordering host key
   algorithms in the client.
 * ssh(1), sshd(8): rename the PubkeyAcceptedKeyTypes keyword to
   PubkeyAcceptedAlgorithms. The previous name incorrectly suggested
   that it control allowed key algorithms, when this option actually
   specifies the signature algorithms that are accepted. The previous
   name remains available as an alias. bz#3253
 * ssh(1), sshd(8): similarly, rename HostbasedKeyTypes (ssh) and
   HostbasedAcceptedKeyTypes (sshd) to HostbasedAcceptedAlgorithms.
 * sftp-server(8): add missing lsetstat@openssh.com documentation
   and advertisement in the server's SSH2_FXP_VERSION hello packet.
 * ssh(1), sshd(8): more strictly enforce KEX state-machine by
   banning packet types once they are received. Fixes memleak caused
   by duplicate SSH2_MSG_KEX_DH_GEX_REQUEST (oss-fuzz #30078).
 * sftp(1): allow the full range of UIDs/GIDs for chown/chgrp on 32bit
   platforms instead of being limited by LONG_MAX. bz#3206
 * Minor man page fixes (capitalization, commas, etc.) bz#3223
 * sftp(1): when doing an sftp recursive upload or download of a
   read-only directory, ensure that the directory is created with
   write and execute permissions in the interim so that the transfer
   can actually complete, then set the directory permission as the
   final step. bz#3222
 * ssh-keygen(1): document the -Z, check the validity of its argument
   earlier and provide a better error message if it's not correct.
   bz#2879
 * ssh(1): ignore comments at the end of config lines in ssh_config,
   similar to what we already do for sshd_config. bz#2320
 * sshd_config(5): mention that DisableForwarding is valid in a
   sshd_config Match block. bz3239
 * sftp(1): fix incorrect sorting of "ls -ltr" under some
   circumstances. bz3248.
 * ssh(1), sshd(8): fix potential integer truncation of (unlikely)
   timeout values. bz#3250
 * ssh(1): make hostbased authentication send the signature algorithm
   in its SSH2_MSG_USERAUTH_REQUEST packets instead of the key type.
   This make HostbasedAcceptedAlgorithms do what it is supposed to -
   filter on signature algorithm and not key type.

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2021-03-06 11:16:07 +00:00

96 lines
3.6 KiB
Plaintext
Raw Blame History

###############################################################################
# #
# IPFire.org - A linux based firewall #
# Copyright (C) 2007-2020 IPFire Team <info@ipfire.org> #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
# the Free Software Foundation, either version 3 of the License, or #
# (at your option) any later version. #
# #
# This program is distributed in the hope that it will be useful, #
# but WITHOUT ANY WARRANTY; without even the implied warranty of #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
# GNU General Public License for more details. #
# #
# You should have received a copy of the GNU General Public License #
# along with this program. If not, see <http://www.gnu.org/licenses/>. #
# #
###############################################################################
###############################################################################
# Definitions
###############################################################################
include Config
VER = 8.5p1
THISAPP = openssh-$(VER)
DL_FILE = $(THISAPP).tar.gz
DL_FROM = $(URL_IPFIRE)
DIR_APP = $(DIR_SRC)/$(THISAPP)
TARGET = $(DIR_INFO)/$(THISAPP)
###############################################################################
# Top-level Rules
###############################################################################
objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
$(DL_FILE)_MD5 = 9eb9420cf587edc26f8998ab679ad390
install : $(TARGET)
check : $(patsubst %,$(DIR_CHK)/%,$(objects))
download :$(patsubst %,$(DIR_DL)/%,$(objects))
md5 : $(subst %,%_MD5,$(objects))
###############################################################################
# Downloading, checking, md5sum
###############################################################################
$(patsubst %,$(DIR_CHK)/%,$(objects)) :
@$(CHECK)
$(patsubst %,$(DIR_DL)/%,$(objects)) :
@$(LOAD)
$(subst %,%_MD5,$(objects)) :
@$(MD5)
###############################################################################
# Installation Details
###############################################################################
$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
@$(PREBUILD)
@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
cd $(DIR_APP) && sed -i "s/lkrb5 -ldes/lkrb5/" configure
cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/OpenSSH-8.2p1_glibc-2.31_clock_nanosleep_time64.patch
cd $(DIR_APP) && ./configure \
--prefix=/usr \
--sysconfdir=/etc/ssh \
--libexecdir=/usr/lib/openssh \
--with-md5-passwords \
--with-privsep-path=/var/empty \
--with-superuser-path=/sbin:/usr/sbin:/bin:/usr/bin
cd $(DIR_APP) && make $(MAKETUNING)
cd $(DIR_APP) && make install
# install custom OpenSSH server configuration
install -v -m 644 $(DIR_SRC)/config/ssh/sshd_config \
/etc/ssh/sshd_config
# install custom OpenSSH client configuration
install -v -m 644 $(DIR_SRC)/config/ssh/ssh_config \
/etc/ssh/ssh_config
@rm -rf $(DIR_APP)
@$(POSTBUILD)
Reference in New Issue View Git Blame Copy Permalink