URL: https://github.com/freeipa/freeipa/pull/3889
Author: tiran
Title: #3889: [Backport][ipa-4-8] Use default ssh host key algorithms
Action: opened
PR body: """ This PR was opened automatically because PR #3887 was pushed to master and backport to ipa-4-8 is required. """

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/3889/head:pr3889
git checkout pr3889
From 4517f668b2f698461da5ee234d1e9e9d3e401126 Mon Sep 17 00:00:00 2001 From: Christian Heimes <chei...@redhat.com> Date: Tue, 12 Nov 2019 09:51:02 +0100 Subject: [PATCH] Use default ssh host key algorithms ipa-client-install no longer overrides SSH client settings for HostKeyAlgorithms. It's no longer necessary to configure HostKeyAlgorithms. The setting was disabling modern algorithms and enabled a weak algorithm that is blocked in FIPS code. The ipa-client package removes IPA's custom HostKeyAlgorithm from /etc/ssh/ssh_config during package update. Non-IPA settings are not touched. Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1756432 Fixes: https://pagure.io/freeipa/issue/8082 Signed-off-by: Christian Heimes <chei...@redhat.com> --- freeipa.spec.in | 4 ++++ ipaclient/install/client.py | 1 - 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index 27d19909b1..d46df7f96d 100755 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -963,6 +963,10 @@ if [ $1 -gt 1 ] ; then if [ $restore -ge 2 ]; then %{__python3} -c 'from ipaclient.install.client import update_ipa_nssdb; update_ipa_nssdb()' >>/var/log/ipaupgrade.log 2>&1 fi + + if [ $restore -ge 2 ]; then + sed -E --in-place=.orig 's/^(HostKeyAlgorithms ssh-rsa,ssh-dss)$/# disabled by ipa-client update\n# \1/' /etc/ssh/ssh_config + fi fi diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py index cc830f1ffe..34b2d1a6e7 100644 --- a/ipaclient/install/client.py +++ b/ipaclient/install/client.py @@ -1116,7 +1116,6 @@ def configure_ssh_config(fstore, options): changes['GlobalKnownHostsFile'] = paths.SSSD_PUBCONF_KNOWN_HOSTS if options.trust_sshfp: changes['VerifyHostKeyDNS'] = 'yes' - changes['HostKeyAlgorithms'] = 'ssh-rsa,ssh-dss' change_ssh_config(paths.SSH_CONFIG, changes, ['Host', 'Match']) logger.info('Configured %s', paths.SSH_CONFIG)
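Review bot: in the freeipa.spec.in hunk, the sed pattern `^(HostKeyAlgorithms ssh-rsa,ssh-dss)$` matches only that exact line, so a variant with leading or trailing whitespace, more than one space between keyword and value, or the same directive indented under a `Host` block is left in place and keeps advertising the weak algorithm; a tolerant match such as `^[[:space:]]*HostKeyAlgorithms[[:space:]]+ssh-rsa,ssh-dss[[:space:]]*$` would cover those. Two further points on the same lines: `--in-place=.orig` makes sed rewrite the file and (over)write `/etc/ssh/ssh_config.orig` on every upgrade that reaches `$restore -ge 2`, whether or not anything matched, and if `/etc/ssh/ssh_config` is absent sed exits nonzero inside the scriptlet. Guarding the call with `[ -f /etc/ssh/ssh_config ] && grep -q ... && sed ...` addresses both. Worth stating in the commit message that "Non-IPA settings are not touched" holds only because the match is by content: an administrator-authored line with the identical value is commented out as well.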
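Review bot: in the ipaclient/install/client.py hunk, dropping `changes['HostKeyAlgorithms'] = 'ssh-rsa,ssh-dss'` stops new installs from writing the setting, but `configure_ssh_config` then does nothing about a client that already carries the line from an earlier install; the only cleanup in this patch is the RPM %post scriptlet, so hosts not upgraded through the package (or where `$restore` is below 2) keep `ssh-rsa,ssh-dss` in effect even after ipa-client-install is run again. Consider making the installer the cleanup path too: have `configure_ssh_config` remove or comment a pre-existing `HostKeyAlgorithms ssh-rsa,ssh-dss` line before calling `change_ssh_config(paths.SSH_CONFIG, changes, ['Host', 'Match'])`, and add a test that exercises both the fresh-install and the already-configured case, since neither hunk comes with one.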
_______________________________________________ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org