From 4dc55725a6c9107019534bd381a4c6043fdf3146 Mon Sep 17 00:00:00 2001
From: Jean-Philippe Pialasse
Date: Sat, 22 Mar 2025 17:44:56 -0400
Subject: [PATCH] * Sat Mar 22 2025 Jean-Philippe Pialasse 11.0.0-12.sme
- insecure cipher and MAC removed [SME: 12968]
---
 .../templates/etc/ssh/sshd_config/29HostKeyAlgorithms | 1 +
 .../e-smith/templates/etc/ssh/sshd_config/30KexAlgorithms | 2 +-
 root/etc/e-smith/templates/etc/ssh/sshd_config/33MACs | 2 +-
 root/usr/lib/systemd/system/sshd.service.d/50-koozali.conf | 4 ++++
 smeserver-openssh.spec | 5 ++++-
 5 files changed, 11 insertions(+), 3 deletions(-)
 create mode 100644 root/etc/e-smith/templates/etc/ssh/sshd_config/29HostKeyAlgorithms

diff --git a/root/etc/e-smith/templates/etc/ssh/sshd_config/29HostKeyAlgorithms b/root/etc/e-smith/templates/etc/ssh/sshd_config/29HostKeyAlgorithms
new file mode 100644
index 0000000..8784cf1
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/ssh/sshd_config/29HostKeyAlgorithms
@@ -0,0 +1 @@
+HostKeyAlgorithms ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256
diff --git a/root/etc/e-smith/templates/etc/ssh/sshd_config/30KexAlgorithms b/root/etc/e-smith/templates/etc/ssh/sshd_config/30KexAlgorithms
index 6169a38..5cae0a9 100644
--- a/root/etc/e-smith/templates/etc/ssh/sshd_config/30KexAlgorithms
+++ b/root/etc/e-smith/templates/etc/ssh/sshd_config/30KexAlgorithms
@@ -1 +1 @@
-KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256
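Review bot: The new HostKeyAlgorithms line still lists `ssh-rsa-cert-v01@openssh.com`, the RSA certificate type whose signatures use SHA-1, which is the same class of weak algorithm this commit sets out to remove (OpenSSH has refused it by default since 8.8); I would drop it so the certificate part ends `...,rsa-sha2-256-cert-v01@openssh.com,ecdsa-sha2-nistp384,...`. The list is also inconsistent about P-256: `ecdsa-sha2-nistp256-cert-v01@openssh.com` is offered but plain `ecdsa-sha2-nistp256` is not, so either both or neither should appear. Since this is the server-side directive, sshd can only offer the algorithms for which it actually has a HostKey (and, for the `-cert-v01` entries, a HostCertificate), neither of which is visible in this patch; a one-line comment such as `# server host-key signature algorithms; only those with a matching HostKey/HostCertificate are actually offered` would save the next maintainer from expecting all of these to be live.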
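Review bot: `diffie-hellman-group-exchange-sha256` is kept on the new KexAlgorithms line, and its actual strength is decided by /etc/ssh/moduli together with the client's proposed group size rather than by this line, so unless small moduli have been pruned from that file the gain from adding group16/group18 is partly undone. The usual companion step is `awk '$5 >= 3071' /etc/ssh/moduli > /etc/ssh/moduli.safe && mv /etc/ssh/moduli.safe /etc/ssh/moduli`, or to drop group-exchange entirely and rely on curve25519 plus the fixed groups. If the OpenSSH build on the target release is 8.5 or newer, `sntrup761x25519-sha512@openssh.com` could be prepended for a post-quantum hybrid exchange; I cannot tell the version from this patch. Note also that in SSH the client's preference order decides the chosen method, so the ordering on this line has little practical effect.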
diff --git a/root/etc/e-smith/templates/etc/ssh/sshd_config/33MACs b/root/etc/e-smith/templates/etc/ssh/sshd_config/33MACs
index 17f6980..4cc653e 100644
--- a/root/etc/e-smith/templates/etc/ssh/sshd_config/33MACs
+++ b/root/etc/e-smith/templates/etc/ssh/sshd_config/33MACs
@@ -1 +1 @@
-MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
diff --git a/root/usr/lib/systemd/system/sshd.service.d/50-koozali.conf b/root/usr/lib/systemd/system/sshd.service.d/50-koozali.conf
index c7b2a65..d636b6e 100644
--- a/root/usr/lib/systemd/system/sshd.service.d/50-koozali.conf
+++ b/root/usr/lib/systemd/system/sshd.service.d/50-koozali.conf
@@ -1,4 +1,8 @@
 [Service]
+# could introduce security issues
+# EnvironmentFile=-/etc/crypto-policies/back-ends/opensshserver.config
+EnvironmentFile=
+EnvironmentFile=-/etc/sysconfig/sshd
 ExecStartPre=/sbin/e-smith/service-status sshd
 ExecStartPre=/sbin/e-smith/systemd/sshd-prepare
 ExecStartPre=-/sbin/e-smith/expand-template /etc/ssh/sshd_config
diff --git a/smeserver-openssh.spec b/smeserver-openssh.spec
index c7f90a6..f4c286e 100644
--- a/smeserver-openssh.spec
+++ b/smeserver-openssh.spec
@@ -4,7 +4,7 @@ Summary: smeserver module to configure and enable ssh
 %define name smeserver-openssh
 Name: %{name}
 %define version 11.0.0
-%define release 11
+%define release 12
 Version: %{version}
 Release: %{release}%{?dist}
 License: GPL
@@ -63,6 +63,9 @@ if [ $1 -gt 1 ] ; then
 fi
 %changelog
+* Sat Mar 22 2025 Jean-Philippe Pialasse 11.0.0-12.sme
+- insecure cipher and MAC removed [SME: 12968]
+
 * Wed Jan 15 2025 Jean-Philippe Pialasse 11.0.0-11.sme
 - remove Requires: runit [SME: 12566]
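Review bot: The new MACs line keeps only the `-etm@openssh.com` variants, and those are exactly the MAC modes involved in the Terrapin prefix-truncation attack (CVE-2023-48795) when combined with a CBC cipher on a server that lacks strict key exchange; this patch touches no Ciphers fragment, so whether a CBC cipher is still offered is not visible here and should be checked together with this change. If the OpenSSH build in use supports `kex-strict-s-v00@openssh.com` (9.6+ or a distribution backport), an ETM-only list is fine. A short comment in the fragment would record that rationale, e.g. `# encrypt-then-MAC only; relies on no CBC cipher being offered or on strict KEX support (CVE-2023-48795)`. Clients that offer no ETM MAC at all (very old or embedded implementations) will now be refused, which is presumably intended but worth a line in the changelog.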
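Review bot: The added comment `# could introduce security issues` does not say what the issue is; the reason this file is dropped is that the crypto-policies EnvironmentFile exports `-o` options which sshd applies from its command line, where they take precedence over anything in the templated /etc/ssh/sshd_config, so the hardened Kex/MAC/HostKey fragments would be silently overridden. I would replace the comment with `# Do not load crypto-policies here: its $CRYPTO_POLICY -o flags are command-line overrides and would take precedence over the templated sshd_config`. The bare `EnvironmentFile=` resets the list inherited from the vendor unit, which is the intent, but it also means `update-crypto-policies` (including a FIPS policy) no longer governs sshd at all; that trade-off deserves a sentence in the changelog or the fragment. If the vendor sshd_config on the target release also pulls the policy in through an `Include` of /etc/crypto-policies/back-ends/opensshserver.config, this drop-in does not cover that path and, because sshd keeps the first value it reads for each keyword, the templated lines could still lose; worth verifying on the target release.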