* Thu Jul 03 2025 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-13.sme

- re-add hmac-sha2-512 for backward compatibility [SME: 12968]

.gitignore

@@ -2,3 +2,4 @@
 *.log
 *spec-20*
 *.tar.xz
+*.bak

README.md

@@ -6,7 +6,14 @@ SMEServer Koozali developed git repo for smeserver-openssh smeserver
 <br />https://wiki.koozali.org/
 
 ## Bugzilla
-Show list of outstanding bugs: [here](https://bugs.koozali.org/buglist.cgi?component=smeserver-openssh&product=SME%20Server%2010.X&query_format=advanced&limit=0&bug_status=UNCONFIRMED&bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&bug_status=CONFIRMED)\
+Show list of outstanding bugs:
+[All](https://bugs.koozali.org/buglist.cgi?action=wrap&bug_status=UNCONFIRMED&bug_status=CONFIRMED&bug_status=NEEDINFO&bug_status=IN_PROGRESS&bug_status=RESOLVED&bug_status=VERIFIED&cf_package=smeserver-openssh&classification=SME+Server&list_id=105756&order=changeddate+DESC%2Ccomponent%2Cpriority%2Cbug_severity&query_format=advanced)  
+[Confirmed](https://bugs.koozali.org/buglist.cgi?action=wrap&bug_status=CONFIRMED&cf_package=smeserver-openssh&classification=SME+Server&order=changeddate+DESC%2Ccomponent%2Cpriority%2Cbug_severity&query_format=advanced)  
+[Unconfirmed](https://bugs.koozali.org/buglist.cgi?action=wrap&bug_status=UNCONFIRMED&cf_package=smeserver-openssh&classification=SME+Server&order=changeddate+DESC%2Ccomponent%2Cpriority%2Cbug_severity&query_format=advanced)  
+[Need info](https://bugs.koozali.org/buglist.cgi?action=wrap&bug_status=NEEDINFO&cf_package=smeserver-openssh&classification=SME+Server&order=changeddate+DESC%2Ccomponent%2Cpriority%2Cbug_severity&query_format=advanced)  
+[In progress](https://bugs.koozali.org/buglist.cgi?action=wrap&bug_status=IN_PROGRESS&cf_package=smeserver-openssh&classification=SME+Server&order=changeddate+DESC%2Ccomponent%2Cpriority%2Cbug_severity&query_format=advanced)  
+[Resolved](https://bugs.koozali.org/buglist.cgi?action=wrap&bug_status=RESOLVED&cf_package=smeserver-openssh&classification=SME+Server&order=changeddate+DESC%2Ccomponent%2Cpriority%2Cbug_severity&query_format=advanced)  
+[Verified](https://bugs.koozali.org/buglist.cgi?action=wrap&bug_status=VERIFIED&cf_package=smeserver-openssh&classification=SME+Server&order=changeddate+DESC%2Ccomponent%2Cpriority%2Cbug_severity&query_format=advanced)
 And a list of outstanding Legacy bugs: (e-smith-openssh) [here](https://bugs.koozali.org/buglist.cgi?component=e-smith-openssh&product=SME%20Server%2010.X&query_format=advanced&limit=0&bug_status=UNCONFIRMED&bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&bug_status=CONFIRMED)
 
 ## Description

root/etc/e-smith/events/actions/sshd-conf

@@ -83,6 +83,7 @@ SKIP: {
 =cut
 
 my $db = esmith::ConfigDB->open_ro or die "Could not open config db";
+my $comment = "root@" . $db->get('SystemName')->value . "." . $db->get('DomainName')->value;
 
 for my $typek (qw(dsa rsa ecdsa ed25519)) {
     # Recomment the key in case the SystemName or DomainName changed.
@@ -91,8 +92,8 @@ for my $typek (qw(dsa rsa ecdsa ed25519)) {
     
     esmith::util::backgroundCommand (0,
         "/usr/bin/ssh-keygen", @change, "-t", "$typek",
-        "-f", "/etc/ssh/ssh_host_key",
-        "-C", "root@" . $db->get('SystemName')->value . "." . $db->get('DomainName')->value);
+        "-f", "/etc/ssh/ssh_host_${typek}_key",
+        "-C", "comment");
 }
 exit (0);
 

root/etc/e-smith/templates/etc/ssh/sshd_config/29HostKeyAlgorithms

@@ -0,0 +1 @@
+HostKeyAlgorithms ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256

root/etc/e-smith/templates/etc/ssh/sshd_config/30KexAlgorithms

@@ -1 +1 @@
-KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256

root/etc/e-smith/templates/etc/ssh/sshd_config/33MACs

@@ -1 +1 @@
-MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512

root/usr/lib/systemd/system/sshd.service.d/50-koozali.conf

@@ -1,4 +1,8 @@
 [Service]
+# could introduce security issues
+# EnvironmentFile=-/etc/crypto-policies/back-ends/opensshserver.config
+EnvironmentFile=
+EnvironmentFile=-/etc/sysconfig/sshd
 ExecStartPre=/sbin/e-smith/service-status sshd
 ExecStartPre=/sbin/e-smith/systemd/sshd-prepare
 ExecStartPre=-/sbin/e-smith/expand-template /etc/ssh/sshd_config

smeserver-openssh.spec

@@ -4,7 +4,7 @@ Summary: smeserver module to configure and enable ssh
 %define name smeserver-openssh
 Name: %{name}
 %define version 11.0.0
-%define release 9
+%define release 13
 Version: %{version}
 Release: %{release}%{?dist}
 License: GPL
@@ -19,7 +19,6 @@ Requires: openssh >= 3.5
 Requires: openssh-clients
 Requires: openssh-server
 Requires: smeserver-lib >= 1.15.1-19
-Requires: runit
 Provides: e-smith-openssh
 AutoReqProv: no
 
@@ -64,6 +63,18 @@ if [ $1 -gt 1 ] ; then
 fi
 
 %changelog
+* Thu Jul 03 2025 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-13.sme
+- re-add hmac-sha2-512 for backward compatibility [SME: 12968]
+
+* Sat Mar 22 2025 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-12.sme
+- insecure cipher and MAC removed [SME: 12968]
+
+* Wed Jan 15 2025 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-11.sme
+- remove Requires: runit [SME: 12566]
+
+* Tue Nov 12 2024 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-10.sme
+- fix update of host keys comment [SME: 12759]
+
 * Sun Sep 22 2024 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-9.sme
 - remove reference to deprecated rssh [SME: 12670]
 - template /etc/pam.d/sshd to remove motd [SME: 12740]