From 7cd1d565ac2b240eda697dbebb043a1a2885d23a Mon Sep 17 00:00:00 2001
From: Christian Heimes
Date: Nov 13 2019 07:39:16 +0000
Subject: Use default ssh host key algorithms

ipa-client-install no longer overrides SSH client settings for HostKeyAlgorithms. It's no longer necessary to configure HostKeyAlgorithms. The setting was disabling modern algorithms and enabled a weak algorithm that is blocked in FIPS code. The ipa-client package removes IPA's custom HostKeyAlgorithm from /etc/ssh/ssh_config during package update. Non-IPA settings are not touched.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1756432
Fixes: https://pagure.io/freeipa/issue/8082
Signed-off-by: Christian Heimes
Reviewed-By: Alexander Bokovoy
Reviewed-By: Alexander Bokovoy
---
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 0f96778..9c422c9 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -1316,6 +1316,10 @@ if [ $1 -gt 1 ] ; then
     if [ $restore -ge 2 ]; then
         %{python} -c 'from ipaclient.install.client import update_ipa_nssdb; update_ipa_nssdb()' >/var/log/ipaupgrade.log 2>&1
     fi
+
+    if [ $restore -ge 2 ]; then
+        sed -E --in-place=.orig 's/^(HostKeyAlgorithms ssh-rsa,ssh-dss)$/# disabled by ipa-client update\n# \1/' /etc/ssh/ssh_config
+    fi
 fi
diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py
index 4b4cf00..eb4dc03 100644
--- a/ipaclient/install/client.py
+++ b/ipaclient/install/client.py
@@ -1093,7 +1093,6 @@ def configure_ssh_config(fstore, options):
         changes['GlobalKnownHostsFile'] = paths.SSSD_PUBCONF_KNOWN_HOSTS
     if options.trust_sshfp:
         changes['VerifyHostKeyDNS'] = 'yes'
-    changes['HostKeyAlgorithms'] = 'ssh-rsa,ssh-dss'
     change_ssh_config(paths.SSH_CONFIG, changes, ['Host', 'Match'])
     logger.info('Configured %s', paths.SSH_CONFIG)
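Review bot: The new scriptlet runs `sed --in-place=.orig` on /etc/ssh/ssh_config on every upgrade where `$restore -ge 2`, and GNU sed rewrites the file (and overwrites the `.orig` backup) even when no line matches, so an untouched ssh_config still gets replaced and the backup from the one run that actually changed something is lost. Guarding the call with a match test keeps the rewrite to hosts that really carry the IPA line: `if grep -qE '^HostKeyAlgorithms ssh-rsa,ssh-dss$' /etc/ssh/ssh_config 2>/dev/null; then` … `fi`. The block also repeats the `if [ $restore -ge 2 ]` test of the preceding update_ipa_nssdb block and could sit inside it, and unlike that block it leaves sed's stderr on the rpm output rather than in /var/log/ipaupgrade.log. The pattern matches only the exact `ssh-rsa,ssh-dss` value that the removed line in client.py used to write, which is presumably intended so that administrator-set HostKeyAlgorithms lines are left alone; a short comment above the sed saying so would keep a later maintainer from "fixing" the pattern to match more. The enclosing `if [ $1 -gt 1 ]` scriptlet starts before the hunk.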