diff --git a/fix-ssh-keyscan-can-t-get-sm2-host-pubkey-issue.patch b/fix-ssh-keyscan-can-t-get-sm2-host-pubkey-issue.patch
new file mode 100644
index 0000000000000000000000000000000000000000..2dcf67d19afe117e52203e11144bcfc5416b7514
--- /dev/null
+++ b/fix-ssh-keyscan-can-t-get-sm2-host-pubkey-issue.patch
@@ -0,0 +1,58 @@
+From 27a17560423137189ef4d4a86a9c9e1827feb290 Mon Sep 17 00:00:00 2001
+From: songjuntao
+Date: Tue, 21 May 2024 15:35:31 +0800
+Subject: [PATCH] fix ssh-keyscan can't get sm2 host pubkey issue
+
+Signed-off-by: songjuntao
+---
+ myproposal.h | 6 ++++--
+ ssh-keyscan.c | 2 +-
+ 2 files changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/myproposal.h b/myproposal.h
+index ee6e9f7..cceab23 100644
+--- a/myproposal.h
++++ b/myproposal.h
+@@ -31,6 +31,7 @@
+ "ecdh-sha2-nistp256," \
+ "ecdh-sha2-nistp384," \
+ "ecdh-sha2-nistp521," \
++ "sm2-sm3," \
+ "diffie-hellman-group-exchange-sha256," \
+ "diffie-hellman-group16-sha512," \
+ "diffie-hellman-group18-sha512," \
+@@ -58,7 +59,7 @@
+
+ #define KEX_SERVER_ENCRYPT \
+ "chacha20-poly1305@openssh.com," \
+- "aes128-ctr,aes192-ctr,aes256-ctr," \
++ "aes128-ctr,aes192-ctr,aes256-ctr,sm4-ctr," \
+ "aes128-gcm@openssh.com,aes256-gcm@openssh.com"
+
+ #define KEX_CLIENT_ENCRYPT KEX_SERVER_ENCRYPT
+@@ -73,7 +74,8 @@
+ "umac-128@openssh.com," \
+ "hmac-sha2-256," \
+ "hmac-sha2-512," \
+- "hmac-sha1"
++ "hmac-sha1," \
++ "hmac-sm3"
+
+ #define KEX_CLIENT_MAC KEX_SERVER_MAC
+
+diff --git a/ssh-keyscan.c b/ssh-keyscan.c
+index b402a21..68a5ab6 100644
+--- a/ssh-keyscan.c
++++ b/ssh-keyscan.c
+@@ -74,7 +74,7 @@ int ssh_port = SSH_DEFAULT_PORT;
+ #define KT_MAX KT_SM2
+
+ int get_cert = 0;
+-int get_keytypes = KT_RSA|KT_ECDSA|KT_ED25519|KT_ECDSA_SK|KT_ED25519_SK;
++int get_keytypes = KT_RSA|KT_ECDSA|KT_ED25519|KT_ECDSA_SK|KT_ED25519_SK|KT_SM2;
+
+ int hash_hosts = 0; /* Hash hostname on output */
+
+--
+2.43.0
+
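Review bot: The two myproposal.h hunks inside the embedded patch change the default KEX, cipher and MAC proposals for every ssh and sshd built from this tree, yet neither the subject nor the body says why a keyscan fix needs that, so the reason belongs in the patch description or in a comment beside the new entries, e.g. `/* SM2/SM3/SM4 suite; listed so sm2 host keys can be negotiated by default */`. The placements also differ: `"sm2-sm3,"` is inserted ahead of the diffie-hellman-group* entries and therefore outranks them whenever a peer offers it, `sm4-ctr` sits between the aes-ctr and aes-gcm entries, and `hmac-sm3` is appended after `hmac-sha1` at the lowest preference — one stated ordering policy should cover all three. In ssh-keyscan.c the default `get_keytypes` gains KT_SM2, which presumably costs one more probe connection per scanned host, and if the local ssh-keyscan.1 lists the default key types for -t that page needs the same update. Whether these algorithms are actually available at run time depends on the linked crypto library, which this hunk does not show.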
diff --git a/openssh.spec b/openssh.spec
index 2a727d7265eef900cc9aaac248fd6ed5c168c800..c6422943e21f4484050a65c2d4deafd05684bacc 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -6,7 +6,7 @@ %{?no_gtk2:%global gtk2 0} %global sshd_uid 74 -%global openssh_release 5 +%global openssh_release 6 Name: openssh Version: 9.6p1
@@ -113,6 +113,7 @@ Patch72: backport-upstream-some-extra-paranoia.patch Patch73: backport-fix-CVE-2024-39894.patch Patch74: backport-fix-CVE-2025-26465.patch Patch75: backport-fix-CVE-2025-26466.patch +Patch76: fix-ssh-keyscan-can-t-get-sm2-host-pubkey-issue.patch Requires: /sbin/nologin Requires: libselinux >= 2.3-5 audit-libs >= 1.0.8
@@ -272,6 +273,7 @@ popd %patch -P 73 -p1 %patch -P 74 -p1 %patch -P 75 -p1 +%patch -P 76 -p1 autoreconf pushd pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4
@@ -503,6 +505,13 @@ fi %attr(0644,root,root) %{_mandir}/man8/sftp-server.8* %changelog +* Wed Feb 26 2025 songjuntao - 9.6p1-6 +- Type:bugfix +- ID:NA +- SUG:NA +- DESC:add auto generate sm2 hostkey when start sshd service, + fix ssh-keyscan can't get host pubkey issue + * Tue Feb 18 2025 bitianyuan - 9.6p1-5 - Type:CVE - CVE:CVE-2025-26465 CVE-2025-26466
diff --git a/sshd-keygen b/sshd-keygen
index 170ada07a9d0f48a49dd00405fb8509ef1b5678b..8568a8a3150c6a7f6ca2ca4335c5b09f96dcf50e 100644
--- a/sshd-keygen
+++ b/sshd-keygen
@@ -10,6 +10,7 @@ case $KEYTYPE in exit 0 fi ;; "rsa") ;; # always ok + "sm2") ;; "ecdsa") ;; *) # wrong argument exit 12 ;;
diff --git a/sshd-keygen.target b/sshd-keygen.target
index 9efb4e25e044fb1fd39424d8533376f308cd47b4..63a024b2d43e25bdaf89e1e7185c33c55d4351a2 100644
--- a/sshd-keygen.target
+++ b/sshd-keygen.target
@@ -2,4 +2,5 @@ Wants=sshd-keygen@rsa.service Wants=sshd-keygen@ecdsa.service Wants=sshd-keygen@ed25519.service +Wants=sshd-keygen@sm2.service PartOf=sshd.service
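Review bot: The new `"sm2") ;;` branch in sshd-keygen is unconditional, while the branch just above it ends in `exit 0 fi ;;`, i.e. some key type is skipped under a condition (FIPS mode, presumably) that the sm2 branch does not mirror; since SM2 is not a FIPS-approved algorithm the same guard probably belongs here, or a comment such as `"sm2") ;; # GM/T suite, deliberately not guarded because ...` should say why not. The rest of the script — the key path derived from $KEYTYPE and the ssh-keygen invocation — is outside the hunk, so whether `ssh-keygen -t sm2` and the resulting host-key file name are handled cannot be confirmed from here. The enclosing case statement begins before the hunk and its remaining branches and esac lie after it.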
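Review bot: Adding `Wants=sshd-keygen@sm2.service` only generates the key; sshd will not load it unless sshd_config carries a `HostKey` entry pointing at the generated sm2 key file, and no sshd_config change is part of this diff, so either that file is already updated elsewhere or the generated key goes unused and ssh-keyscan still finds no sm2 host key to report. A short comment above the new line, `# sm2 host key; sshd_config must list the matching HostKey`, would make the dependency visible. The template unit these instances come from is not in the diff, so its behaviour for a new instance name is assumed rather than verified.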