From 8bdda36b16cc3fb0a0f2d25df490e7f642f79231 Mon Sep 17 00:00:00 2001
From: "a869920004@163.com"
Date: Sat, 10 Oct 2020 11:20:11 +0800
Subject: [PATCH] Use secure MACs and KexAlgorithms
---
 Use-secure-MACs-and-KexAlgorithms.patch | 22 ++++++++++++++++++++++
 security-tool.spec | 7 ++++++-
 2 files changed, 28 insertions(+), 1 deletion(-)
 create mode 100644 Use-secure-MACs-and-KexAlgorithms.patch
diff --git a/Use-secure-MACs-and-KexAlgorithms.patch b/Use-secure-MACs-and-KexAlgorithms.patch
new file mode 100644
index 0000000..3f858f0
--- /dev/null
+++ b/Use-secure-MACs-and-KexAlgorithms.patch
@@ -0,0 +1,22 @@
+diff --git a/security.conf b/security.conf
+index e5d39e2..30b9f54 100644
+--- a/security.conf
++++ b/security.conf
+@@ -74,7 +74,7 @@
+ 112@m@/etc/ssh/sshd_config@Banner @/etc/issue.net
+
+ # Set sshd message authentication code algorithm
+-113@m@/etc/ssh/sshd_config@MACs @hmac-sha2-512,hmac-sha2-512-etm@@openssh.com,hmac-sha2-256,hmac-sha2-256-etm@@openssh.com,hmac-sha1,hmac-sha1-etm@@openssh.com
++113@m@/etc/ssh/sshd_config@MACs @hmac-sha2-512,hmac-sha2-512-etm@@openssh.com,hmac-sha2-256,hmac-sha2-256-etm@@openssh.com
+
+ # Make sshd check file modes and ownership of the user's files and home directory before accepting login
+ 114@m@/etc/ssh/sshd_config@StrictModes @yes
+@@ -95,7 +95,7 @@
+ 120@m@/etc/ssh/sshd_config@PermitTunnel @no
+
+ #CVE-2015-4000
+-121@m@/etc/ssh/sshd_config@KexAlgorithms@ curve25519-sha256,curve25519-sha256@@libssh.org,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256
++121@m@/etc/ssh/sshd_config@KexAlgorithms@ curve25519-sha256,curve25519-sha256@@libssh.org,diffie-hellman-group-exchange-sha256
+
+ 130@systemctl@sshd.service@restart
+
diff --git a/security-tool.spec b/security-tool.spec
index cba2394..e5798a6 100644
--- a/security-tool.spec
+++ b/security-tool.spec
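Review bot: The `#CVE-2015-4000` comment above rule 121 no longer tells an auditor what the rule enforces: the new line drops the two SHA-1 key exchanges and keeps `diffie-hellman-group-exchange-sha256`, whose strength depends on the moduli sshd offers, and nothing visible in this hunk constrains those. I would extend the comment to something like `# Disable SHA-1 based key exchange; group-exchange-sha256 relies on /etc/ssh/moduli containing only large primes` and, if the tool has a rule type for it, add a check on that file. Rule 113 gets the same kind of change (hmac-sha1 and hmac-sha1-etm removed), and its comment could say `# Allow only SHA-2 based MACs` so the intent is recorded next to the value. Clients that can only negotiate SHA-1 algorithms will stop connecting once rule 130 restarts sshd, which deserves a line in the changelog entry.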
@@ -1,7 +1,7 @@
 Summary: openEuler Security Tool
 Name : security-tool
 Version: 2.0
-Release: 1.49
+Release: 1.50
 Source0: https://gitee.com/openeuler/security-tool/repository/archive/v2.0.tar.gz
 License: Mulan PSL v2
 URL: https://gitee.com/openeuler/security-tool
@@ -13,6 +13,8 @@ Requires(preun): systemd-units
 Requires(postun): systemd-units
 BuildRequires: xauth
+Patch: Use-secure-MACs-and-KexAlgorithms.patch
+
 %description
 openEuler Security Tool
@@ -116,6 +118,9 @@ fi
 %attr(0500,root,root) %{_sbindir}/security-tool.sh
 %changelog
+* Fri Oct 9 2020 gaoyusong - 2.0-1.50
+- Use secure MACs and KexAlgorithms
+
 * Thu Sep 17 2020 gaoyusong - 2.0-1.49
 - Upgrade to v2.0
-- Gitee
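Review bot: The new `Patch: Use-secure-MACs-and-KexAlgorithms.patch` tag only declares the patch; none of the three hunks touches %prep, so unless %prep already uses `%autosetup -p1` (not visible here) the hardened MACs and KexAlgorithms lines never reach the packaged security.conf. If %prep uses plain `%setup`, add `%patch0 -p1` after it, and consider writing the tag as `Patch0:` so the number is explicit. A simple post-build check is to grep the installed security.conf for `hmac-sha1` and confirm that it is absent.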