net-misc/openssh-contrib: revoke github.com's compromised RSA host key

See https://github.blog/2023-03-23-we-updated-our-rsa-ssh-host-key/.

It's necessary for the old github.com key to be explicitly removed (or revoked)
rather than just selecting a new key, i.e. it's possible for users to be silently
affected but not see the error because github.com may not serve them an RSA key.

Revoke the old github.com key as part of the ebuild to help users out.

Closes: https://github.com/gentoo/gentoo/pull/30327
Closes: https://github.com/gentoo/gentoo/pull/30897
Signed-off-by: Sam James <sam@gentoo.org>

1 files changed, 9 insertions, 0 deletions

diff --git a/net-misc/openssh-contrib/openssh-contrib-9.3_p1.ebuild b/net-misc/openssh-contrib/openssh-contrib-9.3_p1.ebuild
index 18255acf5f45..bdcd1d5ad012 100644
--- a/net-misc/openssh-contrib/openssh-contrib-9.3_p1.ebuild
+++ b/net-misc/openssh-contrib/openssh-contrib-9.3_p1.ebuild
@@ -393,6 +393,15 @@ tweak_ssh_configs() {
 	SendEnv COLORTERM
 	EOF
 
+	cat <<-EOF >> "${ED}"/etc/ssh/ssh_config.d/91gentoo-security.conf || die
+	RevokedHostKeys "${EPREFIX}/etc/ssh/ssh_revoked_hosts"
+	EOF
+
+	cat <<-EOF >> "${ED}"/etc/ssh/ssh_revoked_hosts || die
+	# https://github.blog/2023-03-23-we-updated-our-rsa-ssh-host-key/
+	ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==
+	EOF
+
 	cat <<-EOF >> "${ED}"/etc/ssh/sshd_config.d/90gentoo.conf || die
 	# Allow client to pass locale environment variables (bug #367017)
 	AcceptEnv ${locale_vars[*]}