diff options
author | Sam James <sam@gentoo.org> | 2023-05-08 18:07:09 +0100 |
---|---|---|
committer | Sam James <sam@gentoo.org> | 2023-05-11 21:03:46 +0100 |
commit | a3392cb674cc568575d1dfe3c35c3fc907cb2a8f (patch) | |
tree | 0fea7a83a047bf15209be40833fcbdd0fde41120 | |
parent | net-misc/openssh: revoke github.com's compromised RSA host key (diff) | |
download | gentoo-a3392cb674cc568575d1dfe3c35c3fc907cb2a8f.tar.gz gentoo-a3392cb674cc568575d1dfe3c35c3fc907cb2a8f.tar.bz2 gentoo-a3392cb674cc568575d1dfe3c35c3fc907cb2a8f.zip |
net-misc/openssh-contrib: revoke github.com's compromised RSA host key
See https://github.blog/2023-03-23-we-updated-our-rsa-ssh-host-key/.
It's necessary for the old github.com key to be explicitly removed (or revoked)
rather than just selecting a new key, i.e. it's possible for users to be silently
affected but not see the error because github.com may not serve them an RSA key.
Revoke the old github.com key as part of the ebuild to help users out.
Closes: https://github.com/gentoo/gentoo/pull/30327
Closes: https://github.com/gentoo/gentoo/pull/30897
Signed-off-by: Sam James <sam@gentoo.org>
-rw-r--r-- | net-misc/openssh-contrib/openssh-contrib-9.3_p1.ebuild | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/net-misc/openssh-contrib/openssh-contrib-9.3_p1.ebuild b/net-misc/openssh-contrib/openssh-contrib-9.3_p1.ebuild index 18255acf5f45..bdcd1d5ad012 100644 --- a/net-misc/openssh-contrib/openssh-contrib-9.3_p1.ebuild +++ b/net-misc/openssh-contrib/openssh-contrib-9.3_p1.ebuild @@ -393,6 +393,15 @@ tweak_ssh_configs() { SendEnv COLORTERM EOF + cat <<-EOF >> "${ED}"/etc/ssh/ssh_config.d/91gentoo-security.conf || die + RevokedHostKeys "${EPREFIX}/etc/ssh/ssh_revoked_hosts" + EOF + + cat <<-EOF >> "${ED}"/etc/ssh/ssh_revoked_hosts || die + # https://github.blog/2023-03-23-we-updated-our-rsa-ssh-host-key/ + ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ== + EOF + cat <<-EOF >> "${ED}"/etc/ssh/sshd_config.d/90gentoo.conf || die # Allow client to pass locale environment variables (bug #367017) AcceptEnv ${locale_vars[*]} |