commit:     a3392cb674cc568575d1dfe3c35c3fc907cb2a8f
Author:     Sam James <sam <AT> gentoo <DOT> org>
AuthorDate: Mon May  8 17:07:09 2023 +0000
Commit:     Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Thu May 11 20:03:46 2023 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a3392cb6

net-misc/openssh-contrib: revoke github.com's compromised RSA host key

See https://github.blog/2023-03-23-we-updated-our-rsa-ssh-host-key/.

It's necessary for the old github.com key to be explicitly removed (or revoked)
rather than just selecting a new key: users can be silently affected yet never
see an error, because github.com may not serve them an RSA key at all.

Revoke the old github.com key as part of the ebuild to help users out.

Closes: https://github.com/gentoo/gentoo/pull/30327
Closes: https://github.com/gentoo/gentoo/pull/30897
Signed-off-by: Sam James <sam <AT> gentoo.org>

 net-misc/openssh-contrib/openssh-contrib-9.3_p1.ebuild | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/net-misc/openssh-contrib/openssh-contrib-9.3_p1.ebuild 
b/net-misc/openssh-contrib/openssh-contrib-9.3_p1.ebuild
index 18255acf5f45..bdcd1d5ad012 100644
--- a/net-misc/openssh-contrib/openssh-contrib-9.3_p1.ebuild
+++ b/net-misc/openssh-contrib/openssh-contrib-9.3_p1.ebuild
@@ -393,6 +393,15 @@ tweak_ssh_configs() {
        SendEnv COLORTERM
        EOF
 
+       cat <<-EOF >> "${ED}"/etc/ssh/ssh_config.d/91gentoo-security.conf || die
+       RevokedHostKeys "${EPREFIX}/etc/ssh/ssh_revoked_hosts"
+       EOF
+
+       cat <<-EOF >> "${ED}"/etc/ssh/ssh_revoked_hosts || die
+       # https://github.blog/2023-03-23-we-updated-our-rsa-ssh-host-key/
+       ssh-rsa 
AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==
+       EOF
+
        cat <<-EOF >> "${ED}"/etc/ssh/sshd_config.d/90gentoo.conf || die
        # Allow client to pass locale environment variables (bug #367017)
        AcceptEnv ${locale_vars[*]}
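Review bot: The new `RevokedHostKeys` directive in 91gentoo-security.conf makes `${EPREFIX}/etc/ssh/ssh_revoked_hosts` load-bearing for every outgoing connection, and as far as I recall ssh treats an unreadable or missing revoked-keys file as a host-key check error and aborts rather than skipping the check, so an admin who deletes the file (or loses it in a CONFIG_PROTECT merge) loses all ssh access with an unhelpful message. A comment above the directive would make that failure mode discoverable, e.g. `# NOTE: ssh refuses every connection if this file is missing or unreadable; empty it rather than deleting it.` placed before the `RevokedHostKeys` line. The key blob appended to ssh_revoked_hosts carries no way to confirm it is the right one; consider extending the `# https://github.blog/...` comment with the revoked key's published fingerprint so a reviewer can check the pasted key with `ssh-keygen -lf`. The `ssh-rsa` line appears wrapped in this view (`ssh-rsa ` / `AAAA…`); the plain-text RevokedHostKeys format requires one key per line, so presumably that is only the rendering, but worth confirming in the committed file. tweak_ssh_configs() starts and ends outside this hunk.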
