From: "Sam James" <sam@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] repo/gentoo:master commit in: net-misc/openssh-contrib/
Date: Thu, 11 May 2023 20:03:57 +0000 (UTC)
Message-ID: <1683835426.a3392cb674cc568575d1dfe3c35c3fc907cb2a8f.sam@gentoo>
commit: a3392cb674cc568575d1dfe3c35c3fc907cb2a8f
Author: Sam James <sam <AT> gentoo <DOT> org>
AuthorDate: Mon May 8 17:07:09 2023 +0000
Commit: Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Thu May 11 20:03:46 2023 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a3392cb6
net-misc/openssh-contrib: revoke github.com's compromised RSA host key
See https://github.blog/2023-03-23-we-updated-our-rsa-ssh-host-key/.
It's necessary for the old github.com key to be explicitly removed (or revoked)
rather than just selecting a new key, i.e. it's possible for users to be silently
affected but not see the error because github.com may not serve them an RSA key.
Revoke the old github.com key as part of the ebuild to help users out.
Closes: https://github.com/gentoo/gentoo/pull/30327
Closes: https://github.com/gentoo/gentoo/pull/30897
Signed-off-by: Sam James <sam <AT> gentoo.org>
net-misc/openssh-contrib/openssh-contrib-9.3_p1.ebuild | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/net-misc/openssh-contrib/openssh-contrib-9.3_p1.ebuild b/net-misc/openssh-contrib/openssh-contrib-9.3_p1.ebuild
index 18255acf5f45..bdcd1d5ad012 100644
--- a/net-misc/openssh-contrib/openssh-contrib-9.3_p1.ebuild
+++ b/net-misc/openssh-contrib/openssh-contrib-9.3_p1.ebuild
@@ -393,6 +393,15 @@ tweak_ssh_configs() {
SendEnv COLORTERM
EOF
+ cat <<-EOF >> "${ED}"/etc/ssh/ssh_config.d/91gentoo-security.conf || die
+ RevokedHostKeys "${EPREFIX}/etc/ssh/ssh_revoked_hosts"
+ EOF
+
+ cat <<-EOF >> "${ED}"/etc/ssh/ssh_revoked_hosts || die
+ # https://github.blog/2023-03-23-we-updated-our-rsa-ssh-host-key/
+ ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==
+ EOF
+
cat <<-EOF >> "${ED}"/etc/ssh/sshd_config.d/90gentoo.conf || die
# Allow client to pass locale environment variables (bug #367017)
AcceptEnv ${locale_vars[*]}
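Review bot: The `RevokedHostKeys "${EPREFIX}/etc/ssh/ssh_revoked_hosts"` line added to 91gentoo-security.conf makes every outgoing ssh connection depend on that file existing and being readable, because ssh_config(5) states that host authentication is refused for all hosts when the RevokedHostKeys file is missing or unreadable. The file is created here with a plain `cat >>` redirect and no explicit mode, so I would set its permissions explicitly (world-readable) in the ebuild and add a comment line in ssh_revoked_hosts telling admins not to delete it while the config snippet is installed. The comment above the key carries only the blog URL; naming the host and key type there (github.com, old RSA host key) would let someone auditing /etc/ssh/ssh_revoked_hosts confirm what the entry is without following the link. Both files are written with `>>`, so it is also worth confirming that nothing earlier in tweak_ssh_configs() or a previous install can leave stale content that this appends to.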