diff --git a/connectivity/openssh/centos/patches/harden-server-and-client-config.patch b/connectivity/openssh/centos/patches/harden-server-and-client-config.patch
index a5899f238..ea474cffc 100644
--- a/connectivity/openssh/centos/patches/harden-server-and-client-config.patch
+++ b/connectivity/openssh/centos/patches/harden-server-and-client-config.patch
@@ -1,6 +1,6 @@
-From 5f272d70827454c71a650018786c444116927348 Mon Sep 17 00:00:00 2001
+From a2f285b181d1867266ff9e705e87d54737f863cb Mon Sep 17 00:00:00 2001
 From: Andy Ning
-Date: Thu, 22 Mar 2018 10:16:08 -0400
+Date: Fri, 23 Mar 2018 14:46:06 -0400
 Subject: [PATCH 1/1] CGTS-9265: remove sha1 based kex algorithms
 
 The patch hardened ssh server and client security, specifically
@@ -8,8 +8,8 @@ removed support of sha1 base kex algrorithms as found by Nessus scan.
 
 ---
  ssh_config  |  3 +++
- sshd_config | 47 ++++++++++++++++++++++++++++-------------------
- 2 files changed, 31 insertions(+), 19 deletions(-)
+ sshd_config | 45 +++++++++++++++++++++++++++------------------
+ 2 files changed, 30 insertions(+), 18 deletions(-)
 
 diff --git a/ssh_config b/ssh_config
 index d1c83ea..3320eb0 100644
@@ -23,7 +23,7 @@ index d1c83ea..3320eb0 100644
 +# Filtered key exchange algorithm list
 +KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
 diff --git a/sshd_config b/sshd_config
-index 6bbb86b..122dee3 100644
+index 6bbb86b..7fb2ac7 100644
 --- a/sshd_config
 +++ b/sshd_config
 @@ -25,19 +25,19 @@ HostKey /etc/ssh/ssh_host_ecdsa_key
@@ -107,15 +107,6 @@ index 6bbb86b..122dee3 100644
 # Accept locale-related environment variables
 AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
-@@ -129,7 +130,7 @@ AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
- AcceptEnv XMODIFIERS
- 
- # override default of no subsystems
--Subsystem sftp /usr/libexec/sftp-server
-+Subsystem sftp /usr/libexec/openssh/sftp-server
- 
- # Example of overriding settings on a per-user basis
- #Match User anoncvs
 @@ -137,3 +138,11 @@ Subsystem sftp /usr/libexec/sftp-server
 # AllowTcpForwarding no
 # PermitTTY no