rescue: relax OpenSSH 7 key/algo restrictions

Apparently DH SHA1 key exchange algorithm is still in wide use at least within Cisco products (there's a real world case involving our user), and some still use DSA keys which might be longer than "allowed" yet not trusted anymore. See also: http://www.openssh.com/legacy.html http://bugzilla.altlinux.org/31716 http://altlinux.org/changes (Jan 2016; RU)

rescue: relax OpenSSH 7 key/algo restrictions
4de3463b · Michael Shigorin · ee590934 · 4de3463b
Commit 4de3463b authored Jan 22, 2016 by Michael Shigorin
Hide whitespace changes
Inline Side-by-side

Showing with 19 additions and 0 deletions

50-openssh features.in/rescue/rescue/image-scripts.d/50-openssh +19 -0

No files found.
--- a/features.in/rescue/rescue/image-scripts.d/50-openssh
+++ b/features.in/rescue/rescue/image-scripts.d/50-openssh
+#!/bin/sh
+# re-enable insecure DSA and DH SHA1 support
+# see also: http://www.openssh.com/legacy.html
+
+# any openssh at all?
+[ -d /etc/openssh ] && cd /etc/openssh || exit 0
+
+# is it p7 or earlier (which won't grok the lines added below)?
+[ $(rpmvercmp $(rpmquery --qf='%{VERSION}' openssh-common) 7.0) != "-1" ] ||
+	exit 0
+
+KEY_TYPES="PubkeyAcceptedKeyTypes +ssh-dss,ssh-dss-cert-v01@openssh.com"
+KEX_ALGOS="KexAlgorithms +diffie-hellman-group1-sha1"
+
+grep -qs "^$KEY_TYPES" sshd_config || echo "$KEY_TYPES" >> sshd_config
+grep -qs "^$KEY_TYPES" ssh_config  || echo "$KEY_TYPES" >> ssh_config
+grep -qs "^$KEX_ALGOS" ssh_config  || echo "$KEX_ALGOS" >> ssh_config
+
+: