Use default ssh host key algorithms

ipa-client-install no longer overrides SSH client settings for HostKeyAlgorithms. It's no longer necessary to configure HostKeyAlgorithms. The setting was disabling modern algorithms and enabled a weak algorithm that is blocked in FIPS code. The ipa-client package removes IPA's custom HostKeyAlgorithm from /etc/ssh/ssh_config during package update. Non-IPA settings are not touched. Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1756432 Fixes: https://pagure.io/freeipa/issue/8082 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2025-02-25 18:55:28 -06:00 · 2019-11-12 09:51:02 +01:00
parent 6c27104467
commit 97a31e69e8
2 changed files with 4 additions and 1 deletions
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -963,6 +963,10 @@ if [ $1 -gt 1 ] ; then
    if [ $restore -ge 2 ]; then
        %{__python3} -c 'from ipaclient.install.client import update_ipa_nssdb; update_ipa_nssdb()' >>/var/log/ipaupgrade.log 2>&1
    fi
+
+    if [ $restore -ge 2 ]; then
+        sed -E --in-place=.orig 's/^(HostKeyAlgorithms ssh-rsa,ssh-dss)$/# disabled by ipa-client update\n# \1/' /etc/ssh/ssh_config
+    fi
 fi