Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Backport of udpate x/crypto/ssh into v1.2 #30963

Merged
merged 1 commit into from
Apr 28, 2022
Merged

Backport of udpate x/crypto/ssh into v1.2 #30963

merged 1 commit into from
Apr 28, 2022

Conversation

teamterraform
Copy link
Contributor

Backport

This PR is auto-generated from #30962 to be assessed for backporting due to the inclusion of the label 1.2-backport.

The below text is copied from the body of the original PR.

The existing ssh client was relying on legacy key algorithms and could not connect to recent versions of openssh, or servers with a limited set of fips approved algorithms.

Update golang.org/x/crypto to allow the ssh client to make use of newer key algorithms.

The server-side portion of this work is not yet completed, making a unit test difficult, but this was manually tested against an openssh server using the fedora35 fips configuration options

Ciphers aes256-gcm@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha2-512
KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512
HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com
PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com
CASignatureAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-256,rsa-sha2-512

The module update does not contain any changes to the other packages used in terraform, openpgp and bcrypt.

Closes #30134

@teamterraform teamterraform force-pushed the backport/jbardin/update-ssh/cheaply-steady-gnu branch from 8d51b71 to 7799d60 Compare April 28, 2022 20:44
@teamterraform teamterraform requested a review from jbardin April 28, 2022 20:44
@jbardin jbardin merged commit caa163b into v1.2 Apr 28, 2022
@jbardin jbardin deleted the backport/jbardin/update-ssh/cheaply-steady-gnu branch April 28, 2022 20:51
@github-actions
Copy link
Contributor

Reminder for the merging maintainer: if this is a user-visible change, please update the changelog on the appropriate release branch.

@github-actions
Copy link
Contributor

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active contributions.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators May 29, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@jbardin jbardin Awaiting requested review from jbardin

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@teamterraform @jbardin