Use secure MACs and KexAlgorithms

Use-secure-MACs-and-KexAlgorithms.patch

@@ -0,0 +1,22 @@
+diff --git a/security.conf b/security.conf
+index e5d39e2..30b9f54 100644
+--- a/security.conf
++++ b/security.conf
+@@ -74,7 +74,7 @@
+ 112@m@/etc/ssh/sshd_config@Banner @/etc/issue.net
+ 
+ # Set sshd message authentication code algorithm
+-113@m@/etc/ssh/sshd_config@MACs @hmac-sha2-512,hmac-sha2-512-etm@@openssh.com,hmac-sha2-256,hmac-sha2-256-etm@@openssh.com,hmac-sha1,hmac-sha1-etm@@openssh.com
++113@m@/etc/ssh/sshd_config@MACs @hmac-sha2-512,hmac-sha2-512-etm@@openssh.com,hmac-sha2-256,hmac-sha2-256-etm@@openssh.com
+ 
+ # Make sshd check file modes and ownership of the user's files and home directory before accepting login
+ 114@m@/etc/ssh/sshd_config@StrictModes @yes
+@@ -95,7 +95,7 @@
+ 120@m@/etc/ssh/sshd_config@PermitTunnel @no
+ 
+ #CVE-2015-4000
+-121@m@/etc/ssh/sshd_config@KexAlgorithms@ curve25519-sha256,curve25519-sha256@@libssh.org,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256
++121@m@/etc/ssh/sshd_config@KexAlgorithms@ curve25519-sha256,curve25519-sha256@@libssh.org,diffie-hellman-group-exchange-sha256
+ 
+ 130@systemctl@sshd.service@restart
+ 

security-tool.spec

@@ -1,7 +1,7 @@
 Summary: openEuler Security Tool
 Name   : security-tool
 Version: 2.0
-Release: 1.49
+Release: 1.50
 Source0: https://gitee.com/openeuler/security-tool/repository/archive/v2.0.tar.gz
 License: Mulan PSL v2
 URL: https://gitee.com/openeuler/security-tool
@@ -13,6 +13,8 @@ Requires(preun): systemd-units
 Requires(postun): systemd-units
 BuildRequires: xauth
 
+Patch: Use-secure-MACs-and-KexAlgorithms.patch
+
 %description
 openEuler Security Tool
 
@@ -116,6 +118,9 @@ fi
 %attr(0500,root,root) %{_sbindir}/security-tool.sh
 
 %changelog
+* Fri Oct 9 2020 gaoyusong <gaoyusong1@huawei.com> - 2.0-1.50
+- Use secure MACs and KexAlgorithms
+
 * Thu Sep 17 2020 gaoyusong <gaoyusong1@huawei.com> - 2.0-1.49
 - Upgrade to v2.0