
- create SSHv2 RSA in addition to SSHv1 RSA server key - generate server keys with 2048 bits instead of 1024 - create ~/.ssh/agent file with mode 600 instead of mode 700 - cleanup ssh_config and sshd_config files - default to "Protocol 2,1" in server and "Protocol 1,2" in client

Ralf S. Engelschall 24 lat temu
rodzic
commit
9752b1edbe
4 zmienionych plików z 39 dodań i 29 usunięć
  1. 13 5
      openssh/openssh.spec
  2. 4 4
      openssh/ssh-keyman
  3. 16 15
      openssh/ssh_config
  4. 6 5
      openssh/sshd_config

+ 13 - 5
openssh/openssh.spec

@@ -44,7 +44,7 @@ Distribution: OpenPKG [REL]
 Group:        Cryptography
 License:      BSD
 Version:      3.2.3p1
-Release:      20020522
+Release:      20020531
 
 #   list of sources
 Source0:      ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
@@ -203,18 +203,26 @@ AutoReqProv:  no
     rm -rf $RPM_BUILD_ROOT
 
 %post
-    #   generate server RSA key
+    #   generate server RSA1 (SSHv1) key
     if [ ! -f "$RPM_INSTALL_PREFIX/etc/openssh/ssh_host_key" -o \
          ! -s "$RPM_INSTALL_PREFIX/etc/openssh/ssh_host_key" ] ; then
-        $RPM_INSTALL_PREFIX/bin/ssh-keygen -t rsa1 -b 1024 \
+        $RPM_INSTALL_PREFIX/bin/ssh-keygen -t rsa1 -b 2048 \
             -f $RPM_INSTALL_PREFIX/etc/openssh/ssh_host_key \
             -N '' -C `hostname` 1>&2
     fi
 
-    #   generate server DSA key
+    #   generate server RSA (SSHv2) key
+    if [ ! -f "$RPM_INSTALL_PREFIX/etc/openssh/ssh_host_rsa_key" -o \
+         ! -s "$RPM_INSTALL_PREFIX/etc/openssh/ssh_host_rsa_key" ] ; then
+        $RPM_INSTALL_PREFIX/bin/ssh-keygen -t rsa -b 2048 \
+            -f $RPM_INSTALL_PREFIX/etc/openssh/ssh_host_rsa_key \
+            -N '' -C `hostname` 1>&2
+    fi
+
+    #   generate server DSA (SSHv2) key
     if [ ! -f "$RPM_INSTALL_PREFIX/etc/openssh/ssh_host_dsa_key" -o \
          ! -s "$RPM_INSTALL_PREFIX/etc/openssh/ssh_host_dsa_key" ] ; then
-        $RPM_INSTALL_PREFIX/bin/ssh-keygen -t dsa -d \
+        $RPM_INSTALL_PREFIX/bin/ssh-keygen -t dsa -b 2048 \
             -f $RPM_INSTALL_PREFIX/etc/openssh/ssh_host_dsa_key \
             -N '' -C `hostname` 1>&2
     fi
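Review bot: `ssh-keygen -t dsa -b 2048` in the third key block requests a DSA key outside the 512–1024 bit range that FIPS 186-2 defines for DSA; depending on the OpenSSL build this either fails at %post time or yields a nonstandard key (160-bit q under a 2048-bit p) that some SSHv2 peers may reject, and as far as I recall later ssh-keygen releases refuse any DSA size other than 1024. Keep the DSA key at `-b 1024` (or drop `-b` and take the default) and reserve the 2048-bit size for the RSA1 and RSA keys, which have no such limit. The `%post` scriptlet continues past this hunk, so whatever ownership or permission handling follows the generation is not visible here.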

+ 4 - 4
openssh/ssh-keyman

@@ -26,8 +26,8 @@
 
 #   program information
 prog_name="ssh-keyman"
-prog_vers="1.0.0"
-prog_date="05-May-2002"
+prog_vers="1.0.1"
+prog_date="31-May-2002"
 
 #   OpenSSH programs
 ssh_agent="@l_prefix@/bin/ssh-agent"
@@ -143,7 +143,7 @@ if [ ! -f $agentfile ]; then
     if [ ".$SSH_AUTH_SOCK" != . -a ".$SSH_AGENT_PID" != . ]; then
         ( echo "SSH_AUTH_SOCK=$SSH_AUTH_SOCK"
           echo "SSH_AGENT_PID=$SSH_AGENT_PID"
-        ) >$agentfile && chmod 700 $agentfile
+        ) >$agentfile && chmod 600 $agentfile
         echo "$prog_name:WARNING: valid agent information in your environment" 1>&2
         echo "$prog_name:WARNING: but no saved agent state file -- fixed" 1>&2
     fi
@@ -182,7 +182,7 @@ if [ ".$opt_s" = .yes ]; then
         fi
         ( echo "SSH_AUTH_SOCK=$SSH_AUTH_SOCK"
           echo "SSH_AGENT_PID=$SSH_AGENT_PID"
-        ) >$agentfile && chmod 700 $agentfile
+        ) >$agentfile && chmod 600 $agentfile
     fi
 fi
 
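Review bot: The `chmod 600` on both hunks (the `) >$agentfile && chmod 600 $agentfile` lines) still runs after the file has already been created with the caller's umask, so under a permissive umask the agent socket path and PID are briefly world-readable, and if the redirect succeeds but chmod fails the file stays at umask permissions. Creating the file with the right mode first closes both gaps, e.g. `: >$agentfile && chmod 600 $agentfile &&` ahead of the `( echo ... )` group, or a saved-and-restored `umask 077` around the write (note a `umask` inside the subshell would not help, since the parent shell opens the redirect). Both enclosing `if` blocks start outside their hunks.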

+ 16 - 15
openssh/ssh_config

@@ -3,7 +3,6 @@
 ##
 
 Host localhost
-    Cipher                          blowfish
     Compression                     no
     ForwardX11                      yes
     KeepAlive                       yes
@@ -13,30 +12,32 @@ Host localhost
 #   the rule is "first matching is used")
 Host *
     BatchMode                       no
-    ChallengeResponseAuthentication yes
     CheckHostIP                     yes
+    Protocol                        1,2
+    HostKeyAlgorithms               ssh-rsa,ssh-dss
+    PreferredAuthentications        hostbased,publickey,keyboard-interactive,password
     Cipher                          3des
-    Ciphers                         3des-cbc,blowfish-cbc,aes128-cbc
+    Ciphers                         aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
+    MACs                            hmac-sha1,hmac-md5,hmac-ripemd160,hmac-sha1-96,hmac-md5-96
     Compression                     yes
     CompressionLevel                4
     ConnectionAttempts              2
-    DSAAuthentication               yes
-    EscapeChar                      ~
-    FallBackToRsh                   no
-    ForwardAgent                    yes
-    ForwardX11                      no
-    GatewayPorts                    no
-    KeepAlive                       no
-    LogLevel                        INFO
-    MACs                            hmac-sha1,hmac-md5,hmac-ripemd160
-    NumberOfPasswordPrompts         2
-    PasswordAuthentication          yes
-    Protocol                        1,2
     PubkeyAuthentication            yes
+    DSAAuthentication               yes
     RSAAuthentication               yes
+    ChallengeResponseAuthentication yes
+    PasswordAuthentication          yes
+    NumberOfPasswordPrompts         2
     RhostsAuthentication            no
     RhostsRSAAuthentication         no
     StrictHostKeyChecking           no
     UsePrivilegedPort               no
     UseRsh                          no
+    FallBackToRsh                   no
+    EscapeChar                      ~
+    ForwardAgent                    yes
+    ForwardX11                      no
+    GatewayPorts                    no
+    KeepAlive                       no
+    LogLevel                        INFO
 
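Review bot: `Protocol 1,2` under `Host *` makes the client prefer SSHv1 while this same commit moves sshd to `Protocol 2,1`; because the client's order decides the negotiation, two hosts running this package will keep talking SSHv1 and the newly generated SSHv2 RSA host key goes unused. If old SSHv1-only servers still need to be reachable, `Protocol 2,1` in the client keeps that fallback while preferring v2. The rewritten `Ciphers` line now also lists `arcfour` and the `MACs` line adds the truncated `hmac-sha1-96,hmac-md5-96`; they are only selected when a server offers nothing earlier in the list, which deserves a comment such as `#   order is preference; weaker entries at the end are fallbacks only` since the ordering is the only thing limiting their use.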

+ 6 - 5
openssh/sshd_config

@@ -7,7 +7,7 @@ ListenAddress            0.0.0.0
 
 Subsystem                sftp @l_prefix@/libexec/openssh/sftp-server
 
-Protocol                 1,2
+Protocol                 2,1
 HostKey                  @l_prefix@/etc/openssh/ssh_host_key
 HostDsaKey               @l_prefix@/etc/openssh/ssh_host_dsa_key
 ServerKeyBits            768
@@ -17,17 +17,18 @@ PidFile                  @l_prefix@/var/openssh/sshd.pid
 SyslogFacility           AUTH
 LogLevel                 INFO
 
-RhostsAuthentication     no
-RhostsRSAAuthentication  no
-PasswordAuthentication   yes
+PubkeyAuthentication     yes
 RSAAuthentication        yes
 DSAAuthentication        yes
+PasswordAuthentication   yes
+RhostsAuthentication     no
+RhostsRSAAuthentication  no
 
 StrictModes              yes
 IgnoreRhosts             yes
+KeepAlive                yes
 X11Forwarding            no
 GatewayPorts             no
-KeepAlive                yes
 
 LoginGraceTime           600
 MaxStartups              10:30:60
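Review bot: The SSHv2 RSA host key that openssh.spec now generates (`ssh_host_rsa_key`) is never loaded here: the first hunk keeps only `HostKey ... ssh_host_key` and `HostDsaKey ... ssh_host_dsa_key`, and once any HostKey is given explicitly sshd does not fall back to its built-in default key list, so SSHv2 clients are only ever offered the DSA key despite the client config's `HostKeyAlgorithms ssh-rsa,ssh-dss` preference. Add `HostKey @l_prefix@/etc/openssh/ssh_host_rsa_key` after the existing HostKey line. With host keys now at 2048 bits, `ServerKeyBits 768` for the SSHv1 ephemeral server key could also be raised while SSHv1 stays enabled, subject to the rule that it must remain smaller than the host key.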