From 4de3463b81ed7783c5f5750fa0b83d39e9ced2c5 Mon Sep 17 00:00:00 2001
From: Michael Shigorin
Date: Fri, 22 Jan 2016 11:59:50 +0300
Subject: [PATCH] rescue: relax OpenSSH 7 key/algo restrictions

Apparently DH SHA1 key exchange algorithm is still in wide use at least within Cisco products (there's a real world case involving our user), and some still use DSA keys which might be longer than "allowed" yet not trusted anymore.

See also:
http://www.openssh.com/legacy.html
http://bugzilla.altlinux.org/31716
http://altlinux.org/changes (Jan 2016; RU)
---
 .../rescue/rescue/image-scripts.d/50-openssh | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
 create mode 100755 features.in/rescue/rescue/image-scripts.d/50-openssh

diff --git a/features.in/rescue/rescue/image-scripts.d/50-openssh b/features.in/rescue/rescue/image-scripts.d/50-openssh
new file mode 100755
index 00000000..ff60c47d
--- /dev/null
+++ b/features.in/rescue/rescue/image-scripts.d/50-openssh
@@ -0,0 +1,19 @@
+#!/bin/sh
+# re-enable insecure DSA and DH SHA1 support
+# see also: http://www.openssh.com/legacy.html
+
+# any openssh at all?
+[ -d /etc/openssh ] && cd /etc/openssh || exit 0
+
+# is it p7 or earlier (which won't grok the lines added below)?
+[ $(rpmvercmp $(rpmquery --qf='%{VERSION}' openssh-common) 7.0) != "-1" ] ||
+ exit 0
+
+KEY_TYPES="PubkeyAcceptedKeyTypes +ssh-dss,ssh-dss-cert-v01@openssh.com"
+KEX_ALGOS="KexAlgorithms +diffie-hellman-group1-sha1"
+
+grep -qs "^$KEY_TYPES" sshd_config || echo "$KEY_TYPES" >> sshd_config
+grep -qs "^$KEY_TYPES" ssh_config || echo "$KEY_TYPES" >> ssh_config
+grep -qs "^$KEX_ALGOS" ssh_config || echo "$KEX_ALGOS" >> ssh_config
+
+:
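Review bot: The version gate on the ninth added line leaves both command substitutions unquoted, so when `rpmquery` prints nothing (openssh-common not installed, or the query failing) `[` is left with `!= "-1"` and no left operand and aborts with a syntax error; the script still reaches `exit 0`, but only by accident of the error status, and a non-empty version with unexpected whitespace would split into extra arguments. Quote it as `[ "$(rpmvercmp "$(rpmquery --qf='%{VERSION}' openssh-common)" 7.0)" != "-1" ] || exit 0` so the comparison is the one intended. The three idempotency checks use `"^$KEY_TYPES"` and `"^$KEX_ALGOS"` as basic regexes in which `.` is a wildcard; `grep -qsxF -- "$KEY_TYPES" sshd_config` (and likewise for the other two) would test for the exact line instead. Both directives are appended to the end of ssh_config and sshd_config, where they inherit whatever `Host`/`Match` stanza closes the file, so if the stock config ends in anything narrower than `Host *` the relaxed algorithms would apply only to that stanza; a comment above the grep lines stating that the files are assumed to end in global scope would record that assumption for the next reader.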