List: openssh-unix-dev
Subject: HostkeyAlgorithms + support seems broken [7.0]
From: Bryan Drewery <bdrewery () FreeBSD ! org>
Date: 2015-08-21 21:46:53
Message-ID: 55D79C4D.5030004 () FreeBSD ! org
The `+' support for HostkeyAlgorithms seems wrong compared to the other
configuration options; it replaces with literal +value.
Default:
# sshd -v
sshd: illegal option -- v
OpenSSH_7.0p1, OpenSSL 1.0.2d 9 Jul 2015
# sshd -T -f /usr/local/etc/ssh/sshd_config|grep hostkeyalgorithms
hostkeyalgorithms
ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,ssh-rsa
With this in sshd_config:
HostkeyAlgorithms +ssh-dss
The result:
# sshd -T -f /usr/local/etc/ssh/sshd_config|grep hostkeyalgorithms
hostkeyalgorithms +ssh-dss
This disables all algorithms:
# ssh -vvv user@127.0.0.1
...
debug1: REQUESTED ENC.NAME is 'chacha20-poly1305@openssh.com'
debug1: kex: server->client chacha20-poly1305@openssh.com <implicit> none
debug1: REQUESTED ENC.NAME is 'chacha20-poly1305@openssh.com'
debug1: kex: client->server chacha20-poly1305@openssh.com <implicit> none
Unable to negotiate with 127.0.0.1: no matching host key type found.
Their offer:
A similar problem exists with ssh_config:
# ssh -G user@127.0.0.1|grep hostkeyalgorithms
hostkeyalgorithms +ssh-dss
Also many of these new configuration options are missing in the manpages.
--
Regards,
Bryan Drewery
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
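The following is an added illustration of the failure mode in the report above; it is not OpenSSH code and not the reporter's. It models the two ways a `HostkeyAlgorithms` value can be interpreted: the verbatim replacement that `sshd -T` showed in 7.0 (the literal string `+ssh-dss` becomes the whole list) against the intended append-to-defaults semantics, and then runs a simplified SSH algorithm negotiation (first client-preferred name that the server also offers, per RFC 4253 section 7.1) over each to show why the client ended up with "no matching host key type found". The default list is the one printed by `sshd -T` in the report; the function names `expand_buggy`, `expand_fixed` and `negotiate` are this example's own.

```python
"""Model of sshd_config '+' handling for HostkeyAlgorithms (added example).

Not OpenSSH source. Reproduces the report: in 7.0 the configured value
'+ssh-dss' was stored verbatim instead of being appended to the defaults,
so the server offered no host key type the client could accept.
"""

# Default list exactly as printed by `sshd -T` in the report.
DEFAULT_HOSTKEY_ALGORITHMS = (
    "ecdsa-sha2-nistp256-cert-v01@openssh.com,"
    "ecdsa-sha2-nistp384-cert-v01@openssh.com,"
    "ecdsa-sha2-nistp521-cert-v01@openssh.com,"
    "ssh-ed25519-cert-v01@openssh.com,"
    "ssh-rsa-cert-v01@openssh.com,"
    "ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,"
    "ssh-ed25519,ssh-rsa"
)


def expand_buggy(value, defaults=DEFAULT_HOSTKEY_ALGORITHMS):
    """Behaviour observed in the report: the configured value replaces the
    defaults verbatim, leading '+' included, so '+ssh-dss' is treated as
    the name of a (nonexistent) algorithm."""
    return [a for a in value.split(",") if a]


def expand_fixed(value, defaults=DEFAULT_HOSTKEY_ALGORITHMS):
    """Intended semantics: a leading '+' appends the listed names to the
    default set (duplicates dropped, default order kept); a value without
    '+' replaces the defaults outright."""
    base = [a for a in defaults.split(",") if a]
    if value.startswith("+"):
        extra = [a for a in value[1:].split(",") if a]
        return base + [a for a in extra if a not in base]
    return [a for a in value.split(",") if a]


def negotiate(client_list, server_list):
    """Simplified SSH host key algorithm negotiation (RFC 4253 section 7.1):
    the first name in the client's preference order that the server also
    offers wins. Returns None when the lists share nothing, which is the
    'no matching host key type found' case from the report."""
    offered = set(server_list)
    for alg in client_list:
        if alg in offered:
            return alg
    return None


def negotiation_outcomes(config_value="+ssh-dss"):
    """Compare both interpretations for a default-configured client."""
    client = [a for a in DEFAULT_HOSTKEY_ALGORITHMS.split(",") if a]
    return {
        "buggy": negotiate(client, expand_buggy(config_value)),
        "fixed": negotiate(client, expand_fixed(config_value)),
    }


if __name__ == "__main__":
    print("buggy server list:", expand_buggy("+ssh-dss"))
    print("fixed server list:", expand_fixed("+ssh-dss"))
    print(negotiation_outcomes())
```

The model leaves out one thing a real sshd does: it also drops from its offer any key type for which no host key file is loaded, so an appended `ssh-dss` only becomes usable once a DSA host key exists. The diagnostic habit the report demonstrates still applies: after editing an algorithm list, run `sshd -T -f <config>` (or `ssh -G` for the client) and confirm the printed value is an expanded list rather than the literal text you typed.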