[Bug 3184] New: Unable to add deprecated KexAlgorithms back for host via config file

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Sat Jun 20 02:51:45 AEST 2020


https://bugzilla.mindrot.org/show_bug.cgi?id=3184

            Bug ID: 3184
           Summary: Unable to add deprecated KexAlgorithms back for host
                    via config file
           Product: Portable OpenSSH
           Version: 8.2p1
          Hardware: All
                OS: All
            Status: NEW
          Severity: major
          Priority: P5
         Component: ssh
          Assignee: unassigned-bugs at mindrot.org
          Reporter: nneul at neulinger.org

I understand the desire to remove diffie-hellman-group14-sha1 for
example from the default offers - and agree completely with that. This
bug is NOT about the removal/default changes. 

Somewhere between 7.6p1 and 8.2p1 the ability to add the deprecated
algorithms back in via config has broken. IT DOES WORK on command line.
It's only in the config file parsing where it fails (i.e. I can no
longer add a 'Host old-PoS-router  KexAlgorithms insecureone' entry to
my config).

This worked as of 7.6p1. Note that it is also not specific to the
deprecated ones, it appears to be a general issue with that option
being ignored in the config file.

For example, with 7.6p1, if I put:

Host *
   KexAlgorithms ecdh-sha2-nistp521

in config, and run with -vvv, I see: 

debug2: local client KEXINIT proposal
debug2: KEX algorithms: ecdh-sha2-nistp521,ext-info-c
but with 8.2p1, the offer just shows the default regardless of the
content of the settings in config:

debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group1-sha1,ext-info-c

I'll see if I can find where specifically this broke.
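The report compares the KEXINIT proposal printed by `ssh -vvv` against what the config file asked for. The following POSIX shell script is an added example (not part of the bug report or of OpenSSH) that automates that comparison: it extracts the effective key-exchange list either from the `ssh -G` configuration dump or from the `debug2: KEX algorithms:` line, and then checks whether a `KexAlgorithms` setting written to a temporary config file survives into the effective configuration. It assumes an `ssh` binary is on PATH, that `ssh -G` prints a lowercase `kexalgorithms` line, and uses the placeholder hostname `example.invalid`; the sample dumps in the comments are constructed.

```shell
#!/bin/sh
# Added example: verify that a KexAlgorithms entry in an ssh_config file
# actually reaches the effective client configuration.

# kex_from_dump: read ssh output on stdin and print the key-exchange list.
# Accepts both the "ssh -G" form ("kexalgorithms <list>") and the
# "ssh -vvv" form ("debug2: KEX algorithms: <list>,ext-info-c[,...]").
kex_from_dump() {
    awk '
        tolower($1) == "kexalgorithms" { print $2; exit }
        $1 == "debug2:" && $2 == "KEX" && $3 == "algorithms:" {
            v = $4
            if (v == "") { getline; v = $1 }   # list wrapped onto the next line (as in a mail)
            sub(/,ext-info-c.*$/, "", v)       # strip extension markers; they are not KEX methods
            print v; exit
        }'
}

# kex_matches EXPECTED OUTPUT: succeed if OUTPUT carries exactly EXPECTED.
kex_matches() {
    expected=$1
    actual=$(printf '%s\n' "$2" | kex_from_dump)
    [ "$actual" = "$expected" ]
}

# check_config_kex LIST: write "Host *" / "KexAlgorithms LIST" to a
# temporary config file, dump the effective config with "ssh -G", and
# report whether the file's setting was honoured. Needs an ssh binary.
check_config_kex() {
    want=$1
    cfg=$(mktemp) || return 2
    printf 'Host *\n   KexAlgorithms %s\n' "$want" > "$cfg"
    out=$(ssh -G -F "$cfg" example.invalid 2>/dev/null)   # placeholder host; -G does not connect
    rm -f "$cfg"
    if kex_matches "$want" "$out"; then
        echo "config file KexAlgorithms honoured: $want"
        return 0
    fi
    echo "config file KexAlgorithms NOT honoured; effective list: $(printf '%s\n' "$out" | kex_from_dump)"
    return 1
}

# Live check against the local ssh, when present; the parser above works
# on saved output regardless.
if command -v ssh >/dev/null 2>&1; then
    check_config_kex ecdh-sha2-nistp521 || true
else
    echo "ssh not found; skipping live check"
fi
```

Run it on a client where the config file is suspected to be ignored; a "NOT honoured" verdict together with the default list, as in the 8.2p1 output above, reproduces the symptom, while the same check with `-o KexAlgorithms=...` on the command line gives the baseline to compare against.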
