[Bug 3661] New: Set handshake-related keywords like KexAlgorithms,Ciphers,MACs in "Match address" conditional block
bugzilla-daemon at mindrot.org
Thu Feb 1 22:49:43 AEDT 2024
https://bugzilla.mindrot.org/show_bug.cgi?id=3661
Bug ID: 3661
Summary: Set handshake-related keywords like KexAlgorithms,Ciphers,MACs in "Match address" conditional block
Product: Portable OpenSSH
Version: 9.6p1
Hardware: amd64
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: sshd
Assignee: unassigned-bugs at mindrot.org
Reporter: daku8938 at gmx.de
In the sshd_config (specifically the sftp-server subsystem) I would
like to set the following, to generally offer Cipher aes128-ctr, but
for clients from IP address 1.2.3.4 offer Ciphers aes128-ctr and also
aes128-gcm@openssh.com:
----------------------------------
Ciphers aes128-ctr
Match Address 1.2.3.4
Ciphers aes128-ctr,aes128-gcm@openssh.com
----------------------------------
Analogously, I would like to be able to configure other handshake-related
variables like KexAlgorithms and MACs.
The use case is that we need to restrict values to strict, secure values.
But when some customer clients cannot connect with those, we could
additionally offer older, insecure values to those specific client IP
addresses for a period of time, to give clients time to update.
The client source IP is already known at the TCP (IP) layer, so before
any application (SSH) layer handshake, so this should be possible.