[Bug 3661] New: Set handshake-related keywords like KexAlgorithms,Ciphers,MACs in "Match address" conditional block

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Thu Feb 1 22:49:43 AEDT 2024


https://bugzilla.mindrot.org/show_bug.cgi?id=3661

            Bug ID: 3661
           Summary: Set handshake-related keywords like
                    KexAlgorithms,Ciphers,MACs in "Match address"
                    conditional block
           Product: Portable OpenSSH
           Version: 9.6p1
          Hardware: amd64
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: daku8938 at gmx.de

In the sshd_config (specifically the sftp-server subsystem) I would
like to set the following, to generally offer Cipher aes128-ctr, but
for clients from IP address 1.2.3.4 offer Ciphers aes128-ctr and also
aes128-gcm@openssh.com:

----------------------------------
Ciphers aes128-ctr

Match Address 1.2.3.4
    Ciphers aes128-ctr,aes128-gcm@openssh.com
----------------------------------

Analogously, I would like to be able to configure other handshake-related
variables like KexAlgorithms and MACs.

The use case is that we need to restrict values to strictly secure values.
But when some customer clients cannot connect with those, we could
additionally offer older insecure values to those specific client IP
addresses for a period of time, to give clients time to update.

The client source IP is already known at the TCP/IP layer, that is, before
any application-layer (SSH) handshake, so this should be possible.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
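
An added example, not part of the original report and not OpenSSH code: a small Python check that finds handshake keywords placed inside Match blocks, the placement this report asks sshd to support. sshd_config(5) lists the keywords permitted after Match, and Ciphers, KexAlgorithms and MACs are not among them. The function names are hypothetical and the sample input is the report's configuration, embedded as a constructed string.

```python
import re

# Keywords negotiated during the SSH transport handshake (named in the report).
HANDSHAKE_KEYWORDS = {"ciphers", "kexalgorithms", "macs"}

# Constructed sample: the configuration proposed in the report.
SAMPLE_CONFIG = """\
Ciphers aes128-ctr

Match Address 1.2.3.4
    Ciphers aes128-ctr,aes128-gcm@openssh.com
"""

def parse_line(line):
    """Return (keyword, argument) for a config line, or None for blank/comment."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    # sshd_config accepts both "Keyword value" and "Keyword=value".
    m = re.match(r"([A-Za-z0-9]+)\s*(?:=\s*|\s+)(.*)$", line)
    if not m:
        return (line.lower(), "")
    return (m.group(1).lower(), m.group(2).strip())

def handshake_keywords_in_match(config_text):
    """List (line_no, keyword, match_criteria) for handshake keywords in Match blocks."""
    findings = []
    current_match = None  # criteria of the enclosing Match block; None while global
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        parsed = parse_line(raw)
        if parsed is None:
            continue
        keyword, arg = parsed
        if keyword == "match":
            # A Match block runs until the next Match line or the end of the file.
            current_match = arg
        elif current_match is not None and keyword in HANDSHAKE_KEYWORDS:
            findings.append((line_no, keyword, current_match))
    return findings

if __name__ == "__main__":
    for line_no, keyword, criteria in handshake_keywords_in_match(SAMPLE_CONFIG):
        print(f"line {line_no}: handshake keyword '{keyword}' inside 'Match {criteria}'")
```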
