Call for testing: OpenSSH 6.7

Damien Miller djm at mindrot.org
Wed Aug 20 09:54:09 EST 2014


On Tue, 19 Aug 2014, Iain Morgan wrote:

> On Mon, Aug 18, 2014 at 11:23:41 +1000, Damien Miller wrote:
> > Potentially-incompatible changes
> > 
> >  * sshd(8): The default set of ciphers and MACs has been altered to
> >    remove unsafe algorithms. In particular, CBC ciphers and arcfour*
> >    are disabled by default.
> > 
> 
> Is this really true? I just ran "$PWD/sshd -f /dev/null -T" in my build
> directory, and it lists the full set of ciphers -- not the trimmed-down
> default list indicated in sshd_config(5).

It is true, but you've just uncovered a bug in the code that dumps the
config :)

Index: servconf.c
===================================================================
RCS file: /var/cvs/openssh/servconf.c,v
retrieving revision 1.249
diff -u -p -r1.249 servconf.c
--- servconf.c	18 Jul 2014 04:11:26 -0000	1.249
+++ servconf.c	19 Aug 2014 23:53:44 -0000
@@ -54,6 +54,7 @@
 #include "packet.h"
 #include "hostfile.h"
 #include "auth.h"
+#include "myproposal.h"
 
 static void add_listen_addr(ServerOptions *, char *, int);
 static void add_one_listen_addr(ServerOptions *, char *, int);
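Review bot: the new `#include "myproposal.h"` is what brings the `KEX_SERVER_ENCRYPT`, `KEX_SERVER_MAC` and `KEX_SERVER_KEX` macros used in the two later hunks into scope, and nothing else in this hunk references it; a brief comment on the include (or keeping it adjacent to the `dump_config()` users) would make the dependency easier to spot for the next person who wonders why servconf.c pulls in the proposal defaults.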
@@ -2070,9 +2071,8 @@ dump_config(ServerOptions *o)
 	/* string arguments */
 	dump_cfg_string(sPidFile, o->pid_file);
 	dump_cfg_string(sXAuthLocation, o->xauth_location);
-	dump_cfg_string(sCiphers, o->ciphers ? o->ciphers :
-	    cipher_alg_list(',', 0));
-	dump_cfg_string(sMacs, o->macs ? o->macs : mac_alg_list(','));
+	dump_cfg_string(sCiphers, o->ciphers ? o->ciphers : KEX_SERVER_ENCRYPT);
+	dump_cfg_string(sMacs, o->macs ? o->macs : KEX_SERVER_MAC);
 	dump_cfg_string(sBanner, o->banner);
 	dump_cfg_string(sForceCommand, o->adm_forced_command);
 	dump_cfg_string(sChrootDirectory, o->chroot_directory);
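Review bot: the substance of the fix is correct for the reported problem: `cipher_alg_list(',', 0)` and `mac_alg_list(',')` enumerate every algorithm the build supports, so `sshd -T` printed the full set rather than the default proposal, whereas `KEX_SERVER_ENCRYPT` and `KEX_SERVER_MAC` are the compiled-in server defaults. Two things worth confirming before committing: that these macros are the same values the server actually advertises in its KEX proposal when `Ciphers`/`MACs` are unset (otherwise `-T` is still not a faithful audit of the running defaults), and that the now-unreferenced `cipher_alg_list()`/`mac_alg_list()` calls leave no unused includes behind in this file. If the macros are conditional on build options, the dumped list will vary per build, which is the desired behaviour but should be understood by anyone diffing `-T` output across hosts.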
@@ -2084,8 +2084,8 @@ dump_config(ServerOptions *o)
 	dump_cfg_string(sAuthorizedKeysCommand, o->authorized_keys_command);
 	dump_cfg_string(sAuthorizedKeysCommandUser, o->authorized_keys_command_user);
 	dump_cfg_string(sHostKeyAgent, o->host_key_agent);
-	dump_cfg_string(sKexAlgorithms, o->kex_algorithms ? o->kex_algorithms :
-	    kex_alg_list(','));
+	dump_cfg_string(sKexAlgorithms,
+  	    o->kex_algorithms ? o->kex_algorithms : KEX_SERVER_KEX);
 
 	/* string arguments requiring a lookup */
 	dump_cfg_string(sLogLevel, log_level_name(o->log_level));
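Review bot: indentation on the continuation line `  	    o->kex_algorithms ? o->kex_algorithms : KEX_SERVER_KEX);` mixes two leading spaces with a tab, which is inconsistent with the tab-indented lines around it and with the previous hunk, where the equivalent `sCiphers`/`sMacs` ternaries were collapsed onto a single line. Suggest either `dump_cfg_string(sKexAlgorithms, o->kex_algorithms ? o->kex_algorithms : KEX_SERVER_KEX);` on one line to match the other two, or a tab plus four spaces for the continuation as the original lines used.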

