Patch: Ciphers, MACs and KexAlgorithms on Match

Damien Miller djm at mindrot.org
Sun Jun 8 09:23:38 EST 2014


On Fri, 6 Jun 2014, Armin Wolfermann wrote:

> Hi all,
> 
> this is a patch to make Ciphers, MACs and KexAlgorithms available in
> Match blocks. Now I can reach a -current machine with some Android
> terminal app without changing the default ciphers for all clients:
> 
> Match Address 192.168.1.2
>   Ciphers aes128-cbc
>   MACs hmac-sha1
>   KexAlgorithms diffie-hellman-group-exchange-sha1

Unfortunately, this is a bit confusing - some Match criteria only work
after key exchange has completed. If users try something like

Match user djm
	Ciphers aes128-cbc

then it will never work. For this reason, we've made any any sshd_config
directives that must be applied before key exchange available by Match.

-d
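
The ordering problem described in the reply above, as an added example that is not part of the original message or of OpenSSH: a small linter that finds Ciphers, MACs and KexAlgorithms under a Match block and marks the cases whose criteria are only known after key exchange. The function name `lint`, the verdict labels, and the treatment of Group alongside User as a post-kex criterion are assumptions of this example; the sample config is constructed from the two snippets quoted in the thread.

```python
# Added example (not OpenSSH code): lint an sshd_config for directives that
# must be applied before key exchange but are placed under Match.
PRE_KEX = {"ciphers", "macs", "kexalgorithms"}  # negotiated during key exchange
POST_KEX_CRITERIA = {"user", "group"}  # assumption: identity is known only after kex

# Constructed sample, built from the two snippets quoted in the thread.
SAMPLE = """\
# constructed sample config
Ciphers aes128-ctr
Match Address 192.168.1.2
  Ciphers aes128-cbc
  MACs hmac-sha1
Match User djm
\tCiphers aes128-cbc
Match all
  KexAlgorithms diffie-hellman-group-exchange-sha1
"""


def lint(text):
    """Return (line, directive, verdict) for each pre-kex directive under Match."""
    findings = []
    criteria = None  # None while still in the global section
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.replace("=", " ", 1).split()
        key, args = parts[0].lower(), parts[1:]
        if key == "match":
            # Criteria names sit at even positions: "User djm Address 10.0.0.1"
            criteria = {a.lower() for a in args[0::2]}
        elif criteria is not None and key in PRE_KEX:
            # A User/Group criterion cannot be evaluated until after kex,
            # so the directive could never take effect for that block.
            late = criteria & POST_KEX_CRITERIA
            verdict = "never-applies" if late else "connection-level"
            findings.append((lineno, key, verdict))
    return findings


if __name__ == "__main__":
    for lineno, key, verdict in lint(SAMPLE):
        print(f"line {lineno}: {key} under Match: {verdict}")
```
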

