Patch: Ciphers, MACs and KexAlgorithms on Match
Armin Wolfermann
aw at osn.de
Sun Jun 8 22:32:34 EST 2014
* Damien Miller <djm at mindrot.org> [08.06.2014 01:23]:
> Unfortunately, this is a bit confusing - some Match criteria only work
> after key exchange has completed. If users try something like
>
> Match user djm
> Ciphers aes128-cbc
>
> then it will never work. For this reason, we've made any sshd_config
> directives that must be applied before key exchange available by Match.
Would some additional documentation suffice or should an error/warning be
generated when using such a combination?
Index: sshd_config.5
===================================================================
RCS file: /cvs/src/usr.bin/ssh/sshd_config.5,v
retrieving revision 1.173
diff -u -p -u -r1.173 sshd_config.5
--- sshd_config.5 28 Mar 2014 05:17:11 -0000 1.173
+++ sshd_config.5 8 Jun 2014 12:26:11 -0000
@@ -896,6 +896,7 @@ Available keywords are
.Cm AuthorizedPrincipalsFile ,
.Cm Banner ,
.Cm ChrootDirectory ,
+.Cm Ciphers ,
.Cm DenyGroups ,
.Cm DenyUsers ,
.Cm ForceCommand ,
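Review bot: this patch touches only sshd_config.5 (see the Index line above), so this hunk documents Ciphers as a Match keyword without any visible change to the server's configuration parser; the man page entry should land together with, not ahead of, whatever servconf change actually accepts Ciphers inside a Match block, otherwise the documentation promises a keyword the daemon may reject. The alphabetical placement between ChrootDirectory and DenyGroups is correct.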
@@ -905,6 +906,8 @@ Available keywords are
.Cm HostbasedUsesNameFromPacketOnly ,
.Cm KbdInteractiveAuthentication ,
.Cm KerberosAuthentication ,
+.Cm KexAlgorithms ,
+.Cm MACs ,
.Cm MaxAuthTries ,
.Cm MaxSessions ,
.Cm PasswordAuthentication ,
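Review bot: ordering is consistent with the rest of the list (KerberosAuthentication, KexAlgorithms, MACs, MaxAuthTries), so nothing to change here; the same caveat as for Ciphers applies, in that the list entry alone gives the reader no hint that these keywords are silently ineffective with User or Group criteria, and the restriction is only explained in the paragraph added further down.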
@@ -921,6 +924,18 @@ Available keywords are
.Cm X11Forwarding
and
.Cm X11UseLocalHost .
+.Pp
+The keywords
+.Cm Ciphers ,
+.Cm KexAlgorithms
+and
+.Cm MACs
+apply to pre-authenticated connections and will not modify configuration
+when specified after the (post-authentication)
+.Cm User
+or
+.Cm Group
+criteria.
.It Cm MaxAuthTries
Specifies the maximum number of authentication attempts permitted per
connection.
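Review bot: the added paragraph frames the restriction around authentication ("pre-authenticated connections", "(post-authentication) User or Group"), but the reply quoted at the top describes the boundary as key exchange: Ciphers, KexAlgorithms and MACs have to be applied before key exchange completes, and User/Group are criteria that cannot be evaluated until after it. Suggest saying that directly, e.g. "are applied before key exchange and therefore take effect only in Match blocks whose criteria can be evaluated at that point; in blocks using the User or Group criteria they are silently ignored." "Will not modify configuration" understates the problem: the user-visible behaviour is that the setting is accepted and then has no effect, with no diagnostic (which is exactly the warning question raised in this mail), so the word "ignored" belongs in the text. The parenthetical "(post-authentication)" sits awkwardly between "the" and "User"; moving it after "criteria" reads better in mdoc output.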
Regards,
Armin Wolfermann