Patch: Ciphers, MACs and KexAlgorithms on Match

Ben Lindstrom mouring at eviladmin.org
Mon Jun 9 00:21:57 EST 2014


On Jun 8, 2014, at 8:43 AM, Darren Tucker <dtucker at zip.com.au> wrote:

> On Sat, Jun 7, 2014 at 7:23 PM, Damien Miller <djm at mindrot.org> wrote:
> 
>> On Fri, 6 Jun 2014, Armin Wolfermann wrote:
>> 
>> [...]
>> Unfortunately, this a a bit confusing - some Match criteria only work
>> after key exchange has completed. If users try something like
>> 
>> Match user djm
>>        Ciphers aes128-cbc
>> 
>> then it will never work.
> 
> 
> Actually in this particular case you could probably force a rekeying as
> soon as the username is received and make this work more or less as
> expected.  That'd work for Compression too.

However, if the SSH client in question is broken (as it sounds like Mr Wolfermann's Android clients are) it will never get to a rekey stage as it will fail to do the initial connection.

Just feels hokey to try and play with Ciphers and Macs in the Match.

- Ben


More information about the openssh-unix-dev mailing list