Patch: Ciphers, MACs and KexAlgorithms on Match
Ben Lindstrom
mouring at eviladmin.org
Mon Jun 9 00:21:57 EST 2014
On Jun 8, 2014, at 8:43 AM, Darren Tucker <dtucker at zip.com.au> wrote:
> On Sat, Jun 7, 2014 at 7:23 PM, Damien Miller <djm at mindrot.org> wrote:
>
>> On Fri, 6 Jun 2014, Armin Wolfermann wrote:
>>
>> [...]
>> Unfortunately, this a a bit confusing - some Match criteria only work
>> after key exchange has completed. If users try something like
>>
>> Match user djm
>> Ciphers aes128-cbc
>>
>> then it will never work.
>
>
> Actually in this particular case you could probably force a rekeying as
> soon as the username is received and make this work more or less as
> expected. That'd work for Compression too.
However, if the SSH client in question is broken (as it sounds like Mr Wolfermann's Android clients are) it will never get to a rekey stage as it will fail to do the initial connection.
Just feels hokey to try and play with Ciphers and Macs in the Match.
- Ben
More information about the openssh-unix-dev
mailing list