HostkeyAlgorithms + support seems broken [7.0]
Bryan Drewery
bdrewery at FreeBSD.org
Sat Aug 22 07:46:53 AEST 2015
The `+' support for HostkeyAlgorithms seems wrong compared to the other
configuration options; it replaces with literal +value.
Default:
# sshd -v
sshd: illegal option -- v
OpenSSH_7.0p1, OpenSSL 1.0.2d 9 Jul 2015
# sshd -T -f /usr/local/etc/ssh/sshd_config|grep hostkeyalgorithms
hostkeyalgorithms
ecdsa-sha2-nistp256-cert-v01 at openssh.com,ecdsa-sha2-nistp384-cert-v01 at openssh.com,ecdsa-sha2-nistp521-cert-v01 at openssh.com,ssh-ed25519-cert-v01 at openssh.com,ssh-rsa-cert-v01 at openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,ssh-rsa
With this in sshd_config:
HostkeyAlgorithms +ssh-dss
The result:
# sshd -T -f /usr/local/etc/ssh/sshd_config|grep hostkeyalgorithms
hostkeyalgorithms +ssh-dss
This disables all algorithms:
# ssh -vvv user at 127.0.0.1
...
debug1: REQUESTED ENC.NAME is 'chacha20-poly1305 at openssh.com'
debug1: kex: server->client chacha20-poly1305 at openssh.com <implicit> none
debug1: REQUESTED ENC.NAME is 'chacha20-poly1305 at openssh.com'
debug1: kex: client->server chacha20-poly1305 at openssh.com <implicit> none
Unable to negotiate with 127.0.0.1: no matching host key type found.
Their offer:
A similar problem exists with ssh_config:
# ssh -G user at 127.0.0.1|grep hostkeyalgorithms
hostkeyalgorithms +ssh-dss
Also many of these new configuration options are missing in the manpages.
--
Regards,
Bryan Drewery
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: OpenPGP digital signature
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20150821/8a9f0e40/attachment.bin>
More information about the openssh-unix-dev
mailing list