HostkeyAlgorithms + support seems broken [7.0]

Bryan Drewery bdrewery at FreeBSD.org
Sat Aug 22 07:46:53 AEST 2015


The `+' support for HostkeyAlgorithms seems wrong compared to the other
configuration options; it replaces with literal +value.

Default:

# sshd -v
sshd: illegal option -- v
OpenSSH_7.0p1, OpenSSL 1.0.2d 9 Jul 2015

# sshd -T -f /usr/local/etc/ssh/sshd_config|grep hostkeyalgorithms
hostkeyalgorithms ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,ssh-rsa

With this in sshd_config:
HostkeyAlgorithms +ssh-dss

The result:

# sshd -T -f /usr/local/etc/ssh/sshd_config|grep hostkeyalgorithms
hostkeyalgorithms +ssh-dss

This disables all algorithms:

# ssh -vvv user@127.0.0.1
...
debug1: REQUESTED ENC.NAME is 'chacha20-poly1305@openssh.com'
debug1: kex: server->client chacha20-poly1305@openssh.com <implicit> none
debug1: REQUESTED ENC.NAME is 'chacha20-poly1305@openssh.com'
debug1: kex: client->server chacha20-poly1305@openssh.com <implicit> none
Unable to negotiate with 127.0.0.1: no matching host key type found.
Their offer:


A similar problem exists with ssh_config:

# ssh -G user@127.0.0.1|grep hostkeyalgorithms
hostkeyalgorithms +ssh-dss

Also many of these new configuration options are missing in the manpages.

-- 
Regards,
Bryan Drewery
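Added example, not part of the report above: a small POSIX sh helper that models the `+` semantics the other 7.0 options use (append the listed key types to the default set) and checks a `sshd -T` / `ssh -G` line for the symptom shown above, an unexpanded literal `+ssh-dss` that leaves the server with no usable host key type. The default list is copied from the `sshd -T` output in the report; `audit_sshd_config` is only defined, not run, and assumes `sshd` is on PATH.

```sh
# Default HostkeyAlgorithms list as printed by `sshd -T` in the report.
DEFAULT_HOSTKEY_ALGS='ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,ssh-rsa'

# expected_list CONFIGURED [DEFAULT]
# Prints the list a correctly behaving sshd should negotiate: a value
# beginning with '+' is appended to the default set, any other value
# replaces the default set outright.
expected_list() {
    conf=$1; default=${2:-$DEFAULT_HOSTKEY_ALGS}
    case $conf in
        +*) printf '%s,%s\n' "$default" "${conf#+}" ;;
        *)  printf '%s\n' "$conf" ;;
    esac
}

# list_has LIST ALG: succeeds if ALG is one of LIST's comma-separated entries.
list_has() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -qxF -- "$2"
}

# dump_is_sane LINE
# LINE is the "hostkeyalgorithms ..." line from `sshd -T` or `ssh -G`.
# Fails when the effective value is empty or still carries an unexpanded
# '+' prefix, which is the bug reported above.
dump_is_sane() {
    value=${1#* }
    case $value in
        +*|*,+*) return 1 ;;
    esac
    [ -n "$value" ]
}

# audit_sshd_config FILE: apply the check to a real sshd_config.
# Assumes sshd is on PATH; not called in this example.
audit_sshd_config() {
    line=$(sshd -T -f "$1" 2>/dev/null | grep '^hostkeyalgorithms ')
    if dump_is_sane "$line"; then
        echo "ok: $line"
    else
        echo "BUG: unexpanded '+' in effective list: $line" >&2
        return 1
    fi
}
```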
