playing around with removing algos
Cristian Ionescu-Idbohrn
cristian.ionescu-idbohrn at axis.com
Tue May 2 00:48:46 AEST 2017
On Mon, 1 May 2017, Cristian Ionescu-Idbohrn wrote:
>
> Example, 'Macs'.
>
> On the man page I read:
>
> "Multiple algorithms must be comma-separated.
> ...
> If the specified value begins with a '-' character, then the
> specified algorithms (including wildcards) will be removed"
>
> It seems that just one algo name is supported on such a line, example:
>
> Macs -umac-64*
>
> But this form is not supported:
>
> Macs -umac-64*,-hmac-sha1*
>
> nor is this:
>
> Macs -umac-64*
> Macs -hmac-sha1*
>
> And I have difficulties in finding _one_ pattern that matches _only_
> the above algo families, but nothing else.
>
> Can you confirm this behaviour? Can it be improved?
More observations.
After doing one of the above in /etc/ssh/sshd_config:
# sshd -tT | sort | egrep '^macs'
macs umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,
hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,
umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
umac-64* is gone, but I can still use umac-64@openssh.com to login:
$ ssh -oMacs=umac-64@openssh.com localhost
Can you confirm this behaviour?
Cheers,
--
Cristian
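
Added example, not part of the original message and not OpenSSH code: a small Python model of the list removal discussed above, assuming the leading '-' is read once for the whole comma-separated list and that sshd uses the first value it obtains for a repeated keyword. DEFAULT_MACS is constructed from the `sshd -tT` output in the message plus the two umac-64 names; the function names are hypothetical.

```python
import re

# Constructed sample: the MAC list printed by `sshd -tT` in the message above,
# plus the two umac-64 names that the removal had already dropped from it.
DEFAULT_MACS = [
    "umac-64-etm@openssh.com", "umac-128-etm@openssh.com",
    "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com",
    "hmac-sha1-etm@openssh.com", "umac-64@openssh.com",
    "umac-128@openssh.com", "hmac-sha2-256", "hmac-sha2-512", "hmac-sha1",
]

def _compile(pattern):
    """Translate a pattern with '*' and '?' wildcards into a regex."""
    return re.compile("".join(
        ".*" if c == "*" else "." if c == "?" else re.escape(c)
        for c in pattern))

def first_macs_spec(config_text):
    """Return the argument of the first Macs line (assumed: first value wins)."""
    for line in config_text.splitlines():
        fields = line.split("#", 1)[0].split(None, 1)
        if len(fields) == 2 and fields[0].lower() == "macs":
            return fields[1].strip()
    return None

def effective_macs(spec, defaults=DEFAULT_MACS):
    """Model the resulting MAC list for one Macs argument."""
    if not spec.startswith("-"):
        return spec.split(",")          # plain list replaces the defaults
    # Assumption: only the first '-' is an operator; the rest is a pattern list.
    patterns = [_compile(p) for p in spec[1:].split(",") if p]
    return [m for m in defaults
            if not any(rx.fullmatch(m) for rx in patterns)]

if __name__ == "__main__":
    for spec in ("-umac-64*", "-umac-64*,-hmac-sha1*", "-umac-64*,hmac-sha1*"):
        print(spec, "->", ",".join(effective_macs(spec)))
    two_lines = "Macs -umac-64*\nMacs -hmac-sha1*\n"
    print("first value:", first_macs_spec(two_lines))
```

Under this model the spelling with a second '-' leaves the hmac-sha1 names in place, because `-hmac-sha1*` is then an ordinary pattern that matches no algorithm name; compare the modelled list with `sshd -tT` on the host being checked.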