playing around with removing algos

Jakub Jelen jjelen at
Tue May 2 18:03:42 AEST 2017

On 05/01/2017 04:48 PM, Cristian Ionescu-Idbohrn wrote:
> On Mon, 1 May 2017, Cristian Ionescu-Idbohrn wrote:
>> Example, 'Macs'.
>> On the man page I read:
>> "Multiple algorithms must be comma-separated.
>> ...
>> If the specified value begins with a '-' character, then the
>> specified algorithms (including wildcards) will be removed"
>> It seems that just one algo name is supported on such a line, example:
>> 	Macs -umac-64*
>> But this form is not supported:
>> 	Macs -umac-64*,-hmac-sha1*
>> nor is this:
>> 	Macs -umac-64*
>> 	Macs -hmac-sha1*
>> And I have difficulties in finding _one_ pattern that matches _only_
>> the above algo families, but nothing else.
>> Can you confirm this behaviour?  Can it be improved?

I believe this is expected behavior and a limitation of the current 
behavior. The manual page also says

> For each parameter, the first obtained value will be used. [...]

> [...] will be removed *from the default set instead of replacing them*.

  * Only the default set is affected
  * The second Macs option is ignored (because Macs are already set)

This might be confusing, especially when specifying multiple values, and 
improving that would be very nice.

> More observations.
> After doing one of the above in /etc/ssh/sshd_config:
> # sshd -tT | sort | egrep '^macs'
> macs umac-128-etm at,hmac-sha2-256-etm at,
> hmac-sha2-512-etm at,hmac-sha1-etm at,
> umac-128 at,hmac-sha2-256,hmac-sha2-512,hmac-sha1
> umac-64* is gone, but I can still use umac-64 at to login:
> $ ssh -oMacs=umac-64 at localhost
> Can you confirm this behaviour?

I would investigate the debug log with the -vvv switches to see what is 
actually offered by the server and the client.

Jakub Jelen
Software Engineer
Security Technologies
Red Hat
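The two manual-page rules quoted in this reply, simulated as an added shell example (this is not OpenSSH code and not from the thread). DEFAULT_MACS is a constructed sample list modeled on the OpenSSH 7.x default MAC set, present only so the script runs offline; apply_macs implements "a value replaces the set, a value beginning with '-' removes the matching algorithms from the default set", and first_macs_line implements "the first obtained value will be used". Reading the two quoted sentences together, the single leading '-' applies to the whole comma-separated value, so `-umac-64*,hmac-sha1*` removes both families, while a second '-' inside the list is just part of a pattern that matches no default name:

```shell
#!/bin/sh
# Added example: simulate the sshd_config Macs rules quoted from the manual page.
# This is not OpenSSH code; DEFAULT_MACS is a constructed sample list modeled on
# the OpenSSH 7.x default MAC set and is only here to make the run self-contained.

DEFAULT_MACS='umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1'

# apply_macs SPEC [DEFAULTS]
# Prints the resulting comma-separated MAC list.
#   SPEC without a leading '-' : replaces the whole set.
#   SPEC with a leading '-'    : strips the '-' once, then removes every entry of
#                                DEFAULTS that matches one of the comma-separated
#                                glob patterns. A second '-' is not special:
#                                '-hmac-sha1*' is just a pattern that matches nothing.
apply_macs() {
    spec=$1
    defaults=${2:-$DEFAULT_MACS}
    case $spec in
        -*) ;;
        *)  printf '%s\n' "$spec"; return 0 ;;
    esac
    patterns=${spec#-}
    result=
    old_ifs=$IFS
    IFS=,
    set -f                      # no pathname expansion while '*' patterns are unquoted
    for alg in $defaults; do
        keep=1
        for pat in $patterns; do
            case $alg in
                $pat) keep=0; break ;;
            esac
        done
        if [ "$keep" -eq 1 ]; then
            result="${result:+$result,}$alg"
        fi
    done
    set +f
    IFS=$old_ifs
    printf '%s\n' "$result"
}

# first_macs_line CONFIG_TEXT
# Prints the value of the first Macs directive; later Macs lines are ignored,
# which is the "first obtained value will be used" rule from the manual page.
first_macs_line() {
    printf '%s\n' "$1" | awk 'tolower($1) == "macs" && !seen { print $2; seen = 1 }'
}

# Constructed two-line config, as in the thread: only the first line takes effect.
TWO_LINE_CONFIG='Macs -umac-64*
Macs -hmac-sha1*'

# Demo when run directly (the functions above do not depend on this part).
printf 'Macs -umac-64*             -> %s\n' "$(apply_macs '-umac-64*')"
printf 'Macs -umac-64*,hmac-sha1*  -> %s\n' "$(apply_macs '-umac-64*,hmac-sha1*')"
printf 'Macs -umac-64*,-hmac-sha1* -> %s\n' "$(apply_macs '-umac-64*,-hmac-sha1*')"
printf 'two Macs lines, first wins -> %s\n' "$(apply_macs "$(first_macs_line "$TWO_LINE_CONFIG")")"
```

The simulation only models the documented rules; the authoritative check is the one already used in the thread, `sshd -T` on the real configuration, which prints the effective macs line after the first Macs directive has been applied to the daemon's actual default set.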

More information about the openssh-unix-dev mailing list