Call for testing: OpenSSH 8.2
Darren Tucker
dtucker at dtucker.net
Fri Feb 7 15:06:21 AEDT 2020
I've committed this change, the man page should now be accurate WRT to
querying supported algorithm types.
Thanks for the feedback.
On Thu, 6 Feb 2020 at 15:08, Darren Tucker <dtucker at dtucker.net> wrote:
>
> On Wed, Feb 05, 2020 at 10:04:44PM -0500, Phil Pennock wrote:
> > On 2020-02-06 at 13:28 +1100, Darren Tucker wrote:
> > > Like this.
> >
> > > --- a/sshd_config.5
> > > +++ b/sshd_config.5
> >
> > The ssh_config.5 also has a copy of this and presumably needs the same
> > change, unless I've misunderstood.
>
> Yeah, I think that is the case.
>
> For a while I've wanted ssh -Q to understand config keywords as aliases
> for the corresponding queries so it's obvious which are valid for which.
>
> diff --git a/ssh.1 b/ssh.1
> index 97133752..8acd3bb7 100644
> --- a/ssh.1
> +++ b/ssh.1
> @@ -590,6 +590,13 @@ flag),
> .Ar sig
> (supported signature algorithms).
> .Pp
> +Alternatively, a keyword from
> +.Xr ssh_config 5
> +or
> +.Xr sshd_config 5
> +that takes an algorithm list may be used as an alias for the corresponding
> +query_option.
> +.Pp
> .It Fl q
> Quiet mode.
> Causes most warning and diagnostic messages to be suppressed.
> diff --git a/ssh.c b/ssh.c
> index 35972fe3..885b6cea 100644
> --- a/ssh.c
> +++ b/ssh.c
> @@ -736,13 +736,16 @@ main(int ac, char **av)
> break;
> case 'Q':
> cp = NULL;
> - if (strcmp(optarg, "cipher") == 0)
> + if (strcmp(optarg, "cipher") == 0 ||
> + strcasecmp(optarg, "Ciphers") == 0)
> cp = cipher_alg_list('\n', 0);
> else if (strcmp(optarg, "cipher-auth") == 0)
> cp = cipher_alg_list('\n', 1);
> - else if (strcmp(optarg, "mac") == 0)
> + else if (strcmp(optarg, "mac") == 0 ||
> + strcasecmp(optarg, "MACs") == 0)
> cp = mac_alg_list('\n');
> - else if (strcmp(optarg, "kex") == 0)
> + else if (strcmp(optarg, "kex") == 0 ||
> + strcasecmp(optarg, "KexAlgorithms") == 0)
> cp = kex_alg_list('\n');
> else if (strcmp(optarg, "key") == 0)
> cp = sshkey_alg_list(0, 0, 0, '\n');
> @@ -750,6 +753,12 @@ main(int ac, char **av)
> cp = sshkey_alg_list(1, 0, 0, '\n');
> else if (strcmp(optarg, "key-plain") == 0)
> cp = sshkey_alg_list(0, 1, 0, '\n');
> + else if (strcmp(optarg, "key-sig") == 0 ||
> + strcasecmp(optarg, "PubkeyAcceptedKeyTypes") == 0 ||
> + strcasecmp(optarg, "HostKeyAlgorithms") == 0 ||
> + strcasecmp(optarg, "HostbasedKeyTypes") == 0 ||
> + strcasecmp(optarg, "HostbasedAcceptedKeyTypes") == 0)
> + cp = sshkey_alg_list(0, 0, 1, '\n');
> else if (strcmp(optarg, "sig") == 0)
> cp = sshkey_alg_list(0, 1, 1, '\n');
> else if (strcmp(optarg, "protocol-version") == 0)
> @@ -763,7 +772,7 @@ main(int ac, char **av)
> } else if (strcmp(optarg, "help") == 0) {
> cp = xstrdup(
> "cipher\ncipher-auth\ncompression\nkex\n"
> - "key\nkey-cert\nkey-plain\nmac\n"
> + "key\nkey-cert\nkey-plain\nkey-sig\nmac\n"
> "protocol-version\nsig");
> }
> if (cp == NULL)
> diff --git a/ssh_config.5 b/ssh_config.5
> index 0a6d8054..3ff5e8b2 100644
> --- a/ssh_config.5
> +++ b/ssh_config.5
> @@ -868,7 +868,7 @@ If hostkeys are known for the destination host then this default is modified
> to prefer their algorithms.
> .Pp
> The list of available key types may also be obtained using
> -.Qq ssh -Q key .
> +.Qq ssh -Q HostKeyAlgorithms .
> .It Cm HostKeyAlias
> Specifies an alias that should be used instead of the
> real host name when looking up or saving the host key
> diff --git a/sshd_config.5 b/sshd_config.5
> index 0684300f..42df29e6 100644
> --- a/sshd_config.5
> +++ b/sshd_config.5
> @@ -693,7 +693,7 @@ rsa-sha2-512,rsa-sha2-256,ssh-rsa
> .Ed
> .Pp
> The list of available key types may also be obtained using
> -.Qq ssh -Q key .
> +.Qq ssh -Q HostbasedAcceptedKeyTypes .
> .It Cm HostbasedAuthentication
> Specifies whether rhosts or /etc/hosts.equiv authentication together
> with successful public key client host authentication is allowed
> @@ -776,7 +776,7 @@ rsa-sha2-512,rsa-sha2-256,ssh-rsa
> .Ed
> .Pp
> The list of available key types may also be obtained using
> -.Qq ssh -Q key .
> +.Qq ssh -Q HostKeyAlgorithms .
> .It Cm IgnoreRhosts
> Specifies that
> .Pa .rhosts
> @@ -949,7 +949,7 @@ diffie-hellman-group14-sha256
> .Ed
> .Pp
> The list of available key exchange algorithms may also be obtained using
> -.Qq ssh -Q kex .
> +.Qq ssh -Q KexAlgorithms .
> .It Cm ListenAddress
> Specifies the local addresses
> .Xr sshd 8
> @@ -1460,7 +1460,7 @@ rsa-sha2-512,rsa-sha2-256,ssh-rsa
> .Ed
> .Pp
> The list of available key types may also be obtained using
> -.Qq ssh -Q key .
> +.Qq ssh -Q PubkeyAcceptedKeyTypes .
> .It Cm PubkeyAuthOptions
> Sets one or more public key authentication options.
> Two option keywords are currently supported:
>
> --
> Darren Tucker (dtucker at dtucker.net)
> GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
> Good judgement comes with experience. Unfortunately, the experience
> usually comes from bad judgement.
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
--
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
More information about the openssh-unix-dev
mailing list