Call for testing: OpenSSH 8.5

Phil Pennock phil.pennock at
Wed Feb 24 11:08:05 AEDT 2021

On 2021-02-23 at 12:46 +1100, Damien Miller wrote:
> OpenSSH 8.5p1 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This is a bugfix release.

Ubuntu 20.04/amd64: all tests passed [openssh-SNAP-20210224.tar.gz]

>  * ssh(1), sshd(8): rename the PubkeyAcceptedKeyTypes keyword to
>    PubkeyAcceptedAlgorithms. The previous name incorrectly suggested
>    that it control allowed key algorithms, when this option actually
>    specifies the signature algorithms that are accepted. The previous
>    name remains available as an alias. bz#3253

Seeing this available in the server, something I'd somehow missed, led
me to test it out.

Not a regression but an existing issue (seen in 8.3p1), unknown if bug
or comprehension issue but reporting now to fix either docs or code
before release:

  # /etc/ssh/sshd_config:
  PubkeyAcceptedAlgorithms -ssh-rsa,-ssh-rsa-cert-*,-rsa*

  # command-line:
  sshd -T | grep -i '^PubkeyAcceptedKeyTypes'

  pubkeyacceptedkeytypes ssh-ed25519-cert-v01 at,ecdsa-sha2-nistp256-cert-v01 at,ecdsa-sha2-nistp384-cert-v01 at,ecdsa-sha2-nistp521-cert-v01 at,sk-ssh-ed25519-cert-v01 at,sk-ecdsa-sha2-nistp256-cert-v01 at,rsa-sha2-512-cert-v01 at,rsa-sha2-256-cert-v01 at,ssh-rsa-cert-v01 at,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519 at,sk-ecdsa-sha2-nistp256 at,rsa-sha2-512,rsa-sha2-256

So besides the option not being renamed or duplicated under both names
for compatibility ... the glob removals don't work, and attempts to
remove rsa-sha2-256 explicitly don't work here either.  Something seems
to be adding them back in?


More information about the openssh-unix-dev mailing list