planning for deprecations

mike tancsa mike at sentex.net
Thu Oct 14 22:26:04 AEDT 2021


Hi,

     I have a few servers where a lot of different client implementations 
connect and I want to proactively see who will break as certain key 
exchange protocols and ciphers get deprecated (e.g. rsa-sha1).  One 
thing that would be helpful, and perhaps this could be changed going 
forward, is setting the loglevel to verbose from debug? E.g. something 
like this would make planning / migration a little easier for admins 
without having to go full debug level, which brings in a lot more data 
than necessary. (The diff is from FreeBSD's RELENG_12 copy, but the idea 
is the same.)

--- crypto/openssh/kex.c.prev   2021-10-14 06:50:53.862633000 -0400
+++ crypto/openssh/kex.c        2021-10-14 06:51:20.902653000 -0400
@@ -761,7 +761,7 @@

         k->name = match_list(client, server, NULL);

-       debug("kex: algorithm: %s", k->name ? k->name : "(no match)");
+       verbose("kex: algorithm: %s", k->name ? k->name : "(no match)");
         if (k->name == NULL)
                 return SSH_ERR_NO_KEX_ALG_MATCH;
         if ((kexalg = kex_alg_by_name(k->name)) == NULL)
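Review bot: the promoted message in this hunk logs only the negotiated KEX name, which does not tell an administrator whether a client that currently lands on a soon-to-be-removed algorithm also offers an acceptable alternative; since `client` and `server` are both in scope at this point (they are the arguments to `match_list(client, server, NULL)`), consider including the client's proposal list in the verbose() message, or in a second verbose() line, so the planning question the patch is meant to answer can be read off the log directly. The line also carries no peer identifier, so correlating it with the connecting host relies on other log lines from the same sshd process.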
@@ -777,7 +777,7 @@
  {
         k->hostkey_alg = match_list(client, server, NULL);

-       debug("kex: host key algorithm: %s",
+       verbose("kex: host key algorithm: %s",
             k->hostkey_alg ? k->hostkey_alg : "(no match)");
         if (k->hostkey_alg == NULL)
                 return SSH_ERR_NO_HOSTKEY_ALG_MATCH;
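Review bot: of the three hunks this is the one most directly tied to the stated goal, because the rsa-sha1 deprecation named in the message is a host key signature algorithm choice made right here; as with the previous hunk, the negotiated `k->hostkey_alg` alone cannot distinguish a client that can only do the deprecated algorithm from one that merely prefers it, so logging the client's offer alongside the chosen name would make the output actionable for migration planning.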
@@ -892,7 +892,7 @@
                         peer[ncomp] = NULL;
                         goto out;
                 }
-               debug("kex: %s cipher: %s MAC: %s compression: %s",
+               verbose("kex: %s cipher: %s MAC: %s compression: %s",
                     ctos ? "client->server" : "server->client",
                     newkeys->enc.name,
                     authlen == 0 ? newkeys->mac.name : "<implicit>",
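Review bot: this message is emitted once per direction (see the `ctos ? "client->server" : "server->client"` argument), so the change adds two VERBOSE lines per connection on top of the two from the earlier hunks; that is still far less than full debug output, but it is worth stating in the change description so operators can size their log volume. Since only the log level changes and the call sits after the `goto out` error path, the hunk cannot alter negotiation behaviour.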


     ---Mike
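As an added example (not part of Mike's message or of the OpenSSH/FreeBSD code), the following Python script shows how the promoted `kex:` lines could be used for the planning the message describes: it groups messages by sshd pid, attaches the peer address from sshd's `Connection from ...` line (assumed here to be present at the same log level), and reports which peers negotiated an algorithm slated for removal. The sample log and the deprecated-algorithm set are constructed.

```python
import re
from collections import defaultdict

# Constructed sample of sshd log lines at LogLevel VERBOSE once the kex.c messages are
# promoted; the "Connection from" line is assumed to be sshd's existing VERBOSE line.
SAMPLE_LOG = """\
Oct 14 06:50:53 host sshd[1201]: Connection from 192.0.2.10 port 51234 on 10.0.0.1 port 22
Oct 14 06:50:53 host sshd[1201]: kex: algorithm: curve25519-sha256
Oct 14 06:50:53 host sshd[1201]: kex: host key algorithm: ssh-rsa
Oct 14 06:50:53 host sshd[1201]: kex: client->server cipher: aes128-ctr MAC: hmac-sha1 compression: none
Oct 14 06:50:53 host sshd[1201]: kex: server->client cipher: aes128-ctr MAC: hmac-sha1 compression: none
Oct 14 06:50:54 host sshd[1202]: Connection from 192.0.2.11 port 40001 on 10.0.0.1 port 22
Oct 14 06:50:54 host sshd[1202]: kex: host key algorithm: rsa-sha2-512
Oct 14 06:50:54 host sshd[1202]: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
"""
# Constructed planning input: algorithms the administrator intends to retire.
DEPRECATED = {"ssh-rsa", "hmac-sha1", "diffie-hellman-group14-sha1"}

LINE_RE = re.compile(r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
CONN_RE = re.compile(r"^Connection from (?P<addr>\S+) port \d+")
KEX_RE = re.compile(r"^kex: (?:algorithm|host key algorithm): (?P<alg>\S+)$")
NEWKEYS_RE = re.compile(r"^kex: \S+ cipher: (?P<cipher>\S+) MAC: (?P<mac>\S+) compression: \S+$")

def negotiated_by_peer(log_text):
    """Return {peer_address: set_of_negotiated_algorithms}, grouping lines by sshd pid."""
    pid_addr, pid_algs = {}, defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg")
        if (c := CONN_RE.match(msg)):            # peer address for this connection's pid
            pid_addr[pid] = c.group("addr")
        elif (k := KEX_RE.match(msg)):           # KEX or host key algorithm chosen
            pid_algs[pid].add(k.group("alg"))
        elif (n := NEWKEYS_RE.match(msg)):       # per-direction cipher and MAC chosen
            pid_algs[pid].update((n.group("cipher"), n.group("mac")))
    by_peer = defaultdict(set)
    for pid, algs in pid_algs.items():
        by_peer[pid_addr.get(pid, "unknown-peer")].update(algs)
    return dict(by_peer)

def peers_at_risk(log_text, deprecated=DEPRECATED):
    """Peers that negotiated an algorithm slated for removal, with the offending names sorted."""
    return {addr: sorted(algs & deprecated)
            for addr, algs in negotiated_by_peer(log_text).items() if algs & deprecated}

if __name__ == "__main__":
    for addr, algs in peers_at_risk(SAMPLE_LOG).items():
        print(f"{addr} will break: {', '.join(algs)}")
```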




More information about the openssh-unix-dev mailing list