[Bug 3184] New: Unable to add deprecated KexAlgorithms back for host via config file
bugzilla-daemon at mindrot.org
Sat Jun 20 02:51:45 AEST 2020
https://bugzilla.mindrot.org/show_bug.cgi?id=3184
Bug ID: 3184
Summary: Unable to add deprecated KexAlgorithms back for host via config file
Product: Portable OpenSSH
Version: 8.2p1
Hardware: All
OS: All
Status: NEW
Severity: major
Priority: P5
Component: ssh
Assignee: unassigned-bugs at mindrot.org
Reporter: nneul at neulinger.org
I understand the desire to remove diffie-hellman-group14-sha1 for
example from the default offers - and agree completely with that. This
bug is NOT about the removal/default changes.
Somewhere between 7.6p1 and 8.2p1 the ability to add the deprecated
algorithms back in via config has broken. IT DOES WORK on command line.
It's only in the config file parsing where it fails. (i.e. I can no
longer add a 'Host old-PoS-router KexAlgorithms insecureone' entry to
my config.)
This worked as of 7.6p1. Note that it is also not specific to the
deprecated ones, it appears to be a general issue with that option
being ignored in the config file.
For example, with 7.6p1, if I put:
Host *
KexAlgorithms ecdh-sha2-nistp521
in config, and run with -vvv, I see:
debug2: local client KEXINIT proposal
debug2: KEX algorithms: ecdh-sha2-nistp521,ext-info-c
but with 8.2p1, the offer just shows the default regardless of the
content of the settings in config:
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group1-sha1,ext-info-c
I'll see if I can find where specifically this broke.
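A small checker for the symptom described in this report, added here as an example and not part of the bug report or of OpenSSH: it pulls the local client's KEX offer out of `ssh -vvv` output, compares it with the KexAlgorithms value you expect from ssh_config, and flags any SHA-1 group-exchange methods that slipped back into the offer. The two sample transcripts are constructed to mirror the 7.6p1 and 8.2p1 behaviour quoted above; on a real host, feed it the stderr of `ssh -vvv host` (or cross-check with `ssh -G host`, which prints the effective config).

```python
import re

# Key exchange methods named in the report as deprecated / dropped from the default offer.
DEPRECATED_KEX = {"diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"}

def parse_local_kex_offer(debug_output: str) -> list[str]:
    """Return the KEX list from the local client KEXINIT proposal in `ssh -vvv` output."""
    # ssh prints two proposals (local client, then peer server); only the first reflects our config.
    in_local = False
    for line in debug_output.splitlines():
        if "local client KEXINIT proposal" in line:
            in_local = True
            continue
        if "peer server KEXINIT proposal" in line:
            in_local = False
        if in_local:
            m = re.match(r"debug2: KEX algorithms: (.*)$", line.strip())
            if m:
                return [a for a in m.group(1).split(",") if a]
    return []

def check_kex_offer(configured: str, debug_output: str) -> dict:
    """Compare the KexAlgorithms value from ssh_config with what ssh actually offered."""
    wanted = [a for a in configured.split(",") if a]
    # ext-info-c is appended by ssh itself and is not a KEX method, so ignore it.
    offered = [a for a in parse_local_kex_offer(debug_output) if a != "ext-info-c"]
    return {
        "config_honoured": offered == wanted,
        "offered": offered,
        "deprecated_offered": sorted(DEPRECATED_KEX & set(offered)),
    }

# Constructed samples: 7.6p1 honours "KexAlgorithms ecdh-sha2-nistp521", 8.2p1 offers the defaults.
SAMPLE_76 = """\
debug2: local client KEXINIT proposal
debug2: KEX algorithms: ecdh-sha2-nistp521,ext-info-c
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,diffie-hellman-group14-sha1
"""
SAMPLE_82 = """\
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group1-sha1,ext-info-c
"""

if __name__ == "__main__":
    for name, sample in (("7.6p1", SAMPLE_76), ("8.2p1", SAMPLE_82)):
        print(name, check_kex_offer("ecdh-sha2-nistp521", sample))
```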