Call for testing: OpenSSH 8.2

Darren Tucker dtucker at dtucker.net
Fri Feb 7 15:06:21 AEDT 2020


I've committed this change; the man page should now be accurate WRT
querying supported algorithm types.

Thanks for the feedback.

On Thu, 6 Feb 2020 at 15:08, Darren Tucker <dtucker at dtucker.net> wrote:
>
> On Wed, Feb 05, 2020 at 10:04:44PM -0500, Phil Pennock wrote:
> > On 2020-02-06 at 13:28 +1100, Darren Tucker wrote:
> > > Like this.
> >
> > > --- a/sshd_config.5
> > > +++ b/sshd_config.5
> >
> > The ssh_config.5 also has a copy of this and presumably needs the same
> > change, unless I've misunderstood.
>
> Yeah, I think that is the case.
>
> For a while I've wanted ssh -Q to understand config keywords as aliases
> for the corresponding queries so it's obvious which are valid for which.
>
> diff --git a/ssh.1 b/ssh.1
> index 97133752..8acd3bb7 100644
> --- a/ssh.1
> +++ b/ssh.1
> @@ -590,6 +590,13 @@ flag),
>  .Ar sig
>  (supported signature algorithms).
>  .Pp
> +Alternatively, a keyword from
> +.Xr ssh_config 5
> +or
> +.Xr sshd_config 5
> +that takes an algorithm list may be used as an alias for the corresponding
> +query_option.
> +.Pp
>  .It Fl q
>  Quiet mode.
>  Causes most warning and diagnostic messages to be suppressed.
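
Review bot: key-sig is not documented anywhere in this ssh.1 change: the only hunk adds the alias paragraph after the ".Ar sig" entry, while the ssh.c part of the patch adds key-sig to both the -Q handling and the "help" output. Add a ".Ar key-sig" entry with a short description to the list of queries. The new sentence also says any keyword "that takes an algorithm list" works, but ssh.c matches a fixed set of names, so either list the accepted keywords or word it as "supported keywords".
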
> diff --git a/ssh.c b/ssh.c
> index 35972fe3..885b6cea 100644
> --- a/ssh.c
> +++ b/ssh.c
> @@ -736,13 +736,16 @@ main(int ac, char **av)
>                         break;
>                 case 'Q':
>                         cp = NULL;
> -                       if (strcmp(optarg, "cipher") == 0)
> +                       if (strcmp(optarg, "cipher") == 0 ||
> +                           strcasecmp(optarg, "Ciphers") == 0)
>                                 cp = cipher_alg_list('\n', 0);
>                         else if (strcmp(optarg, "cipher-auth") == 0)
>                                 cp = cipher_alg_list('\n', 1);
> -                       else if (strcmp(optarg, "mac") == 0)
> +                       else if (strcmp(optarg, "mac") == 0 ||
> +                           strcasecmp(optarg, "MACs") == 0)
>                                 cp = mac_alg_list('\n');
> -                       else if (strcmp(optarg, "kex") == 0)
> +                       else if (strcmp(optarg, "kex") == 0 ||
> +                           strcasecmp(optarg, "KexAlgorithms") == 0)
>                                 cp = kex_alg_list('\n');
>                         else if (strcmp(optarg, "key") == 0)
>                                 cp = sshkey_alg_list(0, 0, 0, '\n');
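
Review bot: In the 'Q' case the original query names are still compared with strcmp while the new aliases use strcasecmp, so "-Q CIPHERS" is accepted but "-Q CIPHER" is not. If that is intended (config keywords are case-insensitive, query names are not), a one-line comment above the chain would keep someone from "fixing" it later. The chain is also getting long enough that a small table of { name, alias, list function } would put each alias next to its query option and make the two comparisons per entry harder to get wrong.
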
> @@ -750,6 +753,12 @@ main(int ac, char **av)
>                                 cp = sshkey_alg_list(1, 0, 0, '\n');
>                         else if (strcmp(optarg, "key-plain") == 0)
>                                 cp = sshkey_alg_list(0, 1, 0, '\n');
> +                       else if (strcmp(optarg, "key-sig") == 0 ||
> +                           strcasecmp(optarg, "PubkeyAcceptedKeyTypes") == 0 ||
> +                           strcasecmp(optarg, "HostKeyAlgorithms") == 0 ||
> +                           strcasecmp(optarg, "HostbasedKeyTypes") == 0 ||
> +                           strcasecmp(optarg, "HostbasedAcceptedKeyTypes") == 0)
> +                               cp = sshkey_alg_list(0, 0, 1, '\n');
>                         else if (strcmp(optarg, "sig") == 0)
>                                 cp = sshkey_alg_list(0, 1, 1, '\n');
>                         else if (strcmp(optarg, "protocol-version") == 0)
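
Review bot: The key-sig branch is distinguished from its neighbours only by positional flags, sshkey_alg_list(0, 0, 1, '\n') here against (0, 0, 0), (0, 1, 0) and (0, 1, 1) in the surrounding branches, and nothing in the hunk says what the third argument selects or why key-sig and sig differ in the second. A short comment on this branch explaining which names key-sig includes would help, since four different config keywords now depend on it returning the right list.
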
> @@ -763,7 +772,7 @@ main(int ac, char **av)
>                         } else if (strcmp(optarg, "help") == 0) {
>                                 cp = xstrdup(
>                                     "cipher\ncipher-auth\ncompression\nkex\n"
> -                                   "key\nkey-cert\nkey-plain\nmac\n"
> +                                   "key\nkey-cert\nkey-plain\nkey-sig\nmac\n"
>                                     "protocol-version\nsig");
>                         }
>                         if (cp == NULL)
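
Review bot: The "help" string is a second, hand-maintained copy of the names handled in the strcmp chain above; it gains key-sig here but says nothing about the keyword aliases, so "ssh -Q help" will not reveal that "ssh -Q KexAlgorithms" works. If leaving the aliases out is deliberate, say so in a comment; otherwise consider appending them, or building the help text from the same list that drives the matching so the two cannot drift.
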
> diff --git a/ssh_config.5 b/ssh_config.5
> index 0a6d8054..3ff5e8b2 100644
> --- a/ssh_config.5
> +++ b/ssh_config.5
> @@ -868,7 +868,7 @@ If hostkeys are known for the destination host then this default is modified
>  to prefer their algorithms.
>  .Pp
>  The list of available key types may also be obtained using
> -.Qq ssh -Q key .
> +.Qq ssh -Q HostKeyAlgorithms .
>  .It Cm HostKeyAlias
>  Specifies an alias that should be used instead of the
>  real host name when looking up or saving the host key
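
Review bot: Only the HostKeyAlgorithms entry of ssh_config.5 is updated, although ssh.c in this patch also adds aliases for Ciphers, MACs, KexAlgorithms, PubkeyAcceptedKeyTypes and HostbasedKeyTypes. Check the corresponding entries in ssh_config.5 for "ssh -Q ..." references and switch them to the keyword form as well, so the client page is consistent with what is done in sshd_config.5.
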
> diff --git a/sshd_config.5 b/sshd_config.5
> index 0684300f..42df29e6 100644
> --- a/sshd_config.5
> +++ b/sshd_config.5
> @@ -693,7 +693,7 @@ rsa-sha2-512,rsa-sha2-256,ssh-rsa
>  .Ed
>  .Pp
>  The list of available key types may also be obtained using
> -.Qq ssh -Q key .
> +.Qq ssh -Q HostbasedAcceptedKeyTypes .
>  .It Cm HostbasedAuthentication
>  Specifies whether rhosts or /etc/hosts.equiv authentication together
>  with successful public key client host authentication is allowed
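
Review bot: The sentence still reads "The list of available key types", but per the ssh.c change "ssh -Q HostbasedAcceptedKeyTypes" now returns sshkey_alg_list(0, 0, 1, '\n') rather than the (0, 0, 0) list that "ssh -Q key" gave. If the new list includes signature algorithm names such as the rsa-sha2-512 and rsa-sha2-256 shown in the default just above, the wording should say so (the same applies to the HostKeyAlgorithms and PubkeyAcceptedKeyTypes hunks below).
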
> @@ -776,7 +776,7 @@ rsa-sha2-512,rsa-sha2-256,ssh-rsa
>  .Ed
>  .Pp
>  The list of available key types may also be obtained using
> -.Qq ssh -Q key .
> +.Qq ssh -Q HostKeyAlgorithms .
>  .It Cm IgnoreRhosts
>  Specifies that
>  .Pa .rhosts
> @@ -949,7 +949,7 @@ diffie-hellman-group14-sha256
>  .Ed
>  .Pp
>  The list of available key exchange algorithms may also be obtained using
> -.Qq ssh -Q kex .
> +.Qq ssh -Q KexAlgorithms .
>  .It Cm ListenAddress
>  Specifies the local addresses
>  .Xr sshd 8
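
Review bot: KexAlgorithms is updated here, but there is no matching hunk for the Ciphers and MACs entries of sshd_config.5 even though ssh.c adds aliases for both. If those entries refer to "ssh -Q cipher" and "ssh -Q mac", change them in the same commit so every algorithm-list keyword in the page points at its own name.
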
> @@ -1460,7 +1460,7 @@ rsa-sha2-512,rsa-sha2-256,ssh-rsa
>  .Ed
>  .Pp
>  The list of available key types may also be obtained using
> -.Qq ssh -Q key .
> +.Qq ssh -Q PubkeyAcceptedKeyTypes .
>  .It Cm PubkeyAuthOptions
>  Sets one or more public key authentication options.
>  Two option keywords are currently supported:
>
> --
> Darren Tucker (dtucker at dtucker.net)
> GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA (new)
>     Good judgement comes with experience. Unfortunately, the experience
> usually comes from bad judgement.



-- 
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

