Call for testing: OpenSSH 8.5
Phil Pennock
phil.pennock at globnix.org
Wed Feb 24 11:08:05 AEDT 2021
On 2021-02-23 at 12:46 +1100, Damien Miller wrote:
> OpenSSH 8.5p1 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This is a bugfix release.
Ubuntu 20.04/amd64: all tests passed [openssh-SNAP-20210224.tar.gz]
> * ssh(1), sshd(8): rename the PubkeyAcceptedKeyTypes keyword to
> PubkeyAcceptedAlgorithms. The previous name incorrectly suggested
> that it control allowed key algorithms, when this option actually
> specifies the signature algorithms that are accepted. The previous
> name remains available as an alias. bz#3253
Seeing this available in the server, something I'd somehow missed, led
me to test it out.
Not a regression but an existing issue (seen in 8.3p1), unknown if bug
or comprehension issue but reporting now to fix either docs or code
before release:
# /etc/ssh/sshd_config:
PubkeyAcceptedAlgorithms -ssh-rsa,-ssh-rsa-cert-*,-rsa*
# command-line:
sshd -T | grep -i '^PubkeyAcceptedKeyTypes'
pubkeyacceptedkeytypes ssh-ed25519-cert-v01 at openssh.com,ecdsa-sha2-nistp256-cert-v01 at openssh.com,ecdsa-sha2-nistp384-cert-v01 at openssh.com,ecdsa-sha2-nistp521-cert-v01 at openssh.com,sk-ssh-ed25519-cert-v01 at openssh.com,sk-ecdsa-sha2-nistp256-cert-v01 at openssh.com,rsa-sha2-512-cert-v01 at openssh.com,rsa-sha2-256-cert-v01 at openssh.com,ssh-rsa-cert-v01 at openssh.com,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519 at openssh.com,sk-ecdsa-sha2-nistp256 at openssh.com,rsa-sha2-512,rsa-sha2-256
So besides the option not being renamed or duplicated under both names
for compatibility ... the glob removals don't work, and attempts to
remove rsa-sha2-256 explicitly don't work here either. Something seems
to be adding them back in?
-Phil
More information about the openssh-unix-dev
mailing list