Hi all, this is a patch to make Ciphers, MACs and KexAlgorithms available in Match blocks. Now I can reach a -current machine with some Android terminal app without changing the default ciphers for all clients:
Match Address 192.168.1.2
Ciphers aes128-cbc
MACs hmac-sha1
KexAlgorithms diffie-hellman-group-exchange-sha1
Index: servconf.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/servconf.c,v
retrieving revision 1.249
diff -u -p -u -r1.249 servconf.c
--- servconf.c	29 Jan 2014 06:18:35 -0000	1.249
+++ servconf.c	6 Jun 2014 08:04:06 -0000
@@ -399,8 +399,8 @@ static struct {
 	{ "denyusers", sDenyUsers, SSHCFG_ALL },
 	{ "allowgroups", sAllowGroups, SSHCFG_ALL },
 	{ "denygroups", sDenyGroups, SSHCFG_ALL },
-	{ "ciphers", sCiphers, SSHCFG_GLOBAL },
-	{ "macs", sMacs, SSHCFG_GLOBAL },
+	{ "ciphers", sCiphers, SSHCFG_ALL },
+	{ "macs", sMacs, SSHCFG_ALL },
 	{ "protocol", sProtocol, SSHCFG_GLOBAL },
 	{ "gatewayports", sGatewayPorts, SSHCFG_ALL },
 	{ "subsystem", sSubsystem, SSHCFG_GLOBAL },
@@ -427,7 +427,7 @@ static struct {
 	{ "revokedkeys", sRevokedKeys, SSHCFG_ALL },
 	{ "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
 	{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
-	{ "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
+	{ "kexalgorithms", sKexAlgorithms, SSHCFG_ALL },
 	{ "ipqos", sIPQoS, SSHCFG_ALL },
 	{ "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL },
 	{ "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL },
@@ -1239,7 +1239,7 @@ process_server_config_line(ServerOptions
 		if (!ciphers_valid(arg))
 			fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
 			    filename, linenum, arg ? arg : "<NONE>");
-		if (options->ciphers == NULL)
+		if (*activep && options->ciphers == NULL)
 			options->ciphers = xstrdup(arg);
 		break;
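Review bot: The new guard `if (*activep && options->ciphers == NULL)` deliberately leaves the `ciphers_valid(arg)` check above it running even for Match blocks that do not apply to this connection, which is the right behaviour (a bad spec anywhere in the file should still be fatal) but reads like an oversight without a note. A one-line comment would settle it, e.g. `/* validate the spec even in an inactive Match block; only assign when active */`. The same `*activep &&` pattern is repeated for MACs and KexAlgorithms in the following hunks, so the comment belongs on all three. process_server_config_line begins and ends outside this hunk.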
@@ -1250,7 +1250,7 @@ process_server_config_line(ServerOptions
 		if (!mac_valid(arg))
 			fatal("%s line %d: Bad SSH2 mac spec '%s'.",
 			    filename, linenum, arg ? arg : "<NONE>");
-		if (options->macs == NULL)
+		if (*activep && options->macs == NULL)
 			options->macs = xstrdup(arg);
 		break;
@@ -1262,7 +1262,7 @@ process_server_config_line(ServerOptions
 		if (!kex_names_valid(arg))
 			fatal("%s line %d: Bad SSH2 KexAlgorithms '%s'.",
 			    filename, linenum, arg ? arg : "<NONE>");
-		if (options->kex_algorithms == NULL)
+		if (*activep && options->kex_algorithms == NULL)
 			options->kex_algorithms = xstrdup(arg);
 		break;
Index: servconf.h
===================================================================
RCS file: /cvs/src/usr.bin/ssh/servconf.h,v
retrieving revision 1.112
diff -u -p -u -r1.112 servconf.h
--- servconf.h	29 Jan 2014 06:18:35 -0000	1.112
+++ servconf.h	6 Jun 2014 08:04:06 -0000
@@ -209,6 +209,9 @@ struct connection_info {
 	M_CP_STROPT(authorized_principals_file); \
 	M_CP_STROPT(authorized_keys_command); \
 	M_CP_STROPT(authorized_keys_command_user); \
+	M_CP_STROPT(ciphers); \
+	M_CP_STROPT(macs); \
+	M_CP_STROPT(kex_algorithms); \
 	M_CP_STRARRAYOPT(authorized_keys_files, num_authkeys_files); \
 	M_CP_STRARRAYOPT(allow_users, num_allow_users); \
 	M_CP_STRARRAYOPT(deny_users, num_deny_users); \
Index: sshd.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/sshd.c,v
retrieving revision 1.426
diff -u -p -u -r1.426 sshd.c
--- sshd.c	29 Apr 2014 18:01:49 -0000	1.426
+++ sshd.c	6 Jun 2014 08:04:06 -0000
@@ -1919,6 +1919,10 @@ main(int ac, char **av)
 	verbose("Connection from %s port %d on %s port %d",
 	    remote_ip, remote_port,
 	    get_local_ipaddr(sock_in), get_local_port());
+
+	/* Match configuration against the connection */
+	connection_info = get_connection_info(1, options.use_dns);
+	parse_server_match_config(&options, connection_info);
 	/*
 	 * We don't want to listen forever unless the other side
Index: sshd_config.5
===================================================================
RCS file: /cvs/src/usr.bin/ssh/sshd_config.5,v
retrieving revision 1.173
diff -u -p -u -r1.173 sshd_config.5
--- sshd_config.5	28 Mar 2014 05:17:11 -0000	1.173
+++ sshd_config.5	6 Jun 2014 08:04:06 -0000
@@ -896,6 +896,7 @@ Available keywords are
 .Cm AuthorizedPrincipalsFile ,
 .Cm Banner ,
 .Cm ChrootDirectory ,
+.Cm Ciphers ,
 .Cm DenyGroups ,
 .Cm DenyUsers ,
 .Cm ForceCommand ,
@@ -905,6 +906,8 @@ Available keywords are
 .Cm HostbasedUsesNameFromPacketOnly ,
 .Cm KbdInteractiveAuthentication ,
 .Cm KerberosAuthentication ,
+.Cm KexAlgorithms ,
+.Cm MACs ,
 .Cm MaxAuthTries ,
 .Cm MaxSessions ,
 .Cm PasswordAuthentication ,
Regards, Armin Wolfermann
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
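Review bot: The new early `parse_server_match_config(&options, connection_info)` call runs before key exchange, when `get_connection_info(1, options.use_dns)` can only describe the peer and local address/port, so presumably only `Match Address`, `LocalAddress` and `LocalPort` criteria can match here; a `Match User` or `Match Group` block carrying Ciphers, MACs or KexAlgorithms is now accepted by the parser (the keywords are SSHCFG_ALL) yet can only be evaluated by the later post-authentication Match pass, outside this hunk, by which time the algorithms are already negotiated, so its settings would be silently ineffective. Either reject those three keywords at parse time in blocks that use user/group criteria, or at minimum document the restriction in the sshd_config.5 Match section next to the new `Ciphers`, `KexAlgorithms` and `MACs` entries, and replace the one-line comment above the call with a short one saying that only connection-level criteria are evaluated at this point because no user has authenticated yet. Operators should also be warned that an algorithm set weakened in a `Match Address` block is gated solely on the unauthenticated source address, so anything able to reach sshd from that address (a shared NAT, a compromised neighbour) obtains the weaker algorithms. Whether `connection_info` is declared earlier in main() cannot be seen from this hunk; main() starts and ends outside it.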