* Damien Miller <djm@xxxxxxxxxxx> [08.06.2014 01:23]:
> Unfortunately, this is a bit confusing - some Match criteria only work
> after key exchange has completed. If users try something like
>
> Match user djm
> Ciphers aes128-cbc
>
> then it will never work. For this reason, we've made any sshd_config
> directives that must be applied before key exchange available by Match.

Would some additional documentation suffice or should an error/warning be generated when using such a combination?

Index: sshd_config.5 =================================================================== RCS file: /cvs/src/usr.bin/ssh/sshd_config.5,v retrieving revision 1.173 diff -u -p -u -r1.173 sshd_config.5 --- sshd_config.5 28 Mar 2014 05:17:11 -0000 1.173 +++ sshd_config.5 8 Jun 2014 12:26:11 -0000 @@ -896,6 +896,7 @@ Available keywords are .Cm AuthorizedPrincipalsFile , .Cm Banner , .Cm ChrootDirectory , +.Cm Ciphers , .Cm DenyGroups , .Cm DenyUsers , .Cm ForceCommand , @@ -905,6 +906,8 @@ Available keywords are .Cm HostbasedUsesNameFromPacketOnly , .Cm KbdInteractiveAuthentication , .Cm KerberosAuthentication , +.Cm KexAlgorithms , +.Cm MACs , .Cm MaxAuthTries , .Cm MaxSessions , .Cm PasswordAuthentication , @@ -921,6 +924,18 @@ Available keywords are .Cm X11Forwarding and .Cm X11UseLocalHost . +.Pp +The keywords +.Cm Ciphers , +.Cm KexAlgorithms +and +.Cm MACs +apply to pre-authenticated connections and will not modify configuration +when specified after the (post-authentication) +.Cm User +or +.Cm Group +criteria. .It Cm MaxAuthTries Specifies the maximum number of authentication attempts permitted per connection.

Regards,
Armin Wolfermann
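
Review bot: The first two hunks add Ciphers, KexAlgorithms and MACs to the list of keywords available in a Match block, but the diff touches only sshd_config.5. Unless a matching change to the configuration parser accompanies it, the manual will advertise keywords that sshd may not accept after Match. Please pair the list additions with the code change, or hold them until it lands.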
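
Review bot: In the new .Pp paragraph of the third hunk, "will not modify configuration when specified after the (post-authentication) User or Group criteria" documents a silent no-op and can be read as a statement about ordering in the file rather than about the Match block the keyword sits in. Suggest saying that the three keywords are applied during key exchange, before the user is known, and therefore have no effect in a Match block that uses User or Group criteria. The paragraph should also state whether sshd reports such a combination, which is the question asked in this mail, because an administrator restricting algorithms per user would otherwise assume the setting took effect.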
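
The combination discussed in this thread can be caught with a lint pass over sshd_config before deployment. The following is an added example, not part of the original message and not OpenSSH code; the function name `lint_sshd_config` and the sample configuration are constructed, and the keyword and criteria sets are taken from the patch text above.

```python
# Added example: flag key-exchange-time keywords placed under Match blocks
# that depend on post-authentication criteria (User, Group).
PRE_KEX = {"ciphers", "kexalgorithms", "macs"}   # keywords named in the thread
POST_AUTH = {"user", "group"}                    # criteria known only after auth


def lint_sshd_config(text):
    """Return (line_no, keyword, match_line) for every directive that can
    never take effect because its Match block depends on User or Group."""
    findings = []
    match_line = None      # text of the enclosing Match line, if any
    late_block = False     # True when that Match uses User/Group criteria
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # sshd_config accepts both "Keyword value" and "Keyword=value".
        parts = line.replace("=", " ", 1).split()
        keyword, args = parts[0].lower(), parts[1:]
        if keyword == "match":
            match_line = line
            # Criteria come as name/pattern pairs: Match User djm Address ...
            criteria = {name.lower() for name in args[0::2]}
            late_block = bool(criteria & POST_AUTH)
        elif keyword in PRE_KEX and late_block:
            findings.append((no, parts[0], match_line))
    return findings


# Constructed sample configuration (not from the original post).
SAMPLE = """\
Ciphers aes128-ctr
Match Address 192.0.2.0/24
    MACs hmac-sha2-256
Match User djm
    # the case quoted in the thread
    Ciphers aes128-cbc
    ForceCommand /bin/true
Match Group legacy Address 198.51.100.7
    KexAlgorithms=diffie-hellman-group14-sha1
"""

if __name__ == "__main__":
    for no, kw, block in lint_sshd_config(SAMPLE):
        print(f"line {no}: {kw} is negotiated before '{block}' can be evaluated")
```

A Match block that mixes Address with User or Group is still flagged, since the block as a whole cannot be selected until the user is known.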