Re: Patch: Ciphers, MACs and KexAlgorithms on Match

* Damien Miller <djm@xxxxxxxxxxx> [08.06.2014 01:23]:
> Unfortunately, this is a bit confusing - some Match criteria only work
> after key exchange has completed. If users try something like
> 
> Match user djm
> 	Ciphers aes128-cbc
> 
> then it will never work. For this reason, we've made any sshd_config
> directives that must be applied before key exchange available by Match.

Would some additional documentation suffice or should an error/warning be
generated when using such a combination?

Index: sshd_config.5
===================================================================
RCS file: /cvs/src/usr.bin/ssh/sshd_config.5,v
retrieving revision 1.173
diff -u -p -u -r1.173 sshd_config.5
--- sshd_config.5	28 Mar 2014 05:17:11 -0000	1.173
+++ sshd_config.5	8 Jun 2014 12:26:11 -0000
@@ -896,6 +896,7 @@ Available keywords are
 .Cm AuthorizedPrincipalsFile ,
 .Cm Banner ,
 .Cm ChrootDirectory ,
+.Cm Ciphers ,
 .Cm DenyGroups ,
 .Cm DenyUsers ,
 .Cm ForceCommand ,
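Review bot: Ciphers is added to the "Available keywords" list with no indication that it only takes effect when the enclosing Match block's criteria can be evaluated before key exchange, so a reader who stops at this list will write exactly the "Match user djm" / "Ciphers aes128-cbc" form that the quoted reply says can never work. Consider qualifying the entry where it is listed (for example a parenthetical pointing at the restriction) rather than relying on a separate paragraph further down the section.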
@@ -905,6 +906,8 @@ Available keywords are
 .Cm HostbasedUsesNameFromPacketOnly ,
 .Cm KbdInteractiveAuthentication ,
 .Cm KerberosAuthentication ,
+.Cm KexAlgorithms ,
+.Cm MACs ,
 .Cm MaxAuthTries ,
 .Cm MaxSessions ,
 .Cm PasswordAuthentication ,
@@ -921,6 +924,18 @@ Available keywords are
 .Cm X11Forwarding
 and
 .Cm X11UseLocalHost .
+.Pp
+The keywords
+.Cm Ciphers ,
+.Cm KexAlgorithms
+and
+.Cm MACs
+apply to pre-authenticated connections and will not modify configuration
+when specified after the (post-authentication)
+.Cm User
+or
+.Cm Group
+criteria.
 .It Cm MaxAuthTries
 Specifies the maximum number of authentication attempts permitted per
 connection.
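Review bot: "apply to pre-authenticated connections" is ambiguous (a "pre-authenticated connection" reads as one that has already been authenticated), and the cutoff the quoted reply describes is key exchange, not authentication: the ciphers, MACs and kex algorithms must be settled before key exchange starts, while User and Group can only be matched once the client has named a user in the authentication phase. Suggest saying so directly, e.g. "are negotiated during the initial key exchange and therefore only take effect in Match blocks whose criteria can be evaluated before it; in a block using User or Group they are silently ignored", which also replaces the vague "will not modify configuration" with what actually happens. It would also help to state which criteria do work (the connection-based ones such as Address) so the reader is not left to infer them.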

Regards,
Armin Wolfermann
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
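The warning Armin asks about can be approximated outside sshd as a lint over sshd_config. The following is an added example for this thread, not OpenSSH code or anything from the patch; it assumes the behaviour described in the quoted reply (Ciphers, MACs and KexAlgorithms must be fixed before key exchange, and Match blocks using User or Group are only evaluated afterwards) and treats any Match block containing a User or Group criterion as too late for those directives, even when Address is also present. The sample config and the pre-KEX/post-KEX classification in the code are constructed for the example.

```python
"""Lint an sshd_config for Ciphers, MACs or KexAlgorithms placed under a
Match block whose criteria (User, Group) are only known after key exchange.

Added example for this mailing-list thread; not part of OpenSSH. It assumes
the behaviour described in the quoted reply: sshd has to settle the transport
algorithms before key exchange, and Match User/Group blocks are evaluated
later, so those directives in such blocks never take effect.
"""

import re

# Directives that sshd has to apply before key exchange starts.
PRE_KEX_DIRECTIVES = {"ciphers", "macs", "kexalgorithms"}

# Match criteria that depend on the authenticating user, which sshd only
# learns after key exchange. Connection-based criteria (e.g. Address) are
# known from the TCP connection itself and are not flagged.
POST_KEX_CRITERIA = {"user", "group"}

# "Keyword value" or "Keyword=value"; both spellings are accepted here.
_LINE_RE = re.compile(r"^([A-Za-z0-9]+)\s*=?\s*(.*?)\s*$")


def parse_match_blocks(text):
    """Split a config into Match blocks.

    Returns a list of (criteria, directives) pairs: criteria maps the
    lower-cased criterion name ("user", "address", ...) to its pattern and
    directives is a list of (line_number, keyword, value). Lines before the
    first Match are global and are not returned. A Match block extends to
    the next Match line or end of file.
    """
    blocks = []
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE_RE.match(line)
        if not m:
            continue
        keyword, value = m.group(1).lower(), m.group(2)
        if keyword == "match":
            tokens = value.split()
            if [t.lower() for t in tokens] == ["all"]:
                criteria = {"all": ""}
            else:
                # Criteria come in "Name pattern" pairs, e.g.
                # Match User djm Address 10.0.0.0/8
                criteria = {name.lower(): pat
                            for name, pat in zip(tokens[0::2], tokens[1::2])}
            current = (criteria, [])
            blocks.append(current)
        elif current is not None:
            current[1].append((lineno, keyword, value))
    return blocks


def lint(text):
    """Return [(line_number, directive, [criteria])] for every pre-KEX
    directive inside a Match block that uses a User or Group criterion.

    A block mixing Address with User is flagged as well: the block as a
    whole can only be evaluated once the user is known, so it is still
    too late for the transport algorithms.
    """
    findings = []
    for criteria, directives in parse_match_blocks(text):
        late = sorted(c for c in criteria if c in POST_KEX_CRITERIA)
        if not late:
            continue
        for lineno, keyword, _value in directives:
            if keyword in PRE_KEX_DIRECTIVES:
                findings.append((lineno, keyword, late))
    return findings


# Constructed sample config (not a real deployment). The Match Address
# block is fine; the Match User and Match Group blocks carry directives
# that sshd would parse but never apply.
SAMPLE_CONFIG = """\
# constructed sample
Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
Match Address 192.0.2.0/24
    Ciphers aes128-cbc
    PasswordAuthentication no
Match User djm
    Ciphers aes128-cbc
    MACs hmac-sha1
    X11Forwarding yes
Match Group legacy Address 203.0.113.0/24
    KexAlgorithms diffie-hellman-group1-sha1
"""

if __name__ == "__main__":
    for lineno, keyword, late in lint(SAMPLE_CONFIG):
        print("line %d: %s under Match %s is never applied "
              "(criteria only evaluated after key exchange)"
              % (lineno, keyword, "/".join(late)))
```

Run against the constructed sample it reports lines 7, 8 and 11 and stays silent for the Match Address block; point it at a real sshd_config with `lint(open(path).read())` before deploying a change that adds transport algorithms to a Match block.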