On Tue, 19 Aug 2014, Iain Morgan wrote: > On Mon, Aug 18, 2014 at 11:23:41 +1000, Damien Miller wrote: > > Potentially-incompatible changes > > > > * sshd(8): The default set of ciphers and MACs has been altered to > > remove unsafe algorithms. In particular, CBC ciphers and arcfour* > > are disabled by default. > > > > Is this really true? I just ran "$PWD/sshd -f /dev/null -T" in my build > directory, and it lists the full set of ciphers -- not the trimmed-down > default list indicated in sshd_config(5). It is true, but you've just uncovered a bug in the code that dumps the config :)
Index: servconf.c
===================================================================
RCS file: /var/cvs/openssh/servconf.c,v
retrieving revision 1.249
diff -u -p -r1.249 servconf.c
--- servconf.c	18 Jul 2014 04:11:26 -0000	1.249
+++ servconf.c	19 Aug 2014 23:53:44 -0000
@@ -54,6 +54,7 @@
 #include "packet.h"
 #include "hostfile.h"
 #include "auth.h"
+#include "myproposal.h"
 
 static void add_listen_addr(ServerOptions *, char *, int);
 static void add_one_listen_addr(ServerOptions *, char *, int);
@@ -2070,9 +2071,8 @@ dump_config(ServerOptions *o)
 	/* string arguments */
 	dump_cfg_string(sPidFile, o->pid_file);
 	dump_cfg_string(sXAuthLocation, o->xauth_location);
-	dump_cfg_string(sCiphers, o->ciphers ? o->ciphers :
-	    cipher_alg_list(',', 0));
-	dump_cfg_string(sMacs, o->macs ? o->macs : mac_alg_list(','));
+	dump_cfg_string(sCiphers, o->ciphers ? o->ciphers : KEX_SERVER_ENCRYPT);
+	dump_cfg_string(sMacs, o->macs ? o->macs : KEX_SERVER_MAC);
 	dump_cfg_string(sBanner, o->banner);
 	dump_cfg_string(sForceCommand, o->adm_forced_command);
 	dump_cfg_string(sChrootDirectory, o->chroot_directory);
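Review bot: The fallback on the new sCiphers and sMacs lines is a second, hand-maintained copy of the server's effective default that lives only in dump_config, so `-T` output is correct exactly as long as the KEX path derives its offer from nothing but KEX_SERVER_ENCRYPT and KEX_SERVER_MAC; if the real offer is ever adjusted elsewhere (runtime crypto-library availability, compat tweaks), the dump and the wire proposal will silently diverge again, which is the auditing failure the reporter hit. A sturdier shape is to have the code in servconf.c that fills in unset server defaults assign these strings into o->ciphers and o->macs when they are NULL, so dump_config and the key-exchange code read the same field and the `? :` fallback here disappears. Short of that, the fallback deserves a comment so the old behaviour is not reintroduced, e.g. `/* Unset: report the compiled-in default proposal (myproposal.h), not every supported algorithm, so -T shows what sshd will actually offer. */`. dump_config's body begins and continues outside this hunk.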
@@ -2084,8 +2084,8 @@ dump_config(ServerOptions *o)
 	dump_cfg_string(sAuthorizedKeysCommand, o->authorized_keys_command);
 	dump_cfg_string(sAuthorizedKeysCommandUser, o->authorized_keys_command_user);
 	dump_cfg_string(sHostKeyAgent, o->host_key_agent);
-	dump_cfg_string(sKexAlgorithms, o->kex_algorithms ? o->kex_algorithms :
-	    kex_alg_list(','));
+	dump_cfg_string(sKexAlgorithms,
+	    o->kex_algorithms ? o->kex_algorithms : KEX_SERVER_KEX);
 
 	/* string arguments requiring a lookup */
 	dump_cfg_string(sLogLevel, log_level_name(o->log_level));
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
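Review bot: The new sKexAlgorithms fallback prints the compile-time KEX_SERVER_KEX string, which is only accurate if that macro already reflects every method this build can negotiate; if myproposal.h conditionally drops methods that depend on crypto-library features the macro tracks them, but if any of that filtering happens at runtime, `-T` would once more advertise more than sshd offers, so that assumption is worth confirming against the KEX code. Since the reporter found this by hand, a small regression check, if the tree's tests exercise `-T`, could compare the dumped ciphers/macs/kexalgorithms lines against the documented defaults in sshd_config(5). As a style point, this line is wrapped after `sKexAlgorithms,` while the sCiphers line in the previous hunk keeps the whole call on one line; the two should use the same wrapping. dump_config's body extends beyond this hunk on both sides.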