The `+' support for HostkeyAlgorithms seems wrong compared to the other configuration options; it replaces with literal +value.

Default:

    # sshd -v
    sshd: illegal option -- v
    OpenSSH_7.0p1, OpenSSL 1.0.2d 9 Jul 2015
    # sshd -T -f /usr/local/etc/ssh/sshd_config|grep hostkeyalgorithms
    hostkeyalgorithms ecdsa-sha2-nistp256-cert-v01@xxxxxxxxxxx,ecdsa-sha2-nistp384-cert-v01@xxxxxxxxxxx,ecdsa-sha2-nistp521-cert-v01@xxxxxxxxxxx,ssh-ed25519-cert-v01@xxxxxxxxxxx,ssh-rsa-cert-v01@xxxxxxxxxxx,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,ssh-rsa

With this in sshd_config:

    HostkeyAlgorithms +ssh-dss

The result:

    # sshd -T -f /usr/local/etc/ssh/sshd_config|grep hostkeyalgorithms
    hostkeyalgorithms +ssh-dss

This disables all algorithms:

    # ssh -vvv user@127.0.0.1
    ...
    debug1: REQUESTED ENC.NAME is 'chacha20-poly1305@xxxxxxxxxxx'
    debug1: kex: server->client chacha20-poly1305@xxxxxxxxxxx <implicit> none
    debug1: REQUESTED ENC.NAME is 'chacha20-poly1305@xxxxxxxxxxx'
    debug1: kex: client->server chacha20-poly1305@xxxxxxxxxxx <implicit> none
    Unable to negotiate with 127.0.0.1: no matching host key type found. Their offer:

A similar problem exists with ssh_config:

    # ssh -G user@127.0.0.1|grep hostkeyalgorithms
    hostkeyalgorithms +ssh-dss

Also many of these new configuration options are missing in the manpages.

-- 
Regards,
Bryan Drewery
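An added illustration, not part of the report above and not OpenSSH's code: it models the documented `+`/`-` list semantics next to the literal-value behaviour the report observes, then runs the host key negotiation both ways to show why the literal `+ssh-dss` leaves the server with nothing a client can match. The default list is the non-certificate subset of what `sshd -T` printed above; the client offer is constructed, and the real sshd additionally drops key types it has no loaded host key for.

```python
# Non-certificate host key algorithms from the `sshd -T` output in the report.
SERVER_DEFAULT_HOSTKEY_ALGS = [
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "ssh-ed25519", "ssh-rsa",
]

# Constructed client offer (a 7.0-era client with the same default set).
CLIENT_OFFER = list(SERVER_DEFAULT_HOSTKEY_ALGS)


def expand_alg_list(value, defaults):
    """Intended semantics of the option: '+a,b' appends to the defaults,
    '-a,b' removes from them, and a plain list replaces them outright."""
    if value.startswith("+"):
        extra = [a for a in value[1:].split(",") if a and a not in defaults]
        return defaults + extra
    if value.startswith("-"):
        drop = set(value[1:].split(","))
        return [a for a in defaults if a not in drop]
    return [a for a in value.split(",") if a]


def expand_alg_list_literal(value, defaults):
    """The behaviour the report describes for HostkeyAlgorithms in 7.0p1:
    the value is used verbatim, so '+ssh-dss' becomes a one-entry list
    containing a name no peer will ever offer."""
    return [a for a in value.split(",") if a]


def negotiate_hostkey(client_offer, server_list):
    """SSH picks the first entry of the client's list that the server also
    lists; None is the 'no matching host key type found' outcome."""
    for alg in client_offer:
        if alg in server_list:
            return alg
    return None


if __name__ == "__main__":
    for expand in (expand_alg_list_literal, expand_alg_list):
        server = expand("+ssh-dss", SERVER_DEFAULT_HOSTKEY_ALGS)
        print(expand.__name__, server, "->", negotiate_hostkey(CLIENT_OFFER, server))
```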
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev