Re: playing around with removing algos

On 05/01/2017 04:48 PM, Cristian Ionescu-Idbohrn wrote:
> On Mon, 1 May 2017, Cristian Ionescu-Idbohrn wrote:
>
>> Example, 'Macs'.
>>
>> On the man page I read:
>>
>> "Multiple algorithms must be comma-separated.
>> ...
>> If the specified value begins with a '-' character, then the
>> specified algorithms (including wildcards) will be removed"
>>
>> It seems that just one algo name is supported on such a line, example:
>>
>> 	Macs -umac-64*
>>
>> But this form is not supported:
>>
>> 	Macs -umac-64*,-hmac-sha1*
>>
>> nor is this:
>>
>> 	Macs -umac-64*
>> 	Macs -hmac-sha1*
>>
>> And I have difficulties in finding _one_ pattern that matches _only_
>> the above algo families, but nothing else.
>>
>> Can you confirm this behaviour?  Can it be improved?

I believe this is expected behavior and a limitation of the current behavior. The manual page also says:

> For each parameter, the first obtained value will be used. [...]

> [...] will be removed *from the default set instead of replacing them*.

Therefore:
 * Only the default set is affected
 * The second Macs option is ignored (because Macs are already set)

This might be confusing, especially when specifying multiple values, and improving that would be very nice.

> More observations.
>
> After doing one of the above in /etc/ssh/sshd_config:
>
> # sshd -tT | sort | egrep '^macs'
> macs umac-128-etm@xxxxxxxxxxx,hmac-sha2-256-etm@xxxxxxxxxxx,
> hmac-sha2-512-etm@xxxxxxxxxxx,hmac-sha1-etm@xxxxxxxxxxx,
> umac-128@xxxxxxxxxxx,hmac-sha2-256,hmac-sha2-512,hmac-sha1
>
> umac-64* is gone, but I can still use umac-64@xxxxxxxxxxx to log in:
>
> $ ssh -oMacs=umac-64@xxxxxxxxxxx localhost
>
> Can you confirm this behaviour?

I would investigate the debug log with the -vvv switches to see what is actually offered by the server and the client.


--
Jakub Jelen
Software Engineer
Security Technologies
Red Hat
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
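The two man-page rules quoted in the reply (a leading '-' removes matching names from the default set; the first obtained value wins) can be modelled in a few lines. This is an added illustration, not code from the thread or from OpenSSH: the default MAC list is a constructed sample, wildcard matching uses fnmatch, and the reading that a single leading '-' applies to the whole comma-separated list is an assumption drawn from the man-page wording.

```python
import fnmatch

# Constructed sample of a built-in default MAC list (not copied from any
# OpenSSH release); it only needs to contain the families the thread discusses.
DEFAULT_MACS = [
    "umac-64-etm@openssh.com", "umac-128-etm@openssh.com",
    "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com",
    "hmac-sha1-etm@openssh.com", "umac-64@openssh.com", "umac-128@openssh.com",
    "hmac-sha2-256", "hmac-sha2-512", "hmac-sha1",
]


def apply_macs_value(value, defaults=DEFAULT_MACS):
    """Model of one Macs value per the man page: a leading '-' removes every
    name matching any comma-separated pattern from the default set, a leading
    '+' appends, anything else replaces the set.  Assumption: the sign is read
    once for the whole list, so '-a*,-b*' yields the pattern '-b*', which
    matches no real MAC name and therefore removes nothing."""
    if value.startswith("-"):
        patterns = value[1:].split(",")
        return [m for m in defaults
                if not any(fnmatch.fnmatchcase(m, p) for p in patterns)]
    if value.startswith("+"):
        extra = [m for m in value[1:].split(",") if m not in defaults]
        return list(defaults) + extra
    return value.split(",")


def effective_macs(config_text):
    """First obtained value wins: a second Macs line is ignored entirely."""
    for line in config_text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "macs":
            return apply_macs_value(parts[1].strip())
    return list(DEFAULT_MACS)


def negotiate(client_proposal, server_macs):
    """Server side of the MAC choice: the first client-proposed name that is
    also in the server's effective list wins, otherwise there is no match."""
    for mac in client_proposal.split(","):
        if mac in server_macs:
            return mac
    return None


if __name__ == "__main__":
    for cfg in ("Macs -umac-64*", "Macs -umac-64*,-hmac-sha1*",
                "Macs -umac-64*\nMacs -hmac-sha1*", "Macs -umac-64*,hmac-sha1*"):
        print(repr(cfg), "->", ",".join(effective_macs(cfg)))
```

With the thread's own configurations, only the single-list form `-umac-64*,hmac-sha1*` removes both families; if a client still logs in with umac-64 after a removal, the effective list printed by `sshd -T` and the `-vvv` negotiation lines are the place to compare.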