On 2020-02-05 at 20:39 -0500, Phil Pennock wrote:
> On 2020-02-06 at 10:29 +1100, Damien Miller wrote:
> > OpenSSH 8.2p1 is almost ready for release, so we would appreciate testing
> > on as many platforms and systems as possible. This is a feature release.
> >
> > * The RFC8332 RSA SHA-2 signature algorithms rsa-sha2-256/512. These
>
> This actually affects me: github.com has very limited HostKeyAlgorithms
> advertised and my attempts to filter acceptable algorithms are based
> around lines from `ssh -Q key` (since before the newer - support for
> filtering) so I've been re-enabling ssh-rsa for github.com, missing that
> there was another option. I think I've stopped using clients old enough
> to not have -tag support for this option, so I'll switch over away from
> explicit enumeration.

Rediscovered part of why I was doing this: HostKeyAlgorithms is not
cumulative across rules, instead still being the "first match", even when
subsequent entries start with "+" or "-".

IMO the easiest way for people to safely test and discover what works
still is to have ssh config which looks like:

  Host *
    HostKeyAlgorithms -ssh-rsa*,ssh-dss*

  Host legacy
    HostKeyAlgorithms +ssh-rsa

Is changing to support this, as long as subsequent rules start +/-,
something sufficiently compatible that you'd consider it?

Yes, we can put the "HostKeyAlgorithms -ssh-rsa*,ssh-dss*" at the end of
the file, but then every host where we explicitly enable ssh-rsa, we then
have to also re-disable the things we don't intend to re-enable.
So I contend that the behavior of this is only obvious to OpenSSH experts
and it will cause me pain helping folks:

  Host legacy
    HostKeyAlgorithms +ssh-rsa

  Host *
    HostKeyAlgorithms -ssh-rsa*,ssh-dss*
  # net result: host legacy has ssh-dss* algorithms enabled, plus any
  # ssh-rsa* glob matches beyond ssh-rsa itself

Thanks,
-Phil

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
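As an added illustration, not part of the original thread, the following Python models the first-match rule for HostKeyAlgorithms that the message describes and evaluates both orderings from it. The default algorithm list, the minimal ssh_config reader and the function names are constructed for this example; the list is not OpenSSH's real default and the reader ignores everything except Host and HostKeyAlgorithms.

```python
import fnmatch

# Constructed sample default list; it keeps ssh-dss on purpose so the
# ordering effect is visible. It is NOT OpenSSH's real default list.
SAMPLE_DEFAULTS = [
    "ssh-ed25519", "ecdsa-sha2-nistp256",
    "rsa-sha2-512", "rsa-sha2-256", "ssh-rsa", "ssh-dss",
]

def apply_spec(spec, defaults):
    """'+' appends names not already present, '-' removes glob matches,
    anything else replaces the list ('^' prefix is not modelled here)."""
    if spec.startswith("+"):
        extra = [a for a in spec[1:].split(",") if a not in defaults]
        return list(defaults) + extra
    if spec.startswith("-"):
        pats = spec[1:].split(",")
        return [a for a in defaults
                if not any(fnmatch.fnmatchcase(a, p) for p in pats)]
    return spec.split(",")

def parse_config(text):
    """Minimal ssh_config reader: returns [(host_patterns, [specs])];
    comments and keywords other than Host/HostKeyAlgorithms are ignored."""
    blocks, current = [], None
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if len(parts) != 2:
            continue
        key, val = parts[0].lower(), parts[1].strip()
        if key == "host":
            current = (val.split(), [])
            blocks.append(current)
        elif key == "hostkeyalgorithms" and current is not None:
            current[1].append(val)
    return blocks

def effective_hostkeyalgorithms(config_text, host, defaults=SAMPLE_DEFAULTS):
    """First matching block that sets HostKeyAlgorithms wins; a later
    '+'/'-' directive for the same host is ignored, not merged."""
    for patterns, specs in parse_config(config_text):
        if specs and any(fnmatch.fnmatchcase(host, p) for p in patterns):
            return apply_spec(specs[0], defaults)
    return list(defaults)

# The two orderings from the message above.
SAFE_FIRST = ("Host *\n  HostKeyAlgorithms -ssh-rsa*,ssh-dss*\n"
              "Host legacy\n  HostKeyAlgorithms +ssh-rsa\n")
LEGACY_FIRST = ("Host legacy\n  HostKeyAlgorithms +ssh-rsa\n"
                "Host *\n  HostKeyAlgorithms -ssh-rsa*,ssh-dss*\n")
```

With the safe block first, `legacy` never gets ssh-rsa back; with the legacy block first, `legacy` keeps the whole sample default including ssh-dss. Against a real client, `ssh -G legacy` prints the configuration ssh would actually use for that host, which is the quickest way to confirm which directive won.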