On Wed, 5 Feb 2020, Phil Pennock wrote:

> On 2020-02-06 at 14:41 +1100, Damien Miller wrote:
> > No, sorry - the rules evaluation is enough of a mess without adding
> > more corner cases where first-match-doesn't-always-win...
>
> Fair. Thanks for the feedback. :)
>
> > I don't think that is correct. Host legacy won't have ssh-dss enabled
> > because that isn't in the default set of algs to begin with.
>
> Ugh. Okay, bad example, sorry. I should have stuck to what I'm
> actually using. For $reasons, I'm disabling all RSA by default,
> sticking to ECC for pubkey usage in SSH. I re-enable it where needed
> for some hosts. Legacy was my euphemism for "no ECC".
>
>   Host legacy
>     HostKeyAlgorithms +rsa-sha2-256,rsa-sha2-512
>   Host *
>     HostKeyAlgorithms -ssh-rsa*,ssh-dss*,rsa-sha*
>
> This will re-enable ssh-rsa for host legacy.

I'll quibble by saying ssh-rsa was never disabled for host legacy to
begin with, but yeah - the result is the same: we only support a single
+/- modification.

> FWIW, while github.com has updated to allow rsa-sha2-* algorithms,
> very public hosts which will currently cause people pain because they
> only allow ssh-rsa include:
>
> * bazaar.launchpad.net
> * bitbucket.org (also ssh-dss)
> * AWS codecommit hosts (at least, the one I touch)

That's why we're warning people now :) Hopefully these will fix their
sh^wstuff before we actually turn off ssh-rsa.

-d
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
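The point Damien makes above (first matching Host block to set a keyword wins, so only one +/- modifier is ever applied to the default list) is easy to get wrong when reading an ssh_config. The following is an added illustration, not code from the thread or from OpenSSH: a small Python model of that resolution order, run over Phil's two-block configuration. The default algorithm list it uses is a constructed, abbreviated stand-in for the real client default (ssh-dss is absent from it, as Damien notes it is from the real default), and the `+`/`-`/`^` handling is a simplification that ignores `Keyword=value` syntax and other ssh_config features.

```python
"""Model of how the OpenSSH client resolves HostKeyAlgorithms across Host blocks.

Illustrative model only (not OpenSSH's code). Assumptions:
- DEFAULT_HOSTKEY_ALGS is a constructed, abbreviated stand-in for the real
  default list; ssh-dss is deliberately not in it.
- '+' appends names to the default, '-' removes names matching the given
  patterns, '^' prepends, and anything else replaces the list outright.
"""
from fnmatch import fnmatchcase

# Constructed stand-in for the client's built-in default (not the real list).
DEFAULT_HOSTKEY_ALGS = [
    "ssh-ed25519",
    "ecdsa-sha2-nistp256",
    "rsa-sha2-512",
    "rsa-sha2-256",
    "ssh-rsa",
]


def parse_config(text):
    """Return a list of (host_patterns, {keyword: value}) blocks in file order.

    Options appearing before any Host line go into an implicit 'Host *' block.
    """
    blocks = []
    patterns, options = ["*"], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, _, value = line.partition(" ")
        keyword, value = keyword.lower(), value.strip()
        if keyword == "host":
            blocks.append((patterns, options))
            patterns, options = value.split(), {}
        else:
            # Within one block, a repeated keyword keeps its first value.
            options.setdefault(keyword, value)
    blocks.append((patterns, options))
    return blocks


def resolve(blocks, hostname):
    """First matching Host block to mention a keyword wins; later ones are ignored."""
    chosen = {}
    for patterns, options in blocks:
        if not any(fnmatchcase(hostname, p) for p in patterns):
            continue
        for keyword, value in options.items():
            chosen.setdefault(keyword, value)
    return chosen


def apply_modifier(spec, default):
    """Apply a single +/-/^ modifier (or a literal list) to the default list.

    Only one modifier is ever applied, because resolve() returns one value.
    """
    if spec.startswith("+"):
        names = spec[1:].split(",")
        # Simplification: skip names already present instead of duplicating.
        return default + [n for n in names if n not in default]
    if spec.startswith("-"):
        pats = spec[1:].split(",")
        return [a for a in default if not any(fnmatchcase(a, p) for p in pats)]
    if spec.startswith("^"):
        names = spec[1:].split(",")
        return names + [a for a in default if a not in names]
    return spec.split(",")


def effective_hostkey_algs(config_text, hostname):
    """Algorithm list the model client would offer to `hostname`."""
    spec = resolve(parse_config(config_text), hostname).get("hostkeyalgorithms")
    if spec is None:
        return list(DEFAULT_HOSTKEY_ALGS)
    return apply_modifier(spec, DEFAULT_HOSTKEY_ALGS)


# The configuration quoted in the thread (copied here for the example).
SAMPLE_CONFIG = """\
Host legacy
  HostKeyAlgorithms +rsa-sha2-256,rsa-sha2-512
Host *
  HostKeyAlgorithms -ssh-rsa*,ssh-dss*,rsa-sha*
"""

if __name__ == "__main__":
    for host in ("legacy", "other.example"):
        print(host, effective_hostkey_algs(SAMPLE_CONFIG, host))
```

Running it shows why the `-` line never touches host `legacy`: the `Host legacy` block has already supplied a value for HostKeyAlgorithms, so the `Host *` block is skipped for that keyword and ssh-rsa stays in the list exactly as in the default; only hosts that fall through to `Host *` get the RSA families removed.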