On 2021-02-23 at 12:46 +1100, Damien Miller wrote:
> OpenSSH 8.5p1 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This is a bugfix release.

Ubuntu 20.04/amd64: all tests passed [openssh-SNAP-20210224.tar.gz]

>  * ssh(1), sshd(8): rename the PubkeyAcceptedKeyTypes keyword to
>    PubkeyAcceptedAlgorithms. The previous name incorrectly suggested
>    that it control allowed key algorithms, when this option actually
>    specifies the signature algorithms that are accepted. The previous
>    name remains available as an alias. bz#3253

Seeing this available in the server, something I'd somehow missed, led
me to test it out.

Not a regression but an existing issue (seen in 8.3p1), unknown if bug
or comprehension issue but reporting now to fix either docs or code
before release:

# /etc/ssh/sshd_config:
PubkeyAcceptedAlgorithms -ssh-rsa,-ssh-rsa-cert-*,-rsa*

# command-line:
sshd -T | grep -i '^PubkeyAcceptedKeyTypes'
pubkeyacceptedkeytypes ssh-ed25519-cert-v01@xxxxxxxxxxx,ecdsa-sha2-nistp256-cert-v01@xxxxxxxxxxx,ecdsa-sha2-nistp384-cert-v01@xxxxxxxxxxx,ecdsa-sha2-nistp521-cert-v01@xxxxxxxxxxx,sk-ssh-ed25519-cert-v01@xxxxxxxxxxx,sk-ecdsa-sha2-nistp256-cert-v01@xxxxxxxxxxx,rsa-sha2-512-cert-v01@xxxxxxxxxxx,rsa-sha2-256-cert-v01@xxxxxxxxxxx,ssh-rsa-cert-v01@xxxxxxxxxxx,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@xxxxxxxxxxx,sk-ecdsa-sha2-nistp256@xxxxxxxxxxx,rsa-sha2-512,rsa-sha2-256

So besides the option not being renamed or duplicated under both names
for compatibility ... the glob removals don't work, and attempts to
remove rsa-sha2-256 explicitly don't work here either. Something seems
to be adding them back in?

-Phil
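
An added illustration, not part of the original message and not OpenSSH code: a simplified Python model of the removal syntax documented in sshd_config(5), where a '-' at the start of the value applies to the whole comma-separated list. The default set is constructed and abridged from the names in the output above (archive-masked suffixes kept), with ssh-rsa assumed to be a default; the function names are hypothetical.

```python
from fnmatch import fnmatchcase

# Constructed, abridged default set: names as they appear in the output above,
# plus ssh-rsa, which is assumed here to be part of the built-in defaults.
DEFAULTS = [
    "ssh-ed25519-cert-v01@xxxxxxxxxxx",
    "rsa-sha2-512-cert-v01@xxxxxxxxxxx",
    "rsa-sha2-256-cert-v01@xxxxxxxxxxx",
    "ssh-rsa-cert-v01@xxxxxxxxxxx",
    "ssh-ed25519",
    "ecdsa-sha2-nistp256",
    "rsa-sha2-512",
    "rsa-sha2-256",
    "ssh-rsa",
]


def assemble(value, defaults=DEFAULTS):
    """Hypothetical model of a PubkeyAcceptedAlgorithms value.

    Only a '-' as the first character of the whole value is an operator.
    Every comma-separated item after it is a plain pattern ('*' and '?'
    wildcards), so a '-' inside a later item is a literal character.
    The '+' and '^' prefixes and '!' negation are not modeled.
    """
    if not value.startswith("-"):
        # No prefix: the list replaces the defaults outright.
        return [p for p in value.split(",") if p]
    patterns = [p for p in value[1:].split(",") if p]
    return [
        name for name in defaults
        if not any(fnmatchcase(name, p) for p in patterns)
    ]


def removed(value, defaults=DEFAULTS):
    """Names a '-' list takes out of the default set, in default order."""
    kept = set(assemble(value, defaults))
    return [name for name in defaults if name not in kept]


if __name__ == "__main__":
    for cfg in ("-ssh-rsa,-ssh-rsa-cert-*,-rsa*", "-ssh-rsa,ssh-rsa-cert-*,rsa*"):
        print(cfg, "removes", removed(cfg))
```

Under this model the value quoted in the message removes only ssh-rsa, which is the one name absent from the reported `sshd -T` output; a single leading '-' followed by unprefixed patterns removes the RSA certificate and rsa-sha2-* names as well.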