[Bug 3184] New: Unable to add deprecated KexAlgorithms back for host via config file
https://bugzilla.mindrot.org/show_bug.cgi?id=3184

Bug ID: 3184
Summary: Unable to add deprecated KexAlgorithms back for host via config file
Product: Portable OpenSSH
Version: 8.2p1
Hardware: All
OS: All
Status: NEW
Severity: major
Priority: P5
Component: ssh
Assignee: unassigned-bugs@mindrot.org
Reporter: nneul@neulinger.org

I understand the desire to remove diffie-hellman-group14-sha1 for
example from the default offers - and agree completely with that. This
bug is NOT about the removal/default changes.

Somewhere between 7.6p1 and 8.2p1 the ability to add the deprecated
algorithms back in via config has broken. IT DOES WORK on command line.
It's only in the config file parsing where it fails. (i.e. I can no
longer add a 'Host old-PoS-router KexAlgorithms insecureone' entry to
my config.)

This worked as of 7.6p1. Note that it is also not specific to the
deprecated ones, it appears to be a general issue with that option
being ignored in the config file.

For example, with 7.6p1, if I put:

Host *
KexAlgorithms ecdh-sha2-nistp521

in config, and run with -vvv, I see:

debug2: local client KEXINIT proposal
debug2: KEX algorithms: ecdh-sha2-nistp521,ext-info-c
but with 8.2p1, the offer just shows the default regardless of the
content of the settings in config:

debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group1-sha1,ext-info-c
I'll see if I can find where specifically this broke.

_______________________________________________
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs
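A check for the symptom the report describes: parse the `KEX algorithms:` line of the local client KEXINIT proposal from `ssh -vvv` output and compare it with the list the config was supposed to enforce, flagging anything offered that the config did not ask for. This is an added example, not code from the report or from OpenSSH; the two debug excerpts are constructed from the lines quoted in the report, and the `ext-info-c` handling assumes only that ssh appends that extension marker to the configured list.

```python
import re

# Constructed excerpts modelled on the two runs in the report:
# 7.6p1 honouring "KexAlgorithms ecdh-sha2-nistp521", 8.2p1 offering the defaults.
OUTPUT_76P1 = """\
debug2: local client KEXINIT proposal
debug2: KEX algorithms: ecdh-sha2-nistp521,ext-info-c
debug2: host key algorithms: ssh-ed25519
"""

OUTPUT_82P1 = """\
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group1-sha1,ext-info-c
debug2: host key algorithms: ssh-ed25519
"""

KEX_LINE = re.compile(r"^debug2: KEX algorithms: (.*)$")


def offered_kex(debug_output):
    """Return the KEX list from the *local client* proposal only.

    ssh -vvv prints a second 'KEX algorithms:' line under the
    'peer server KEXINIT proposal' heading; that one is skipped."""
    in_local = False
    for line in debug_output.splitlines():
        if line.startswith("debug2: local client KEXINIT proposal"):
            in_local = True
            continue
        if line.startswith("debug2: peer server KEXINIT proposal"):
            in_local = False
        m = KEX_LINE.match(line)
        if in_local and m:
            return [a for a in m.group(1).split(",") if a]
    return []


def check_kex(debug_output, configured, extensions=("ext-info-c",)):
    """Compare what the client offered with what KexAlgorithms configured.

    Extension markers such as ext-info-c are appended by ssh itself and are
    not real key-exchange methods, so they are ignored in the comparison."""
    offered = [a for a in offered_kex(debug_output) if a not in extensions]
    return {
        "matches": offered == list(configured),
        "unexpected": [a for a in offered if a not in configured],
        "missing": [a for a in configured if a not in offered],
    }
```

The `configured` list can be taken from `ssh -G host`, which prints the effective option values after config parsing, so a mismatch between `-G` and the `-vvv` proposal isolates the fault to the proposal being built rather than the file being read.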