Mailing List Archive

[Bug 3184] Unable to add deprecated KexAlgorithms back for host via config file
https://bugzilla.mindrot.org/show_bug.cgi?id=3184

--- Comment #1 from Nathan Neulinger <nneul@neulinger.org> ---
Some further digging - it appears it's not exactly as described.

It's obeying the config when the config is SIMPLE. But if I put:

KexAlgorithms +diffie-hellman-group1-sha1

it's like it's getting stuck with the default, and ignoring any other
changes. Trying to find more detail.

--
You are receiving this mail because:
You are watching the assignee of the bug.
_______________________________________________
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs

--- Comment #2 from Nathan Neulinger <nneul@neulinger.org> ---
I was able to work around this... Maybe it's expected, but there
appears to be something "magic" about adding group1-sha1 that
interferes with incrementally adding other entries.

Adding all of them in one shot appears to work fine even on current
versions.


Jakub Jelen <jjelen@redhat.com> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC| |jjelen@redhat.com

--- Comment #3 from Jakub Jelen <jjelen@redhat.com> ---
Please, post the complete debug log and check what is in all the
configuration files (also included if you have some).


--- Comment #4 from Nathan Neulinger <nneul@neulinger.org> ---
AH, I think I now understand what the problem is with what I was doing.

The KexAlgorithms config setting in config file ONLY WORKS ONCE.

i.e. you cannot do:

KexAlgorithms +diffie-hellman-group1-sha1
KexAlgorithms +diffie-hellman-group-exchange-sha1

but when specified via command line, it appears to allow another
override (or it's being processed first).

Above snippet results in it listing group1-sha1, but NOT the
group-exchange-sha1.


Is that "one shot" expected? It sure doesn't appear that way from
documentation.


--- Comment #5 from Nathan Neulinger <nneul@neulinger.org> ---
Created attachment 3413
--> https://bugzilla.mindrot.org/attachment.cgi?id=3413&action=edit
Trace of ssh -vvv

Example trace with this conf file in /tmp/testconf:

KexAlgorithms diffie-hellman-group14-sha1
KexAlgorithms +diffie-hellman-group1-sha1
KexAlgorithms +diffie-hellman-group-exchange-sha1

and invoked as:

ssh -F /tmp/testconf -vvv root@localhost id >/tmp/trace.txt 2>&1


--- Comment #6 from Nathan Neulinger <nneul@neulinger.org> ---
This appears to be long standing behavior, I had always had the
+diffie-hellman-group1-sha1 and only noticed the change with upgrade to
Ubuntu20 when the group-exchange-sha1 was also removed in current
versions.


Damien Miller <djm@mindrot.org> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC| |djm@mindrot.org

--- Comment #7 from Damien Miller <djm@mindrot.org> ---
This is expected behaviour - ssh's config is "first match wins" for
most configuration options. I.e. only the first configuration option is
considered. This is documented at the start of ssh_config(1):

"For each parameter, the first obtained value will be used."

You should be able to do:

KexAlgorithms +diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1

to get the behaviour you want.

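Added example (not part of the original thread and not OpenSSH code): a small Python check that applies the "first obtained value" rule quoted in comment #7 to a config file and reports which KexAlgorithms lines never take effect. It is a simplified model that handles Host blocks only (no Match or Include); the name first_obtained, the PER_HOST sample and the host names in it are constructed for illustration.

```python
import fnmatch
import re

def first_obtained(config_text, host, keyword="KexAlgorithms"):
    """Resolve `keyword` for `host` the way ssh_config describes it:
    the first obtained value is used, later occurrences are ignored.
    Simplified (assumption): Host blocks only; no Match or Include."""
    active = True      # lines before the first Host block apply to all hosts
    effective = None   # (line number, value) that would be used
    ignored = []       # later occurrences that never take effect
    name = host.lower()
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key, value = parts[0].lower(), parts[1] if len(parts) > 1 else ""
        if key == "host":
            pats = value.lower().split()
            hit = any(fnmatch.fnmatchcase(name, p) for p in pats if not p.startswith("!"))
            neg = any(fnmatch.fnmatchcase(name, p[1:]) for p in pats if p.startswith("!"))
            active = hit and not neg
        elif active and key == keyword.lower():
            if effective is None:
                effective = (lineno, value)
            else:
                ignored.append((lineno, value))
    return effective, ignored

# The /tmp/testconf contents from comment #5.
TESTCONF = """\
KexAlgorithms diffie-hellman-group14-sha1
KexAlgorithms +diffie-hellman-group1-sha1
KexAlgorithms +diffie-hellman-group-exchange-sha1
"""
# Constructed sample: the same shadowing spread across Host blocks.
PER_HOST = """\
Host legacy.example
    KexAlgorithms +diffie-hellman-group1-sha1
Host *
    KexAlgorithms +diffie-hellman-group-exchange-sha1
"""
# The single-line form suggested in comment #7.
COMBINED = "KexAlgorithms +diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1\n"

if __name__ == "__main__":
    for label, text, host in (("testconf", TESTCONF, "localhost"),
                              ("per-host", PER_HOST, "legacy.example"),
                              ("combined", COMBINED, "localhost")):
        used, dropped = first_obtained(text, host)
        print(label, "uses", used, "ignores", dropped)
```

On a real system, ssh -G <host> prints the configuration ssh resolves for that host, which can be compared with the line this check reports as used.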

Nathan Neulinger <nneul@neulinger.org> changed:

What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution|--- |INVALID

--- Comment #8 from Nathan Neulinger <nneul@neulinger.org> ---
Totally explains the behavior, sorry for the wasted time.

Thank you.
