[Bug 3661] New: Set handshake-related keywords like KexAlgorithms,Ciphers,MACs in "Match address" conditional block
https://bugzilla.mindrot.org/show_bug.cgi?id=3661

Bug ID: 3661
Summary: Set handshake-related keywords like KexAlgorithms,Ciphers,MACs in "Match address" conditional block
Product: Portable OpenSSH
Version: 9.6p1
Hardware: amd64
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: sshd
Assignee: unassigned-bugs@mindrot.org
Reporter: daku8938@gmx.de

In the sshd_config (specifically the sftp-server subsystem) I would
like to set the following, to generally offer Cipher aes128-ctr, but
for clients from IP address 1.2.3.4 offer Ciphers aes128-ctr and also
aes128-gcm@openssh.com:

----------------------------------
Ciphers aes128-ctr

Match Address 1.2.3.4
Ciphers aes128-ctr,aes128-gcm@openssh.com
----------------------------------

Analogously, I would like to be able to configure other handshake-related
variables like KexAlgorithms and MACs.

The use case is that we need to restrict values to strict, secure values.
But when some customer clients cannot connect with those, we could
additionally offer older insecure values to those specific client IP
addresses for a period of time, to give clients time to update.

The client source IP is already known at the TCP (IP) layer, that is, before
any application (ssh) layer handshake, so this should be possible.

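
The following added example is not part of the bug report or of OpenSSH: a small Python lint that flags Ciphers, KexAlgorithms or MACs lines placed after a Match line, which is the configuration the report asks sshd to accept. It assumes these keywords are global-only (they are not in the sshd_config(5) list of keywords permitted after Match) and treats every line after a Match line as inside that block; the names `lint`, `split_directive` and `GLOBAL_ONLY` are hypothetical.

```python
"""Lint sshd_config text for handshake keywords placed inside Match blocks.

Added example, not OpenSSH code. Assumption: Ciphers, KexAlgorithms and
MACs are global-only keywords (not in the sshd_config(5) Match list).
"""
import re

GLOBAL_ONLY = {"ciphers", "kexalgorithms", "macs"}  # keywords named in the report


def split_directive(line):
    """Return (keyword, args) for a config line, or None for blank/comment."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    # sshd_config accepts "Keyword value" as well as "Keyword=value".
    parts = re.split(r"[ \t]*=[ \t]*|[ \t]+", line, maxsplit=1)
    keyword = parts[0]
    args = parts[1] if len(parts) > 1 else ""
    return keyword, args


def lint(config_text):
    """Return a list of (line_no, keyword, match_criteria) findings."""
    findings = []
    current_match = None  # criteria of the enclosing Match block, if any
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        parsed = split_directive(raw)
        if parsed is None:
            continue
        keyword, args = parsed
        if keyword.lower() == "match":  # keywords are case-insensitive
            current_match = args
        elif current_match is not None and keyword.lower() in GLOBAL_ONLY:
            findings.append((line_no, keyword, current_match))
    return findings


# Constructed sample: the configuration proposed in the report.
SAMPLE = """\
Ciphers aes128-ctr

Match Address 1.2.3.4
    Ciphers aes128-ctr,aes128-gcm@openssh.com
"""

if __name__ == "__main__":
    for line_no, keyword, criteria in lint(SAMPLE):
        print(f"line {line_no}: {keyword} inside 'Match {criteria}'")
```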