bugzilla-daemon at mindrot.org
2024-Feb-01 11:49 UTC
[Bug 3661] New: Set handshake-related keywords like KexAlgorithms,Ciphers,MACs in "Match address" conditional block
https://bugzilla.mindrot.org/show_bug.cgi?id=3661

    Bug ID: 3661
    Summary: Set handshake-related keywords like KexAlgorithms,Ciphers,MACs in "Match address" conditional block
    Product: Portable OpenSSH
    Version: 9.6p1
    Hardware: amd64
    OS: Linux
    Status: NEW
    Severity: enhancement
    Priority: P5
    Component: sshd
    Assignee: unassigned-bugs at mindrot.org
    Reporter: daku8938 at gmx.de

In the sshd_config (specifically the sftp-server subsystem) I would like to set the following, to generally offer Cipher aes128-ctr, but for clients from IP address 1.2.3.4 offer Ciphers aes128-ctr and also aes128-gcm@openssh.com:

----------------------------------
Ciphers aes128-ctr
Match Address 1.2.3.4
    Ciphers aes128-ctr,aes128-gcm@openssh.com
----------------------------------

Analogously, I would like to be able to configure other handshake-related variables like KexAlgorithms and MACs.

The use case is that we need to restrict values to strict secure values. But when some customer clients cannot connect with those, we could additionally offer older insecure values to those specific client IP addresses for a period of time, to give clients time to update.

The client source IP is already known on the TCP (IP) layer, so before any application (ssh) layer handshake, so this should be possible.

--
You are receiving this mail because:
You are watching the assignee of the bug.
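
As an added example (not part of the original report and not OpenSSH code): a small Python check that parses sshd_config text and reports KexAlgorithms, Ciphers or MACs lines that fall inside a Match block, the placement this report asks sshd to support. The function name, the sample configuration, and the simplifications (every Match line, including `Match all`, is treated as opening a block; Include files are not followed) are assumptions of the example.

```python
"""Report handshake-related sshd_config keywords that sit inside a Match block."""
import re

# The three keywords named in the report (sshd_config keywords are case-insensitive).
HANDSHAKE_KEYWORDS = {"kexalgorithms", "ciphers", "macs"}

# "Keyword value" or "Keyword=value"; comment and blank lines do not match.
DIRECTIVE = re.compile(r"^\s*([A-Za-z0-9]+)(?:\s*=\s*|\s+)(.*?)\s*$")

# Constructed sample: the configuration from the report plus two extra lines.
SAMPLE_CONFIG = """\
# global policy
Ciphers aes128-ctr
Match Address 1.2.3.4
    Ciphers aes128-ctr,aes128-gcm@openssh.com
    MACs=hmac-sha2-256
    X11Forwarding no
"""


def find_match_scoped_handshake(config_text):
    """Return (line number, keyword as written, Match criteria) per finding."""
    findings = []
    match_criteria = None  # criteria of the enclosing Match line, None while global
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        parsed = DIRECTIVE.match(line)
        if parsed is None:
            continue  # blank line, comment, or keyword without an argument
        keyword, argument = parsed.group(1), parsed.group(2)
        if keyword.lower() == "match":
            # Assumption: a Match block runs until the next Match line or EOF.
            match_criteria = argument
            continue
        if match_criteria is not None and keyword.lower() in HANDSHAKE_KEYWORDS:
            findings.append((lineno, keyword, match_criteria))
    return findings


if __name__ == "__main__":
    for lineno, keyword, criteria in find_match_scoped_handshake(SAMPLE_CONFIG):
        print(f"line {lineno}: {keyword} is scoped to 'Match {criteria}'")
```
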