On 2021-02-23 at 12:46 +1100, Damien Miller wrote:
> OpenSSH 8.5p1 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This is a bugfix release.

Ubuntu 20.04/amd64: all tests passed [openssh-SNAP-20210224.tar.gz]

> * ssh(1), sshd(8): rename the PubkeyAcceptedKeyTypes keyword to
> PubkeyAcceptedAlgorithms. The previous name incorrectly suggested
> that it control allowed key algorithms, when this option actually
> specifies the signature algorithms that are accepted. The previous
> name remains available as an alias. bz#3253

Seeing this available in the server, something I'd somehow missed, led me to test it out. Not a regression but an existing issue (seen in 8.3p1); unknown if bug or comprehension issue, but reporting now to fix either docs or code before release:

# /etc/ssh/sshd_config:
PubkeyAcceptedAlgorithms -ssh-rsa,-ssh-rsa-cert-*,-rsa*

# command-line:
sshd -T | grep -i '^PubkeyAcceptedKeyTypes'

pubkeyacceptedkeytypes ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256

So besides the option not being renamed or duplicated under both names for compatibility ... the glob removals don't work, and attempts to remove rsa-sha2-256 explicitly don't work here either. Something seems to be adding them back in?

-Phil
On Tue, Feb 23, 2021 at 07:08:05PM -0500, Phil Pennock wrote: [...]> # command-line: > sshd -T | grep -i '^PubkeyAcceptedKeyTypes' > > pubkeyacceptedkeytypes [...] > > So besides the option not being renamed or duplicatedThey should not be duplicated, but the not being renamed is an oversight on my part (the old names are still listed first, so the config dumper finds them ahead of the new names). diff --git a/readconf.c b/readconf.c index b0a85097..a05be047 100644 --- a/readconf.c +++ b/readconf.c @@ -308,10 +308,10 @@ static struct { { "revokedhostkeys", oRevokedHostKeys }, { "fingerprinthash", oFingerprintHash }, { "updatehostkeys", oUpdateHostkeys }, - { "hostbasedkeytypes", oHostbasedAcceptedAlgorithms }, /* obsolete */ { "hostbasedalgorithms", oHostbasedAcceptedAlgorithms }, - { "pubkeyacceptedkeytypes", oPubkeyAcceptedAlgorithms }, /* obsolete */ + { "hostbasedkeytypes", oHostbasedAcceptedAlgorithms }, /* obsolete */ { "pubkeyacceptedalgorithms", oPubkeyAcceptedAlgorithms }, + { "pubkeyacceptedkeytypes", oPubkeyAcceptedAlgorithms }, /* obsolete */ { "ignoreunknown", oIgnoreUnknown }, { "proxyjump", oProxyJump }, { "securitykeyprovider", oSecurityKeyProvider }, diff --git a/servconf.c b/servconf.c index b782ccbb..7e94d2d7 100644 --- a/servconf.c +++ b/servconf.c 
@@ -559,13 +559,13 @@ static struct { { "rhostsrsaauthentication", sDeprecated, SSHCFG_ALL }, { "hostbasedauthentication", sHostbasedAuthentication, SSHCFG_ALL }, { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly, SSHCFG_ALL }, - { "hostbasedacceptedkeytypes", sHostbasedAcceptedAlgorithms, SSHCFG_ALL }, /* obsolete */ { "hostbasedacceptedalgorithms", sHostbasedAcceptedAlgorithms, SSHCFG_ALL }, + { "hostbasedacceptedkeytypes", sHostbasedAcceptedAlgorithms, SSHCFG_ALL }, /* obsolete */ { "hostkeyalgorithms", sHostKeyAlgorithms, SSHCFG_GLOBAL }, { "rsaauthentication", sDeprecated, SSHCFG_ALL }, { "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_ALL }, - { "pubkeyacceptedkeytypes", sPubkeyAcceptedAlgorithms, SSHCFG_ALL }, /* obsolete */ { "pubkeyacceptedalgorithms", sPubkeyAcceptedAlgorithms, SSHCFG_ALL }, + { "pubkeyacceptedkeytypes", sPubkeyAcceptedAlgorithms, SSHCFG_ALL }, /* obsolete */ { "pubkeyauthoptions", sPubkeyAuthOptions, SSHCFG_ALL }, { "dsaauthentication", sPubkeyAuthentication, SSHCFG_GLOBAL }, /* alias */ #ifdef KRB5 -- Darren Tucker (dtucker at dtucker.net) GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new) Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
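Review bot: in the readconf.c hunk the keyword now listed first for oHostbasedAcceptedAlgorithms is spelled "hostbasedalgorithms", while the servconf.c hunk spells the server-side keyword "hostbasedacceptedalgorithms" and the pubkey pair in both files is "pubkeyacceptedalgorithms"; please confirm which spelling is intended for the client option, since after this reordering that entry is the name the config dumper will print and the two files now disagree on it.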
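Review bot: the servconf.c hunk fixes the `sshd -T` output only because the dumper reports the first table entry that maps to an opcode, and nothing in the table says so; the existing `/* obsolete */` comments do not tell a future reader that order is load-bearing. Suggest extending those two comments to something like `/* obsolete; must follow the canonical name, config dump picks first match */`, and checking that `sshd -T | grep -i pubkeyacceptedalgorithms` now prints the new keyword rather than `pubkeyacceptedkeytypes`.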
On Wed, 24 Feb 2021 at 11:16, Phil Pennock <phil.pennock at globnix.org> wrote:
> # /etc/ssh/sshd_config:
> PubkeyAcceptedAlgorithms -ssh-rsa,-ssh-rsa-cert-*,-rsa*

"If the specified list begins with a '-' character, then the specified key types (including wildcards) will be removed from the default set instead of replacing them."

Only the first "-" indicates the specified patterns are to be removed; the other ones form part of the patterns and thus don't match any algorithms. You probably want something like:

$ sudo ./sshd -T -o 'PubkeyAcceptedAlgorithms -ssh-rsa,ssh-rsa-cert-*,rsa*' | grep -i PubkeyAcceptedAlgorithms
pubkeyacceptedalgorithms ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com

-- 
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
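The trap in this thread (only the leading "-" is an operator; every later "-" becomes part of a pattern that matches nothing, and a removal pattern that matches nothing is silently a no-op) is easy to check before pushing a config. The following is an added example, written for this page and not code from OpenSSH or from either poster: a small re-implementation of the documented +/-/^ list semantics that also reports patterns that matched no known algorithm. Assumptions: the default list is reconstructed from the `sshd -T` output quoted above (plus `ssh-rsa`, which the first dump had already removed); Python's `fnmatch` stands in for OpenSSH's `match_pattern()` for `*` and `?`; and the rule that patterns in "+", "^" and plain lists must match a known algorithm while "-" patterns are not checked at all is my reading of sshd's option validation, not something the thread states.

```python
"""Re-implementation of OpenSSH-style AcceptedAlgorithms list handling (assumed semantics)."""
import fnmatch
from typing import Dict, List, Optional, Tuple

# Server default in preference order, reconstructed from the `sshd -T` dump in this
# thread (OpenSSH 8.5 snapshot) plus ssh-rsa, which that dump had already removed.
DEFAULT_PUBKEY_ALGS: List[str] = [
    "ssh-ed25519-cert-v01@openssh.com",
    "ecdsa-sha2-nistp256-cert-v01@openssh.com",
    "ecdsa-sha2-nistp384-cert-v01@openssh.com",
    "ecdsa-sha2-nistp521-cert-v01@openssh.com",
    "sk-ssh-ed25519-cert-v01@openssh.com",
    "sk-ecdsa-sha2-nistp256-cert-v01@openssh.com",
    "rsa-sha2-512-cert-v01@openssh.com",
    "rsa-sha2-256-cert-v01@openssh.com",
    "ssh-rsa-cert-v01@openssh.com",
    "ssh-ed25519",
    "ecdsa-sha2-nistp256",
    "ecdsa-sha2-nistp384",
    "ecdsa-sha2-nistp521",
    "sk-ssh-ed25519@openssh.com",
    "sk-ecdsa-sha2-nistp256@openssh.com",
    "rsa-sha2-512",
    "rsa-sha2-256",
    "ssh-rsa",
]


def _matches(name: str, patterns: List[str]) -> bool:
    # Stand-in for OpenSSH match_pattern(): '*' and '?' wildcards, case-sensitive.
    return any(fnmatch.fnmatchcase(name, p) for p in patterns)


def assemble_algorithms(spec: str, default: List[str],
                        known: Optional[List[str]] = None) -> Tuple[List[str], List[str]]:
    """Apply `spec` to `default` the way sshd treats PubkeyAcceptedAlgorithms.

    Returns (resulting list, patterns that matched no known algorithm).  Only the
    FIRST character of `spec` can be an operator; a later "-" is just pattern text.
    For "-" lists unmatched patterns are returned rather than rejected, because sshd
    does not validate removal patterns (assumption, see lead-in); for "+", "^" and
    plain lists an unmatched pattern raises, mirroring sshd's fatal config error.
    """
    known = list(known) if known is not None else list(default)
    if not spec:
        raise ValueError("empty algorithm list")
    op = spec[0] if spec[0] in "+-^" else ""
    patterns = [p for p in spec[len(op):].split(",") if p]
    if not patterns:
        raise ValueError(f"no patterns in {spec!r}")

    if op == "-":
        result = [a for a in default if not _matches(a, patterns)]
    elif op == "+":
        result = default + [a for a in known if _matches(a, patterns) and a not in default]
    elif op == "^":
        front = [a for a in known if _matches(a, patterns)]
        result = front + [a for a in default if a not in front]
    else:
        # Plain list: replaces the default, expanded in the order the admin wrote it.
        result = []
        for p in patterns:
            result += [a for a in known if _matches(a, [p]) and a not in result]

    unused = [p for p in patterns if not _matches_any_known(p, known)]
    if op != "-" and unused:
        raise ValueError(f"unknown algorithm(s) or pattern(s): {', '.join(unused)}")
    return result, unused


def _matches_any_known(pattern: str, known: List[str]) -> bool:
    return any(fnmatch.fnmatchcase(a, pattern) for a in known)


def thread_examples() -> Dict[str, Dict[str, List[str]]]:
    """The two lists from this thread, side by side."""
    out = {}
    for label, spec in (("mistaken", "-ssh-rsa,-ssh-rsa-cert-*,-rsa*"),
                        ("intended", "-ssh-rsa,ssh-rsa-cert-*,rsa*")):
        result, unused = assemble_algorithms(spec, DEFAULT_PUBKEY_ALGS)
        out[label] = {"spec": [spec], "result": result, "unused": unused}
    return out


if __name__ == "__main__":
    for label, info in thread_examples().items():
        print(f"{label}: {info['spec'][0]}")
        print("  kept :", ",".join(info["result"]))
        print("  no-op:", ",".join(info["unused"]) or "(none)")
```

Running it shows the mistaken list leaving every `rsa*` name in place and reporting `-ssh-rsa-cert-*` and `-rsa*` as patterns that matched nothing, while the intended list yields exactly the twelve algorithms in the `sshd -T` output above. The "unused" check is the part a config linter would want; `sshd -T` itself will not tell you.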