Example, 'Macs'.

On the man page I read:

"Multiple algorithms must be comma-separated.
...
If the specified value begins with a '-' character, then the
specified algorithms (including wildcards) will be removed"

It seems that just one algo name is supported on such a line, example:

Macs -umac-64*

But this form is not supported:

Macs -umac-64*,-hmac-sha1*

nor is this:

Macs -umac-64*
Macs -hmac-sha1*

And I have difficulties in finding _one_ pattern that matches _only_
the above algo families, but nothing else.

Can you confirm this behaviour? Can it be improved?

Cheers,

-- 
Cristian
On Mon, 1 May 2017, Cristian Ionescu-Idbohrn wrote:
>
> Example, 'Macs'.
>
> On the man page I read:
>
> "Multiple algorithms must be comma-separated.
> ...
> If the specified value begins with a '-' character, then the
> specified algorithms (including wildcards) will be removed"
>
> It seems that just one algo name is supported on such a line, example:
>
> Macs -umac-64*
>
> But this form is not supported:
>
> Macs -umac-64*,-hmac-sha1*
>
> nor is this:
>
> Macs -umac-64*
> Macs -hmac-sha1*
>
> And I have difficulties in finding _one_ pattern that matches _only_
> the above algo families, but nothing else.
>
> Can you confirm this behaviour? Can it be improved?

More observations.

After doing one of the above in /etc/ssh/sshd_config:

# sshd -tT | sort | egrep '^macs'
macs umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,
hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,
umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1

umac-64* is gone, but I can still use umac-64@openssh.com to login:

$ ssh -oMacs=umac-64@openssh.com localhost

Can you confirm this behaviour?

Cheers,

-- 
Cristian
On 05/01/2017 04:48 PM, Cristian Ionescu-Idbohrn wrote:
> On Mon, 1 May 2017, Cristian Ionescu-Idbohrn wrote:
>>
>> Example, 'Macs'.
>>
>> On the man page I read:
>>
>> "Multiple algorithms must be comma-separated.
>> ...
>> If the specified value begins with a '-' character, then the
>> specified algorithms (including wildcards) will be removed"
>>
>> It seems that just one algo name is supported on such a line, example:
>>
>> Macs -umac-64*
>>
>> But this form is not supported:
>>
>> Macs -umac-64*,-hmac-sha1*
>>
>> nor is this:
>>
>> Macs -umac-64*
>> Macs -hmac-sha1*
>>
>> And I have difficulties in finding _one_ pattern that matches _only_
>> the above algo families, but nothing else.
>>
>> Can you confirm this behaviour? Can it be improved?

I believe this is expected behavior and limitation of the current
behavior. The manual page also says

> For each parameter, the first obtained value will be used. [...]
> [...] will be removed *from the default set instead of replacing them*.

Therefore:

 * Only the default set is affected
 * The second Macs option is ignored (because Macs are already set)

This might be confusing especially when specifying multiple values and
improving that would be very nice.

> More observations.
>
> After doing one of the above in /etc/ssh/sshd_config:
>
> # sshd -tT | sort | egrep '^macs'
> macs umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,
> hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,
> umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
>
> umac-64* is gone, but I can still use umac-64@openssh.com to login:
>
> $ ssh -oMacs=umac-64@openssh.com localhost
>
> Can you confirm this behaviour?

I would investigate the debug log with -vvv switches to see what is
actually offered by server and client.

-- 
Jakub Jelen
Software Engineer
Security Technologies
Red Hat
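As an added illustration (not code from this thread and not OpenSSH's own parser), the following Python model implements the two man page rules quoted above: the first value of a keyword wins, and a value with a leading '-' is a comma-separated list of wildcard patterns removed from the default set rather than a replacement. The default MAC list is a constructed sample; under this reading, the `-umac-64*,-hmac-sha1*` form only removes the umac-64 family because the second '-' becomes part of a pattern that matches no algorithm name.

```python
import fnmatch

# Constructed sample of a default server MAC list; names and order are
# illustrative, not taken from any particular OpenSSH release.
DEFAULT_MACS = [
    "umac-64-etm@openssh.com", "umac-128-etm@openssh.com",
    "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com",
    "hmac-sha1-etm@openssh.com", "umac-64@openssh.com",
    "umac-128@openssh.com", "hmac-sha2-256", "hmac-sha2-512", "hmac-sha1",
]


def first_value(config_lines, keyword):
    """Return the argument of the first occurrence of keyword, or None.

    Models the man page rule "the first obtained value will be used":
    a later line with the same keyword is ignored.
    """
    for line in config_lines:
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        parts = stripped.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == keyword.lower():
            return parts[1].strip()
    return None


def effective_macs(config_lines, defaults=DEFAULT_MACS):
    """Return the MAC list a server would offer for these config lines.

    A value starting with '-' is a comma-separated list of shell-style
    wildcard patterns removed from the default set; any other value
    replaces the default set outright.
    """
    value = first_value(config_lines, "Macs")
    if value is None:
        return list(defaults)
    if value.startswith("-"):
        # The leading '-' is stripped once for the whole list; a further
        # '-' inside the list stays in its pattern and matches nothing.
        patterns = value[1:].split(",")
        return [m for m in defaults
                if not any(fnmatch.fnmatchcase(m, p) for p in patterns)]
    return value.split(",")


if __name__ == "__main__":
    for cfg in (["Macs -umac-64*"], ["Macs -umac-64*", "Macs -hmac-sha1*"],
                ["Macs -umac-64*,-hmac-sha1*"], ["Macs -umac-64*,hmac-sha1*"]):
        print(cfg, "->", effective_macs(cfg))
```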