bugzilla-daemon at mindrot.org
2013-Apr-15 08:52 UTC
[Bug 2089] New: filter out bad host key algorithms
https://bugzilla.mindrot.org/show_bug.cgi?id=2089

            Bug ID: 2089
           Summary: filter out bad host key algorithms
    Classification: Unclassified
           Product: Portable OpenSSH
           Version: 6.1p1
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: Miscellaneous
          Assignee: unassigned-bugs at mindrot.org
          Reporter: ossman at cendio.se

Created attachment 2242
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2242&action=edit
host_key_alg_filter.patch

Currently the clients will just exit if you give them anything bad in
HostKeyAlgorithms. This can be annoying for calling code though, as you
might not know which algorithms this particular instance of ssh supports.

Instead I propose simply filtering out unsupported algorithms and
proceeding with what's left. Attached patch does just that.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2013-Apr-15 08:53 UTC
[Bug 2089] filter out bad host key algorithms
https://bugzilla.mindrot.org/show_bug.cgi?id=2089

Pierre Ossman <ossman at cendio.se> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Attachment #2242|0                           |1
          is patch|                            |
bugzilla-daemon at mindrot.org
2013-Apr-16 01:10 UTC
[Bug 2089] filter out bad host key algorithms
https://bugzilla.mindrot.org/show_bug.cgi?id=2089

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org

--- Comment #1 from Damien Miller <djm at mindrot.org> ---
I think I'd prefer to make it possible to list supported ciphers, MACs and
hostkey algorithms. Ignoring things we know to be bad may yield nasty
surprises, e.g. if a typo causes an unexpected fallback to a weaker
algorithm.
bugzilla-daemon at mindrot.org
2013-Apr-19 01:09 UTC
[Bug 2089] filter out bad host key algorithms
https://bugzilla.mindrot.org/show_bug.cgi?id=2089

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED
             Blocks|                            |2076

--- Comment #2 from Damien Miller <djm at mindrot.org> ---
I implemented a query facility in ssh to allow users or scripts to check
which protocol features are available:

     -Q protocol_feature
             Queries ssh for the algorithms supported for the specified
             version 2 protocol_feature.  The queriable features are:
             ``cipher'' (supported symmetric ciphers), ``MAC'' (supported
             message integrity codes), ``KEX'' (key exchange algorithms),
             ``key'' (key types).  Protocol features are treated
             case-insensitively.

or, as an example:

    $ ssh -Q cipher
    3des-cbc
    blowfish-cbc
    cast128-cbc
    arcfour
    arcfour128
    arcfour256
    aes128-cbc
    aes192-cbc
    aes256-cbc
    rijndael-cbc@lysator.liu.se
    aes128-ctr
    aes192-ctr
    aes256-ctr
    aes128-gcm@openssh.com
    aes256-gcm@openssh.com

    $ ssh -Q mac
    hmac-sha1
    hmac-sha1-96
    hmac-sha2-256
    hmac-sha2-512
    hmac-md5
    hmac-md5-96
    hmac-ripemd160
    hmac-ripemd160@openssh.com
    umac-64@openssh.com
    umac-128@openssh.com
    hmac-sha1-etm@openssh.com
    hmac-sha1-96-etm@openssh.com
    hmac-sha2-256-etm@openssh.com
    hmac-sha2-512-etm@openssh.com
    hmac-md5-etm@openssh.com
    hmac-md5-96-etm@openssh.com
    hmac-ripemd160-etm@openssh.com
    umac-64-etm@openssh.com
    umac-128-etm@openssh.com

    $ ssh -Q kex
    diffie-hellman-group1-sha1
    diffie-hellman-group14-sha1
    diffie-hellman-group-exchange-sha1
    diffie-hellman-group-exchange-sha256
    diffie-hellman-group1-sha1
    ecdh-sha2-nistp256
    ecdh-sha2-nistp384
    ecdh-sha2-nistp521

    $ ssh -Q key
    ssh-rsa
    ssh-dss
    ecdsa-sha2-nistp256
    ecdsa-sha2-nistp384
    ecdsa-sha2-nistp521
    ssh-rsa-cert-v01@openssh.com
    ssh-dss-cert-v01@openssh.com
    ecdsa-sha2-nistp256-cert-v01@openssh.com
    ecdsa-sha2-nistp384-cert-v01@openssh.com
    ecdsa-sha2-nistp521-cert-v01@openssh.com
    ssh-rsa-cert-v00@openssh.com
    ssh-dss-cert-v00@openssh.com
bugzilla-daemon at mindrot.org
2013-Apr-19 07:17 UTC
[Bug 2089] filter out bad host key algorithms
https://bugzilla.mindrot.org/show_bug.cgi?id=2089

--- Comment #3 from Pierre Ossman <ossman at cendio.se> ---
Many thanks. I'll look into switching over to this mechanism. :)
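One way a caller can build on the -Q facility from comment #2, added here as an example and not code from the bug thread or from OpenSSH: the script intersects a preferred HostKeyAlgorithms list with what the local client reports, names every dropped entry on stderr so a typo cannot silently shift the negotiation (the concern in comment #1), and fails if nothing survives. The function names and the sample "ssh -Q key" output are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the bug thread or OpenSSH. Builds a HostKeyAlgorithms
# value from a preferred list and the output of "ssh -Q key" (comment #2).

# Constructed sample of "ssh -Q key" output so the example runs offline;
# it mirrors part of the key-type list shown in comment #2.
SAMPLE_SUPPORTED_KEYS='ssh-rsa
ssh-dss
ecdsa-sha2-nistp256
ecdsa-sha2-nistp384
ecdsa-sha2-nistp521
ssh-rsa-cert-v01@openssh.com
ssh-dss-cert-v01@openssh.com'

# filter_host_key_algs PREFERRED SUPPORTED
#   PREFERRED: comma-separated candidate HostKeyAlgorithms list
#   SUPPORTED: newline-separated key types, e.g. "$(ssh -Q key)"
# Prints the intersection in PREFERRED order. Each dropped name goes to
# stderr, so a typo is noticed rather than silently changing what gets
# negotiated. Returns 1 when nothing survives, so callers fail closed
# instead of running with the client's default list.
filter_host_key_algs() {
    preferred=$1
    supported=$2
    result=''
    oldifs=$IFS
    IFS=','
    for alg in $preferred; do
        [ -n "$alg" ] || continue
        # -x: whole-line match, so "ssh-rsa" does not match "ssh-rsa-cert-..."
        if printf '%s\n' "$supported" | grep -qxF -- "$alg"; then
            result="${result:+$result,}$alg"
        else
            printf 'warning: dropping unsupported host key algorithm "%s"\n' \
                "$alg" >&2
        fi
    done
    IFS=$oldifs
    [ -n "$result" ] || return 1
    printf '%s\n' "$result"
}

# host_key_algs_for_local_ssh PREFERRED: same filter against the real client.
host_key_algs_for_local_ssh() {
    filter_host_key_algs "$1" "$(ssh -Q key)"
}

# Usage: ssh -o "HostKeyAlgorithms=$(host_key_algs_for_local_ssh \
#            'ecdsa-sha2-nistp256,ssh-rsa')" user@host
```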
bugzilla-daemon at bugzilla.mindrot.org
2016-Aug-02 00:42 UTC
[Bug 2089] filter out bad host key algorithms
https://bugzilla.mindrot.org/show_bug.cgi?id=2089

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #4 from Damien Miller <djm at mindrot.org> ---
Close all resolved bugs after 7.3p1 release