bugzilla-daemon at mindrot.org
2020-Jun-19 16:51 UTC
[Bug 3184] New: Unable to add deprecated KexAlgorithms back for host via config file
https://bugzilla.mindrot.org/show_bug.cgi?id=3184 Bug ID: 3184 Summary: Unable to add deprecated KexAlgorithms back for host via config file Product: Portable OpenSSH Version: 8.2p1 Hardware: All OS: All Status: NEW Severity: major Priority: P5 Component: ssh Assignee: unassigned-bugs at mindrot.org Reporter: nneul at neulinger.org I understand the desire to remove diffie-hellman-group14-sha1 for example from the default offers - and agree completely with that. This bug is NOT about the removal/default changes. Somewhere between 7.6p1 and 8.2p1 the ability to add the deprecated algorithms back in via config has broken. IT DOES WORK on command line. It's only in the config file parsing where it fails. (i.e. I can no longer add a 'Host old-PoS-router KexAlgorithms insecureone' entry to my config. This worked as of 7.6p1. Note that it is also not specific to the deprecated ones, it appears to be a general issue with that option being ignored in the config file. For example, with 7.6p1, if I put: Host * KexAlgorithms ecdh-sha2-nistp521 in config, and run with -vvv, I see: debug2: local client KEXINIT proposal debug2: KEX algorithms: ecdh-sha2-nistp521,ext-info-c but with 8.2p1, the offer just shows the default regardless of the content of the settings in config: debug2: local client KEXINIT proposal debug2: KEX algorithms: curve25519-sha256,curve25519-sha256 at libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group1-sha1,ext-info-c I'll see if I can find where specifically this broke. -- You are receiving this mail because: You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2020-Jun-19 17:02 UTC
[Bug 3184] Unable to add deprecated KexAlgorithms back for host via config file
https://bugzilla.mindrot.org/show_bug.cgi?id=3184 --- Comment #1 from Nathan Neulinger <nneul at neulinger.org> --- Some further digging - it appears it's not exactly as described. It's obeying the config when the config is SIMPLE. But if I put: KexAlgorithms +diffie-hellman-group1-sha1 it's like it's getting stuck with the default, and ignoring any other changes. Trying to find more detail. -- You are receiving this mail because: You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2020-Jun-19 17:22 UTC
[Bug 3184] Unable to add deprecated KexAlgorithms back for host via config file
https://bugzilla.mindrot.org/show_bug.cgi?id=3184 --- Comment #2 from Nathan Neulinger <nneul at neulinger.org> --- I was able to work around this... Maybe it's expected, but there appears to be something "magic" about adding group1-sha1 that interferes with incrementally adding other entries. Adding all of them in one shot appears to work fine even on current versions. -- You are receiving this mail because: You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2020-Jun-19 17:33 UTC
[Bug 3184] Unable to add deprecated KexAlgorithms back for host via config file
https://bugzilla.mindrot.org/show_bug.cgi?id=3184 Jakub Jelen <jjelen at redhat.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |jjelen at redhat.com --- Comment #3 from Jakub Jelen <jjelen at redhat.com> --- Please, post the complete debug log and check what is in all the configuration files (also included if you have some). -- You are receiving this mail because: You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2020-Jun-19 17:41 UTC
[Bug 3184] Unable to add deprecated KexAlgorithms back for host via config file
https://bugzilla.mindrot.org/show_bug.cgi?id=3184 --- Comment #4 from Nathan Neulinger <nneul at neulinger.org> --- AH, I think I now understand what the problem is with what I was doing. The KexAlgorithms config setting in config file ONLY WORKS ONCE. i.e. you cannot do: KexAlgorithms +diffie-hellman-group1-sha1 KexAlgorithms +diffie-hellman-group-exchange-sha1 but when specified via command line, it appears to allow another override (or it's being processed first). Above snippet results in it listing group1-sha1, but NOT the group-exchange-sha1. Is that "one shot" expected? It sure doesn't appear that way from documentation. -- You are receiving this mail because: You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2020-Jun-19 17:44 UTC
[Bug 3184] Unable to add deprecated KexAlgorithms back for host via config file
https://bugzilla.mindrot.org/show_bug.cgi?id=3184 --- Comment #5 from Nathan Neulinger <nneul at neulinger.org> --- Created attachment 3413 --> https://bugzilla.mindrot.org/attachment.cgi?id=3413&action=edit Trace of ssh -vvv Example trace with this conf file in /tmp/testconf: KexAlgorithms diffie-hellman-group14-sha1 KexAlgorithms +diffie-hellman-group1-sha1 KexAlgorithms +diffie-hellman-group-exchange-sha1 and invoked as: ssh -F /tmp/testconf -vvv root at localhost id >/tmp/trace.txt 2>&1 -- You are receiving this mail because: You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2020-Jun-19 17:46 UTC
[Bug 3184] Unable to add deprecated KexAlgorithms back for host via config file
https://bugzilla.mindrot.org/show_bug.cgi?id=3184 --- Comment #6 from Nathan Neulinger <nneul at neulinger.org> --- This appears to be long standing behavior, I had always had the +diffie-hellman-group1-sha1 and only noticed the change with upgrade to Ubuntu20 when the group-exchange-sha1 was also removed in current versions. -- You are receiving this mail because: You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2020-Jun-20 10:37 UTC
[Bug 3184] Unable to add deprecated KexAlgorithms back for host via config file
https://bugzilla.mindrot.org/show_bug.cgi?id=3184 Damien Miller <djm at mindrot.org> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |djm at mindrot.org --- Comment #7 from Damien Miller <djm at mindrot.org> --- This is expected behaviour - ssh'd config is "first match wins" for most configuration options. I.e only the first configuration option is considered. This is documented at the start of ssh_config(1): "For each parameter, the first obtained value will be used." You should be able to do: KexAlgorithms +diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 to get the behaviour you want. -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at mindrot.org
2020-Jun-20 14:02 UTC
[Bug 3184] Unable to add deprecated KexAlgorithms back for host via config file
https://bugzilla.mindrot.org/show_bug.cgi?id=3184 Nathan Neulinger <nneul at neulinger.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution|--- |INVALID --- Comment #8 from Nathan Neulinger <nneul at neulinger.org> --- Totally explains the behavior, sorry for the wasted time. Thank you. -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2021-Mar-03 22:54 UTC
[Bug 3184] Unable to add deprecated KexAlgorithms back for host via config file
https://bugzilla.mindrot.org/show_bug.cgi?id=3184 Damien Miller <djm at mindrot.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|RESOLVED |CLOSED --- Comment #9 from Damien Miller <djm at mindrot.org> --- close bugs that were resolved in OpenSSH 8.5 release cycle -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
Seemingly Similar Threads
- Debian Stretch 9.6: openssh-server and old dropbear client don't work togheter
- Weak DH primes and openssh
- enable strong KexAlgorithms, Ciphers and MACs in /etc/ssh/sshd_config file on RHEL 8.x Linux OS
- enable strong KexAlgorithms, Ciphers and MACs in /etc/ssh/sshd_config file on RHEL 8.x Linux OS
- Patch: Ciphers, MACs and KexAlgorithms on Match