On 05/01/2017 04:48 PM, Cristian Ionescu-Idbohrn wrote:
> On Mon, 1 May 2017, Cristian Ionescu-Idbohrn wrote:
>>
>> Example, 'Macs'.
>>
>> On the man page I read:
>>
>> "Multiple algorithms must be comma-separated.
>> ...
>> If the specified value begins with a '-' character, then the
>> specified algorithms (including wildcards) will be removed"
>>
>> It seems that just one algo name is supported on such a line, example:
>>
>> Macs -umac-64*
>>
>> But this form is not supported:
>>
>> Macs -umac-64*,-hmac-sha1*
>>
>> nor is this:
>>
>> Macs -umac-64*
>> Macs -hmac-sha1*
>>
>> And I have difficulties in finding _one_ pattern that matches _only_
>> the above algo families, but nothing else.
>>
>> Can you confirm this behaviour? Can it be improved?
I believe this is expected behavior and a limitation of the current
behavior. The manual page also says
> For each parameter, the first obtained value will be used. [...]
> [...] will be removed *from the default set instead of replacing them*.
Therefore:
* Only the default set is affected
* The second Macs option is ignored (because Macs are already set)
This might be confusing, especially when specifying multiple values, and
improving that would be very nice.
> More observations.
>
> After doing one of the above in /etc/ssh/sshd_config:
>
> # sshd -tT | sort | egrep '^macs'
> macs umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,
> hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,
> umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
>
> umac-64* is gone, but I can still use umac-64@openssh.com to login:
>
> $ ssh -oMacs=umac-64@openssh.com localhost
>
> Can you confirm this behaviour?
I would investigate the debug log with -vvv switches to see what is
actually offered by the server and the client.
--
Jakub Jelen
Software Engineer
Security Technologies
Red Hat
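As an added illustration (not code from OpenSSH or from anyone in this thread), the following Python emulates the two man-page rules quoted above: a `Macs` value is comma-separated, a value starting with `-` removes the listed patterns (wildcards allowed) from the default set, and only the first `Macs` directive in the file is used. The `DEFAULT_MACS` list is a constructed sample chosen to match the `sshd -tT` output shown in the thread once `umac-64*` is removed.

```python
import fnmatch

# Constructed sample default MAC list (an assumption for this example);
# on a real host the default set comes from `sshd -T` with no Macs line.
DEFAULT_MACS = [
    "umac-64-etm@openssh.com", "umac-128-etm@openssh.com",
    "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com",
    "hmac-sha1-etm@openssh.com", "umac-64@openssh.com",
    "umac-128@openssh.com", "hmac-sha2-256", "hmac-sha2-512", "hmac-sha1",
]


def apply_macs_value(value, default=DEFAULT_MACS):
    """Effective MAC list for a single `Macs` value.

    A leading '-' means: drop every default entry matching any of the
    comma-separated patterns.  Note the '-' belongs to the whole value,
    so a second '-' inside the list (e.g. '-umac-64*,-hmac-sha1*') makes
    a pattern that matches no algorithm name.  Without a leading '-' the
    value replaces the default set outright.
    """
    if value.startswith("-"):
        patterns = value[1:].split(",")
        return [m for m in default
                if not any(fnmatch.fnmatchcase(m, p) for p in patterns)]
    return value.split(",")


def effective_macs(config_text, default=DEFAULT_MACS):
    """Parse sshd_config text ('Key value' lines) and return the MACs.

    Only the first `Macs` directive counts; later ones are ignored
    ("the first obtained value will be used").
    """
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, val = line.partition(" ")
        if key.lower() == "macs":
            return apply_macs_value(val.strip(), default)
    return list(default)


def offers(config_text, mac):
    """True if the server would still offer `mac` under this config."""
    return mac in effective_macs(config_text)
```

Running `effective_macs("Macs -umac-64*,hmac-sha1*\n")` shows how both families can be removed with one leading `-`, while `offers(...)` is the check to run against a proposed hardening before trusting it.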