search for: kex_default_pk_alg

Displaying 12 results from an estimated 12 matches for "kex_default_pk_alg".

2023 Apr 06
2
[Bug 3559] New: Mini memory leak and needless(?) const/static qualifier.
...Hardware: Other OS: All Status: NEW Severity: enhancement Priority: P5 Component: ssh Assignee: unassigned-bugs at mindrot.org Reporter: m.schmidt at emtec.com in sshconnect2.c in function ssh_kex2() the function kex_default_pk_alg() is called. This function is from readconf.c and has the following prototype: const char *kex_default_pk_alg(void); The function looks like this: const char * kex_default_pk_alg(void) { static char *pkalgs; if (pkalgs == NULL) { char *all_key; all_key = sshkey_alg_list...
2020 Feb 06
3
Call for testing: OpenSSH 8.2
On 2020-02-05 at 20:39 -0500, Phil Pennock wrote: > On 2020-02-06 at 10:29 +1100, Damien Miller wrote: > > OpenSSH 8.2p1 is almost ready for release, so we would appreciate testing > > on as many platforms and systems as possible. This is a feature release. > > > * The RFC8332 RSA SHA-2 signature algorithms rsa-sha2-256/512. These > This actually affects me:
2015 Dec 14
5
[Bug 2518] New: docs: remove redundant lists of algorithms
https://bugzilla.mindrot.org/show_bug.cgi?id=2518 Bug ID: 2518 Summary: docs: remove redundant lists of algorithms Product: Portable OpenSSH Version: 7.1p1 Hardware: All OS: All Status: NEW Severity: enhancement Priority: P5 Component: Documentation Assignee: unassigned-bugs
2001 Mar 07
1
patch to select pkalg
Suppose an SSH server has both RSA and DSA host keys for protocol 2, but I only have the DSA key, and I want to use that. I'm stuck; the OpenSSH client is hard-wired to offer both algorithms in the key exchange, and will select ssh-rsa if it's available (see myproposal.h, KEX_DEFAULT_PK_ALG). Below is a patch adding the client configuration option "PKAlgorithms" for this purpose. It doesn't validate the supplied list; I'm not sure if that's really necessary or desirable. This situation raises a couple of questions. The first is about the protocol, which force...
2016 Jan 19
2
[Bug 2527] New: default algorithms mismatch between man pages and myproposal.h
...m, -hmac-sha1-etm at openssh.com, hmac-ripemd160-etm at openssh.com, hmac-sha1-96-etm at openssh.com, hmac-md5-96-etm at openssh.com, hmac-md5, -hmac-sha1, hmac-ripemd160, -hmac-ripemd160 at openssh.com, hmac-sha1-96, hmac-md5-96, P.S.: KEX_SERVER_KEX, KEX_CLIENT_KEX, KEX_DEFAULT_PK_ALG, KEX_SERVER_ENCRYPT are correct. -- You are receiving this mail because: You are watching the assignee of the bug.
2017 Jun 16
2
[PATCH] allow relative path in streamlocal forwarding
..._clear_or_none(dst->fwd_opts.streamlocal_bind_root_directory)) { + free(dst->fwd_opts.streamlocal_bind_root_directory); + dst->fwd_opts.streamlocal_bind_root_directory = NULL; + } } #undef M_CP_INTOPT @@ -2300,6 +2320,7 @@ dump_config(ServerOptions *o) o->hostkeyalgorithms : KEX_DEFAULT_PK_ALG); dump_cfg_string(sPubkeyAcceptedKeyTypes, o->pubkey_key_types ? o->pubkey_key_types : KEX_DEFAULT_PK_ALG); + dump_cfg_string(sStreamLocalBindRootDirectory, o->fwd_opts.streamlocal_bind_root_directory); /* string arguments requiring a lookup */ dump_cfg_string(sLogLevel, log_...
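Review bot: in the dump_config() hunk, the new dump_cfg_string(sStreamLocalBindRootDirectory, ...) call passes o->fwd_opts.streamlocal_bind_root_directory with no fallback, although the lines just above free this field and set it to NULL, and the two neighbouring calls substitute KEX_DEFAULT_PK_ALG when their option is unset. Either confirm that dump_cfg_string() accepts a NULL value or pass an explicit fallback here in the same `o->x ? o->x : default` style, so that dumping the configuration with this option unset does not hand a NULL pointer to the string formatter.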
2012 Dec 27
3
[PATCH] hostfile: list known names (if any) for new hostkeys
...]); + load_hostkeys(hostkeys, hostname, NULL, options.user_hostfiles[i]); for (i = 0; i < options.num_system_hostfiles; i++) - load_hostkeys(hostkeys, hostname, options.system_hostfiles[i]); + load_hostkeys(hostkeys, hostname, NULL, options.system_hostfiles[i]); oavail = avail = xstrdup(KEX_DEFAULT_PK_ALG); maxlen = strlen(avail) + 1; -- 1.8.0.2
2024 May 06
1
Feature request/EOI: Match interactive config?
...0) bad_options++; } free(line); diff --git a/readconf.h b/readconf.h index 9447d5d6e..3da495e38 100644 --- a/readconf.h +++ b/readconf.h @@ -231,6 +231,8 @@ typedef struct { #define SSH_KEYSTROKE_CHAFF_MIN_MS 1024 #define SSH_KEYSTROKE_CHAFF_RNG_MS 2048 +struct sshbuf; + const char *kex_default_pk_alg(void); char *ssh_connection_hash(const char *thishost, const char *host, const char *portstr, const char *user, const char *jump_host); @@ -239,9 +241,9 @@ int fill_default_options(Options *); void fill_default_options_for_canonicalization(Options *); void free_options(Options *o);...
2024 May 06
1
Feature request/EOI: Match interactive config?
... and I guess your next question will be about compilation environment, so: ``` $ gcc --version gcc (Gentoo 13.2.1_p20240210 p14) 13.2.1 20240210 Copyright (C) 2023 Free Software Foundation, Inc. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. ``` I'm running on gentoo. I tested that the
2024 May 06
1
Feature request/EOI: Match interactive config?
...0) bad_options++; } free(line); diff --git a/readconf.h b/readconf.h index 9447d5d6e..3da495e38 100644 --- a/readconf.h +++ b/readconf.h @@ -231,6 +231,8 @@ typedef struct { #define SSH_KEYSTROKE_CHAFF_MIN_MS 1024 #define SSH_KEYSTROKE_CHAFF_RNG_MS 2048 +struct sshbuf; + const char *kex_default_pk_alg(void); char *ssh_connection_hash(const char *thishost, const char *host, const char *portstr, const char *user, const char *jump_host); @@ -239,9 +241,9 @@ int fill_default_options(Options *); void fill_default_options_for_canonicalization(Options *); void free_options(Options *o);...
2024 May 04
3
Feature request/EOI: Match interactive config?
Hey there, I often want different behavior in my ssh client depending on whether I'm logging into an interactive session or running a remote non-interactive command. We can see at, say, https://unix.stackexchange.com/a/499562/305714 that this isn't a unique wish, and existing solutions are kind of baroque. Typical reasons to do this are to immediately go into a screen or tmux session; for
2008 Apr 21
3
FIPS 140-2 OpenSSL(2007) patches
...SH_RAND_HELPER)" ; then \ $(INSTALL) -m 0755 $(STRIP_OPT) ssh-rand-helper $(DESTDIR)$(libexecdir)/ssh-rand-helper ; \ fi diff -u -r1.1 -r1.3 --- openssh-4.7p1/myproposal.h Mon Dec 17 21:07:18 2007 +++ openssh-4.7p1/myproposal.h Mon Dec 17 21:09:50 2007 @@ -41,6 +41,7 @@ #endif #define KEX_DEFAULT_PK_ALG "ssh-rsa,ssh-dss" +#ifndef OPENSSL_FIPS #define KEX_DEFAULT_ENCRYPT \ "aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc," \ "arcfour128,arcfour256,arcfour," \ @@ -50,6 +51,16 @@ "hmac-md5,hmac-sha1,umac-64 at openssh.com,hmac-ripemd160," \ "hmac-rip...