similar to: [Bug 3701] New: KexAlgorithms documentation is unclear as to default vs. supported distinction

Hi all, this is a patch to make Ciphers, MACs and KexAlgorithms available in Match blocks. Now I can reach a -current machine with some Android terminal app without changing the default ciphers for all clients: Match Address 192.168.1.2 Ciphers aes128-cbc MACs hmac-sha1 KexAlgorithms diffie-hellman-group-exchange-sha1 Index: servconf.c

https://bugzilla.mindrot.org/show_bug.cgi?id=2333 Bug ID: 2333 Summary: forbid old Ciphers, KexAlgorithms and MACs by default Product: Portable OpenSSH Version: 6.6p1 Hardware: Other OS: Linux Status: NEW Severity: enhancement Priority: P5 Component: Miscellaneous Assignee:

https://bugzilla.mindrot.org/show_bug.cgi?id=3184 Bug ID: 3184 Summary: Unable to add deprecated KexAlgorithms back for host via config file Product: Portable OpenSSH Version: 8.2p1 Hardware: All OS: All Status: NEW Severity: major Priority: P5 Component: ssh

Hi, I am running the below servers on Red Hat Enterprise Linux release 8.7 (Ootpa). The details are as follows. # rpm -qa | grep openssh openssh-8.0p1-16.el8.x86_64 openssh-askpass-8.0p1-16.el8.x86_64 openssh-server-8.0p1-16.el8.x86_64 openssh-clients-8.0p1-16.el8.x86_64 # cat /etc/redhat-release Red Hat Enterprise Linux release 8.7 (Ootpa) # How do I enable strong KexAlgorithms, Ciphers and

https://bugzilla.mindrot.org/show_bug.cgi?id=3673 Bug ID: 3673 Summary: -fzero-call-used-regs=used detection fails on Linux m68k with GCC 13 Product: Portable OpenSSH Version: 9.7p1 Hardware: 68k URL: https://bugs.debian.org/1067243 OS: Linux Status: NEW Severity: normal

https://bugzilla.mindrot.org/show_bug.cgi?id=3674 Bug ID: 3674 Summary: Tracking bug for OpenSSH 9.8 Product: Portable OpenSSH Version: -current Hardware: Other OS: All Status: NEW Severity: enhancement Priority: P5 Component: Miscellaneous Assignee: unassigned-bugs at

https://bugzilla.mindrot.org/show_bug.cgi?id=2671 Bug ID: 2671 Summary: make possible to remove default ciphers/kexalgorithms/mac algorithms Product: Portable OpenSSH Version: 7.4p1 Hardware: Other OS: Linux Status: NEW Severity: enhancement Priority: P5 Component:

Hi Kaushal, I maintain a set of SSH hardening guides for various platforms, including RHEL 8. You can find them here: https://ssh-audit.com/hardening_guides.html - Joe -- Joseph S. Testa II Founder & Principal Security Consultant Positron Security On Thu, 2024-01-25 at 18:39 +0530, Kaushal Shriyan wrote: > Hi, > > I am running the below servers on Red Hat Enterprise

> Can this be addressed in ssh_config/sshd_config with the KexAlgorithms setting? weakdh.org/sysadmin.html recommends adding: KexAlgorithms curve25519-sha256 at libssh.org But this thread makes it sound as if it's not necessary. Can anyone confirm? Personally I'm on openssh-6.7. - Grant > You will be aware of https://weakdh.org/ by now, I presume; the take-home seems to be

BTW based on your output it looks like the DEFAULT policy is just fine, If you really want to turn etm HMAC and chacha20 off, you should follow the RHEL security alert https://access.redhat.com/security/cve/cve-2023-48795 cipher at SSH = -CHACHA20-POLY1305 ssh_etm = 0 by putting these lines into `/etc/crypto-policies/policies/modules/CVE-2023-48795.pmod`, applying the resulting subpolicy

https://bugzilla.mindrot.org/show_bug.cgi?id=3671 Bug ID: 3671 Summary: Improve PuTTY version detection Product: Portable OpenSSH Version: -current Hardware: Other OS: Linux Status: NEW Severity: minor Priority: P5 Component: Regression tests Assignee: unassigned-bugs at

https://bugzilla.mindrot.org/show_bug.cgi?id=2658 Bug ID: 2658 Summary: Make integrity tests more robust against timeouts Product: Portable OpenSSH Version: 7.4p1 Hardware: Other OS: Linux Status: NEW Severity: enhancement Priority: P5 Component: Regression tests Assignee:

https://bugzilla.samba.org/show_bug.cgi?id=3701 Summary: rsync_xal_set: lsetxattr system.posix_acl_default failed: Permission denied Product: rsync Version: 2.6.7 Platform: x86 OS/Version: Linux Status: NEW Severity: major Priority: P3 Component: core AssignedTo:

Darren Tucker <dtucker at zip.com.au> writes: > On Tue, Nov 8, 2016 at 3:30 PM, Harry Putnam <reader at newsguy.com> wrote: > [...] >> After having 7.3p1 & 6.8p1 fail with same wording... I tried 6.7p1 and >> find it fails with what looks like the same problem but has slightly >> different wording. > > I set up the same versions (server:OpenSSH_6.6p1,

https://bugzilla.mindrot.org/show_bug.cgi?id=2461 Bug ID: 2461 Summary: Source IP missing in log when no suitable key exchange method found Product: Portable OpenSSH Version: 6.0p1 Hardware: Other OS: Linux Status: NEW Severity: normal Priority: P5 Component: sshd

On 25.01.24 14:09, Kaushal Shriyan wrote: > I am running the below servers on Red Hat Enterprise Linux release 8.7 > How do I enable strong KexAlgorithms, Ciphers and MACs On RHEL 8, you need to be aware that there are "crypto policies" modifying sshd's behaviour, and it would likely be the *preferred* method to inject your intended config changes *there* (unless they

http://bugzilla.mindrot.org/show_bug.cgi?id=459 Summary: ssh-keygen doesn't know how to export private keys Product: Portable OpenSSH Version: 3.5p1 Platform: All OS/Version: Linux Status: NEW Severity: normal Priority: P2 Component: ssh-keygen AssignedTo: openssh-unix-dev at mindrot.org

On Fri, Jan 26, 2024 at 7:24?PM Jochen Bern <Jochen.Bern at binect.de> wrote: > On 25.01.24 14:09, Kaushal Shriyan wrote: > > I am running the below servers on Red Hat Enterprise Linux release 8.7 > > How do I enable strong KexAlgorithms, Ciphers and MACs > > On RHEL 8, you need to be aware that there are "crypto policies" > modifying sshd's behaviour,

https://bugzilla.mindrot.org/show_bug.cgi?id=3692 Bug ID: 3692 Summary: rekey.sh doesn't actually test different algorithms Product: Portable OpenSSH Version: 9.7p1 Hardware: Other OS: Linux Status: NEW Severity: enhancement Priority: P5 Component: Regression tests

Hello, Maybe I'm asking an already answered question, if yes I'm sorry to bother you. Why in default HostKeyAlgorithms settings is ecdsa-sha2-nistp256-cert-v01 at openssh.com preferred over ssh-ed25519-cert-v01 at openssh.com ? For example in default settings for KexAlgorithms the curve25519-sha256 at libssh.org is preferred over ecdh-sha2-nistp256. Fedor Defaults in openssh-6.6p1