Andy Bradford
2016-02-09 05:34:55 UTC
Hello,
I notice that if I configure sshd_config with:
PubkeyAcceptedKeyTypes +ssh-dss
Everything works as expected and the algorithm is appended to the
default list, but if I place that same option in a Match block it does
not extend the setting, but instead replaces it with a literal string of
``+ssh-dss'' which effectively disables all algorithms.
# tail -2 /etc/ssh/sshd_config
Match Address 192.168.1.0/24
PubkeyAcceptedKeyTypes +ssh-dss
# sshd -T -C user=tester,host=example.dom,addr=192.168.1.1,laddr=192.168.1.2,lport=22 | grep pubkey
pubkeyauthentication yes
pubkeyacceptedkeytypes +ssh-dss
I found a similar bug mentioned here regarding HostkeyAlgorithms but as
far as I can tell the fix didn't extend to cover the above mentioned
scenario:
http://marc.info/?l=openssh-unix-dev&m=144019508104294&w=2
Does this need to go reported also to bugs@ or is this list sufficient?
Thanks,
Andy
I notice that if I configure sshd_config with:
PubkeyAcceptedKeyTypes +ssh-dss
Everything works as expected and the algorithm is appended to the
default list, but if I place that same option in a Match block it does
not extend the setting, but instead replaces it with a literal string of
``+ssh-dss'' which effectively disables all algorithms.
# tail -2 /etc/ssh/sshd_config
Match Address 192.168.1.0/24
PubkeyAcceptedKeyTypes +ssh-dss
# sshd -T -C user=tester,host=example.dom,addr=192.168.1.1,laddr=192.168.1.2,lport=22 | grep pubkey
pubkeyauthentication yes
pubkeyacceptedkeytypes +ssh-dss
I found a similar bug mentioned here regarding HostkeyAlgorithms but as
far as I can tell the fix didn't extend to cover the above mentioned
scenario:
http://marc.info/?l=openssh-unix-dev&m=144019508104294&w=2
Does this need to go reported also to bugs@ or is this list sufficient?
Thanks,
Andy
--
TAI64 timestamp: 4000000056b97aa2
TAI64 timestamp: 4000000056b97aa2