Bug 2671

Summary: make possible to remove default ciphers/kexalgorithms/mac algorithms
Product: Portable OpenSSH
Reporter: Cristian Ionescu-Idbohrn <cristian.ionescu-idbohrn>
Component: sshd
Assignee: Damien Miller <djm>
Status: CLOSED FIXED
Severity: enhancement
CC: djm
Priority: P5
Version: 7.4p1
Hardware: Other
OS: Linux
Bug Depends on:
Bug Blocks: 2647
Attachments: Support =- syntax for algorithms (Flags: none)

Description Cristian Ionescu-Idbohrn 2017-01-30 02:48:33 AEDT
Would it be possible to add the option of adding a '-' character prefix (in the same manner as appending algorithms currently works:
"if the specified value begins with a '+' character, then the specified algorithms will be appended to the default set instead of replacing them.") in order to remove default algorithms?
Comment 1 Damien Miller 2017-02-03 18:00:30 AEDT
Created attachment 2939
Support =- syntax for algorithms

This isn't particularly hard to do, but it requires a little refactoring.
Comment 2 Damien Miller 2017-02-04 10:16:55 AEDT
applied in:

commit 68bc8cfa7642d3ccbf2cd64281c16b8b9205be59
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Fri Feb 3 23:01:19 2017 +0000

    upstream commit
    
    support =- for removing methods from algorithms lists,
    e.g. Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671 "I like
    it" markus@
    
    Upstream-ID: c78c38f9f81a963b33d0eade559f6048add24a6d
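
The three forms of a list value discussed in this bug (plain replacement, `+` append, and the new `-` removal as in `Ciphers=-*cbc`), as a simplified Python model added here; it is not OpenSSH code. The default list is a constructed sample, `effective_list` and `unmatched_patterns` are hypothetical helpers, and wildcard support is assumed to be limited to `*` and `?`.

```python
import re

# Constructed sample standing in for a build's default cipher list;
# it is not the actual default of any OpenSSH release.
SAMPLE_DEFAULT = [
    "chacha20-poly1305@openssh.com",
    "aes128-ctr", "aes192-ctr", "aes256-ctr",
    "aes128-gcm@openssh.com", "aes256-gcm@openssh.com",
    "aes128-cbc", "aes192-cbc", "aes256-cbc", "3des-cbc",
]


def _compile(pattern):
    """Turn a pattern with '*' and '?' wildcards into a regex for fullmatch."""
    return re.compile("".join(
        ".*" if c == "*" else "." if c == "?" else re.escape(c)
        for c in pattern))


def _split(value):
    """Split a directive value into its prefix ('+', '-' or '') and names."""
    prefix = value[0] if value[:1] in ("+", "-") else ""
    return prefix, [n for n in value[len(prefix):].split(",") if n]


def effective_list(value, default):
    """Hypothetical helper: model how a list value combines with the default."""
    prefix, names = _split(value)
    if prefix == "+":      # append (this model skips names already present)
        return default + [n for n in names if n not in default]
    if prefix == "-":      # remove every default entry matching a pattern
        regexes = [_compile(n) for n in names]
        return [d for d in default if not any(r.fullmatch(d) for r in regexes)]
    return names           # no prefix: the listed names replace the default


def unmatched_patterns(value, default):
    """Return '-' patterns that removed nothing (likely typos in a policy)."""
    prefix, names = _split(value)
    if prefix != "-":
        return []
    return [n for n in names if not any(_compile(n).fullmatch(d) for d in default)]


if __name__ == "__main__":
    print(",".join(effective_list("-*cbc", SAMPLE_DEFAULT)))
```

`unmatched_patterns` is useful when reviewing a hardening policy: a removal pattern that matches nothing in the default list changes nothing, so a misspelled pattern can leave the algorithms it was meant to drop in place.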
Comment 3 Damien Miller 2021-04-23 15:03:59 AEST
closing resolved bugs as of 8.6p1 release