2671 – make possible to remove default ciphers/kexalgorithms/mac algorithms

Bug 2671 - make possible to remove default ciphers/kexalgorithms/mac algorithms

Summary: make possible to remove default ciphers/kexalgorithms/mac algorithms

Status:	CLOSED FIXED

Alias:	None

Product:	Portable OpenSSH
Classification:	Unclassified
Component:	sshd (show other bugs)
Version:	7.4p1
Hardware:	Other Linux

Importance:	P5 enhancement
Assignee:	Damien Miller

URL:
Keywords:

Depends on:
Blocks:	V_7_5
	Show dependency tree / graph

Reported:	2017-01-30 02:48 AEDT by Cristian Ionescu-Idbohrn
Modified:	2021-04-23 15:03 AEST (History)
CC List:	1 user (show)

See Also:

Attachments
Support =- syntax for algorithms (13.52 KB, patch) 2017-02-03 18:00 AEDT, Damien Miller	no flags	Details \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Cristian Ionescu-Idbohrn 2017-01-30 02:48:33 AEDT

Would it be possible to add the option of adding a '-' character prefix (in the same manner as appending algorithms currently works:
"if the specified value begins with a '+' character, then the specified algorithms will be appended to the default set instead of replacing them.") in order to remove default algorithms?

Comment 1 Damien Miller 2017-02-03 18:00:30 AEDT

Created attachment 2939 [details]
Support =- syntax for algorithms

This isn't particularly hard to do, but it requires a little refactoring.

Comment 2 Damien Miller 2017-02-04 10:16:55 AEDT

applied in:

commit 68bc8cfa7642d3ccbf2cd64281c16b8b9205be59
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Fri Feb 3 23:01:19 2017 +0000

    upstream commit
    
    support =- for removing methods from algorithms lists,
    e.g. Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671 "I like
    it" markus@
    
    Upstream-ID: c78c38f9f81a963b33d0eade559f6048add24a6d

Comment 3 Damien Miller 2021-04-23 15:03:59 AEST

closing resolved bugs as of 8.6p1 release