
Add flag to filter default algorithms

Open CendioOssman opened this issue 3 years ago • 2 comments

Allows you to more easily select a subset of algorithms you want to use, without also overriding the priority, or enabling something that is no longer deemed safe to use.

CendioOssman avatar Jul 11 '22 07:07 CendioOssman

What is the difference between this and the existing - flag? E.g. KexAlgorithms=-diffie-hellman*

djmdjm avatar Jul 11 '22 07:07 djmdjm

If new algorithms are added, then an existing command line using - needs to be updated. This is stricter in that only the things mentioned on the command line can be used. So it's closer to the prefix-less behaviour. Only that it doesn't add or reorder.

The goal was to retain some of the trust in OpenSSH's defaults and avoid pushing that responsibility on the caller. In our case, it was because host key storage is handled by the caller, so we needed a mechanism to inform ssh which ones are available. But we'd like to retain the priority that upstream has deemed best, and not accidentally enable something that is now considered too old.

It's meant to be an intersection operator, rather than a subtraction or addition.

CendioOssman avatar Jul 11 '22 07:07 CendioOssman
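The three behaviours compared in this thread, modelled in Python as an added illustration (this is not OpenSSH code, and the `&` prefix is a hypothetical spelling for the proposed intersection; the default list and the "new"/"old" algorithm names are constructed samples, not OpenSSH's real defaults):

```python
import fnmatch

# Constructed sample default list in upstream's preference order (not the real OpenSSH defaults).
DEFAULT_KEX = [
    "curve25519-sha256",
    "ecdh-sha2-nistp256",
    "diffie-hellman-group16-sha512",
    "diffie-hellman-group-exchange-sha256",
]


def apply_spec(defaults, spec):
    """Resolve an algorithm list against the defaults.

    "-pat,..."  removes entries matching each pattern (existing OpenSSH '-' prefix).
    "&a,b,..."  keeps only the named entries, in default order (hypothetical intersection
                prefix standing in for the filter proposed in this issue).
    "a,b,..."   replaces the defaults entirely (existing prefix-less behaviour).
    """
    if spec.startswith("-"):
        patterns = spec[1:].split(",")
        return [a for a in defaults
                if not any(fnmatch.fnmatchcase(a, p) for p in patterns)]
    if spec.startswith("&"):
        wanted = set(spec[1:].split(","))
        # Default order is preserved; names not in the defaults are silently dropped.
        return [a for a in defaults if a in wanted]
    return spec.split(",")


def compare_after_upstream_change(new_algorithm):
    """Show what each spec yields once upstream appends a new default algorithm."""
    updated = DEFAULT_KEX + [new_algorithm]
    return {
        "subtract": apply_spec(updated, "-diffie-hellman*"),
        "intersect": apply_spec(updated, "&curve25519-sha256,ecdh-sha2-nistp256"),
        "replace": apply_spec(updated, "ecdh-sha2-nistp256,old-kex-example"),
    }


if __name__ == "__main__":
    # The '-' spec lets the new algorithm through; the prefix-less spec enables a
    # non-default one; only the intersection stays within the vetted defaults.
    for name, result in compare_after_upstream_change("new-kex-example").items():
        print(f"{name:10}: {result}")
```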