SSH Config - Options - Remove some whilst adding others?

Chris

I know that ssh config file is parsed from top down and that it uses the options listed for the first valid match, ignoring ones from later valid matches if it already saw that option. I've tried a few different variants of formatting, but with my efforts it seems to either dislike the syntax/formatting, or else ignore the option if it is presented twice under the same host.

I'm using this version:

ssh -V
OpenSSH_for_Windows_8.1p1, LibreSSL 3.0.2

For an arbitrary example, the KexAlgorithms option supports explicit lists, or adding and removing from the default set:

Specifies the available KEX (Key Exchange) algorithms. Multiple algorithms must be comma-separated. If the specified list begins with a ‘+’ character, then the specified methods will be appended to the default set instead of replacing them. If the specified list begins with a ‘-’ character, then the specified methods (including wildcards) will be removed from the default set instead of replacing them. If the specified list begins with a ‘^’ character, then the specified methods will be placed at the head of the default set.

https://man7.org/linux/man-pages/man5/ssh_config.5.html

If I wanted to alter the default set in order to:

  • remove: diffie-hellman-group-exchange-sha256 and also curve25519-sha256
  • add: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1

Does anyone know the syntax, or if it's possible to both add and remove, without having to make your own entirely explicit list of all options?

I've tried using the + and - list modifiers in the same line after KexAlgorithms, but it reports that as garbage. If I split them to separate lists (see below) it executes fine but seems to only perform the top KexAlgorithms option, not both.

Host myHost
  HostName myHost.myDomain.com
  KexAlgorithms -"diffie-hellman-group-exchange-sha256,curve25519-sha256"
  KexAlgorithms +"diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1"

And I know I'm removing some secure options there and adding insecure ones, no need to tell me that :-)

Thanks!

UPDATE: As requested ssh -Q kex output:

diffie-hellman-group1-sha1
diffie-hellman-group14-sha1
diffie-hellman-group14-sha256
diffie-hellman-group16-sha512
diffie-hellman-group18-sha512
diffie-hellman-group-exchange-sha1
diffie-hellman-group-exchange-sha256
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
curve25519-sha256
[email protected]
[email protected]
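An added example, not code from the question or from OpenSSH, that models the two rules the question runs into: the first KexAlgorithms value obtained for a host wins and later ones are ignored, and a single value is either a replacement list or one of the +, - and ^ modifiers from ssh_config(5). The supported list is taken from the `ssh -Q kex` output above (minus the two names whose @-suffix was mangled in the copy); the "default set" DEFAULT_KEX is an assumption, since `ssh -Q kex` reports what the binary supports rather than what it offers by default. Host, file and function names are hypothetical.

```python
"""Model of ssh_config first-obtained-value-wins and the +/-/^ list modifiers.
Added example; not the question's code and not OpenSSH's parser."""
import fnmatch
import re

# Constructed from the `ssh -Q kex` output quoted in the question (the two
# names whose @-suffix was mangled in the copy are left out).
SUPPORTED_KEX = [
    "diffie-hellman-group1-sha1",
    "diffie-hellman-group14-sha1",
    "diffie-hellman-group14-sha256",
    "diffie-hellman-group16-sha512",
    "diffie-hellman-group18-sha512",
    "diffie-hellman-group-exchange-sha1",
    "diffie-hellman-group-exchange-sha256",
    "ecdh-sha2-nistp256",
    "ecdh-sha2-nistp384",
    "ecdh-sha2-nistp521",
    "curve25519-sha256",
]

# ASSUMPTION: a stand-in "default set". `ssh -Q kex` lists what the binary
# supports, not what it offers by default; the real default is narrower and
# is printed by `ssh -G <host>`. Here it is the supported list minus the two
# SHA-1 names the question wants to add back, so that '+' has visible effect.
DEFAULT_KEX = [n for n in SUPPORTED_KEX
               if n not in ("diffie-hellman-group1-sha1",
                            "diffie-hellman-group-exchange-sha1")]


def apply_list_modifier(default, spec, supported=SUPPORTED_KEX):
    """Evaluate one algorithm-list option value against `default`.

    A bare comma-separated list replaces the default; a leading '+' appends,
    '-' removes (wildcard patterns allowed, as ssh_config(5) says), '^' moves
    the named methods to the head. Unknown names raise, standing in for ssh's
    rejection of a bad KexAlgorithms value.
    """
    spec = spec.strip()
    mode = ""
    if spec and spec[0] in "+-^":
        mode, spec = spec[0], spec[1:]
    names = [n for n in spec.strip('"').split(",") if n]  # value may be quoted
    if mode == "-":
        return [d for d in default
                if not any(fnmatch.fnmatchcase(d, pat) for pat in names)]
    unknown = [n for n in names if n not in supported]
    if unknown:
        raise ValueError("Bad KexAlgorithms: " + ",".join(unknown))
    if mode == "+":
        return default + [n for n in names if n not in default]
    if mode == "^":
        return names + [d for d in default if d not in names]
    return names  # explicit list: replaces the default outright


def first_kex_spec(config_text, host):
    """Walk the config top down and return the first KexAlgorithms value that
    applies to `host`, or None. Later matching lines are ignored (the
    first-obtained-value rule). Only Host blocks are modelled, not Match."""
    applies = True  # lines before any Host keyword apply to every host
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1] if len(parts) > 1 else ""
        if key == "host":
            applies = any(fnmatch.fnmatchcase(host, p) for p in value.split())
        elif key == "kexalgorithms" and applies:
            return value
    return None


def effective_kex(config_text, host, default=DEFAULT_KEX):
    """The KEX list ssh would end up with for `host` under this model."""
    spec = first_kex_spec(config_text, host)
    return list(default) if spec is None else apply_list_modifier(default, spec)


def fold_to_explicit_list(default, *specs):
    """Apply several modifier specs in sequence and return one explicit list:
    the form a single KexAlgorithms line can carry when both a removal and an
    addition are wanted."""
    result = list(default)
    for spec in specs:
        result = apply_list_modifier(result, spec)
    return ",".join(result)


# Constructed input: the two-line attempt from the question.
QUESTION_CONFIG = """\
Host myHost
  HostName myHost.myDomain.com
  KexAlgorithms -"diffie-hellman-group-exchange-sha256,curve25519-sha256"
  KexAlgorithms +"diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1"
"""
```

Running `effective_kex(QUESTION_CONFIG, "myHost")` returns the default with only the two removals applied; the second KexAlgorithms line never takes effect because the first value obtained wins. `fold_to_explicit_list(DEFAULT_KEX, '-"..."', '+"..."')` applies both modifiers in sequence and returns a comma list that can be written as one explicit KexAlgorithms value. Whatever the client is configured with, `ssh -G myHost | grep -i kexalgorithms` prints the list ssh will actually offer, which is the check to run against the real (not modelled) default set.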
