Bug#989906: openssh-server: With GSSAPIKeyExchage "yes" openssh presents poor quality key exchange methods

To: 989906@bugs.debian.org
Cc: Felix Hädicke <felix.haedicke@gmx.de>
Subject: Bug#989906: openssh-server: With GSSAPIKeyExchage "yes" openssh presents poor quality key exchange methods
From: John Hughes <john.hughes@calva.com>
Date: Mon, 13 Feb 2023 16:59:21 +0100
Message-id: <[🔎] eab5ae35-348b-0312-267f-d444603980c1@calva.com>
Reply-to: John Hughes <john.hughes@calva.com>, 989906@bugs.debian.org
In-reply-to: <[🔎] ed8b8b54c4da3cb250c66701349d52e9a737575a.camel@gmx.de>
References: <[🔎] ed8b8b54c4da3cb250c66701349d52e9a737575a.camel@gmx.de> <162377522148.20746.9420183202875211864.reportbug@olympic.calvaedi.com>

On 12/02/2023 18:51, Felix Hädicke wrote:

As far as I can tell there is no way of configuring openssh to avoid
using gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==.

It is possible with option "GSSAPIKexAlgorithms", see man page for
ssh_config / sshd_config.


Well, I feel like a bit of an idiot for missing that, thanks for the tip.

However, the default for GSSAPIKexAlgorithms should be adjusted.
See patch:
https://github.com/felixhaedicke/openssh/commit/11244c7dd5fb5a8d8ecf07016e0d7afff982f0a3.diff


Seems reasonable to me.

--
John Hughes, CalvaEDI -- an Esker company.

Reply to:

References:
- Bug#989906: openssh-server: With GSSAPIKeyExchage "yes" openssh presents poor quality key exchange methods
  - From: Felix Hädicke <felix.haedicke@gmx.de>

Prev by Date: Bug#989906: openssh-server: With GSSAPIKeyExchage "yes" openssh presents poor quality key exchange methods
Next by Date: Bug#989906: openssh-server: With GSSAPIKeyExchage "yes" openssh presents poor quality key exchange methods
Previous by thread: Bug#989906: openssh-server: With GSSAPIKeyExchage "yes" openssh presents poor quality key exchange methods
Next by thread: Bug#989906: openssh-server: With GSSAPIKeyExchage "yes" openssh presents poor quality key exchange methods
Index(es):
- Date
- Thread