Bug#1073065: ssh_config manpage disagrees with ssh -Q kex on KexAlgorithms
Package: openssh-client
Version: 1:9.2p1-2+deb12u2
Severity: minor
In Debian stable, the manual page says:
KexAlgorithms
Specifies the available KEX (Key Exchange) algorithms.
Multiple algorithms must be comma-separated. If the specified
list begins with a ‘+’ character, then the specified
algorithms will be appended to the default set instead of
replacing them. If the specified list begins with a ‘-’
character, then the specified algorithms (including wildcards)
will be removed from the default set instead of replacing
them. If the specified list begins with a ‘^’
character, then the specified algorithms will be placed at
the head of the default set. The default is:
sntrup761x25519-sha512@openssh.com,
curve25519-sha256,curve25519-sha256@libssh.org,
ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
diffie-hellman-group-exchange-sha256,
diffie-hellman-group16-sha512,
diffie-hellman-group18-sha512,
diffie-hellman-group14-sha256
The list of available key exchange algorithms may also be
obtained using "ssh -Q kex".
Yet that command, `ssh -Q kex`, has a *different* list:
anarcat@angela:~$ ssh -Q kex | sort
curve25519-sha256
curve25519-sha256@libssh.org
diffie-hellman-group14-sha1
diffie-hellman-group14-sha256
diffie-hellman-group16-sha512
diffie-hellman-group18-sha512
diffie-hellman-group1-sha1
diffie-hellman-group-exchange-sha1
diffie-hellman-group-exchange-sha256
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
sntrup761x25519-sha512@openssh.com
The diff is:
--- b 2024-06-12 12:44:27.872122356 -0400
+++ /dev/fd/63 2024-06-12 12:44:44.476131607 -0400
@@ -1,8 +1,11 @@
curve25519-sha256
curve25519-sha256@libssh.org
+diffie-hellman-group14-sha1
diffie-hellman-group14-sha256
diffie-hellman-group16-sha512
diffie-hellman-group18-sha512
+diffie-hellman-group1-sha1
+diffie-hellman-group-exchange-sha1
diffie-hellman-group-exchange-sha256
ecdh-sha2-nistp256
ecdh-sha2-nistp384
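Review bot: The three `+` lines in this hunk are exactly the SHA-1 based methods (diffie-hellman-group14-sha1, diffie-hellman-group1-sha1, diffie-hellman-group-exchange-sha1) and no line is removed, so the `ssh -Q kex` output is a strict superset of the manpage default: -Q enumerates what the binary supports, while the KexAlgorithms entry documents what is enabled by default. The sentence "The list of available key exchange algorithms may also be obtained using ssh -Q kex" is what reads as a promise that the two lists match; saying "supported" rather than "available" for the -Q list, or noting that -Q includes methods outside the default set, would remove that expectation. The header `@@ -1,8 +1,11 @@` covers only the first eight sorted default entries; ecdh-sha2-nistp521 and sntrup761x25519-sha512@openssh.com lie outside the context and are unchanged.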
This might be related to the SHA1 removal, but it seems to me -Q
should reflect the manual page output.
-- System Information:
Debian Release: 12.5
APT prefers stable-security
APT policy: (500, 'stable-security'), (500, 'stable-debug'), (500, 'stable'), (1, 'experimental'), (1, 'unstable'), (1, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 6.6.13+bpo-amd64 (SMP w/16 CPU threads; PREEMPT)
Locale: LANG=fr_CA.UTF-8, LC_CTYPE=fr_CA.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages openssh-client depends on:
ii adduser 3.134
ii libc6 2.36-9+deb12u7
ii libedit2 3.1-20221030-2
ii libfido2-1 1.12.0-2+b1
ii libgssapi-krb5-2 1.20.1-2+deb12u1
ii libselinux1 3.4-1+b6
ii libssl3 3.0.11-1~deb12u2
ii passwd 1:4.13+dfsg1-1+b1
ii zlib1g 1:1.2.13.dfsg-1
Versions of packages openssh-client recommends:
ii xauth 1:1.1.2-1
Versions of packages openssh-client suggests:
pn keychain <none>
pn libpam-ssh <none>
pn monkeysphere <none>
ii ssh-askpass 1:1.2.4.1-16
-- no debconf information
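As an added example, not OpenSSH's code and not part of the bug report, the Python below models the KexAlgorithms prefix rules quoted from ssh_config(5) above ('+' appends, '-' removes with wildcard support, '^' prepends, a bare list replaces) and lists which `ssh -Q kex` entries are supported but not in the default set, using the two lists pasted in the report as embedded data. The duplicate avoidance on '+'/'^' and the rejection of names the binary does not support are assumptions modelled on the documented behaviour, not verified against the OpenSSH source here; running `ssh -G host | grep -i kexalgorithms` remains the authoritative way to see the effective list on a real system.

```python
"""Resolve an OpenSSH KexAlgorithms value against the default list.

Added example (not OpenSSH code). Models the '+', '-', '^' prefix rules
from ssh_config(5) and compares the supported list (ssh -Q kex) with the
default list documented in the manual page.
"""
from fnmatch import fnmatchcase

# Default KexAlgorithms as quoted from the Debian 12 ssh_config(5) manpage.
DEFAULT_KEX = [
    "sntrup761x25519-sha512@openssh.com",
    "curve25519-sha256",
    "curve25519-sha256@libssh.org",
    "ecdh-sha2-nistp256",
    "ecdh-sha2-nistp384",
    "ecdh-sha2-nistp521",
    "diffie-hellman-group-exchange-sha256",
    "diffie-hellman-group16-sha512",
    "diffie-hellman-group18-sha512",
    "diffie-hellman-group14-sha256",
]

# Output of `ssh -Q kex | sort` on the same system, as pasted in the report.
SUPPORTED_KEX = [
    "curve25519-sha256",
    "curve25519-sha256@libssh.org",
    "diffie-hellman-group14-sha1",
    "diffie-hellman-group14-sha256",
    "diffie-hellman-group16-sha512",
    "diffie-hellman-group18-sha512",
    "diffie-hellman-group1-sha1",
    "diffie-hellman-group-exchange-sha1",
    "diffie-hellman-group-exchange-sha256",
    "ecdh-sha2-nistp256",
    "ecdh-sha2-nistp384",
    "ecdh-sha2-nistp521",
    "sntrup761x25519-sha512@openssh.com",
]


def resolve_kex(spec, default=DEFAULT_KEX, supported=SUPPORTED_KEX):
    """Return the effective KexAlgorithms list for a config value `spec`.

    '+list' appends to the default, '-list' removes (wildcards allowed),
    '^list' moves names to the head, and a bare list replaces the default.
    Assumptions of this example: duplicates are not re-added on '+'/'^',
    and a name absent from `supported` is rejected with ValueError, the
    way ssh reports "Bad SSH2 KexAlgorithms" for an unknown name.
    """
    if not spec:
        raise ValueError("empty KexAlgorithms value")
    prefix, body = (spec[0], spec[1:]) if spec[0] in "+-^" else ("", spec)
    names = [n for n in body.split(",") if n]
    if not names:
        raise ValueError("no algorithm names given")
    if prefix == "-":
        # Removal patterns may contain wildcards, matched against the default.
        result = [a for a in default
                  if not any(fnmatchcase(a, pat) for pat in names)]
    else:
        unknown = [n for n in names if n not in supported]
        if unknown:
            raise ValueError("unsupported KEX algorithm(s): " + ",".join(unknown))
        if prefix == "+":
            result = list(default) + [n for n in names if n not in default]
        elif prefix == "^":
            result = names + [a for a in default if a not in names]
        else:
            result = names
    if not result:
        raise ValueError("KexAlgorithms resolves to an empty list")
    return result


def supported_but_not_default(supported=SUPPORTED_KEX, default=DEFAULT_KEX):
    """Names the binary accepts but does not offer by default (sorted)."""
    return sorted(a for a in supported if a not in default)


def weak_entries(algs):
    """Entries a reviewer would flag: SHA-1 based key exchange methods."""
    return [a for a in algs if a.endswith("-sha1")]


if __name__ == "__main__":
    print("supported but not default:", supported_but_not_default())
    print("effective list with '-*sha1':", resolve_kex("-*sha1"))
    print("weak entries after '+diffie-hellman-group14-sha1':",
          weak_entries(resolve_kex("+diffie-hellman-group14-sha1")))
```

The point the report raises falls out directly: `supported_but_not_default()` returns the three SHA-1 entries shown as `+` lines in the diff, and `weak_entries(resolve_kex("-*sha1"))` is empty, so a `-*sha1` line in ssh_config is a no-op on this version's defaults and only matters if something earlier re-enabled those methods.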