options override for openssh client configuration

Since I want to protect my ssh connections, I set some global cipher suite options to restrict the set of used algorithms. But recently I've encountered a server which doesn't support some of those algorithms. So, I need to selectively enable deprecated algorithms for a specific host record in the client (my system) configuration.

I found out that the options override is not working as I expected. Let's take a minimal (not-)working example for GitHub:

HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp256

Host github
    HostKeyAlgorithms ssh-rsa
    Hostname        github.com
    Port            22
    User            git
    PubkeyAuthentication yes
    IdentityFile    ~/.ssh/some-filename-here

Having that, I receive the following error (HostKeyAlgorithms is not overridden at all):

debug1: /home/username/.ssh/config line 14: Applying options for github
<...>
debug2: kex_parse_kexinit: ssh-ed25519-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp256
<...>
Unable to negotiate with 192.30.252.130: no matching host key type found. Their offer: ssh-dss,ssh-rsa

It similarly does not work for a global PubkeyAuthentication no option with an override in a host configuration.

Match doesn't help either:

match host github
    HostKeyAlgorithms ssh-rsa

So, is there a way to selectively redefine those options?

NOTE: I’m using the openssh-7.1_p2-r1 on gentoo.

Answers:


Method 1

OpenSSH options might behave somewhat strangely at first sight, but the manual page for ssh_config documents it well:

For each parameter, the first obtained value will be used. The configuration files contain sections separated by “Host” specifications, and that section is only applied for hosts that match one of the patterns given in the specification. The matched host name is usually the one given on the command line (see the CanonicalizeHostname option for exceptions.)

You might rewrite your config like this to achieve what you need:

Host github
    HostKeyAlgorithms ssh-rsa
    Hostname        github.com
    Port            22
    User            git
    PubkeyAuthentication yes
    IdentityFile    ~/.ssh/some-filename-here
Host *
    HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp256
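
To see why the reordering matters, here is an added example (not part of the answer above, and not OpenSSH's own code): a small Python resolver that mimics the rule quoted from ssh_config(5), walking the file top to bottom, keeping the first value seen for each keyword, and only reading inside Host/Match blocks whose pattern matches the name given on the command line. It is run over three constructed configurations: the question's original layout, the question's Match variant, and the reordered layout from Method 1. Only Host blocks, Match all and Match host are modelled; every other Match criterion is treated as not matching.

```python
import fnmatch

# The restricted global list from the question, reused in all three constructed configs.
STRICT = ("ssh-ed25519-cert-v01@openssh.com,ssh-ed25519,"
          "ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp256")

# Constructed config 1: global value first, host-specific value later (the question's layout).
BROKEN_CONFIG = f"""\
HostKeyAlgorithms {STRICT}

Host github
    HostKeyAlgorithms ssh-rsa
    Hostname        github.com
    Port            22
    User            git
"""

# Constructed config 2: the question's Match attempt, which also comes after the global value.
MATCH_CONFIG = f"""\
HostKeyAlgorithms {STRICT}

match host github
    HostKeyAlgorithms ssh-rsa
"""

# Constructed config 3: Method 1's layout, specific block first, catch-all block last.
FIXED_CONFIG = f"""\
Host github
    HostKeyAlgorithms ssh-rsa
    Hostname        github.com
    Port            22
    User            git
Host *
    HostKeyAlgorithms {STRICT}
"""


def host_matches(patterns, host):
    """Host pattern semantics: '*' and '?' wildcards, a leading '!' negates,
    and a negated pattern that matches excludes the host even if another pattern matched."""
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(host, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(host, pat):
            matched = True
    return matched


def resolve(config_text, host):
    """Return {keyword_lower: value} using the 'first obtained value wins' rule.

    `host` is the name typed on the command line (ssh github), not the Hostname value,
    which is exactly what ssh_config(5) says Host patterns are matched against.
    """
    options = {}
    active = True  # lines before the first Host/Match block apply to every host
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 1 and "=" in parts[0]:  # 'Keyword=value' form is also accepted
            parts = parts[0].split("=", 1)
        keyword = parts[0].lower()  # keywords are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "host":
            active = host_matches(value.replace(",", " ").split(), host)
            continue
        if keyword == "match":
            crit = value.split()
            if crit and crit[0].lower() == "all":
                active = True
            elif len(crit) >= 2 and crit[0].lower() == "host":
                active = host_matches(crit[1].split(","), host)
            else:
                active = False  # other Match criteria are not modelled here
            continue
        if active and keyword not in options:  # first value wins; later ones are ignored
            options[keyword] = value
    return options


def effective_hostkeyalgorithms(config_text, host):
    """Convenience wrapper returning just the HostKeyAlgorithms value that would be offered."""
    return resolve(config_text, host).get("hostkeyalgorithms")


if __name__ == "__main__":
    for name, cfg in (("question", BROKEN_CONFIG), ("match", MATCH_CONFIG), ("method 1", FIXED_CONFIG)):
        print(f"{name:>9}: github      -> {effective_hostkeyalgorithms(cfg, 'github')}")
        print(f"{name:>9}: example.org -> {effective_hostkeyalgorithms(cfg, 'example.org')}")
```

With the real client the same check is `ssh -G github` (available since OpenSSH 6.8), which prints the configuration ssh would actually use after evaluating all Host and Match blocks, so a mis-ordered override shows up before any connection is attempted.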

Method 2

Apart from a few specific (often used) options like -p to set the port, there is the generic -o option.

ssh -o HostKeyAlgorithms=ssh-rsa github

can override that value.


All methods were sourced from stackoverflow.com or stackexchange.com and are licensed under CC BY-SA 2.5, CC BY-SA 3.0 and CC BY-SA 4.0.
