From dd7807bbe80a93ffb4616f2bd5cf83ad5a5595fb Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Fri, 14 Jun 2024 05:01:22 +0000 Subject: [PATCH] upstream: clarify KEXAlgorithms supported vs available. Inspired by bz3701 from Colin Watson. OpenBSD-Commit-ID: e698e69bea19bd52971d253f2b1094490c4701f7 --- ssh_config.5 | 13 +++++++++---- sshd_config.5 | 15 ++++++++++----- 2 files changed, 19 insertions(+), 9 deletions(-) diff --git a/ssh_config.5 b/ssh_config.5 index 2931d807e..0f8dddcb6 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.394 2024/02/21 06:01:13 djm Exp $ -.Dd $Mdocdate: February 21 2024 $ +.\" $OpenBSD: ssh_config.5,v 1.395 2024/06/14 05:01:22 djm Exp $ +.Dd $Mdocdate: June 14 2024 $ .Dt SSH_CONFIG 5 .Os .Sh NAME @@ -1261,8 +1261,12 @@ it may be zero or more of: and .Cm pam . .It Cm KexAlgorithms -Specifies the available KEX (Key Exchange) algorithms. +Specifies the permitted KEX (Key Exchange) algorithms that will be used and +their preference order. +The selected algorithm will the the first algorithm in this list that +the server also supports. Multiple algorithms must be comma-separated. +.Pp If the specified list begins with a .Sq + character, then the specified algorithms will be appended to the default set @@ -1275,6 +1279,7 @@ If the specified list begins with a .Sq ^ character, then the specified algorithms will be placed at the head of the default set. +.Pp The default is: .Bd -literal -offset indent sntrup761x25519-sha512@openssh.com, @@ -1286,7 +1291,7 @@ diffie-hellman-group18-sha512, diffie-hellman-group14-sha256 .Ed .Pp -The list of available key exchange algorithms may also be obtained using +The list of supported key exchange algorithms may also be obtained using .Qq ssh -Q kex . .It Cm KnownHostsCommand Specifies a command to use to obtain a list of host keys, in addition to diff --git a/sshd_config.5 b/sshd_config.5 index b228e905b..d5019f8ea 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.362 2024/06/13 15:06:33 naddy Exp $ -.Dd $Mdocdate: June 13 2024 $ +.\" $OpenBSD: sshd_config.5,v 1.363 2024/06/14 05:01:22 djm Exp $ +.Dd $Mdocdate: June 14 2024 $ .Dt SSHD_CONFIG 5 .Os .Sh NAME @@ -1003,9 +1003,13 @@ file on logout. The default is .Cm yes . .It Cm KexAlgorithms -Specifies the available KEX (Key Exchange) algorithms. +Specifies the permitted KEX (Key Exchange) algorithms that the server will +offer to clients. +The ordering of this list is not important, as the client specifies the +preference order. Multiple algorithms must be comma-separated. -Alternately if the specified list begins with a +.Pp +If the specified list begins with a .Sq + character, then the specified algorithms will be appended to the default set instead of replacing them. @@ -1017,6 +1021,7 @@ If the specified list begins with a .Sq ^ character, then the specified algorithms will be placed at the head of the default set. +.Pp The supported algorithms are: .Pp .Bl -item -compact -offset indent @@ -1058,7 +1063,7 @@ diffie-hellman-group16-sha512,diffie-hellman-group18-sha512, diffie-hellman-group14-sha256 .Ed .Pp -The list of available key exchange algorithms may also be obtained using +The list of supported key exchange algorithms may also be obtained using .Qq ssh -Q KexAlgorithms . .It Cm ListenAddress Specifies the local addresses