Bug#783594: openssh-server: sshd -T does not show actual kexchange and ciphers

Stephen Dowdy Wed, 25 Nov 2015 12:09:42 -0800

Package: openssh-server
Version: 1:6.7p1-5
Followup-For: Bug #783594

Dear Maintainer,


The bug appears only if the Ciphers directive is missing and implied from 
program defaults:
(i'm guessing that -T runs prior to proper full initialization of 'sshd')

    $ grep -i ciphers /etc/ssh/sshd_config                                      
                                                                                
                       
    $
    $ sudo /usr/sbin/sshd -T | grep -i ciphers
    ciphers 
3des-cbc,blowfish-cbc,cast128-cbc,arcfour,arcfour128,arcfour256,aes128-cbc,aes192-cbc,aes256-cbc,rijndael-...@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr,aes128-...@openssh.com,aes256-...@openssh.com,chacha20-poly1...@openssh.com
-or-
    $ sudo /usr/sbin/sshd -f /dev/null -T | grep -i ciphers
    ciphers 
3des-cbc,blowfish-cbc,cast128-cbc,arcfour,arcfour128,arcfour256,aes128-cbc,aes192-cbc,aes256-cbc,rijndael-...@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr,aes128-...@openssh.com,aes256-...@openssh.com,chacha20-poly1...@openssh.com

If we explicitly specify the manpage defaults, '-T' functions as expected:

    $ echo 'Ciphers 
aes128-ctr,aes192-ctr,aes256-ctr,aes128-...@openssh.com,aes256-...@openssh.com,chacha20-poly1...@openssh.com'
 | sudo /usr/sbin/sshd -T -f /dev/stdin | grep ciphers 
    ciphers 
aes128-ctr,aes192-ctr,aes256-ctr,aes128-...@openssh.com,aes256-...@openssh.com,chacha20-poly1...@openssh.com



-- System Information:
Debian Release: 8.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500, 
'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages openssh-server depends on:
ii  adduser                3.113+nmu3
ii  debconf [debconf-2.0]  1.5.56
ii  dpkg                   1.17.25
ii  init-system-helpers    1.22
ii  libc6                  2.19-18+deb8u1
ii  libcomerr2             1.42.12-1.1
ii  libgssapi-krb5-2       1.12.1+dfsg-19+deb8u1
ii  libkrb5-3              1.12.1+dfsg-19+deb8u1
ii  libpam-modules         1.1.8-3.1
ii  libpam-runtime         1.1.8-3.1
ii  libpam0g               1.1.8-3.1
ii  libselinux1            2.3-2
ii  libssl1.0.0            1.0.1k-3+deb8u1
ii  libwrap0               7.6.q-25
ii  lsb-base               4.1+Debian13+nmu1
ii  openssh-client         1:6.7p1-5
ii  openssh-sftp-server    1:6.7p1-5
ii  procps                 2:3.3.9-9
ii  zlib1g                 1:1.2.8.dfsg-2+b1

Versions of packages openssh-server recommends:
ii  ncurses-term  5.9+20140913-1
ii  xauth         1:1.0.9-1

Versions of packages openssh-server suggests:
ii  ksshaskpass [ssh-askpass]  0.5.3-1+b1
pn  molly-guard                <none>
pn  monkeysphere               <none>
pn  rssh                       <none>
pn  ufw                        <none>

-- debconf information excluded

Bug#783594: openssh-server: sshd -T does not show actual kexchange and ciphers

Reply via email to