Package: openssh-client
Version: 1:9.2p1-2+deb12u2
Severity: minor

In Debian stable, the manual page says:

     KexAlgorithms
             Specifies the available KEX (Key Exchange) algorithms.
             Multiple algorithms must be comma-separated.  If the
             specified list begins with a ‘+’ character, then the
             specified algorithms will be appended to the default set
             instead of replacing them.  If the specified list begins
             with a ‘-’ character, then the specified algorithms
             (including wildcards) will be removed from the default set
             instead of replacing them.  If the specified list begins
             with a ‘^’ character, then the specified algorithms will be
             placed at the head of the default set.  The default is:

                   sntrup761x25519-sha...@openssh.com,
                   curve25519-sha256,curve25519-sha...@libssh.org,
                   ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
                   diffie-hellman-group-exchange-sha256,
                   diffie-hellman-group16-sha512,
                   diffie-hellman-group18-sha512,
                   diffie-hellman-group14-sha256

             The list of available key exchange algorithms may also be
             obtained using "ssh -Q kex".

Yet that command, `ssh -Q kex`, has a *different* list:

anarcat@angela:~$ ssh -Q kex | sort
curve25519-sha256
curve25519-sha...@libssh.org
diffie-hellman-group14-sha1
diffie-hellman-group14-sha256
diffie-hellman-group16-sha512
diffie-hellman-group18-sha512
diffie-hellman-group1-sha1
diffie-hellman-group-exchange-sha1
diffie-hellman-group-exchange-sha256
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
sntrup761x25519-sha...@openssh.com

The diff is:

--- b 2024-06-12 12:44:27.872122356 -0400 +++ /dev/fd/63 2024-06-12 12:44:44.476131607 -0400
@@ -1,8 +1,11 @@ curve25519-sha256 curve25519-sha...@libssh.org +diffie-hellman-group14-sha1 diffie-hellman-group14-sha256 diffie-hellman-group16-sha512 diffie-hellman-group18-sha512 +diffie-hellman-group1-sha1 +diffie-hellman-group-exchange-sha1 diffie-hellman-group-exchange-sha256 ecdh-sha2-nistp256 ecdh-sha2-nistp384

This might be related to the SHA1 removal, but it seems to me -Q should
reflect the manual page output.

-- System Information:
Debian Release: 12.5
  APT prefers stable-security
  APT policy: (500, 'stable-security'), (500, 'stable-debug'), (500, 'stable'), (1, 'experimental'), (1, 'unstable'), (1, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 6.6.13+bpo-amd64 (SMP w/16 CPU threads; PREEMPT)
Locale: LANG=fr_CA.UTF-8, LC_CTYPE=fr_CA.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages openssh-client depends on:
ii  adduser           3.134
ii  libc6             2.36-9+deb12u7
ii  libedit2          3.1-20221030-2
ii  libfido2-1        1.12.0-2+b1
ii  libgssapi-krb5-2  1.20.1-2+deb12u1
ii  libselinux1       3.4-1+b6
ii  libssl3           3.0.11-1~deb12u2
ii  passwd            1:4.13+dfsg1-1+b1
ii  zlib1g            1:1.2.13.dfsg-1

Versions of packages openssh-client recommends:
ii  xauth  1:1.1.2-1

Versions of packages openssh-client suggests:
pn  keychain      <none>
pn  libpam-ssh    <none>
pn  monkeysphere  <none>
ii  ssh-askpass   1:1.2.4.1-16

-- no debconf information
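
Review bot: the three `+` lines in the hunk (diffie-hellman-group14-sha1, diffie-hellman-group1-sha1, diffie-hellman-group-exchange-sha1) all end in -sha1 and the hunk has no `-` lines, so the `ssh -Q kex` output is a superset of the documented default rather than a reordering of it. The quoted manual text uses "available" both for what the option specifies and for what `ssh -Q kex` prints; a wording fix that names the -Q output as the supported set, separate from "The default is:", would address the mismatch without changing either list.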
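
The list-prefix rules in the manual excerpt above, worked through as an added Python example (not part of the original report and not OpenSSH code). `apply_kex_spec` and `audit` are hypothetical helpers; the two lists are copied from the report, wildcards are handled only for '-', and the duplicate handling for '+' and '^' is an assumption the manual text does not state.

```python
from fnmatch import fnmatchcase

# Lists copied from the report; the "..." in two names is the page's own elision.
MAN_PAGE_DEFAULT = [
    "sntrup761x25519-sha...@openssh.com",
    "curve25519-sha256",
    "curve25519-sha...@libssh.org",
    "ecdh-sha2-nistp256",
    "ecdh-sha2-nistp384",
    "ecdh-sha2-nistp521",
    "diffie-hellman-group-exchange-sha256",
    "diffie-hellman-group16-sha512",
    "diffie-hellman-group18-sha512",
    "diffie-hellman-group14-sha256",
]
SSH_Q_KEX = MAN_PAGE_DEFAULT + [
    "diffie-hellman-group14-sha1",
    "diffie-hellman-group1-sha1",
    "diffie-hellman-group-exchange-sha1",
]


def apply_kex_spec(spec, default=MAN_PAGE_DEFAULT):
    """Resolve a KexAlgorithms value against the default set (hypothetical helper)."""
    prefix = spec[:1] if spec[:1] in ("+", "-", "^") else ""
    names = [n for n in spec[len(prefix):].split(",") if n]
    if prefix == "+":  # append to the default set (duplicates skipped: assumption)
        return default + [n for n in names if n not in default]
    if prefix == "-":  # remove every default entry matching a name or wildcard
        return [d for d in default if not any(fnmatchcase(d, p) for p in names)]
    if prefix == "^":  # place at the head; earlier copies dropped (assumption)
        return names + [d for d in default if d not in names]
    return names       # no prefix: the list replaces the default set


def audit(spec, supported=SSH_Q_KEX):
    """Return (effective list, names this build does not list, SHA-1 based names)."""
    effective = apply_kex_spec(spec)
    unknown = [n for n in effective if n not in supported]
    sha1 = [n for n in effective if n.endswith("-sha1")]
    return effective, unknown, sha1


if __name__ == "__main__":
    for spec in ("-ecdh-sha2-*", "^curve25519-sha256", "+diffie-hellman-group14-sha1"):
        effective, unknown, sha1 = audit(spec)
        print(f"{spec}\n  effective: {','.join(effective)}\n  unknown: {unknown}\n  sha1: {sha1}")
```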