OpenSSH Client – Options Override for Configuration


Since I want to protect my ssh connections, I set some global cipher suite options to restrict the set of used algorithms. But recently I've encountered a server which doesn't support some of those algorithms. So, I need to selectively enable deprecated algorithms for a specific host record in the client (my system) configuration.

I found out that the options override is not working as I expected. Let's take a minimal (not-)working example for GitHub:

HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp256

Host github
    HostKeyAlgorithms ssh-rsa
    Hostname        github.com
    Port            22
    User            git
    PubkeyAuthentication yes
    IdentityFile    ~/.ssh/some-filename-here

Having that, I receive the following error (HostKeyAlgorithms is not overridden at all):

debug1: /home/username/.ssh/config line 14: Applying options for github
<...>
debug2: kex_parse_kexinit: ssh-ed25519-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp256
<...>
Unable to negotiate with 192.30.252.130: no matching host key type found. Their offer: ssh-dss,ssh-rsa

It similarly does not work for the global PubkeyAuthentication no option with an override in a host configuration.

Also, the match doesn't help either:

match host github
    HostKeyAlgorithms ssh-rsa

So, is there a way to selectively redefine those options?

NOTE: I'm using the openssh-7.1_p2-r1 on gentoo.

Best Answer

OpenSSH options might behave somewhat strangely at first sight. But the manual page for ssh_config documents it well:

For each parameter, the first obtained value will be used. The configuration files contain sections separated by “Host” specifications, and that section is only applied for hosts that match one of the patterns given in the specification. The matched host name is usually the one given on the command line (see the CanonicalizeHostname option for exceptions.)

You might rewrite your config like this to achieve what you need:

Host github
    HostKeyAlgorithms ssh-rsa
    Hostname        github.com
    Port            22
    User            git
    PubkeyAuthentication yes
    IdentityFile    ~/.ssh/some-filename-here
Host *
    HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp256
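To see why the original layout fails and the rewritten one works, here is an added example (my own code, not part of the question or answer and not OpenSSH's own parser): a small Python model of the ssh_config lookup rule quoted above, "the first obtained value will be used", applied to the two configurations from this thread, which are embedded as constructed input. It handles only Host blocks and plain `Option value` lines (no Match, no `Option=value`), which is enough to show the effect.

```python
import fnmatch

# Constructed input: the question's original layout, global line first.
ORIGINAL_CONFIG = """\
HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp256

Host github
    HostKeyAlgorithms ssh-rsa
    Hostname        github.com
    Port            22
    User            git
"""

# Constructed input: the answer's layout, specific block first, "Host *" last.
FIXED_CONFIG = """\
Host github
    HostKeyAlgorithms ssh-rsa
    Hostname        github.com
    Port            22
    User            git
Host *
    HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp256
"""


def _host_matches(host, patterns):
    """Evaluate a Host pattern list: at least one positive pattern must match
    and no negated ('!') pattern may match. '*' and '?' work as in ssh."""
    matched = False
    for pattern in patterns:
        if pattern.startswith("!"):
            if fnmatch.fnmatchcase(host, pattern[1:]):
                return False
        elif fnmatch.fnmatchcase(host, pattern):
            matched = True
    return matched


def resolve(config_text, host):
    """Return {option_name_lowercase: value} for `host`.

    Lines before the first Host block apply to every host. Within the file,
    the first value seen for an option is kept and later ones are ignored,
    which is exactly the ssh_config rule the answer quotes.
    """
    resolved = {}
    active = True  # no Host block seen yet: lines apply unconditionally
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            active = _host_matches(host, value.split())
            continue
        if key == "match":
            raise NotImplementedError("Match blocks are not modelled here")
        if active:
            resolved.setdefault(key, value)  # first obtained value wins
    return resolved


if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL_CONFIG), ("fixed", FIXED_CONFIG)):
        for host in ("github", "other.example.org"):
            opts = resolve(cfg, host)
            print(f"{label:8} {host:18} hostkeyalgorithms="
                  f"{opts.get('hostkeyalgorithms')}")
```

In the original layout the global HostKeyAlgorithms line is read first, so the `ssh-rsa` value inside `Host github` is silently discarded; in the fixed layout the `Host github` block comes first and `Host *` supplies the default for everything else. On a real system the equivalent check is `ssh -G github`, available since OpenSSH 6.8, which prints the options ssh would actually use for that host without opening a connection.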