On Thu, Aug 15, 2019 at 06:44:24PM +0200, Klemens Nanni wrote:
> The current wording explaining how to append or exclude ciphers seems
> ambiguous as to whether an optional dash or plus character is to be
> prepended once to the entire list or every cipher in the list.
> 
> Diff below slightly tweaks it without substantial changes, making it
> clearer (at least for non-native speakers, I think).
> 
> We could also add a simple example excluding weak ciphers, but if we nailed
> the wording it would not be needed to extend this already lengthy manual
> much further.
> 
> Also, to sync `Ciphers' and `KexAlgorithms', stop listing supported
> ciphers in the first one since we already point to `ssh -Q ...' for
> listing all available ones, and add a missing `.Pp' to the latter.
> 
> Feedback?
> 

hi. feedback inline.

> Index: ssh_config.5
> ===================================================================
> RCS file: /cvs/src/usr.bin/ssh/ssh_config.5,v
> retrieving revision 1.298
> diff -u -p -r1.298 ssh_config.5
> --- ssh_config.5      9 Aug 2019 04:24:03 -0000       1.298
> +++ ssh_config.5      15 Aug 2019 16:27:43 -0000
> @@ -424,27 +424,13 @@ Specifies the ciphers allowed and their 
>  Multiple ciphers must be comma-separated.
>  If the specified value begins with a
>  .Sq +
> -character, then the specified ciphers will be appended to the default set
> +character, all specified ciphers will be appended to the default set
>  instead of replacing them.

try as i can, i can't really see how this wording avoids the ambiguity.
nor how the current wording contains it exactly.

what about

        If the cipher list begins with a
        .Sq
        character ...

i think it's one of those things that will be clear if you try to
specify it (like, how else would it work?)

>  If the specified value begins with a
>  .Sq -
> -character, then the specified ciphers (including wildcards) will be removed
> +character, all specified ciphers (including wildcards) will be removed
>  from the default set instead of replacing them.
>  .Pp
> -The supported ciphers are:
> -.Bd -literal -offset indent
> -3des-cbc
> -aes128-cbc
> -aes192-cbc
> -aes256-cbc
> -aes128-ctr
> -aes192-ctr
> -aes256-ctr
> [email protected]
> [email protected]
> [email protected]
> -.Ed
> -.Pp
>  The default is:
>  .Bd -literal -offset indent
>  [email protected],
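Review bot: the reworded line `+character, all specified ciphers will be appended to the default set` still hangs the sign off "the specified value", so it does not state what the commit message wants settled: that the `+` or `-` is written once, at the start of the list, and not in front of each name. Saying so directly ("If the list begins with a single `+` character, the ciphers that follow are appended ...") would close the question for both the `+` and the `-` sentence. Separately, this hunk drops the supported-cipher block (`-The supported ciphers are:` through `-.Ed`) while the KexAlgorithms hunk keeps its equivalent, so either both entries should lose their list or the message should say why only Ciphers does.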
> @@ -1044,14 +1030,15 @@ and
>  .It Cm KexAlgorithms
>  Specifies the available KEX (Key Exchange) algorithms.
>  Multiple algorithms must be comma-separated.
> -Alternately if the specified value begins with a
> +If the specified value begins with a
>  .Sq +
> -character, then the specified methods will be appended to the default set
> +character, all specified methods will be appended to the default set
>  instead of replacing them.
>  If the specified value begins with a
>  .Sq -
> -character, then the specified methods (including wildcards) will be removed
> +character, all specified methods (including wildcards) will be removed
>  from the default set instead of replacing them.
> +.Pp
>  The default is:
>  .Bd -literal -offset indent
>  curve25519-sha256,[email protected],
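Review bot: the `+.Pp` before `The default is:` is the right fix for the missing paragraph break and brings this entry in line with the Ciphers entry's layout, but the `+character, all specified methods will be appended to the default set` rewording carries the same ambiguity noted for the Ciphers hunk; whatever final wording is chosen there should be applied here too so the two entries stay in sync.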
> 

why do you want to remove the list of ciphers but not kex algorithms?
both contain info on displaying the default using -Q.

having said that, i think the idea to trim these may be good. it does
add text to an already large page, and it would save people having to
bump this every time it changes.

so maybe we could do this for all places where -Q works? but maybe there
was a solid reason for listing them in the first place?

jmc
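The `+`/`-` rule the diff rewords, worked through as an added Python illustration (not code from this thread or from OpenSSH; the default and supported cipher lists are sample data matching the revision the diff touches, and treating `*` and `?` as the only wildcard characters is an assumption):

```python
import re

# Constructed sample data (assumption): the Ciphers default and the supported set
# as listed by the ssh_config.5 revision the diff touches; verify with `ssh -Q cipher`.
DEFAULT_CIPHERS = [
    "chacha20-poly1305@openssh.com",
    "aes128-ctr", "aes192-ctr", "aes256-ctr",
    "aes128-gcm@openssh.com", "aes256-gcm@openssh.com",
]
SUPPORTED_CIPHERS = [
    "3des-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc",
    "aes128-ctr", "aes192-ctr", "aes256-ctr",
    "aes128-gcm@openssh.com", "aes256-gcm@openssh.com",
    "chacha20-poly1305@openssh.com",
]


def _glob_to_re(pattern: str) -> re.Pattern:
    """Translate an ssh-style pattern ('*' and '?' only) into an anchored regex."""
    parts = [".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern]
    return re.compile("".join(parts) + r"\Z")


def resolve_ciphers(value, defaults=DEFAULT_CIPHERS, supported=SUPPORTED_CIPHERS):
    """Return the effective cipher list for a Ciphers directive value.

    The leading '+' or '-' is written once, in front of the whole comma-separated
    list; the names that follow carry no sign of their own.
    """
    value = value.strip()
    sign, body = (value[0], value[1:]) if value[:1] in ("+", "-") else ("", value)
    names = [n for n in body.split(",") if n]
    if sign == "-":
        # Remove every default that matches any listed pattern (wildcards allowed).
        regexes = [_glob_to_re(p) for p in names]
        result = [c for c in defaults if not any(r.match(c) for r in regexes)]
    else:
        unknown = [n for n in names if n not in supported]
        if unknown:
            raise ValueError("unsupported cipher(s): " + ",".join(unknown))
        if sign == "+":
            # Append to the defaults, skipping names already present.
            result = list(defaults) + [n for n in names if n not in defaults]
        else:
            result = names  # a plain list replaces the defaults outright
    if not result:
        raise ValueError("cipher list is empty")
    return result


if __name__ == "__main__":
    print(resolve_ciphers("-*-cbc,aes128-ctr"))
```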
