We are using confd 8.0.6.
It seems it does not honor the configured ssh algorithms.
This is our ssh algorithm configuration in confd.conf:
/confdConfig/ssh/algorithms/kex = diffie-hellman-group14-sha256
/confdConfig/ssh/algorithms/mac = hmac-sha2-512
/confdConfig/ssh/algorithms/encryption = aes256-ctr
However, when I run “ssh -oKexAlgorithms=diffie-hellman-group14-sha1 admin@localhost”, it accepts the connection.
In ssh debug I see that confd publishes all possible ciphers and not what was configured:
debug2: KEX algorithms: ecdh-sha2-nistp384,ecdh-sha2-nistp521,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1
debug2: host key algorithms: ssh-ed25519,ssh-rsa
Is this a known issue or a misconfiguration?
Note:
This change was done while confd was running, and we called confd --reset.
However, I found out that if we restart confd it works as expected.
Is this expected? In previous releases, it was supported without restarting confd.
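One way to check from the client side whether the server's proposal matches the allowlist in confd.conf, as an added example that is not part of the original post or of confd: it parses saved `ssh -vv` output (a constructed, abridged sample is embedded) and reports every algorithm the server still advertises beyond the configured ones. The mapping of the confd.conf keys to the OpenSSH debug2 labels is an assumption made here.

```python
import re

# Constructed sample: the allowlist from confd.conf, as quoted in the post above.
CONFD_CONF = """
/confdConfig/ssh/algorithms/kex = diffie-hellman-group14-sha256
/confdConfig/ssh/algorithms/mac = hmac-sha2-512
/confdConfig/ssh/algorithms/encryption = aes256-ctr
"""

# Constructed, abridged sample of `ssh -vv admin@localhost 2>&1`. The client's own
# proposal comes first and must be skipped; only the peer server proposal matters.
SSH_DEBUG = """
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,diffie-hellman-group14-sha1
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes256-ctr
debug2: MACs ctos: umac-64-etm@openssh.com,hmac-sha2-512
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: diffie-hellman-group14-sha256,curve25519-sha256,diffie-hellman-group14-sha1
debug2: host key algorithms: ssh-ed25519,ssh-rsa
debug2: ciphers ctos: aes256-ctr,aes128-ctr
debug2: ciphers stoc: aes256-ctr,aes128-ctr
debug2: MACs ctos: hmac-sha2-512,hmac-sha1
debug2: MACs stoc: hmac-sha2-512,hmac-sha1
"""

# Assumed mapping from confd.conf algorithm keys to the OpenSSH debug2 labels
# of the matching KEXINIT field (server-to-client direction for ciphers/MACs).
FIELDS = {"kex": "KEX algorithms", "encryption": "ciphers stoc", "mac": "MACs stoc"}
SERVER_MARKER = "peer server KEXINIT proposal"

def parse_confd_allowlist(text):
    """Return {key: set(algorithms)} from the /confdConfig/ssh/algorithms/* lines."""
    return {m.group(1): set(m.group(2).split(","))
            for m in re.finditer(r"/confdConfig/ssh/algorithms/(\w+)\s*=\s*(\S+)", text)}

def parse_server_proposal(debug):
    """Return {label: set(algorithms)} from the peer server KEXINIT section only."""
    if SERVER_MARKER not in debug:
        return {}  # no server proposal captured (e.g. connection failed early)
    server = debug.split(SERVER_MARKER, 1)[1]
    return {m.group(1): set(m.group(2).split(","))
            for m in re.finditer(r"debug2: ([\w ]+): (\S+)", server)}

def unexpected_algorithms(confd_conf, ssh_debug):
    """Per configured key, the algorithms the server advertises beyond the allowlist."""
    allow = parse_confd_allowlist(confd_conf)
    offered = parse_server_proposal(ssh_debug)
    return {key: sorted(offered.get(label, set()) - allow[key])
            for key, label in FIELDS.items() if key in allow}

if __name__ == "__main__":
    for key, extra in unexpected_algorithms(CONFD_CONF, SSH_DEBUG).items():
        print(f"{key}: {'OK' if not extra else 'still offered: ' + ','.join(extra)}")
```

An empty list for every key means the server only offers what confd.conf configures; anything else points at the behaviour described in the post.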