On Fri, Sep 27, 2024 at 02:00:45PM +0300, Martin-Éric Racine wrote: > pe 27. syysk. 2024 klo 13.54 Colin Watson (cjwat...@debian.org) kirjoitti: > > On Wed, Sep 25, 2024 at 09:01:34AM +0300, Martin-Éric Racine wrote: > > > According to OpenSSH's feature list, ext-info-s and ext-info-c were > > > implemented starting with version 7.2 upstream. > > > > > > However, on the Debian port, ssh-audit doesn't report ext-info-c as > > > supported and it only started reporting ext-info-s around 9.8. Is > > > there any particular reason for disabling this? > > > > The Debian packaging of OpenSSH does not disable ext-info-c, and if we > > tried to do so then a bunch of things wouldn't work. > > > > It sounds as though ssh-audit is simply wrong here. I'm closing this > > bug as it's not an issue in OpenSSH, but you may want to reopen it and > > reassign it to ssh-audit if you think it appropriate to do so. > > See https://github.com/jtesta/ssh-audit/issues/291 > > You're welcome to engage with ssh-audit upstream if you disagree with > his assessment.
I looked into this more and updated the upstream issue in https://github.com/jtesta/ssh-audit/issues/291#issuecomment-2395525772. The short version is that the claim that Debian removed this feature is mistaken; rather, ext-info-s (as opposed to ext-info-c) was only added in OpenSSH 9.6. I'll get in touch with upstream to see if they can clarify their feature list. -- Colin Watson (he/him) [cjwat...@debian.org]
