sshd - specify different ciphers based on incoming host

According to man sshd_config, I can specify a list of supported ciphers for example:

Ciphers arcfour, 3des-cbc

The problem is that a client application running on one host does not support the same cipher as the remainder of the network.

Hence, is there any way to specify a cipher to use in all cases, but with a single host exception?


Solution 1:

The ciphers listed in the Ciphers directive should go by the first match, so put the cipher of the rogue client last in the list. The other clients in your network will negotiate the ciphers higher in the list first if able, and your rogue client should fall through to the weaker cipher.

Unfortunately, this will still allow other clients to use the weaker ciphers if set explicitly. You can't put a Ciphers directive inside a Match block, sadly. The other option I can think of is to run a different server on a different port for the odd-client-out and restrict access to the second instance of sshd to that host.

Solution 2:

From what I can see, the only option is to script around it using ForceCommand.

It shouldn't be too tricky using Match:

ForceCommand

Forces the execution of the command specified by ForceCommand, ignoring any command supplied by the client and ~/.ssh/rc if present. The command is invoked by using the user's login shell with the -c option. This applies to shell, command, or subsystem execution. It is most useful inside a Match block.

The above are from the man pages. I found more here: SSHD Gatekeeper Script

--edit--

The best I can muster is running a separate SSHD instance on another port and then adding -s to one of the redirect examples to catch only the application's IP and redirect it to the other instance configured with the right cipher: http://www.cyberciti.biz/faq/linux-port-redirection-with-iptables/
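As an added illustration (not code from either answer above), the following POSIX shell script builds the setup both solutions end up recommending: a second sshd instance on its own port whose config is the only place the weak cipher appears, locked to one account from one address, plus the iptables redirect that steers that host's port-22 traffic to it. It also includes a small audit function that flags a main sshd_config still listing the weak cipher. The address 192.0.2.10, port 2222, user appuser and the cipher 3des-cbc (taken from the question) are constructed placeholders, not values from the page.

```shell
#!/bin/sh
# Added example, not from the original answers. Constructed assumptions:
#   LEGACY_HOST   address of the one client that needs the weak cipher
#   LEGACY_PORT   port for the second, legacy-only sshd instance
#   LEGACY_CIPHER the cipher that client requires (3des-cbc, from the question)
#   LEGACY_USER   the only account that client is allowed to log in as
LEGACY_HOST=192.0.2.10
LEGACY_PORT=2222
LEGACY_CIPHER=3des-cbc
LEGACY_USER=appuser

write_legacy_config() {
    # $1 = file to write, $2 = client address, $3 = port, $4 = cipher, $5 = user
    # Produces the sshd_config for the legacy-only instance, started with:
    #   sshd -f "$1"
    cat > "$1" <<EOF
# Legacy-only sshd instance; the main instance never lists this cipher.
Port $3
PidFile /run/sshd-legacy.pid
Ciphers $4
# Exactly one account from exactly one address; everything else is refused.
AllowUsers $5@$2
PasswordAuthentication no
X11Forwarding no
AllowTcpForwarding no
EOF
}

config_has() {
    # $1 = config file, $2 = exact directive line; returns 0 if present
    grep -qx "$2" "$1"
}

main_config_lists_cipher() {
    # $1 = main sshd_config, $2 = cipher name.
    # Returns 0 if an uncommented Ciphers line offers that cipher, i.e. the
    # main instance would still accept it from any client that asks for it.
    # Tolerates "Ciphers a, b" (space after comma) as well as "Ciphers a,b".
    awk -v c="$2" '
        tolower($1) == "ciphers" {
            s = ""
            for (i = 2; i <= NF; i++) s = s $i
            n = split(s, a, ",")
            for (i = 1; i <= n; i++) if (a[i] == c) found = 1
        }
        END { exit (found ? 0 : 1) }' "$1"
}

legacy_redirect_rules() {
    # $1 = client address, $2 = legacy port. Prints (does not run) the rules:
    # redirect that host's port-22 traffic to the legacy instance, then allow
    # only that host to reach the legacy port at all.
    cat <<EOF
iptables -t nat -A PREROUTING -s $1 -p tcp --dport 22 -j REDIRECT --to-port $2
iptables -A INPUT -s $1 -p tcp --dport $2 -j ACCEPT
iptables -A INPUT -p tcp --dport $2 -j DROP
EOF
}

# Demo: write the legacy config to a temp dir and, if sshd is installed,
# syntax-check it with sshd -t (parses the file without starting a daemon).
tmpdir=$(mktemp -d)
write_legacy_config "$tmpdir/sshd_config_legacy" "$LEGACY_HOST" "$LEGACY_PORT" \
    "$LEGACY_CIPHER" "$LEGACY_USER"
if command -v sshd >/dev/null 2>&1; then
    sshd -t -f "$tmpdir/sshd_config_legacy" || echo "legacy config check failed"
fi
legacy_redirect_rules "$LEGACY_HOST" "$LEGACY_PORT"
```

Running the second instance only pushes the weak cipher out of the main daemon's offer list; the AllowUsers user@host restriction and the INPUT rules are what keep other clients from simply connecting to the legacy port and asking for it. Run main_config_lists_cipher against the production sshd_config after the change to confirm the cipher really is gone from the main instance.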