summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authordjm@openbsd.org <djm@openbsd.org>2021-08-12 23:59:25 +0000
committerDamien Miller <djm@mindrot.org>2021-08-13 10:01:15 +1000
commitdcce2a2bcf007bf817a2fb0dce3db83fa9201e92 (patch)
tree13257d82aa4d1e5cd175743f941085ac849e4088
parent090a82486e5d7a8f7f16613d67e66a673a40367f (diff)
upstream: mention that CASignatureAlgorithms accepts +/- similarly to
the other algorithm list directives; ok jmc bz#3335 OpenBSD-Commit-ID: 0d46b53995817052c78e2dce9dbd133963b073d9
-rw-r--r--ssh_config.519
-rw-r--r--sshd_config.519
2 files changed, 30 insertions, 8 deletions
diff --git a/ssh_config.5 b/ssh_config.5
index 199fd608..cd0eea86 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -33,8 +33,8 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: ssh_config.5,v 1.361 2021/08/06 05:04:42 dtucker Exp $
-.Dd $Mdocdate: August 6 2021 $
+.\" $OpenBSD: ssh_config.5,v 1.362 2021/08/12 23:59:25 djm Exp $
+.Dd $Mdocdate: August 12 2021 $
.Dt SSH_CONFIG 5
.Os
.Sh NAME
@@ -377,11 +377,22 @@ Specifies which algorithms are allowed for signing of certificates
by certificate authorities (CAs).
The default is:
.Bd -literal -offset indent
-ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
-sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,
+ssh-ed25519,ecdsa-sha2-nistp256,
+ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
+sk-ssh-ed25519@openssh.com,
+sk-ecdsa-sha2-nistp256@openssh.com,
rsa-sha2-512,rsa-sha2-256
.Ed
.Pp
+If the specified list begins with a
+.Sq +
+character, then the specified algorithms will be appended to the default set
+instead of replacing them.
+If the specified list begins with a
+.Sq -
+character, then the specified algorithms (including wildcards) will be removed
+from the default set instead of replacing them.
+.Pp
.Xr ssh 1
will not accept host certificates signed using algorithms other than those
specified.
diff --git a/sshd_config.5 b/sshd_config.5
index a33280e1..69d55206 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,8 +33,8 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: sshd_config.5,v 1.333 2021/07/27 14:28:46 jmc Exp $
-.Dd $Mdocdate: July 27 2021 $
+.\" $OpenBSD: sshd_config.5,v 1.334 2021/08/12 23:59:25 djm Exp $
+.Dd $Mdocdate: August 12 2021 $
.Dt SSHD_CONFIG 5
.Os
.Sh NAME
@@ -377,11 +377,22 @@ Specifies which algorithms are allowed for signing of certificates
by certificate authorities (CAs).
The default is:
.Bd -literal -offset indent
-ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
-sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,
+ssh-ed25519,ecdsa-sha2-nistp256,
+ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
+sk-ssh-ed25519@openssh.com,
+sk-ecdsa-sha2-nistp256@openssh.com,
rsa-sha2-512,rsa-sha2-256
.Ed
.Pp
+If the specified list begins with a
+.Sq +
+character, then the specified algorithms will be appended to the default set
+instead of replacing them.
+If the specified list begins with a
+.Sq -
+character, then the specified algorithms (including wildcards) will be removed
+from the default set instead of replacing them.
+.Pp
Certificates signed using other algorithms will not be accepted for
public key or host-based authentication.
.It Cm ChrootDirectory