path: root/myproposal.h
AgeCommit message (Collapse)Author
2021-08-30upstream: After years of forewarning, disable the RSA/
signature algorithm by default. It is feasible to create colliding SHA1 hashes, so we need to deprecate its use. RSA/SHA-256/512 remains available and will be transparently selected instead of RSA/SHA1 for most SSH servers released in the last five+ years. There is no need to regenerate RSA keys. The use of RSA/SHA1 can be re-enabled by adding "ssh-rsa" to the PubkeyAcceptedAlgorithms directives on the client and server. ok dtucker deraadt OpenBSD-Commit-ID: 189bcc4789c7254e09e23734bdd5def8354ff1d5
2020-10-03upstream: prefer ed25519 signature algorithm variants to ECDSA;
markus@ OpenBSD-Commit-ID: 82187926fca96d35a5b5afbc091afa84e0966e5b
2020-01-25upstream: remove ssh-rsa (SHA1) from the list of allowed
signature algorithms ok markus OpenBSD-Commit-ID: da3481fca8c81e6951f319a86b7be67502237f57
2020-01-23upstream: Remove unsupported algorithms from list of defaults at
time and remove ifdef and distinct settings for OPENSSL=no case. This will make things much simpler for -portable where the exact set of algos depends on the configuration of both OpenSSH and the libcrypto it's linked against (if any). ok djm@ OpenBSD-Commit-ID: e0116d0183dcafc7a9c40ba5fe9127805c5dfdd2
2020-01-22upstream: remove diffie-hellman-group14-sha1 from default kex
see what happens. general mostly ok OpenBSD-Commit-ID: 216b7b8462d2ef5f4531f26cb2cb839b2153dad9
2019-12-20upstream: sort sk-* methods behind their plain key methods
for now OpenBSD-Commit-ID: c97e22c2b28c0d12ee389b8b4ef5f2ada7908828
2019-12-16upstream: allow security keys to act as host keys as well as
keys. Previously we didn't do this because we didn't want to expose the attack surface presented by USB and FIDO protocol handling, but now that this is insulated behind ssh-sk-helper there is less risk. ok markus@ OpenBSD-Commit-ID: 77b068dd133b8d87e0f010987bd5131e640ee64c
2019-12-11upstream: add security key types to list of keys allowed to act
CAs; spotted by Ron Frederick OpenBSD-Commit-ID: 9bb0dfff927b4f7aa70679f983f84c69d45656c3
2019-11-19remove all EC algs from proposals, no just sk onesDamien Miller
ok dtucker@
2019-11-18filter PUBKEY_DEFAULT_PK_ALG for ECC algorithmsDamien Miller
Remove ECC algorithms from the PUBKEY_DEFAULT_PK_ALG list when compiling without ECC support in libcrypto.
2019-11-13upstream: enable ed25519 support; ok
OpenBSD-Commit-ID: 1a399c5b3ef15bd8efb916110cf5a9e0b554ab7e
2019-11-01upstream: remove duplicate PUBKEY_DEFAULT_PK_ALG on !WITH_OPENSSL
OpenBSD-Commit-ID: 95a7cafad2a4665d57cabacc28031fabc0bea9fc
2019-11-01upstream: Separate myproposal.h userauth pubkey
U2F/FIDO keys are not supported for host authentication, so we need a separate list for user keys. feedback & ok markus@ OpenBSD-Commit-ID: 7fe2e6ab85f9f2338866e5af8ca2d312abbf0429
2019-10-28Wrap OpenSSL bits in WITH_OPENSSL.Darren Tucker
2019-05-17Use the correct macro for SSH_ALLOWED_CA_SIGALGS.Darren Tucker
2019-05-17Conditionalize ECDH methods in CA algos.Darren Tucker
When building against an OpenSSL configured without ECC, don't include those algos in CASignatureAlgorithms. ok djm@
2019-02-24upstream: openssh-7.9 accidentally reused the server's algorithm
in the client for KEX, ciphers and MACs. The ciphers and MACs were identical between the client and server, but the error accidentially disabled the diffie-hellman-group-exchange-sha1 KEX method. This fixes the client code to use the correct method list, but because nobody complained, it also disables the diffie-hellman-group-exchange-sha1 KEX method. Reported by nuxi AT via bz#2697; ok dtucker OpenBSD-Commit-ID: e30c33a23c10fd536fefa120e86af1842e33fd57
2018-09-12upstream: add SSH_ALLOWED_CA_SIGALGS - the default list
signature algorithms that are allowed for CA signatures. Notably excludes ssh-dsa. ok markus@ OpenBSD-Commit-ID: 1628e4181dc8ab71909378eafe5d06159a22deb4
2018-07-03upstream: Improve strictness and control over RSA-SHA2
In ssh, when an agent fails to return a RSA-SHA2 signature when requested and falls back to RSA-SHA1 instead, retry the signature to ensure that the public key algorithm sent in the SSH_MSG_USERAUTH matches the one in the signature itself. In sshd, strictly enforce that the public key algorithm sent in the SSH_MSG_USERAUTH message matches what appears in the signature. Make the sshd_config PubkeyAcceptedKeyTypes and HostbasedAcceptedKeyTypes options control accepted signature algorithms (previously they selected supported key types). This allows these options to ban RSA-SHA1 in favour of RSA-SHA2. Add new signature algorithms "" and "" to force use of RSA-SHA2 signatures with certificate keys. feedback and ok markus@ OpenBSD-Commit-ID: c6e9f6d45eed8962ad502d315d7eaef32c419dde
Don't offer CBC ciphers by default in the client. ok markus@ Upstream-ID: 94c9ce8d0d1a085052e11c7f3307950fdc0901ef
Remove support for pre-authentication compression. Doing compression early in the protocol probably seemed reasonable in the 1990s, but today it's clearly a bad idea in terms of both cryptography (cf. multiple compression oracle attacks in TLS) and attack surface. Moreover, to support it across privilege-separation zlib needed the assistance of a complex shared-memory manager that made the required attack surface considerably larger. Prompted by Guido Vranken pointing out a compiler-elided security check in the shared memory manager found by Stack (; ok deraadt@ markus@ NB. pre-auth authentication has been disabled by default in sshd for >10 years. Upstream-ID: 32af9771788d45a0779693b41d06ec199d849caf
support plain curve25519-sha256 KEX algorithm now that it is approaching standardisation (same algorithm is currently supported as Upstream-ID: 5e2b6db2e72667048cf426da43c0ee3fc777baa2
remove 3des-cbc from the client's default proposal; 64-bit block ciphers are not safe in 2016 and we don't want to wait until attacks like sweet32 are extended to SSH. As 3des-cbc was the only mandatory cipher in the SSH RFCs, this may cause problems connecting to older devices using the defaults, but it's highly likely that such devices already need explicit configuration for KEX and hostkeys anyway. ok deraadt, markus, dtucker Upstream-ID: a505dfe65c6733af0f751b64cbc4bb7e0761bc2f
add support for additional fixed DH groups from draft-ietf-curdle-ssh-kex-sha2-03 diffie-hellman-group14-sha256 (2K group) diffie-hellman-group16-sha512 (4K group) diffie-hellman-group18-sha512 (8K group) based on patch from Mark D. Baushke and Darren Tucker ok markus@ Upstream-ID: ac00406ada4f0dfec41585ca0839f039545bc46f
turn off more old crypto in the client: hmac-md5, ripemd, truncated HMACs, RC4, blowfish. ok markus@ dtucker@ Upstream-ID: 96aa11c2c082be45267a690c12f1d2aae6acd46e
prefer rsa-sha2-512 over -256 for hostkeys, too; noticed by naddy@ Upstream-ID: 685f55f7ec566a8caca587750672723a0faf3ffe
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@ Upstream-ID: cf82ce532b2733e5c4b34bb7b7c94835632db309
Turn off DSA by default; add HostKeyAlgorithms to the server and PubkeyAcceptedKeyTypes to the client side, so it still can be tested or turned back on; feedback and ok djm@ Upstream-ID: 8450a9e6d83f80c9bfed864ff061dfc9323cec21
turn off 1024 bit diffie-hellman-group1-sha1 key exchange method (already off in server, this turns it off in the client by default too) ok dtucker@ Upstream-ID: f59b88f449210ab7acf7d9d88f20f1daee97a4fa
delete support for legacy v00 certificates; "sure" markus@ dtucker@ Upstream-ID: b5b9bb5f9202d09e88f912989d74928601b6636f
2015-05-29fix merge botch that left ",," in KEX algsDamien Miller
Reorder client proposal to prefer diffie-hellman-group-exchange-sha1 over diffie-hellman-group14-sha1. ok djm@ Upstream-ID: 552c08d47347c3ee1a9a57d88441ab50abe17058
Add back a backslash removed in rev 1.42 so KEX_SERVER_ENCRYPT will include aes again. ok deraadt@
promote to be the default cipher; ok markus
2014-08-19 - (djm) [myproposal.h] Make curve25519 KEX dependent onDamien Miller
2014-07-17 - 2014/07/11 13:54:34Damien Miller
[myproposal.h] by popular demand, add back hamc-sha1 to server proposal for better compat with many clients still in use. ok deraadt
2014-06-11 - (dtucker) [myprosal.h] Don't include inDarren Tucker
the proposal if the version of OpenSSL we're using doesn't support ECC.
2014-05-15 - 2014/04/30 19:07:48Damien Miller
[mac.c myproposal.h umac.c] UMAC can use our local fallback implementation of AES when OpenSSL isn't available. Glue code straight from Ted Krovetz's original umac.c. ok markus@
2014-05-15 - 2014/04/29 18:01:49Damien Miller
[auth.c authfd.c authfile.c bufaux.c cipher.c cipher.h hostfile.c] [kex.c key.c mac.c monitor.c monitor_wrap.c myproposal.h packet.c] [roaming_client.c ssh-agent.c ssh-keygen.c ssh-keyscan.c ssh-keysign.c] [ssh-pkcs11.h ssh.c sshconnect.c sshconnect2.c sshd.c] make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
2014-04-20Three commits in one (since they touch the same heavily-diverged fileDamien Miller
repeatedly): - 2014/03/25 09:40:03 [myproposal.h] trimm default proposals. This commit removes the weaker pre-SHA2 hashes, the broken ciphers (arcfour), and the broken modes (CBC) from the default configuration (the patch only changes the default, all the modes are still available for the config files). ok djm@, reminded by tedu@ & naddy@ and discussed with many - 2014/03/26 17:16:26 [myproposal.h] The current sharing of myproposal[] between both client and server code makes the previous diff highly unpallatable. We want to go in that direction for the server, but not for the client. Sigh. Brought up by naddy. - 2014/03/27 23:01:27 [myproposal.h ssh-keyscan.c sshconnect2.c sshd.c] disable weak proposals in sshd, but keep them in ssh; ok djm@
2013-12-07 - 2013/12/06 13:39:49Damien Miller
[authfd.c authfile.c key.c key.h myproposal.h pathnames.h readconf.c] [servconf.c ssh-agent.c ssh-keygen.c ssh-keyscan.1 ssh-keyscan.c] [ssh-keysign.c ssh.c ssh_config.5 sshd.8 sshd.c verify.c ssh-ed25519.c] [sc25519.h sc25519.c hash.c ge25519.h ge25519.c] [fe25519.h fe25519.c ed25519.c crypto_api.h blocks.c] support ed25519 keys (hostkeys and user identities) using the public domain ed25519 reference code from SUPERCOP, see feedback, help & ok djm@
2013-11-21 - 2013/11/21 00:45:44Damien Miller
[ PROTOCOL PROTOCOL.chacha20poly1305 authfile.c chacha.c] [chacha.h cipher-chachapoly.c cipher-chachapoly.h cipher.c cipher.h] [dh.c myproposal.h packet.c poly1305.c poly1305.h servconf.c ssh.1] [ssh.c ssh_config.5 sshd_config.5] Add a new protocol 2 transport cipher "" that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC to build an authenticated encryption mode. Inspired by and similar to Adam Langley's proposal for TLS: but differs in layout used for the MAC calculation and the use of a second ChaCha20 instance to separately encrypt packet lengths. Details are in the PROTOCOL.chacha20poly1305 file. Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC ok markus@ naddy@
2013-11-09 - (dtucker) [ kex.c key.c myproposal.h] Test for the presence ofDarren Tucker
NID_X9_62_prime256v1, NID_secp384r1 and NID_secp521r1 and test that the latter actually works before using it. Fedora (at least) has NID_secp521r1 that doesn't work (see
2013-11-08 - (dtucker) [myproposal.h] Conditionally enable CURVE25519_SHA256.Darren Tucker
2013-11-04 - 2013/11/02 21:59:15Damien Miller
[kex.c kex.h myproposal.h ssh-keyscan.c sshconnect2.c sshd.c] use curve25519 for default key exchange (; initial patch from Aris Adamantiadis; ok djm@
2013-06-11 - (dtucker) [myproposal.h] Make the conditional algorithm support consistentDarren Tucker
and add some comments so it's clear what goes where.
2013-06-11 - (dtucker) [myproposal.h] Do not advertise AES GSM ciphers if we don't haveDarren Tucker
the required OpenSSL support. Patch from naddy at freebsd.
2013-06-05 - (dtucker) Enable sha256 kex methods based on the presence of the necessaryDarren Tucker
functions, not from the openssl version.
2013-01-09 - 2013/01/08 18:49:04Damien Miller
[PROTOCOL authfile.c cipher.c cipher.h kex.c kex.h monitor_wrap.c] [myproposal.h packet.c ssh_config.5 sshd_config.5] support AES-GCM as defined in RFC 5647 (but with simpler KEX handling) ok and feedback djm@
2012-12-12 - 2012/12/11 22:31:18Damien Miller
[PROTOCOL authfile.c cipher.c cipher.h kex.h mac.c myproposal.h] [packet.c ssh_config.5 sshd_config.5] add encrypt-then-mac (EtM) modes to openssh by defining new mac algorithms that change the packet format and compute the MAC over the encrypted message (including the packet size) instead of the plaintext data; these EtM modes are considered more secure and used by default. feedback and ok djm@