diff --git a/ssh-keygen.1 b/ssh-keygen.1
index f29774249..673bf6e2f 100644
--- a/ssh-keygen.1
+++ b/ssh-keygen.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ssh-keygen.1,v 1.158 2019/04/19 05:47:44 dtucker Exp $
+.\" $OpenBSD: ssh-keygen.1,v 1.159 2019/05/20 00:20:35 djm Exp $
 .\"
 .\" Author: Tatu Ylonen 
 .\" Copyright (c) 1995 Tatu Ylonen , Espoo, Finland
@@ -35,7 +35,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: April 19 2019 $
+.Dd $Mdocdate: May 20 2019 $
 .Dt SSH-KEYGEN 1
 .Os
 .Sh NAME
@@ -577,6 +577,15 @@ The possible values are
 .Dq ed25519 ,
 or
 .Dq rsa .
+.Pp
+This flag may also be used to specify the desired signature type when
+signing certificates using a RSA CA key.
+The available RSA signature variants are
+.Dq ssh-rsa
+(SHA1 signatures, not recommended),
+.Dq rsa-sha2-256
+.Dq rsa-sha2-512
+(the default).
 .It Fl U
 When used in combination with
 .Fl s ,
diff --git a/sshkey.c b/sshkey.c
index 9849cb237..379a579cf 100644
--- a/sshkey.c
+++ b/sshkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshkey.c,v 1.74 2019/05/03 03:25:18 dtucker Exp $ */
+/* $OpenBSD: sshkey.c,v 1.75 2019/05/20 00:20:35 djm Exp $ */
 /*
 * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
 * Copyright (c) 2008 Alexander von Gernler. All rights reserved.
@@ -2528,6 +2528,13 @@ sshkey_certify_custom(struct sshkey *k, struct sshkey *ca, const char *alg,
 strcmp(alg, k->cert->signature_type) != 0)
 return SSH_ERR_INVALID_ARGUMENT;
 
+ /*
+ * If no signing algorithm or signature_type was specified and we're
+ * using a RSA key, then default to a good signature algorithm.
+ */
+ if (alg == NULL && ca->type == KEY_RSA)
+ alg = "rsa-sha2-512";
+
 if ((ret = sshkey_to_blob(ca, &ca_blob, &ca_len)) != 0)
 return SSH_ERR_KEY_CERT_INVALID_SIGN_KEY;