upstream: When signing certificates with an RSA key, default to

using the rsa-sha2-512 signature algorithm. Certificates signed by RSA keys
will therefore be incompatible with OpenSSH < 7.2 unless the default is
overridden.

Document the ability of the ssh-keygen -t flag to override the
signature algorithm when signing certificates, and the new default.

ok deraadt@

OpenBSD-Commit-ID: 400c9c15013978204c2cb80f294b03ae4cfc8b95
djm@openbsd.org 2019-05-20 00:20:35 +00:00 committed by Damien Miller
parent 606077ee1e
commit 476e3551b2
2 changed files with 19 additions and 3 deletions


@ -1,4 +1,4 @@
.\" $OpenBSD: ssh-keygen.1,v 1.158 2019/04/19 05:47:44 dtucker Exp $ .\" $OpenBSD: ssh-keygen.1,v 1.159 2019/05/20 00:20:35 djm Exp $
.\" .\"
.\" Author: Tatu Ylonen <ylo@cs.hut.fi> .\" Author: Tatu Ylonen <ylo@cs.hut.fi>
.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -35,7 +35,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\" .\"
.Dd $Mdocdate: April 19 2019 $ .Dd $Mdocdate: May 20 2019 $
.Dt SSH-KEYGEN 1 .Dt SSH-KEYGEN 1
.Os .Os
.Sh NAME .Sh NAME
@ -577,6 +577,15 @@ The possible values are
.Dq ed25519 , .Dq ed25519 ,
or or
.Dq rsa . .Dq rsa .
.Pp
This flag may also be used to specify the desired signature type when
signing certificates using a RSA CA key.
The available RSA signature variants are
.Dq ssh-rsa
(SHA1 signatures, not recommended),
.Dq rsa-sha2-256
.Dq rsa-sha2-512
(the default).
.It Fl U .It Fl U
When used in combination with When used in combination with
.Fl s , .Fl s ,
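Review bot: In the added list of RSA signature variants, `.Dq rsa-sha2-256` carries no trailing punctuation, so the rendered text runs "rsa-sha2-256" directly into "rsa-sha2-512" with nothing separating the two. Suggest `.Dq rsa-sha2-256 ,` followed by an "and" line before `.Dq rsa-sha2-512`, mirroring the `.Dq ed25519 ,` / "or" pattern in the key-type list just above. "a RSA CA key" should also read "an RSA CA key". Since the commit message notes that certificates signed with the new default are incompatible with OpenSSH < 7.2 unless overridden, that compatibility consequence would be worth stating in this paragraph, next to "(the default)".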


@ -1,4 +1,4 @@
/* $OpenBSD: sshkey.c,v 1.74 2019/05/03 03:25:18 dtucker Exp $ */ /* $OpenBSD: sshkey.c,v 1.75 2019/05/20 00:20:35 djm Exp $ */
/* /*
* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
* Copyright (c) 2008 Alexander von Gernler. All rights reserved. * Copyright (c) 2008 Alexander von Gernler. All rights reserved.
@ -2528,6 +2528,13 @@ sshkey_certify_custom(struct sshkey *k, struct sshkey *ca, const char *alg,
strcmp(alg, k->cert->signature_type) != 0) strcmp(alg, k->cert->signature_type) != 0)
return SSH_ERR_INVALID_ARGUMENT; return SSH_ERR_INVALID_ARGUMENT;
/*
* If no signing algorithm or signature_type was specified and we're
* using a RSA key, then default to a good signature algorithm.
*/
if (alg == NULL && ca->type == KEY_RSA)
alg = "rsa-sha2-512";
if ((ret = sshkey_to_blob(ca, &ca_blob, &ca_len)) != 0) if ((ret = sshkey_to_blob(ca, &ca_blob, &ca_len)) != 0)
return SSH_ERR_KEY_CERT_INVALID_SIGN_KEY; return SSH_ERR_KEY_CERT_INVALID_SIGN_KEY;
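Review bot: The added comment says the default applies when "no signing algorithm or signature_type was specified", but the condition `if (alg == NULL && ca->type == KEY_RSA)` tests only `alg`, and nothing in the visible context shows that `alg == NULL` at this point also implies `k->cert->signature_type` is unset. Either check `k->cert->signature_type == NULL` explicitly here or reword the comment to say that `alg` already reflects any signature_type by the time this line runs, so the invariant is visible to the next person editing this function. Minor points: "a RSA key" should be "an RSA key", and "a good signature algorithm" would be clearer if it named the reason (avoiding SHA1 `ssh-rsa` signatures), matching the wording added to ssh-keygen.1.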