From dcce2a2bcf007bf817a2fb0dce3db83fa9201e92 Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Thu, 12 Aug 2021 23:59:25 +0000 Subject: [PATCH] upstream: mention that CASignatureAlgorithms accepts +/- similarly to the other algorithm list directives; ok jmc bz#3335 OpenBSD-Commit-ID: 0d46b53995817052c78e2dce9dbd133963b073d9 --- ssh_config.5 | 19 +++++++++++++++---- sshd_config.5 | 19 +++++++++++++++---- 2 files changed, 30 insertions(+), 8 deletions(-) diff --git a/ssh_config.5 b/ssh_config.5 index 199fd6088..cd0eea867 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.361 2021/08/06 05:04:42 dtucker Exp $ -.Dd $Mdocdate: August 6 2021 $ +.\" $OpenBSD: ssh_config.5,v 1.362 2021/08/12 23:59:25 djm Exp $ +.Dd $Mdocdate: August 12 2021 $ .Dt SSH_CONFIG 5 .Os .Sh NAME @@ -377,11 +377,22 @@ Specifies which algorithms are allowed for signing of certificates by certificate authorities (CAs). The default is: .Bd -literal -offset indent -ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, -sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com, +ssh-ed25519,ecdsa-sha2-nistp256, +ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, +sk-ssh-ed25519@openssh.com, +sk-ecdsa-sha2-nistp256@openssh.com, rsa-sha2-512,rsa-sha2-256 .Ed .Pp +If the specified list begins with a +.Sq + +character, then the specified algorithms will be appended to the default set +instead of replacing them. +If the specified list begins with a +.Sq - +character, then the specified algorithms (including wildcards) will be removed +from the default set instead of replacing them. +.Pp .Xr ssh 1 will not accept host certificates signed using algorithms other than those specified. diff --git a/sshd_config.5 b/sshd_config.5 index a33280e1c..69d55206a 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.333 2021/07/27 14:28:46 jmc Exp $ -.Dd $Mdocdate: July 27 2021 $ +.\" $OpenBSD: sshd_config.5,v 1.334 2021/08/12 23:59:25 djm Exp $ +.Dd $Mdocdate: August 12 2021 $ .Dt SSHD_CONFIG 5 .Os .Sh NAME @@ -377,11 +377,22 @@ Specifies which algorithms are allowed for signing of certificates by certificate authorities (CAs). The default is: .Bd -literal -offset indent -ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, -sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com, +ssh-ed25519,ecdsa-sha2-nistp256, +ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, +sk-ssh-ed25519@openssh.com, +sk-ecdsa-sha2-nistp256@openssh.com, rsa-sha2-512,rsa-sha2-256 .Ed .Pp +If the specified list begins with a +.Sq + +character, then the specified algorithms will be appended to the default set +instead of replacing them. +If the specified list begins with a +.Sq - +character, then the specified algorithms (including wildcards) will be removed +from the default set instead of replacing them. +.Pp Certificates signed using other algorithms will not be accepted for public key or host-based authentication. .It Cm ChrootDirectory