diff options
| author | djm@openbsd.org <djm@openbsd.org> | 2021-08-12 23:59:25 +0000 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2021-08-13 10:01:15 +1000 |
| commit | dcce2a2bcf007bf817a2fb0dce3db83fa9201e92 (patch) | |
| tree | 13257d82aa4d1e5cd175743f941085ac849e4088 | |
| parent | 090a82486e5d7a8f7f16613d67e66a673a40367f (diff) | |
upstream: mention that CASignatureAlgorithms accepts +/- similarly to
the other algorithm list directives; ok jmc bz#3335
OpenBSD-Commit-ID: 0d46b53995817052c78e2dce9dbd133963b073d9
| -rw-r--r-- | ssh_config.5 | 19 | ||||
| -rw-r--r-- | sshd_config.5 | 19 |
2 files changed, 30 insertions, 8 deletions
diff --git a/ssh_config.5 b/ssh_config.5 index 199fd608..cd0eea86 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.361 2021/08/06 05:04:42 dtucker Exp $ -.Dd $Mdocdate: August 6 2021 $ +.\" $OpenBSD: ssh_config.5,v 1.362 2021/08/12 23:59:25 djm Exp $ +.Dd $Mdocdate: August 12 2021 $ .Dt SSH_CONFIG 5 .Os .Sh NAME @@ -377,11 +377,22 @@ Specifies which algorithms are allowed for signing of certificates by certificate authorities (CAs). The default is: .Bd -literal -offset indent -ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, -sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com, +ssh-ed25519,ecdsa-sha2-nistp256, +ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, +sk-ssh-ed25519@openssh.com, +sk-ecdsa-sha2-nistp256@openssh.com, rsa-sha2-512,rsa-sha2-256 .Ed .Pp +If the specified list begins with a +.Sq + +character, then the specified algorithms will be appended to the default set +instead of replacing them. +If the specified list begins with a +.Sq - +character, then the specified algorithms (including wildcards) will be removed +from the default set instead of replacing them. +.Pp .Xr ssh 1 will not accept host certificates signed using algorithms other than those specified. diff --git a/sshd_config.5 b/sshd_config.5 index a33280e1..69d55206 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.333 2021/07/27 14:28:46 jmc Exp $ -.Dd $Mdocdate: July 27 2021 $ +.\" $OpenBSD: sshd_config.5,v 1.334 2021/08/12 23:59:25 djm Exp $ +.Dd $Mdocdate: August 12 2021 $ .Dt SSHD_CONFIG 5 .Os .Sh NAME @@ -377,11 +377,22 @@ Specifies which algorithms are allowed for signing of certificates by certificate authorities (CAs). The default is: .Bd -literal -offset indent -ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, -sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com, +ssh-ed25519,ecdsa-sha2-nistp256, +ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, +sk-ssh-ed25519@openssh.com, +sk-ecdsa-sha2-nistp256@openssh.com, rsa-sha2-512,rsa-sha2-256 .Ed .Pp +If the specified list begins with a +.Sq + +character, then the specified algorithms will be appended to the default set +instead of replacing them. +If the specified list begins with a +.Sq - +character, then the specified algorithms (including wildcards) will be removed +from the default set instead of replacing them. +.Pp Certificates signed using other algorithms will not be accepted for public key or host-based authentication. .It Cm ChrootDirectory |