diff options
author | djm@openbsd.org <djm@openbsd.org> | 2020-10-03 04:15:06 +0000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2020-10-03 14:34:06 +1000 |
commit | 12ae8f95e2e0c273e9e7ef930b01a028ef796a3f (patch) | |
tree | 20cae31190eb33e9000e178f99824c3340c07e4c | |
parent | e5ed753add7aa8eed6b167e44db6240a76404db2 (diff) |
upstream: prefer ed25519 signature algorithm variants to ECDSA; ok
markus@
OpenBSD-Commit-ID: 82187926fca96d35a5b5afbc091afa84e0966e5b
-rw-r--r-- | myproposal.h | 14 | ||||
-rw-r--r-- | ssh_config.5 | 29 | ||||
-rw-r--r-- | sshd_config.5 | 29 |
3 files changed, 39 insertions, 33 deletions
diff --git a/myproposal.h b/myproposal.h index 5312e605..f03b7dfd 100644 --- a/myproposal.h +++ b/myproposal.h @@ -1,4 +1,4 @@ -/* $OpenBSD: myproposal.h,v 1.67 2020/01/24 00:28:57 djm Exp $ */ +/* $OpenBSD: myproposal.h,v 1.68 2020/10/03 04:15:06 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. @@ -38,21 +38,21 @@ #define KEX_CLIENT_KEX KEX_SERVER_KEX #define KEX_DEFAULT_PK_ALG \ + "ssh-ed25519-cert-v01@openssh.com," \ "ecdsa-sha2-nistp256-cert-v01@openssh.com," \ "ecdsa-sha2-nistp384-cert-v01@openssh.com," \ "ecdsa-sha2-nistp521-cert-v01@openssh.com," \ - "sk-ecdsa-sha2-nistp256-cert-v01@openssh.com," \ - "ssh-ed25519-cert-v01@openssh.com," \ "sk-ssh-ed25519-cert-v01@openssh.com," \ + "sk-ecdsa-sha2-nistp256-cert-v01@openssh.com," \ "rsa-sha2-512-cert-v01@openssh.com," \ "rsa-sha2-256-cert-v01@openssh.com," \ "ssh-rsa-cert-v01@openssh.com," \ + "ssh-ed25519," \ "ecdsa-sha2-nistp256," \ "ecdsa-sha2-nistp384," \ "ecdsa-sha2-nistp521," \ - "sk-ecdsa-sha2-nistp256@openssh.com," \ - "ssh-ed25519," \ "sk-ssh-ed25519@openssh.com," \ + "sk-ecdsa-sha2-nistp256@openssh.com," \ "rsa-sha2-512," \ "rsa-sha2-256," \ "ssh-rsa" @@ -80,12 +80,12 @@ /* Not a KEX value, but here so all the algorithm defaults are together */ #define SSH_ALLOWED_CA_SIGALGS \ + "ssh-ed25519," \ "ecdsa-sha2-nistp256," \ "ecdsa-sha2-nistp384," \ "ecdsa-sha2-nistp521," \ - "sk-ecdsa-sha2-nistp256@openssh.com," \ - "ssh-ed25519," \ "sk-ssh-ed25519@openssh.com," \ + "sk-ecdsa-sha2-nistp256@openssh.com," \ "rsa-sha2-512," \ "rsa-sha2-256" diff --git a/ssh_config.5 b/ssh_config.5 index 6be1f1aa..e769493a 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.332 2020/08/11 09:49:57 djm Exp $ -.Dd $Mdocdate: August 11 2020 $ +.\" $OpenBSD: ssh_config.5,v 1.333 2020/10/03 04:15:06 djm Exp $ +.Dd $Mdocdate: October 3 2020 $ .Dt SSH_CONFIG 5 .Os .Sh NAME @@ -372,8 +372,8 @@ Specifies which algorithms are allowed for signing of certificates by certificate authorities (CAs). The default is: .Bd -literal -offset indent -ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, -ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa +ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384, +ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256,ssh-rsa .Ed .Pp .Xr ssh 1 @@ -825,18 +825,19 @@ character, then the specified key types will be placed at the head of the default set. The default for this option is: .Bd -literal -offset 3n +ssh-ed25519-cert-v01@openssh.com, ecdsa-sha2-nistp256-cert-v01@openssh.com, ecdsa-sha2-nistp384-cert-v01@openssh.com, ecdsa-sha2-nistp521-cert-v01@openssh.com, -sk-ecdsa-sha2-nistp256-cert-v01@openssh.com, -ssh-ed25519-cert-v01@openssh.com, sk-ssh-ed25519-cert-v01@openssh.com, +sk-ecdsa-sha2-nistp256-cert-v01@openssh.com, rsa-sha2-512-cert-v01@openssh.com, rsa-sha2-256-cert-v01@openssh.com, ssh-rsa-cert-v01@openssh.com, +ssh-ed25519, ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, +sk-ssh-ed25519@openssh.com, sk-ecdsa-sha2-nistp256@openssh.com, -ssh-ed25519,sk-ssh-ed25519@openssh.com, rsa-sha2-512,rsa-sha2-256,ssh-rsa .Ed .Pp @@ -862,18 +863,19 @@ character, then the specified key types will be placed at the head of the default set. The default for this option is: .Bd -literal -offset 3n +ssh-ed25519-cert-v01@openssh.com, ecdsa-sha2-nistp256-cert-v01@openssh.com, ecdsa-sha2-nistp384-cert-v01@openssh.com, ecdsa-sha2-nistp521-cert-v01@openssh.com, -sk-ecdsa-sha2-nistp256-cert-v01@openssh.com, -ssh-ed25519-cert-v01@openssh.com, sk-ssh-ed25519-cert-v01@openssh.com, +sk-ecdsa-sha2-nistp256-cert-v01@openssh.com, rsa-sha2-512-cert-v01@openssh.com, rsa-sha2-256-cert-v01@openssh.com, ssh-rsa-cert-v01@openssh.com, +ssh-ed25519, ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, sk-ecdsa-sha2-nistp256@openssh.com, -ssh-ed25519,sk-ssh-ed25519@openssh.com, +sk-ssh-ed25519@openssh.com, rsa-sha2-512,rsa-sha2-256,ssh-rsa .Ed .Pp @@ -1361,18 +1363,19 @@ character, then the specified key types will be placed at the head of the default set. The default for this option is: .Bd -literal -offset 3n +ssh-ed25519-cert-v01@openssh.com, ecdsa-sha2-nistp256-cert-v01@openssh.com, ecdsa-sha2-nistp384-cert-v01@openssh.com, ecdsa-sha2-nistp521-cert-v01@openssh.com, -sk-ecdsa-sha2-nistp256-cert-v01@openssh.com, -ssh-ed25519-cert-v01@openssh.com, sk-ssh-ed25519-cert-v01@openssh.com, +sk-ecdsa-sha2-nistp256-cert-v01@openssh.com, rsa-sha2-512-cert-v01@openssh.com, rsa-sha2-256-cert-v01@openssh.com, ssh-rsa-cert-v01@openssh.com, +ssh-ed25519, ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, +sk-ssh-ed25519@openssh.com, sk-ecdsa-sha2-nistp256@openssh.com, -ssh-ed25519,sk-ssh-ed25519@openssh.com, rsa-sha2-512,rsa-sha2-256,ssh-rsa .Ed .Pp diff --git a/sshd_config.5 b/sshd_config.5 index 6fa421ca..f68369f8 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.315 2020/08/27 12:34:00 jmc Exp $ -.Dd $Mdocdate: August 27 2020 $ +.\" $OpenBSD: sshd_config.5,v 1.316 2020/10/03 04:15:06 djm Exp $ +.Dd $Mdocdate: October 3 2020 $ .Dt SSHD_CONFIG 5 .Os .Sh NAME @@ -377,8 +377,8 @@ Specifies which algorithms are allowed for signing of certificates by certificate authorities (CAs). The default is: .Bd -literal -offset indent -ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, -ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa +ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384, +ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256,ssh-rsa .Ed .Pp Certificates signed using other algorithms will not be accepted for @@ -675,18 +675,19 @@ character, then the specified key types will be placed at the head of the default set. The default for this option is: .Bd -literal -offset 3n +ssh-ed25519-cert-v01@openssh.com, ecdsa-sha2-nistp256-cert-v01@openssh.com, ecdsa-sha2-nistp384-cert-v01@openssh.com, ecdsa-sha2-nistp521-cert-v01@openssh.com, -sk-ecdsa-sha2-nistp256-cert-v01@openssh.com, -ssh-ed25519-cert-v01@openssh.com, sk-ssh-ed25519-cert-v01@openssh.com, +sk-ecdsa-sha2-nistp256-cert-v01@openssh.com, rsa-sha2-512-cert-v01@openssh.com, rsa-sha2-256-cert-v01@openssh.com, ssh-rsa-cert-v01@openssh.com, +ssh-ed25519, ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, +sk-ssh-ed25519@openssh.com, sk-ecdsa-sha2-nistp256@openssh.com, -ssh-ed25519,sk-ssh-ed25519@openssh.com, rsa-sha2-512,rsa-sha2-256,ssh-rsa .Ed .Pp @@ -758,18 +759,19 @@ Specifies the host key algorithms that the server offers. The default for this option is: .Bd -literal -offset 3n +ssh-ed25519-cert-v01@openssh.com, ecdsa-sha2-nistp256-cert-v01@openssh.com, ecdsa-sha2-nistp384-cert-v01@openssh.com, ecdsa-sha2-nistp521-cert-v01@openssh.com, -sk-ecdsa-sha2-nistp256-cert-v01@openssh.com, -ssh-ed25519-cert-v01@openssh.com, sk-ssh-ed25519-cert-v01@openssh.com, +sk-ecdsa-sha2-nistp256-cert-v01@openssh.com, rsa-sha2-512-cert-v01@openssh.com, rsa-sha2-256-cert-v01@openssh.com, ssh-rsa-cert-v01@openssh.com, +ssh-ed25519, ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, +sk-ssh-ed25519@openssh.com, sk-ecdsa-sha2-nistp256@openssh.com, -ssh-ed25519,sk-ssh-ed25519@openssh.com, rsa-sha2-512,rsa-sha2-256,ssh-rsa .Ed .Pp @@ -1457,18 +1459,19 @@ character, then the specified key types will be placed at the head of the default set. The default for this option is: .Bd -literal -offset 3n +ssh-ed25519-cert-v01@openssh.com, ecdsa-sha2-nistp256-cert-v01@openssh.com, ecdsa-sha2-nistp384-cert-v01@openssh.com, ecdsa-sha2-nistp521-cert-v01@openssh.com, -sk-ecdsa-sha2-nistp256-cert-v01@openssh.com, -ssh-ed25519-cert-v01@openssh.com, sk-ssh-ed25519-cert-v01@openssh.com, +sk-ecdsa-sha2-nistp256-cert-v01@openssh.com, rsa-sha2-512-cert-v01@openssh.com, rsa-sha2-256-cert-v01@openssh.com, ssh-rsa-cert-v01@openssh.com, +ssh-ed25519, ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, +sk-ssh-ed25519@openssh.com, sk-ecdsa-sha2-nistp256@openssh.com, -ssh-ed25519,sk-ssh-ed25519@openssh.com, rsa-sha2-512,rsa-sha2-256,ssh-rsa .Ed .Pp |