mirror of
git://anongit.mindrot.org/openssh.git
synced 2024-12-17 23:54:35 +00:00
upstream: disable the DSA signature algorithm by default; ok
markus@ (yes, I know this expands to "the Digital Signature Algorithm signature algorithm")
OpenBSD-Commit-ID: 961ef594e46dd2dcade8dd5721fa565cee79ffed
parent
5603befe11
commit
00eb95957d
21
configure.ac
21
configure.ac
@ -2078,8 +2078,12 @@ AC_ARG_WITH([security-key-builtin],
|
||||
|
||||
enable_dsa=
|
||||
AC_ARG_ENABLE([dsa-keys],
|
||||
[ --disable-dsa-keys disable DSA key support [no]],
|
||||
[ enable_dsa="$enableval" ]
|
||||
[ --enable-dsa-keys enable DSA key support [no]],
|
||||
[
|
||||
if test "x$enableval" != "xno" ; then
|
||||
enable_dsa=1
|
||||
fi
|
||||
]
|
||||
)
|
||||
|
||||
AC_SEARCH_LIBS([dlopen], [dl])
|
||||
@ -3188,8 +3192,9 @@ if test "x$openssl" = "xyes" ; then
|
||||
AC_MSG_RESULT([no])
|
||||
]
|
||||
)
|
||||
|
||||
openssl_dsa=no
|
||||
if test -z "$enable_dsa" || test "x$enable_dsa" = "xyes"; then
|
||||
if test ! -z "$enable_dsa" ; then
|
||||
AC_CHECK_DECLS([OPENSSL_NO_DSA], [], [
|
||||
AC_CHECK_DECLS([OPENSSL_IS_BORINGSSL], [],
|
||||
[ openssl_dsa=yes ],
|
||||
@ -3199,15 +3204,6 @@ if test "x$openssl" = "xyes" ; then
|
||||
[ #include <openssl/opensslconf.h> ]
|
||||
)
|
||||
AC_MSG_CHECKING([whether to enable DSA key support])
|
||||
if test -z "$enable_dsa"; then
|
||||
if test "x$openssl_dsa" = "xno"; then
|
||||
AC_MSG_RESULT([not supported by OpenSSL])
|
||||
else
|
||||
AC_MSG_RESULT([yes])
|
||||
AC_DEFINE([WITH_DSA], [1],
|
||||
[DSA keys enabled by default])
|
||||
fi
|
||||
else
|
||||
if test "x$openssl_dsa" = "xno"; then
|
||||
AC_MSG_ERROR([DSA requested but not supported by OpenSSL])
|
||||
else
|
||||
@ -3216,7 +3212,6 @@ if test "x$openssl" = "xyes" ; then
|
||||
[DSA keys explicitly enabled])
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
|
||||
# PKCS11/U2F depend on OpenSSL and dlopen().
|
||||
|
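Review bot: A default build now appears to print nothing about DSA, because after the `@ -3188` and `@ -3199` hunks the `AC_MSG_CHECKING([whether to enable DSA key support])` call sits inside `if test ! -z "$enable_dsa"` (this rendering has lost the +/- markers, so the reading is inferred from the hunk line counts). Since `WITH_DSA` is then defined only on request, packagers auditing a build would benefit from an explicit result in the configure log; an `else` branch with `AC_MSG_CHECKING([whether to enable DSA key support])` followed by `AC_MSG_RESULT([no])` would cover it. In the first hunk the option now stores `enable_dsa=1` for any value other than `no`, where the earlier test compared against `xyes`, so it is worth confirming that nothing outside these hunks still tests `"x$enable_dsa" = "xyes"`. `test -n "$enable_dsa"` would also read more directly than `test ! -z "$enable_dsa"`.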
12
ssh-add.1
12
ssh-add.1
@ -1,4 +1,4 @@
|
||||
.\" $OpenBSD: ssh-add.1,v 1.86 2023/12/19 06:57:34 jmc Exp $
|
||||
.\" $OpenBSD: ssh-add.1,v 1.87 2024/06/17 08:30:29 djm Exp $
|
||||
.\"
|
||||
.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
@ -35,7 +35,7 @@
|
||||
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
.\"
|
||||
.Dd $Mdocdate: December 19 2023 $
|
||||
.Dd $Mdocdate: June 17 2024 $
|
||||
.Dt SSH-ADD 1
|
||||
.Os
|
||||
.Sh NAME
|
||||
@ -67,10 +67,9 @@ When run without arguments, it adds the files
|
||||
.Pa ~/.ssh/id_rsa ,
|
||||
.Pa ~/.ssh/id_ecdsa ,
|
||||
.Pa ~/.ssh/id_ecdsa_sk ,
|
||||
.Pa ~/.ssh/id_ed25519 ,
|
||||
.Pa ~/.ssh/id_ed25519_sk ,
|
||||
.Pa ~/.ssh/id_ed25519
|
||||
and
|
||||
.Pa ~/.ssh/id_dsa .
|
||||
.Pa ~/.ssh/id_ed25519_sk .
|
||||
After loading a private key,
|
||||
.Nm
|
||||
will try to load corresponding certificate information from the
|
||||
@ -314,13 +313,12 @@ the built-in USB HID support.
|
||||
.El
|
||||
.Sh FILES
|
||||
.Bl -tag -width Ds -compact
|
||||
.It Pa ~/.ssh/id_dsa
|
||||
.It Pa ~/.ssh/id_ecdsa
|
||||
.It Pa ~/.ssh/id_ecdsa_sk
|
||||
.It Pa ~/.ssh/id_ed25519
|
||||
.It Pa ~/.ssh/id_ed25519_sk
|
||||
.It Pa ~/.ssh/id_rsa
|
||||
Contains the DSA, ECDSA, authenticator-hosted ECDSA, Ed25519,
|
||||
Contains the ECDSA, authenticator-hosted ECDSA, Ed25519,
|
||||
authenticator-hosted Ed25519 or RSA authentication identity of the user.
|
||||
.El
|
||||
.Pp
|
||||
|
19
ssh-keygen.1
19
ssh-keygen.1
@ -1,4 +1,4 @@
|
||||
.\" $OpenBSD: ssh-keygen.1,v 1.230 2023/09/04 10:29:58 job Exp $
|
||||
.\" $OpenBSD: ssh-keygen.1,v 1.231 2024/06/17 08:30:29 djm Exp $
|
||||
.\"
|
||||
.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
@ -35,7 +35,7 @@
|
||||
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
.\"
|
||||
.Dd $Mdocdate: September 4 2023 $
|
||||
.Dd $Mdocdate: June 17 2024 $
|
||||
.Dt SSH-KEYGEN 1
|
||||
.Os
|
||||
.Sh NAME
|
||||
@ -51,7 +51,7 @@
|
||||
.Op Fl m Ar format
|
||||
.Op Fl N Ar new_passphrase
|
||||
.Op Fl O Ar option
|
||||
.Op Fl t Cm dsa | ecdsa | ecdsa-sk | ed25519 | ed25519-sk | rsa
|
||||
.Op Fl t Cm ecdsa | ecdsa-sk | ed25519 | ed25519-sk | rsa
|
||||
.Op Fl w Ar provider
|
||||
.Op Fl Z Ar cipher
|
||||
.Nm ssh-keygen
|
||||
@ -205,7 +205,6 @@ section for details.
|
||||
Normally each user wishing to use SSH
|
||||
with public key authentication runs this once to create the authentication
|
||||
key in
|
||||
.Pa ~/.ssh/id_dsa ,
|
||||
.Pa ~/.ssh/id_ecdsa ,
|
||||
.Pa ~/.ssh/id_ecdsa_sk ,
|
||||
.Pa ~/.ssh/id_ed25519 ,
|
||||
@ -414,9 +413,8 @@ section.
|
||||
Prints the contents of one or more certificates.
|
||||
.It Fl l
|
||||
Show fingerprint of specified public key file.
|
||||
For RSA and DSA keys
|
||||
.Nm
|
||||
tries to find the matching public key file and prints its fingerprint.
|
||||
will try to find the matching public key file and prints its fingerprint.
|
||||
If combined with
|
||||
.Fl v ,
|
||||
a visual ASCII art representation of the key is supplied with the
|
||||
@ -579,10 +577,9 @@ by key ID or serial number.
|
||||
See the
|
||||
.Sx KEY REVOCATION LISTS
|
||||
section for details.
|
||||
.It Fl t Cm dsa | ecdsa | ecdsa-sk | ed25519 | ed25519-sk | rsa
|
||||
.It Fl t Cm ecdsa | ecdsa-sk | ed25519 | ed25519-sk | rsa
|
||||
Specifies the type of key to create.
|
||||
The possible values are
|
||||
.Dq dsa ,
|
||||
.Dq ecdsa ,
|
||||
.Dq ecdsa-sk ,
|
||||
.Dq ed25519 ,
|
||||
@ -1290,13 +1287,12 @@ the built-in USB HID support.
|
||||
.El
|
||||
.Sh FILES
|
||||
.Bl -tag -width Ds -compact
|
||||
.It Pa ~/.ssh/id_dsa
|
||||
.It Pa ~/.ssh/id_ecdsa
|
||||
.It Pa ~/.ssh/id_ecdsa_sk
|
||||
.It Pa ~/.ssh/id_ed25519
|
||||
.It Pa ~/.ssh/id_ed25519_sk
|
||||
.It Pa ~/.ssh/id_rsa
|
||||
Contains the DSA, ECDSA, authenticator-hosted ECDSA, Ed25519,
|
||||
Contains the ECDSA, authenticator-hosted ECDSA, Ed25519,
|
||||
authenticator-hosted Ed25519 or RSA authentication identity of the user.
|
||||
This file should not be readable by anyone but the user.
|
||||
It is possible to
|
||||
@ -1308,13 +1304,12 @@ but it is offered as the default file for the private key.
|
||||
.Xr ssh 1
|
||||
will read this file when a login attempt is made.
|
||||
.Pp
|
||||
.It Pa ~/.ssh/id_dsa.pub
|
||||
.It Pa ~/.ssh/id_ecdsa.pub
|
||||
.It Pa ~/.ssh/id_ecdsa_sk.pub
|
||||
.It Pa ~/.ssh/id_ed25519.pub
|
||||
.It Pa ~/.ssh/id_ed25519_sk.pub
|
||||
.It Pa ~/.ssh/id_rsa.pub
|
||||
Contains the DSA, ECDSA, authenticator-hosted ECDSA, Ed25519,
|
||||
Contains the ECDSA, authenticator-hosted ECDSA, Ed25519,
|
||||
authenticator-hosted Ed25519 or RSA public key for authentication.
|
||||
The contents of this file should be added to
|
||||
.Pa ~/.ssh/authorized_keys
|
||||
|
@ -1,4 +1,4 @@
|
||||
.\" $OpenBSD: ssh-keyscan.1,v 1.51 2024/06/14 05:20:34 jmc Exp $
|
||||
.\" $OpenBSD: ssh-keyscan.1,v 1.52 2024/06/17 08:30:29 djm Exp $
|
||||
.\"
|
||||
.\" Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>.
|
||||
.\"
|
||||
@ -6,7 +6,7 @@
|
||||
.\" permitted provided that due credit is given to the author and the
|
||||
.\" OpenBSD project by leaving this copyright notice intact.
|
||||
.\"
|
||||
.Dd $Mdocdate: June 14 2024 $
|
||||
.Dd $Mdocdate: June 17 2024 $
|
||||
.Dt SSH-KEYSCAN 1
|
||||
.Os
|
||||
.Sh NAME
|
||||
@ -130,7 +130,6 @@ The default is 5 seconds.
|
||||
.It Fl t Ar type
|
||||
Specify the type of the key to fetch from the scanned hosts.
|
||||
The possible values are
|
||||
.Dq dsa ,
|
||||
.Dq ecdsa ,
|
||||
.Dq ed25519 ,
|
||||
.Dq ecdsa-sk ,
|
||||
@ -138,14 +137,7 @@ The possible values are
|
||||
or
|
||||
.Dq rsa .
|
||||
Multiple values may be specified by separating them with commas.
|
||||
The default is to fetch
|
||||
.Dq rsa ,
|
||||
.Dq ecdsa ,
|
||||
.Dq ed25519 ,
|
||||
.Dq ecdsa-sk ,
|
||||
and
|
||||
.Dq ed25519-sk
|
||||
keys.
|
||||
The default is to fetch all the above key types.
|
||||
.It Fl v
|
||||
Verbose mode:
|
||||
print debugging messages about progress.
|
||||
@ -177,7 +169,7 @@ Find all hosts from the file
|
||||
which have new or different keys from those in the sorted file
|
||||
.Pa ssh_known_hosts :
|
||||
.Bd -literal -offset indent
|
||||
$ ssh-keyscan -t rsa,dsa,ecdsa,ed25519 -f ssh_hosts | \e
|
||||
$ ssh-keyscan -t rsa,ecdsa,ed25519 -f ssh_hosts | \e
|
||||
sort -u - ssh_known_hosts | diff ssh_known_hosts -
|
||||
.Ed
|
||||
.Sh SEE ALSO
|
||||
|
@ -1,4 +1,4 @@
|
||||
.\" $OpenBSD: ssh-keysign.8,v 1.17 2022/03/31 17:27:27 naddy Exp $
|
||||
.\" $OpenBSD: ssh-keysign.8,v 1.18 2024/06/17 08:30:29 djm Exp $
|
||||
.\"
|
||||
.\" Copyright (c) 2002 Markus Friedl. All rights reserved.
|
||||
.\"
|
||||
@ -22,7 +22,7 @@
|
||||
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
.\"
|
||||
.Dd $Mdocdate: March 31 2022 $
|
||||
.Dd $Mdocdate: June 17 2024 $
|
||||
.Dt SSH-KEYSIGN 8
|
||||
.Os
|
||||
.Sh NAME
|
||||
@ -61,7 +61,6 @@ Controls whether
|
||||
.Nm
|
||||
is enabled.
|
||||
.Pp
|
||||
.It Pa /etc/ssh/ssh_host_dsa_key
|
||||
.It Pa /etc/ssh/ssh_host_ecdsa_key
|
||||
.It Pa /etc/ssh/ssh_host_ed25519_key
|
||||
.It Pa /etc/ssh/ssh_host_rsa_key
|
||||
@ -73,7 +72,6 @@ Since they are readable only by root,
|
||||
.Nm
|
||||
must be set-uid root if host-based authentication is used.
|
||||
.Pp
|
||||
.It Pa /etc/ssh/ssh_host_dsa_key-cert.pub
|
||||
.It Pa /etc/ssh/ssh_host_ecdsa_key-cert.pub
|
||||
.It Pa /etc/ssh/ssh_host_ed25519_key-cert.pub
|
||||
.It Pa /etc/ssh/ssh_host_rsa_key-cert.pub
|
||||
|
21
ssh.1
21
ssh.1
@ -33,8 +33,8 @@
|
||||
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
.\"
|
||||
.\" $OpenBSD: ssh.1,v 1.440 2024/05/26 20:35:12 naddy Exp $
|
||||
.Dd $Mdocdate: May 26 2024 $
|
||||
.\" $OpenBSD: ssh.1,v 1.441 2024/06/17 08:30:29 djm Exp $
|
||||
.Dd $Mdocdate: June 17 2024 $
|
||||
.Dt SSH 1
|
||||
.Os
|
||||
.Sh NAME
|
||||
@ -304,10 +304,9 @@ The default is
|
||||
.Pa ~/.ssh/id_rsa ,
|
||||
.Pa ~/.ssh/id_ecdsa ,
|
||||
.Pa ~/.ssh/id_ecdsa_sk ,
|
||||
.Pa ~/.ssh/id_ed25519 ,
|
||||
.Pa ~/.ssh/id_ed25519_sk
|
||||
.Pa ~/.ssh/id_ed25519
|
||||
and
|
||||
.Pa ~/.ssh/id_dsa .
|
||||
.Pa ~/.ssh/id_ed25519_sk .
|
||||
Identity files may also be specified on
|
||||
a per-host basis in the configuration file.
|
||||
It is possible to have multiple
|
||||
@ -929,10 +928,10 @@ key pair for authentication purposes.
|
||||
The server knows the public key, and only the user knows the private key.
|
||||
.Nm
|
||||
implements public key authentication protocol automatically,
|
||||
using one of the DSA, ECDSA, Ed25519 or RSA algorithms.
|
||||
using one of the ECDSA, Ed25519 or RSA algorithms.
|
||||
The HISTORY section of
|
||||
.Xr ssl 8
|
||||
contains a brief discussion of the DSA and RSA algorithms.
|
||||
contains a brief discussion of the RSA and ECDSA algorithms.
|
||||
.Pp
|
||||
The file
|
||||
.Pa ~/.ssh/authorized_keys
|
||||
@ -959,8 +958,6 @@ flag).
|
||||
The user creates their key pair by running
|
||||
.Xr ssh-keygen 1 .
|
||||
This stores the private key in
|
||||
.Pa ~/.ssh/id_dsa
|
||||
(DSA),
|
||||
.Pa ~/.ssh/id_ecdsa
|
||||
(ECDSA),
|
||||
.Pa ~/.ssh/id_ecdsa_sk
|
||||
@ -973,8 +970,6 @@ or
|
||||
.Pa ~/.ssh/id_rsa
|
||||
(RSA)
|
||||
and stores the public key in
|
||||
.Pa ~/.ssh/id_dsa.pub
|
||||
(DSA),
|
||||
.Pa ~/.ssh/id_ecdsa.pub
|
||||
(ECDSA),
|
||||
.Pa ~/.ssh/id_ecdsa_sk.pub
|
||||
@ -1556,7 +1551,7 @@ secret, but the recommended permissions are read/write/execute for the user,
|
||||
and not accessible by others.
|
||||
.Pp
|
||||
.It Pa ~/.ssh/authorized_keys
|
||||
Lists the public keys (DSA, ECDSA, Ed25519, RSA)
|
||||
Lists the public keys (ECDSA, Ed25519, RSA)
|
||||
that can be used for logging in as this user.
|
||||
The format of this file is described in the
|
||||
.Xr sshd 8
|
||||
@ -1576,7 +1571,6 @@ Contains additional definitions for environment variables; see
|
||||
.Sx ENVIRONMENT ,
|
||||
above.
|
||||
.Pp
|
||||
.It Pa ~/.ssh/id_dsa
|
||||
.It Pa ~/.ssh/id_ecdsa
|
||||
.It Pa ~/.ssh/id_ecdsa_sk
|
||||
.It Pa ~/.ssh/id_ed25519
|
||||
@ -1592,7 +1586,6 @@ It is possible to specify a passphrase when
|
||||
generating the key which will be used to encrypt the
|
||||
sensitive part of this file using AES-128.
|
||||
.Pp
|
||||
.It Pa ~/.ssh/id_dsa.pub
|
||||
.It Pa ~/.ssh/id_ecdsa.pub
|
||||
.It Pa ~/.ssh/id_ecdsa_sk.pub
|
||||
.It Pa ~/.ssh/id_ed25519.pub
|
||||
|
11
ssh_config.5
11
ssh_config.5
@ -33,8 +33,8 @@
|
||||
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
.\"
|
||||
.\" $OpenBSD: ssh_config.5,v 1.395 2024/06/14 05:01:22 djm Exp $
|
||||
.Dd $Mdocdate: June 14 2024 $
|
||||
.\" $OpenBSD: ssh_config.5,v 1.396 2024/06/17 08:30:29 djm Exp $
|
||||
.Dd $Mdocdate: June 17 2024 $
|
||||
.Dt SSH_CONFIG 5
|
||||
.Os
|
||||
.Sh NAME
|
||||
@ -1114,7 +1114,7 @@ section and environment variables as described in the
|
||||
.Sx ENVIRONMENT VARIABLES
|
||||
section.
|
||||
.It Cm IdentityFile
|
||||
Specifies a file from which the user's DSA, ECDSA, authenticator-hosted ECDSA,
|
||||
Specifies a file from which the user's ECDSA, authenticator-hosted ECDSA,
|
||||
Ed25519, authenticator-hosted Ed25519 or RSA authentication identity is read.
|
||||
You can also specify a public key file to use the corresponding
|
||||
private key that is loaded in
|
||||
@ -1124,10 +1124,9 @@ The default is
|
||||
.Pa ~/.ssh/id_rsa ,
|
||||
.Pa ~/.ssh/id_ecdsa ,
|
||||
.Pa ~/.ssh/id_ecdsa_sk ,
|
||||
.Pa ~/.ssh/id_ed25519 ,
|
||||
.Pa ~/.ssh/id_ed25519_sk
|
||||
.Pa ~/.ssh/id_ed25519
|
||||
and
|
||||
.Pa ~/.ssh/id_dsa .
|
||||
.Pa ~/.ssh/id_ed25519_sk .
|
||||
Additionally, any identities represented by the authentication agent
|
||||
will be used for authentication unless
|
||||
.Cm IdentitiesOnly
|
||||
|
9
sshd.8
9
sshd.8
@ -33,8 +33,8 @@
|
||||
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
.\"
|
||||
.\" $OpenBSD: sshd.8,v 1.325 2023/09/19 20:37:07 deraadt Exp $
|
||||
.Dd $Mdocdate: September 19 2023 $
|
||||
.\" $OpenBSD: sshd.8,v 1.326 2024/06/17 08:30:29 djm Exp $
|
||||
.Dd $Mdocdate: June 17 2024 $
|
||||
.Dt SSHD 8
|
||||
.Os
|
||||
.Sh NAME
|
||||
@ -465,8 +465,6 @@ sk-ssh-ed25519@openssh.com
|
||||
.It
|
||||
ssh-ed25519
|
||||
.It
|
||||
ssh-dss
|
||||
.It
|
||||
ssh-rsa
|
||||
.El
|
||||
.Pp
|
||||
@ -477,7 +475,6 @@ Note that lines in this file can be several hundred bytes long
|
||||
(because of the size of the public key encoding) up to a limit of
|
||||
8 kilobytes, which permits RSA keys up to 16 kilobits.
|
||||
You don't want to type them in; instead, copy the
|
||||
.Pa id_dsa.pub ,
|
||||
.Pa id_ecdsa.pub ,
|
||||
.Pa id_ecdsa_sk.pub ,
|
||||
.Pa id_ed25519.pub ,
|
||||
@ -881,7 +878,7 @@ secret, but the recommended permissions are read/write/execute for the user,
|
||||
and not accessible by others.
|
||||
.Pp
|
||||
.It Pa ~/.ssh/authorized_keys
|
||||
Lists the public keys (DSA, ECDSA, Ed25519, RSA)
|
||||
Lists the public keys (ECDSA, Ed25519, RSA)
|
||||
that can be used for logging in as this user.
|
||||
The format of this file is described above.
|
||||
The content of the file is not highly sensitive, but the recommended
|
||||
|