mirror of git://anongit.mindrot.org/openssh.git
upstream: prefer ed25519 signature algorithm variants to ECDSA; ok
markus@ OpenBSD-Commit-ID: 82187926fca96d35a5b5afbc091afa84e0966e5b
This commit is contained in:
parent
e5ed753add
commit
12ae8f95e2
14
myproposal.h
14
myproposal.h
|
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: myproposal.h,v 1.67 2020/01/24 00:28:57 djm Exp $ */
|
||||
/* $OpenBSD: myproposal.h,v 1.68 2020/10/03 04:15:06 djm Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 2000 Markus Friedl. All rights reserved.
|
||||
|
@ -38,21 +38,21 @@
|
|||
#define KEX_CLIENT_KEX KEX_SERVER_KEX
|
||||
|
||||
#define KEX_DEFAULT_PK_ALG \
|
||||
"ssh-ed25519-cert-v01@openssh.com," \
|
||||
"ecdsa-sha2-nistp256-cert-v01@openssh.com," \
|
||||
"ecdsa-sha2-nistp384-cert-v01@openssh.com," \
|
||||
"ecdsa-sha2-nistp521-cert-v01@openssh.com," \
|
||||
"sk-ecdsa-sha2-nistp256-cert-v01@openssh.com," \
|
||||
"ssh-ed25519-cert-v01@openssh.com," \
|
||||
"sk-ssh-ed25519-cert-v01@openssh.com," \
|
||||
"sk-ecdsa-sha2-nistp256-cert-v01@openssh.com," \
|
||||
"rsa-sha2-512-cert-v01@openssh.com," \
|
||||
"rsa-sha2-256-cert-v01@openssh.com," \
|
||||
"ssh-rsa-cert-v01@openssh.com," \
|
||||
"ssh-ed25519," \
|
||||
"ecdsa-sha2-nistp256," \
|
||||
"ecdsa-sha2-nistp384," \
|
||||
"ecdsa-sha2-nistp521," \
|
||||
"sk-ecdsa-sha2-nistp256@openssh.com," \
|
||||
"ssh-ed25519," \
|
||||
"sk-ssh-ed25519@openssh.com," \
|
||||
"sk-ecdsa-sha2-nistp256@openssh.com," \
|
||||
"rsa-sha2-512," \
|
||||
"rsa-sha2-256," \
|
||||
"ssh-rsa"
|
||||
|
@ -80,12 +80,12 @@
|
|||
|
||||
/* Not a KEX value, but here so all the algorithm defaults are together */
|
||||
#define SSH_ALLOWED_CA_SIGALGS \
|
||||
"ssh-ed25519," \
|
||||
"ecdsa-sha2-nistp256," \
|
||||
"ecdsa-sha2-nistp384," \
|
||||
"ecdsa-sha2-nistp521," \
|
||||
"sk-ecdsa-sha2-nistp256@openssh.com," \
|
||||
"ssh-ed25519," \
|
||||
"sk-ssh-ed25519@openssh.com," \
|
||||
"sk-ecdsa-sha2-nistp256@openssh.com," \
|
||||
"rsa-sha2-512," \
|
||||
"rsa-sha2-256"
|
||||
|
||||
|
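Review bot: The new SSH_ALLOWED_CA_SIGALGS value in the third hunk no longer matches the CASignatureAlgorithms default that this same commit rewrites in ssh_config.5 and sshd_config.5: the macro lists sk-ssh-ed25519@openssh.com and sk-ecdsa-sha2-nistp256@openssh.com and ends at rsa-sha2-256, while both man pages still show ssh-rsa as the last entry and omit the sk-* entries. Either the documented default lists should be regenerated from the macro, or the macro should carry a marker that keeps them in step, e.g. `/* Keep in sync with CASignatureAlgorithms in ssh_config.5 / sshd_config.5 */` placed above `#define SSH_ALLOWED_CA_SIGALGS`. The man pages describe that option as the set of algorithms accepted for CA signatures rather than a negotiated preference, so the reordering in that hunk looks cosmetic, and a short comment stating that order is not significant there would stop a later reader from assuming it changes what is accepted. For KEX_DEFAULT_PK_ALG the order is what this commit is about, and recording it next to the definition, `/* Preference order, most preferred first: ed25519 before ECDSA before RSA */`, would make the intent visible without reading history; note that ssh-rsa (SHA-1 signatures) remains at the tail of both the cert and plain lists, which this commit leaves as is.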
|
29
ssh_config.5
29
ssh_config.5
|
@ -33,8 +33,8 @@
|
|||
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
.\"
|
||||
.\" $OpenBSD: ssh_config.5,v 1.332 2020/08/11 09:49:57 djm Exp $
|
||||
.Dd $Mdocdate: August 11 2020 $
|
||||
.\" $OpenBSD: ssh_config.5,v 1.333 2020/10/03 04:15:06 djm Exp $
|
||||
.Dd $Mdocdate: October 3 2020 $
|
||||
.Dt SSH_CONFIG 5
|
||||
.Os
|
||||
.Sh NAME
|
||||
|
@ -372,8 +372,8 @@ Specifies which algorithms are allowed for signing of certificates
|
|||
by certificate authorities (CAs).
|
||||
The default is:
|
||||
.Bd -literal -offset indent
|
||||
ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
|
||||
ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
|
||||
ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,
|
||||
ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256,ssh-rsa
|
||||
.Ed
|
||||
.Pp
|
||||
.Xr ssh 1
|
||||
|
@ -825,18 +825,19 @@ character, then the specified key types will be placed at the head of the
|
|||
default set.
|
||||
The default for this option is:
|
||||
.Bd -literal -offset 3n
|
||||
ssh-ed25519-cert-v01@openssh.com,
|
||||
ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
||||
ecdsa-sha2-nistp384-cert-v01@openssh.com,
|
||||
ecdsa-sha2-nistp521-cert-v01@openssh.com,
|
||||
sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
||||
ssh-ed25519-cert-v01@openssh.com,
|
||||
sk-ssh-ed25519-cert-v01@openssh.com,
|
||||
sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
||||
rsa-sha2-512-cert-v01@openssh.com,
|
||||
rsa-sha2-256-cert-v01@openssh.com,
|
||||
ssh-rsa-cert-v01@openssh.com,
|
||||
ssh-ed25519,
|
||||
ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
|
||||
sk-ssh-ed25519@openssh.com,
|
||||
sk-ecdsa-sha2-nistp256@openssh.com,
|
||||
ssh-ed25519,sk-ssh-ed25519@openssh.com,
|
||||
rsa-sha2-512,rsa-sha2-256,ssh-rsa
|
||||
.Ed
|
||||
.Pp
|
||||
|
@ -862,18 +863,19 @@ character, then the specified key types will be placed at the head of the
|
|||
default set.
|
||||
The default for this option is:
|
||||
.Bd -literal -offset 3n
|
||||
ssh-ed25519-cert-v01@openssh.com,
|
||||
ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
||||
ecdsa-sha2-nistp384-cert-v01@openssh.com,
|
||||
ecdsa-sha2-nistp521-cert-v01@openssh.com,
|
||||
sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
||||
ssh-ed25519-cert-v01@openssh.com,
|
||||
sk-ssh-ed25519-cert-v01@openssh.com,
|
||||
sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
||||
rsa-sha2-512-cert-v01@openssh.com,
|
||||
rsa-sha2-256-cert-v01@openssh.com,
|
||||
ssh-rsa-cert-v01@openssh.com,
|
||||
ssh-ed25519,
|
||||
ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
|
||||
sk-ecdsa-sha2-nistp256@openssh.com,
|
||||
ssh-ed25519,sk-ssh-ed25519@openssh.com,
|
||||
sk-ssh-ed25519@openssh.com,
|
||||
rsa-sha2-512,rsa-sha2-256,ssh-rsa
|
||||
.Ed
|
||||
.Pp
|
||||
|
@ -1361,18 +1363,19 @@ character, then the specified key types will be placed at the head of the
|
|||
default set.
|
||||
The default for this option is:
|
||||
.Bd -literal -offset 3n
|
||||
ssh-ed25519-cert-v01@openssh.com,
|
||||
ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
||||
ecdsa-sha2-nistp384-cert-v01@openssh.com,
|
||||
ecdsa-sha2-nistp521-cert-v01@openssh.com,
|
||||
sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
||||
ssh-ed25519-cert-v01@openssh.com,
|
||||
sk-ssh-ed25519-cert-v01@openssh.com,
|
||||
sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
||||
rsa-sha2-512-cert-v01@openssh.com,
|
||||
rsa-sha2-256-cert-v01@openssh.com,
|
||||
ssh-rsa-cert-v01@openssh.com,
|
||||
ssh-ed25519,
|
||||
ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
|
||||
sk-ssh-ed25519@openssh.com,
|
||||
sk-ecdsa-sha2-nistp256@openssh.com,
|
||||
ssh-ed25519,sk-ssh-ed25519@openssh.com,
|
||||
rsa-sha2-512,rsa-sha2-256,ssh-rsa
|
||||
.Ed
|
||||
.Pp
|
||||
|
|
|
@ -33,8 +33,8 @@
|
|||
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
.\"
|
||||
.\" $OpenBSD: sshd_config.5,v 1.315 2020/08/27 12:34:00 jmc Exp $
|
||||
.Dd $Mdocdate: August 27 2020 $
|
||||
.\" $OpenBSD: sshd_config.5,v 1.316 2020/10/03 04:15:06 djm Exp $
|
||||
.Dd $Mdocdate: October 3 2020 $
|
||||
.Dt SSHD_CONFIG 5
|
||||
.Os
|
||||
.Sh NAME
|
||||
|
@ -377,8 +377,8 @@ Specifies which algorithms are allowed for signing of certificates
|
|||
by certificate authorities (CAs).
|
||||
The default is:
|
||||
.Bd -literal -offset indent
|
||||
ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
|
||||
ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
|
||||
ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,
|
||||
ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256,ssh-rsa
|
||||
.Ed
|
||||
.Pp
|
||||
Certificates signed using other algorithms will not be accepted for
|
||||
|
@ -675,18 +675,19 @@ character, then the specified key types will be placed at the head of the
|
|||
default set.
|
||||
The default for this option is:
|
||||
.Bd -literal -offset 3n
|
||||
ssh-ed25519-cert-v01@openssh.com,
|
||||
ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
||||
ecdsa-sha2-nistp384-cert-v01@openssh.com,
|
||||
ecdsa-sha2-nistp521-cert-v01@openssh.com,
|
||||
sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
||||
ssh-ed25519-cert-v01@openssh.com,
|
||||
sk-ssh-ed25519-cert-v01@openssh.com,
|
||||
sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
||||
rsa-sha2-512-cert-v01@openssh.com,
|
||||
rsa-sha2-256-cert-v01@openssh.com,
|
||||
ssh-rsa-cert-v01@openssh.com,
|
||||
ssh-ed25519,
|
||||
ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
|
||||
sk-ssh-ed25519@openssh.com,
|
||||
sk-ecdsa-sha2-nistp256@openssh.com,
|
||||
ssh-ed25519,sk-ssh-ed25519@openssh.com,
|
||||
rsa-sha2-512,rsa-sha2-256,ssh-rsa
|
||||
.Ed
|
||||
.Pp
|
||||
|
@ -758,18 +759,19 @@ Specifies the host key algorithms
|
|||
that the server offers.
|
||||
The default for this option is:
|
||||
.Bd -literal -offset 3n
|
||||
ssh-ed25519-cert-v01@openssh.com,
|
||||
ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
||||
ecdsa-sha2-nistp384-cert-v01@openssh.com,
|
||||
ecdsa-sha2-nistp521-cert-v01@openssh.com,
|
||||
sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
||||
ssh-ed25519-cert-v01@openssh.com,
|
||||
sk-ssh-ed25519-cert-v01@openssh.com,
|
||||
sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
||||
rsa-sha2-512-cert-v01@openssh.com,
|
||||
rsa-sha2-256-cert-v01@openssh.com,
|
||||
ssh-rsa-cert-v01@openssh.com,
|
||||
ssh-ed25519,
|
||||
ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
|
||||
sk-ssh-ed25519@openssh.com,
|
||||
sk-ecdsa-sha2-nistp256@openssh.com,
|
||||
ssh-ed25519,sk-ssh-ed25519@openssh.com,
|
||||
rsa-sha2-512,rsa-sha2-256,ssh-rsa
|
||||
.Ed
|
||||
.Pp
|
||||
|
@ -1457,18 +1459,19 @@ character, then the specified key types will be placed at the head of the
|
|||
default set.
|
||||
The default for this option is:
|
||||
.Bd -literal -offset 3n
|
||||
ssh-ed25519-cert-v01@openssh.com,
|
||||
ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
||||
ecdsa-sha2-nistp384-cert-v01@openssh.com,
|
||||
ecdsa-sha2-nistp521-cert-v01@openssh.com,
|
||||
sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
||||
ssh-ed25519-cert-v01@openssh.com,
|
||||
sk-ssh-ed25519-cert-v01@openssh.com,
|
||||
sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
||||
rsa-sha2-512-cert-v01@openssh.com,
|
||||
rsa-sha2-256-cert-v01@openssh.com,
|
||||
ssh-rsa-cert-v01@openssh.com,
|
||||
ssh-ed25519,
|
||||
ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
|
||||
sk-ssh-ed25519@openssh.com,
|
||||
sk-ecdsa-sha2-nistp256@openssh.com,
|
||||
ssh-ed25519,sk-ssh-ed25519@openssh.com,
|
||||
rsa-sha2-512,rsa-sha2-256,ssh-rsa
|
||||
.Ed
|
||||
.Pp
|
||||
|
|