From 4cc259bac699f4d2a5c52b92230f9e488c88a223 Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Wed, 12 Sep 2018 01:34:02 +0000 Subject: [PATCH] upstream: add SSH_ALLOWED_CA_SIGALGS - the default list of signature algorithms that are allowed for CA signatures. Notably excludes ssh-dsa. ok markus@ OpenBSD-Commit-ID: 1628e4181dc8ab71909378eafe5d06159a22deb4 --- myproposal.h | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/myproposal.h b/myproposal.h index 08782dd30..27b4a15a1 100644 --- a/myproposal.h +++ b/myproposal.h @@ -1,4 +1,4 @@ -/* $OpenBSD: myproposal.h,v 1.56 2018/07/03 11:39:54 djm Exp $ */ +/* $OpenBSD: myproposal.h,v 1.57 2018/09/12 01:34:02 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. @@ -139,6 +139,16 @@ #define KEX_CLIENT_MAC KEX_SERVER_MAC +/* Not a KEX value, but here so all the algorithm defaults are together */ +#define SSH_ALLOWED_CA_SIGALGS \ + "ecdsa-sha2-nistp256," \ + "ecdsa-sha2-nistp384," \ + "ecdsa-sha2-nistp521," \ + "ssh-ed25519," \ + "rsa-sha2-512," \ + "rsa-sha2-256," \ + "ssh-rsa" + #else /* WITH_OPENSSL */ #define KEX_SERVER_KEX \ @@ -166,6 +176,8 @@ #define KEX_CLIENT_ENCRYPT KEX_SERVER_ENCRYPT #define KEX_CLIENT_MAC KEX_SERVER_MAC +#define SSH_ALLOWED_CA_SIGALGS "ssh-ed25519" + #endif /* WITH_OPENSSL */ #define KEX_DEFAULT_COMP "none,zlib@openssh.com"