RepoMirrors
/
openssh
mirror of git://anongit.mindrot.org/openssh.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

upstream: add SSH_ALLOWED_CA_SIGALGS - the default list of 

signature algorithms that are allowed for CA signatures. Notably excludes
ssh-dsa.

ok markus@

OpenBSD-Commit-ID: 1628e4181dc8ab71909378eafe5d06159a22deb4
This commit is contained in:
djm@openbsd.org 2018-09-12 01:34:02 +00:00 committed by Damien Miller
parent ba9e788315
commit 4cc259bac6
1 changed files with 13 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
myproposal.h
View File

@ -1,4 +1,4 @@
/* $OpenBSD: myproposal.h,v 1.56 2018/07/03 11:39:54 djm Exp $ */ /* $OpenBSD: myproposal.h,v 1.57 2018/09/12 01:34:02 djm Exp $ */
/* /*
* Copyright (c) 2000 Markus Friedl. All rights reserved. * Copyright (c) 2000 Markus Friedl. All rights reserved.
@ -139,6 +139,16 @@
#define KEX_CLIENT_MAC KEX_SERVER_MAC #define KEX_CLIENT_MAC KEX_SERVER_MAC
/* Not a KEX value, but here so all the algorithm defaults are together */
#define SSH_ALLOWED_CA_SIGALGS \
"ecdsa-sha2-nistp256," \
"ecdsa-sha2-nistp384," \
"ecdsa-sha2-nistp521," \
"ssh-ed25519," \
"rsa-sha2-512," \
"rsa-sha2-256," \
"ssh-rsa"
#else /* WITH_OPENSSL */ #else /* WITH_OPENSSL */
#define KEX_SERVER_KEX \ #define KEX_SERVER_KEX \
@ -166,6 +176,8 @@
#define KEX_CLIENT_ENCRYPT KEX_SERVER_ENCRYPT #define KEX_CLIENT_ENCRYPT KEX_SERVER_ENCRYPT
#define KEX_CLIENT_MAC KEX_SERVER_MAC #define KEX_CLIENT_MAC KEX_SERVER_MAC
#define SSH_ALLOWED_CA_SIGALGS "ssh-ed25519"
#endif /* WITH_OPENSSL */ #endif /* WITH_OPENSSL */
#define KEX_DEFAULT_COMP "none,zlib@openssh.com" #define KEX_DEFAULT_COMP "none,zlib@openssh.com"