From 75f7f22a43799f6d25dffd9d6683de1601da05a3 Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Tue, 10 Dec 2019 22:43:19 +0000 Subject: [PATCH] upstream: add security key types to list of keys allowed to act as CAs; spotted by Ron Frederick OpenBSD-Commit-ID: 9bb0dfff927b4f7aa70679f983f84c69d45656c3 --- myproposal.h | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/myproposal.h b/myproposal.h index d6e7977e4..b393db8b0 100644 --- a/myproposal.h +++ b/myproposal.h @@ -1,4 +1,4 @@ -/* $OpenBSD: myproposal.h,v 1.61 2019/11/12 19:33:08 markus Exp $ */ +/* $OpenBSD: myproposal.h,v 1.62 2019/12/10 22:43:19 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. @@ -145,7 +145,9 @@ /* Not a KEX value, but here so all the algorithm defaults are together */ #define SSH_ALLOWED_CA_SIGALGS \ HOSTKEY_ECDSA_METHODS \ + USERKEY_ECDSA_SK_METHODS \ "ssh-ed25519," \ + "sk-ssh-ed25519@openssh.com," \ "rsa-sha2-512," \ "rsa-sha2-256," \ "ssh-rsa" @@ -194,7 +196,7 @@ #define KEX_CLIENT_ENCRYPT KEX_SERVER_ENCRYPT #define KEX_CLIENT_MAC KEX_SERVER_MAC -#define SSH_ALLOWED_CA_SIGALGS "ssh-ed25519" +#define SSH_ALLOWED_CA_SIGALGS "ssh-ed25519,sk-ssh-ed25519@openssh.com" #endif /* WITH_OPENSSL */