diff options
| author | naddy@openbsd.org <naddy@openbsd.org> | 2019-12-19 15:09:30 +0000 |
|---|---|---|
| committer | Darren Tucker <dtucker@dtucker.net> | 2019-12-20 14:25:08 +1100 |
| commit | ae024b22c4fd68e7f39681d605585889f9511108 (patch) | |
| tree | 13b0f16f9f778ba7169ccc5a7ab11a62dec36368 | |
| parent | bc2dc091e0ac4ff6245c43a61ebe12c7e9ea0b7f (diff) | |
upstream: Document that security key-hosted keys can act as host
keys.
Update the list of default host key algorithms in ssh_config.5 and
sshd_config.5. Copy the description of the SecurityKeyProvider
option to sshd_config.5.
ok jmc@
OpenBSD-Commit-ID: edadf3566ab5e94582df4377fee3b8b702c7eca0
| -rw-r--r-- | ssh_config.5 | 26 | ||||
| -rw-r--r-- | sshd_config.5 | 30 |
2 files changed, 38 insertions, 18 deletions
diff --git a/ssh_config.5 b/ssh_config.5 index 93029031a..dc7a2143d 100644 --- a/ssh_config.5 +++ b/ssh_config.5 | |||
| @@ -33,8 +33,8 @@ | |||
| 33 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 33 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
| 34 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 34 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
| 35 | .\" | 35 | .\" |
| 36 | .\" $OpenBSD: ssh_config.5,v 1.310 2019/11/30 07:07:59 jmc Exp $ | 36 | .\" $OpenBSD: ssh_config.5,v 1.311 2019/12/19 15:09:30 naddy Exp $ |
| 37 | .Dd $Mdocdate: November 30 2019 $ | 37 | .Dd $Mdocdate: December 19 2019 $ |
| 38 | .Dt SSH_CONFIG 5 | 38 | .Dt SSH_CONFIG 5 |
| 39 | .Os | 39 | .Os |
| 40 | .Sh NAME | 40 | .Sh NAME |
| @@ -809,12 +809,16 @@ The default for this option is: | |||
| 809 | ecdsa-sha2-nistp256-cert-v01@openssh.com, | 809 | ecdsa-sha2-nistp256-cert-v01@openssh.com, |
| 810 | ecdsa-sha2-nistp384-cert-v01@openssh.com, | 810 | ecdsa-sha2-nistp384-cert-v01@openssh.com, |
| 811 | ecdsa-sha2-nistp521-cert-v01@openssh.com, | 811 | ecdsa-sha2-nistp521-cert-v01@openssh.com, |
| 812 | sk-ecdsa-sha2-nistp256-cert-v01@openssh.com, | ||
| 812 | ssh-ed25519-cert-v01@openssh.com, | 813 | ssh-ed25519-cert-v01@openssh.com, |
| 814 | sk-ssh-ed25519-cert-v01@openssh.com, | ||
| 813 | rsa-sha2-512-cert-v01@openssh.com, | 815 | rsa-sha2-512-cert-v01@openssh.com, |
| 814 | rsa-sha2-256-cert-v01@openssh.com, | 816 | rsa-sha2-256-cert-v01@openssh.com, |
| 815 | ssh-rsa-cert-v01@openssh.com, | 817 | ssh-rsa-cert-v01@openssh.com, |
| 816 | ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, | 818 | ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, |
| 817 | ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa | 819 | sk-ecdsa-sha2-nistp256@openssh.com, |
| 820 | ssh-ed25519,sk-ssh-ed25519@openssh.com, | ||
| 821 | rsa-sha2-512,rsa-sha2-256,ssh-rsa | ||
| 818 | .Ed | 822 | .Ed |
| 819 | .Pp | 823 | .Pp |
| 820 | The | 824 | The |
| @@ -842,12 +846,16 @@ The default for this option is: | |||
| 842 | ecdsa-sha2-nistp256-cert-v01@openssh.com, | 846 | ecdsa-sha2-nistp256-cert-v01@openssh.com, |
| 843 | ecdsa-sha2-nistp384-cert-v01@openssh.com, | 847 | ecdsa-sha2-nistp384-cert-v01@openssh.com, |
| 844 | ecdsa-sha2-nistp521-cert-v01@openssh.com, | 848 | ecdsa-sha2-nistp521-cert-v01@openssh.com, |
| 849 | sk-ecdsa-sha2-nistp256-cert-v01@openssh.com, | ||
| 845 | ssh-ed25519-cert-v01@openssh.com, | 850 | ssh-ed25519-cert-v01@openssh.com, |
| 851 | sk-ssh-ed25519-cert-v01@openssh.com, | ||
| 846 | rsa-sha2-512-cert-v01@openssh.com, | 852 | rsa-sha2-512-cert-v01@openssh.com, |
| 847 | rsa-sha2-256-cert-v01@openssh.com, | 853 | rsa-sha2-256-cert-v01@openssh.com, |
| 848 | ssh-rsa-cert-v01@openssh.com, | 854 | ssh-rsa-cert-v01@openssh.com, |
| 849 | ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, | 855 | ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, |
| 850 | ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa | 856 | sk-ecdsa-sha2-nistp256@openssh.com, |
| 857 | ssh-ed25519,sk-ssh-ed25519@openssh.com, | ||
| 858 | rsa-sha2-512,rsa-sha2-256,ssh-rsa | ||
| 851 | .Ed | 859 | .Ed |
| 852 | .Pp | 860 | .Pp |
| 853 | If hostkeys are known for the destination host then this default is modified | 861 | If hostkeys are known for the destination host then this default is modified |
| @@ -1323,19 +1331,19 @@ character, then the specified key types will be placed at the head of the | |||
| 1323 | default set. | 1331 | default set. |
| 1324 | The default for this option is: | 1332 | The default for this option is: |
| 1325 | .Bd -literal -offset 3n | 1333 | .Bd -literal -offset 3n |
| 1326 | sk-ecdsa-sha2-nistp256-cert-v01@openssh.com, | ||
| 1327 | ecdsa-sha2-nistp256-cert-v01@openssh.com, | 1334 | ecdsa-sha2-nistp256-cert-v01@openssh.com, |
| 1328 | ecdsa-sha2-nistp384-cert-v01@openssh.com, | 1335 | ecdsa-sha2-nistp384-cert-v01@openssh.com, |
| 1329 | ecdsa-sha2-nistp521-cert-v01@openssh.com, | 1336 | ecdsa-sha2-nistp521-cert-v01@openssh.com, |
| 1330 | sk-ssh-ed25519-cert-v01@openssh.com, | 1337 | sk-ecdsa-sha2-nistp256-cert-v01@openssh.com, |
| 1331 | ssh-ed25519-cert-v01@openssh.com, | 1338 | ssh-ed25519-cert-v01@openssh.com, |
| 1339 | sk-ssh-ed25519-cert-v01@openssh.com, | ||
| 1332 | rsa-sha2-512-cert-v01@openssh.com, | 1340 | rsa-sha2-512-cert-v01@openssh.com, |
| 1333 | rsa-sha2-256-cert-v01@openssh.com, | 1341 | rsa-sha2-256-cert-v01@openssh.com, |
| 1334 | ssh-rsa-cert-v01@openssh.com, | 1342 | ssh-rsa-cert-v01@openssh.com, |
| 1335 | sk-ecdsa-sha2-nistp256@openssh.com, | ||
| 1336 | ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, | 1343 | ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, |
| 1337 | sk-ssh-ed25519@openssh.com, | 1344 | sk-ecdsa-sha2-nistp256@openssh.com, |
| 1338 | ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa | 1345 | ssh-ed25519,sk-ssh-ed25519@openssh.com, |
| 1346 | rsa-sha2-512,rsa-sha2-256,ssh-rsa | ||
| 1339 | .Ed | 1347 | .Ed |
| 1340 | .Pp | 1348 | .Pp |
| 1341 | The list of available key types may also be obtained using | 1349 | The list of available key types may also be obtained using |
diff --git a/sshd_config.5 b/sshd_config.5 index 8bfb3b6c8..222193170 100644 --- a/sshd_config.5 +++ b/sshd_config.5 | |||
| @@ -33,8 +33,8 @@ | |||
| 33 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 33 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
| 34 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 34 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
| 35 | .\" | 35 | .\" |
| 36 | .\" $OpenBSD: sshd_config.5,v 1.295 2019/11/30 07:07:59 jmc Exp $ | 36 | .\" $OpenBSD: sshd_config.5,v 1.296 2019/12/19 15:09:30 naddy Exp $ |
| 37 | .Dd $Mdocdate: November 30 2019 $ | 37 | .Dd $Mdocdate: December 19 2019 $ |
| 38 | .Dt SSHD_CONFIG 5 | 38 | .Dt SSHD_CONFIG 5 |
| 39 | .Os | 39 | .Os |
| 40 | .Sh NAME | 40 | .Sh NAME |
| @@ -689,12 +689,16 @@ The default for this option is: | |||
| 689 | ecdsa-sha2-nistp256-cert-v01@openssh.com, | 689 | ecdsa-sha2-nistp256-cert-v01@openssh.com, |
| 690 | ecdsa-sha2-nistp384-cert-v01@openssh.com, | 690 | ecdsa-sha2-nistp384-cert-v01@openssh.com, |
| 691 | ecdsa-sha2-nistp521-cert-v01@openssh.com, | 691 | ecdsa-sha2-nistp521-cert-v01@openssh.com, |
| 692 | sk-ecdsa-sha2-nistp256-cert-v01@openssh.com, | ||
| 692 | ssh-ed25519-cert-v01@openssh.com, | 693 | ssh-ed25519-cert-v01@openssh.com, |
| 694 | sk-ssh-ed25519-cert-v01@openssh.com, | ||
| 693 | rsa-sha2-512-cert-v01@openssh.com, | 695 | rsa-sha2-512-cert-v01@openssh.com, |
| 694 | rsa-sha2-256-cert-v01@openssh.com, | 696 | rsa-sha2-256-cert-v01@openssh.com, |
| 695 | ssh-rsa-cert-v01@openssh.com, | 697 | ssh-rsa-cert-v01@openssh.com, |
| 696 | ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, | 698 | ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, |
| 697 | ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa | 699 | sk-ecdsa-sha2-nistp256@openssh.com, |
| 700 | ssh-ed25519,sk-ssh-ed25519@openssh.com, | ||
| 701 | rsa-sha2-512,rsa-sha2-256,ssh-rsa | ||
| 698 | .Ed | 702 | .Ed |
| 699 | .Pp | 703 | .Pp |
| 700 | The list of available key types may also be obtained using | 704 | The list of available key types may also be obtained using |
| @@ -768,12 +772,16 @@ The default for this option is: | |||
| 768 | ecdsa-sha2-nistp256-cert-v01@openssh.com, | 772 | ecdsa-sha2-nistp256-cert-v01@openssh.com, |
| 769 | ecdsa-sha2-nistp384-cert-v01@openssh.com, | 773 | ecdsa-sha2-nistp384-cert-v01@openssh.com, |
| 770 | ecdsa-sha2-nistp521-cert-v01@openssh.com, | 774 | ecdsa-sha2-nistp521-cert-v01@openssh.com, |
| 775 | sk-ecdsa-sha2-nistp256-cert-v01@openssh.com, | ||
| 771 | ssh-ed25519-cert-v01@openssh.com, | 776 | ssh-ed25519-cert-v01@openssh.com, |
| 777 | sk-ssh-ed25519-cert-v01@openssh.com, | ||
| 772 | rsa-sha2-512-cert-v01@openssh.com, | 778 | rsa-sha2-512-cert-v01@openssh.com, |
| 773 | rsa-sha2-256-cert-v01@openssh.com, | 779 | rsa-sha2-256-cert-v01@openssh.com, |
| 774 | ssh-rsa-cert-v01@openssh.com, | 780 | ssh-rsa-cert-v01@openssh.com, |
| 775 | ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, | 781 | ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, |
| 776 | ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa | 782 | sk-ecdsa-sha2-nistp256@openssh.com, |
| 783 | ssh-ed25519,sk-ssh-ed25519@openssh.com, | ||
| 784 | rsa-sha2-512,rsa-sha2-256,ssh-rsa | ||
| 777 | .Ed | 785 | .Ed |
| 778 | .Pp | 786 | .Pp |
| 779 | The list of available key types may also be obtained using | 787 | The list of available key types may also be obtained using |
| @@ -1427,19 +1435,19 @@ character, then the specified key types will be placed at the head of the | |||
| 1427 | default set. | 1435 | default set. |
| 1428 | The default for this option is: | 1436 | The default for this option is: |
| 1429 | .Bd -literal -offset 3n | 1437 | .Bd -literal -offset 3n |
| 1430 | sk-ecdsa-sha2-nistp256-cert-v01@openssh.com, | ||
| 1431 | ecdsa-sha2-nistp256-cert-v01@openssh.com, | 1438 | ecdsa-sha2-nistp256-cert-v01@openssh.com, |
| 1432 | ecdsa-sha2-nistp384-cert-v01@openssh.com, | 1439 | ecdsa-sha2-nistp384-cert-v01@openssh.com, |
| 1433 | ecdsa-sha2-nistp521-cert-v01@openssh.com, | 1440 | ecdsa-sha2-nistp521-cert-v01@openssh.com, |
| 1434 | sk-ssh-ed25519-cert-v01@openssh.com, | 1441 | sk-ecdsa-sha2-nistp256-cert-v01@openssh.com, |
| 1435 | ssh-ed25519-cert-v01@openssh.com, | 1442 | ssh-ed25519-cert-v01@openssh.com, |
| 1443 | sk-ssh-ed25519-cert-v01@openssh.com, | ||
| 1436 | rsa-sha2-512-cert-v01@openssh.com, | 1444 | rsa-sha2-512-cert-v01@openssh.com, |
| 1437 | rsa-sha2-256-cert-v01@openssh.com, | 1445 | rsa-sha2-256-cert-v01@openssh.com, |
| 1438 | ssh-rsa-cert-v01@openssh.com, | 1446 | ssh-rsa-cert-v01@openssh.com, |
| 1439 | sk-ecdsa-sha2-nistp256@openssh.com, | ||
| 1440 | ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, | 1447 | ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, |
| 1441 | sk-ssh-ed25519@openssh.com, | 1448 | sk-ecdsa-sha2-nistp256@openssh.com, |
| 1442 | ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa | 1449 | ssh-ed25519,sk-ssh-ed25519@openssh.com, |
| 1450 | rsa-sha2-512,rsa-sha2-256,ssh-rsa | ||
| 1443 | .Ed | 1451 | .Ed |
| 1444 | .Pp | 1452 | .Pp |
| 1445 | The list of available key types may also be obtained using | 1453 | The list of available key types may also be obtained using |
| @@ -1518,6 +1526,10 @@ will be bound to this | |||
| 1518 | If the routing domain is set to | 1526 | If the routing domain is set to |
| 1519 | .Cm \&%D , | 1527 | .Cm \&%D , |
| 1520 | then the domain in which the incoming connection was received will be applied. | 1528 | then the domain in which the incoming connection was received will be applied. |
| 1529 | .It Cm SecurityKeyProvider | ||
| 1530 | Specifies a path to a security key provider library that will be used when | ||
| 1531 | loading any security key-hosted keys, overriding the default of using | ||
| 1532 | the built-in support for USB HID keys. | ||
| 1521 | .It Cm SetEnv | 1533 | .It Cm SetEnv |
| 1522 | Specifies one or more environment variables to set in child sessions started | 1534 | Specifies one or more environment variables to set in child sessions started |
| 1523 | by | 1535 | by |