upstream: reorder CASignatureAlgorithms, and add them to the

various -o lists; ok djm OpenBSD-Commit-ID: ecb88baecc3c54988b4d1654446ea033da359288
author: jmc@openbsd.org <jmc@openbsd.org> 2018-09-20 06:58:48 +0000
committer: Damien Miller <djm@mindrot.org> 2018-09-21 09:41:10 +1000
commit: e6933a2ffa0659d57f3c7b7c457b2c62b2a84613 (patch)
tree: 3eb1d7864ad1439ec7ca2960a2748c22bca16855
parent: aa083aa9624ea7b764d5a81c4c676719a1a3e42b (diff)
4 files changed, 22 insertions, 19 deletions
diff --git a/scp.1 b/scp.1
index 92abcaf07..0e5cc1b2d 100644
--- a/scp.1
+++ b/scp.1
@@ -8,9 +8,9 @@
 .\"
 .\" Created: Sun May  7 00:14:37 1995 ylo
 .\"
-.\" $OpenBSD: scp.1,v 1.80 2018/07/19 10:28:47 dtucker Exp $
+.\" $OpenBSD: scp.1,v 1.81 2018/09/20 06:58:48 jmc Exp $
 .\"
-.Dd $Mdocdate: July 19 2018 $
+.Dd $Mdocdate: September 20 2018 $
 .Dt SCP 1
 .Os
 .Sh NAME
@@ -130,6 +130,7 @@ For full details of the options listed below, and their possible values, see
 .It CanonicalizeHostname
 .It CanonicalizeMaxDots
 .It CanonicalizePermittedCNAMEs
+.It CASignatureAlgorithms
 .It CertificateFile
 .It ChallengeResponseAuthentication
 .It CheckHostIP
diff --git a/sftp.1 b/sftp.1
index a25d3890b..0fd54cae0 100644
--- a/sftp.1
+++ b/sftp.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: sftp.1,v 1.119 2018/07/23 19:53:55 jmc Exp $
+.\" $OpenBSD: sftp.1,v 1.120 2018/09/20 06:58:48 jmc Exp $
 .\"
 .\" Copyright (c) 2001 Damien Miller.  All rights reserved.
 .\"
@@ -22,7 +22,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: July 23 2018 $
+.Dd $Mdocdate: September 20 2018 $
 .Dt SFTP 1
 .Os
 .Sh NAME
@@ -200,6 +200,7 @@ For full details of the options listed below, and their possible values, see
 .It CanonicalizeHostname
 .It CanonicalizeMaxDots
 .It CanonicalizePermittedCNAMEs
+.It CASignatureAlgorithms
 .It CertificateFile
 .It ChallengeResponseAuthentication
 .It CheckHostIP
diff --git a/ssh.1 b/ssh.1
index 191f35ad4..7760c3075 100644
--- a/ssh.1
+++ b/ssh.1
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh.1,v 1.398 2018/09/12 01:30:10 djm Exp $
+.\" $OpenBSD: ssh.1,v 1.399 2018/09/20 06:58:48 jmc Exp $
-.Dd $Mdocdate: September 12 2018 $
+.Dd $Mdocdate: September 20 2018 $
 .Dt SSH 1
 .Os
 .Sh NAME
@@ -469,6 +469,7 @@ For full details of the options listed below, and their possible values, see
 .It CanonicalizeHostname
 .It CanonicalizeMaxDots
 .It CanonicalizePermittedCNAMEs
+.It CASignatureAlgorithms
 .It CertificateFile
 .It ChallengeResponseAuthentication
 .It CheckHostIP
diff --git a/ssh_config.5 b/ssh_config.5
index a9b44cc44..c7192665f 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -33,7 +33,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh_config.5,v 1.282 2018/09/20 03:30:44 djm Exp $
+.\" $OpenBSD: ssh_config.5,v 1.283 2018/09/20 06:58:48 jmc Exp $
 .Dd $Mdocdate: September 20 2018 $
 .Dt SSH_CONFIG 5
 .Os
@@ -261,18 +261,6 @@ Only useful on systems with more than one address.
 .It Cm BindInterface
 Use the address of the specified interface on the local machine as the
 source address of the connection.
-.It Cm CASignatureAlgorithms
-Specifies which algorithms are allowed for signing of certificates
-by certificate authorities (CAs).
-The default is:
-.Bd -literal -offset indent
-ecdsa-sha2-nistp256.ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
-ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
-.Ed
-.Pp
-.Xr ssh 1
-will not accept host certificates signed using algorithms other than those
-specified.
 .It Cm CanonicalDomains
 When
 .Cm CanonicalizeHostname
@@ -348,6 +336,18 @@ to be canonicalized to names in the
 or
 .Qq *.c.example.com
 domains.
+.It Cm CASignatureAlgorithms
+Specifies which algorithms are allowed for signing of certificates
+by certificate authorities (CAs).
+The default is:
+.Bd -literal -offset indent
+ecdsa-sha2-nistp256.ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
+ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
+.Ed
+.Pp
+.Xr ssh 1
+will not accept host certificates signed using algorithms other than those
+specified.
 .It Cm CertificateFile
 Specifies a file from which the user's certificate is read.
 A corresponding private key must be provided separately in order
author	jmc@openbsd.org <jmc@openbsd.org>	2018-09-20 06:58:48 +0000
committer	Damien Miller <djm@mindrot.org>	2018-09-21 09:41:10 +1000
commit	e6933a2ffa0659d57f3c7b7c457b2c62b2a84613 (patch)
tree	3eb1d7864ad1439ec7ca2960a2748c22bca16855
parent	aa083aa9624ea7b764d5a81c4c676719a1a3e42b (diff)

diff --git a/scp.1 b/scp.1 index 92abcaf07..0e5cc1b2d 100644 --- a/scp.1 +++ b/scp.1
@@ -8,9 +8,9 @@
8	.\"	8	.\"
9	.\" Created: Sun May 7 00:14:37 1995 ylo	9	.\" Created: Sun May 7 00:14:37 1995 ylo
10	.\"	10	.\"
11	.\" $OpenBSD: scp.1,v 1.80 2018/07/19 10:28:47 dtucker Exp $	11	.\" $OpenBSD: scp.1,v 1.81 2018/09/20 06:58:48 jmc Exp $
12	.\"	12	.\"
13	.Dd $Mdocdate: July 19 2018 $	13	.Dd $Mdocdate: September 20 2018 $
14	.Dt SCP 1	14	.Dt SCP 1
15	.Os	15	.Os
16	.Sh NAME	16	.Sh NAME
@@ -130,6 +130,7 @@ For full details of the options listed below, and their possible values, see
130	.It CanonicalizeHostname	130	.It CanonicalizeHostname
131	.It CanonicalizeMaxDots	131	.It CanonicalizeMaxDots
132	.It CanonicalizePermittedCNAMEs	132	.It CanonicalizePermittedCNAMEs
		133	.It CASignatureAlgorithms
133	.It CertificateFile	134	.It CertificateFile
134	.It ChallengeResponseAuthentication	135	.It ChallengeResponseAuthentication
135	.It CheckHostIP	136	.It CheckHostIP


diff --git a/sftp.1 b/sftp.1 index a25d3890b..0fd54cae0 100644 --- a/sftp.1 +++ b/sftp.1
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: sftp.1,v 1.119 2018/07/23 19:53:55 jmc Exp $	1	.\" $OpenBSD: sftp.1,v 1.120 2018/09/20 06:58:48 jmc Exp $
2	.\"	2	.\"
3	.\" Copyright (c) 2001 Damien Miller. All rights reserved.	3	.\" Copyright (c) 2001 Damien Miller. All rights reserved.
4	.\"	4	.\"
@@ -22,7 +22,7 @@
22	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	22	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
23	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	23	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
24	.\"	24	.\"
25	.Dd $Mdocdate: July 23 2018 $	25	.Dd $Mdocdate: September 20 2018 $
26	.Dt SFTP 1	26	.Dt SFTP 1
27	.Os	27	.Os
28	.Sh NAME	28	.Sh NAME
@@ -200,6 +200,7 @@ For full details of the options listed below, and their possible values, see
200	.It CanonicalizeHostname	200	.It CanonicalizeHostname
201	.It CanonicalizeMaxDots	201	.It CanonicalizeMaxDots
202	.It CanonicalizePermittedCNAMEs	202	.It CanonicalizePermittedCNAMEs
		203	.It CASignatureAlgorithms
203	.It CertificateFile	204	.It CertificateFile
204	.It ChallengeResponseAuthentication	205	.It ChallengeResponseAuthentication
205	.It CheckHostIP	206	.It CheckHostIP


diff --git a/ssh.1 b/ssh.1 index 191f35ad4..7760c3075 100644 --- a/ssh.1 +++ b/ssh.1
@@ -33,8 +33,8 @@
33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35	.\"	35	.\"
36	.\" $OpenBSD: ssh.1,v 1.398 2018/09/12 01:30:10 djm Exp $	36	.\" $OpenBSD: ssh.1,v 1.399 2018/09/20 06:58:48 jmc Exp $
37	.Dd $Mdocdate: September 12 2018 $	37	.Dd $Mdocdate: September 20 2018 $
38	.Dt SSH 1	38	.Dt SSH 1
39	.Os	39	.Os
40	.Sh NAME	40	.Sh NAME
@@ -469,6 +469,7 @@ For full details of the options listed below, and their possible values, see
469	.It CanonicalizeHostname	469	.It CanonicalizeHostname
470	.It CanonicalizeMaxDots	470	.It CanonicalizeMaxDots
471	.It CanonicalizePermittedCNAMEs	471	.It CanonicalizePermittedCNAMEs
		472	.It CASignatureAlgorithms
472	.It CertificateFile	473	.It CertificateFile
473	.It ChallengeResponseAuthentication	474	.It ChallengeResponseAuthentication
474	.It CheckHostIP	475	.It CheckHostIP


diff --git a/ssh_config.5 b/ssh_config.5 index a9b44cc44..c7192665f 100644 --- a/ssh_config.5 +++ b/ssh_config.5
@@ -33,7 +33,7 @@
33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35	.\"	35	.\"
36	.\" $OpenBSD: ssh_config.5,v 1.282 2018/09/20 03:30:44 djm Exp $	36	.\" $OpenBSD: ssh_config.5,v 1.283 2018/09/20 06:58:48 jmc Exp $
37	.Dd $Mdocdate: September 20 2018 $	37	.Dd $Mdocdate: September 20 2018 $
38	.Dt SSH_CONFIG 5	38	.Dt SSH_CONFIG 5
39	.Os	39	.Os
@@ -261,18 +261,6 @@ Only useful on systems with more than one address.
261	.It Cm BindInterface	261	.It Cm BindInterface
262	Use the address of the specified interface on the local machine as the	262	Use the address of the specified interface on the local machine as the
263	source address of the connection.	263	source address of the connection.
264	.It Cm CASignatureAlgorithms
265	Specifies which algorithms are allowed for signing of certificates
266	by certificate authorities (CAs).
267	The default is:
268	.Bd -literal -offset indent
269	ecdsa-sha2-nistp256.ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
270	ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
271	.Ed
272	.Pp
273	.Xr ssh 1
274	will not accept host certificates signed using algorithms other than those
275	specified.
276	.It Cm CanonicalDomains	264	.It Cm CanonicalDomains
277	When	265	When
278	.Cm CanonicalizeHostname	266	.Cm CanonicalizeHostname
@@ -348,6 +336,18 @@ to be canonicalized to names in the
348	or	336	or
349	.Qq *.c.example.com	337	.Qq *.c.example.com
350	domains.	338	domains.
		339	.It Cm CASignatureAlgorithms
		340	Specifies which algorithms are allowed for signing of certificates
		341	by certificate authorities (CAs).
		342	The default is:
		343	.Bd -literal -offset indent
		344	ecdsa-sha2-nistp256.ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
		345	ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
		346	.Ed
		347	.Pp
		348	.Xr ssh 1
		349	will not accept host certificates signed using algorithms other than those
		350	specified.
351	.It Cm CertificateFile	351	.It Cm CertificateFile
352	Specifies a file from which the user's certificate is read.	352	Specifies a file from which the user's certificate is read.
353	A corresponding private key must be provided separately in order	353	A corresponding private key must be provided separately in order