upstream commit

sync crypto algorithm lists in ssh_config(5) and sshd_config(5) with current reality. bz#2527 Upstream-ID: d7fd1b6c1ed848d866236bcb1d7049d2bb9b2ff6
author: djm@openbsd.org <djm@openbsd.org> 2016-02-11 02:56:32 +0000
committer: Damien Miller <djm@mindrot.org> 2016-02-11 13:58:57 +1100
commit: e4c918a6c721410792b287c9fd21356a1bed5805 (patch)
tree: 02bad6311c2e56a04681076f449438e510e71bcc
parent: e30cabfa4ab456a30b3224f7f545f1bdfc4a2517 (diff)
2 files changed, 15 insertions, 20 deletions
diff --git a/ssh_config.5 b/ssh_config.5
index 2ede53ff4..5b09547dd 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh_config.5,v 1.223 2015/11/15 23:58:04 jmc Exp $
+.\" $OpenBSD: ssh_config.5,v 1.224 2016/02/11 02:56:32 djm Exp $
-.Dd $Mdocdate: November 15 2015 $
+.Dd $Mdocdate: February 11 2016 $
 .Dt SSH_CONFIG 5
 .Os
 .Sh NAME
@@ -486,9 +486,7 @@ The default is:
 chacha20-poly1305@openssh.com,
 aes128-ctr,aes192-ctr,aes256-ctr,
 aes128-gcm@openssh.com,aes256-gcm@openssh.com,
-arcfour256,arcfour128,
+aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc
-aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,
-aes192-cbc,aes256-cbc,arcfour
 .Ed
 .Pp
 The list of available ciphers may also be obtained using the
@@ -876,7 +874,7 @@ ecdsa-sha2-nistp521-cert-v01@openssh.com,
 ssh-ed25519-cert-v01@openssh.com,
 ssh-rsa-cert-v01@openssh.com,
 ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
-ssh-ed25519,ssh-rsa
+ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
 .Ed
 .Pp
 The
@@ -899,7 +897,7 @@ ecdsa-sha2-nistp521-cert-v01@openssh.com,
 ssh-ed25519-cert-v01@openssh.com,
 ssh-rsa-cert-v01@openssh.com,
 ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
-ssh-ed25519,ssh-rsa
+ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
 .Ed
 .Pp
 If hostkeys are known for the destination host then this default is modified
@@ -1189,13 +1187,9 @@ The default is:
 .Bd -literal -offset indent
 umac-64-etm@openssh.com,umac-128-etm@openssh.com,
 hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
+hmac-sha1-etm@openssh.com,
 umac-64@openssh.com,umac-128@openssh.com,
-hmac-sha2-256,hmac-sha2-512,
+hmac-sha2-256,hmac-sha2-512,hmac-sha1
-hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,
-hmac-ripemd160-etm@openssh.com,
-hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,
-hmac-md5,hmac-sha1,hmac-ripemd160,
-hmac-sha1-96,hmac-md5-96
 .Ed
 .Pp
 The list of available MAC algorithms may also be obtained using the
@@ -1340,7 +1334,7 @@ ecdsa-sha2-nistp521-cert-v01@openssh.com,
 ssh-ed25519-cert-v01@openssh.com,
 ssh-rsa-cert-v01@openssh.com,
 ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
-ssh-ed25519,ssh-rsa
+ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
 .Ed
 .Pp
 The
diff --git a/sshd_config.5 b/sshd_config.5
index c8444610b..fa5cff2fb 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.216 2016/02/05 02:37:56 djm Exp $
+.\" $OpenBSD: sshd_config.5,v 1.217 2016/02/11 02:56:32 djm Exp $
-.Dd $Mdocdate: February 5 2016 $
+.Dd $Mdocdate: February 11 2016 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@@ -664,7 +664,7 @@ ecdsa-sha2-nistp521-cert-v01@openssh.com,
 ssh-ed25519-cert-v01@openssh.com,
 ssh-rsa-cert-v01@openssh.com,
 ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
-ssh-ed25519,ssh-rsa
+ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
 .Ed
 .Pp
 The
@@ -759,7 +759,7 @@ ecdsa-sha2-nistp521-cert-v01@openssh.com,
 ssh-ed25519-cert-v01@openssh.com,
 ssh-rsa-cert-v01@openssh.com,
 ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
-ssh-ed25519,ssh-rsa
+ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
 .Ed
 .Pp
 The list of available key types may also be obtained using the
@@ -1027,8 +1027,9 @@ The default is:
 .Bd -literal -offset indent
 umac-64-etm@openssh.com,umac-128-etm@openssh.com,
 hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
+hmac-sha1-etm@openssh.com,
 umac-64@openssh.com,umac-128@openssh.com,
-hmac-sha2-256,hmac-sha2-512
+hmac-sha2-256,hmac-sha2-512,hmac-sha1
 .Ed
 .Pp
 The list of available MAC algorithms may also be obtained using the
@@ -1363,7 +1364,7 @@ ecdsa-sha2-nistp521-cert-v01@openssh.com,
 ssh-ed25519-cert-v01@openssh.com,
 ssh-rsa-cert-v01@openssh.com,
 ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
-ssh-ed25519,ssh-rsa
+ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
 .Ed
 .Pp
 The
author	djm@openbsd.org <djm@openbsd.org>	2016-02-11 02:56:32 +0000
committer	Damien Miller <djm@mindrot.org>	2016-02-11 13:58:57 +1100
commit	e4c918a6c721410792b287c9fd21356a1bed5805 (patch)
tree	02bad6311c2e56a04681076f449438e510e71bcc
parent	e30cabfa4ab456a30b3224f7f545f1bdfc4a2517 (diff)

diff --git a/ssh_config.5 b/ssh_config.5 index 2ede53ff4..5b09547dd 100644 --- a/ssh_config.5 +++ b/ssh_config.5
@@ -33,8 +33,8 @@
33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35	.\"	35	.\"
36	.\" $OpenBSD: ssh_config.5,v 1.223 2015/11/15 23:58:04 jmc Exp $	36	.\" $OpenBSD: ssh_config.5,v 1.224 2016/02/11 02:56:32 djm Exp $
37	.Dd $Mdocdate: November 15 2015 $	37	.Dd $Mdocdate: February 11 2016 $
38	.Dt SSH_CONFIG 5	38	.Dt SSH_CONFIG 5
39	.Os	39	.Os
40	.Sh NAME	40	.Sh NAME
@@ -486,9 +486,7 @@ The default is:
486	chacha20-poly1305@openssh.com,	486	chacha20-poly1305@openssh.com,
487	aes128-ctr,aes192-ctr,aes256-ctr,	487	aes128-ctr,aes192-ctr,aes256-ctr,
488	aes128-gcm@openssh.com,aes256-gcm@openssh.com,	488	aes128-gcm@openssh.com,aes256-gcm@openssh.com,
489	arcfour256,arcfour128,	489	aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc
490	aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,
491	aes192-cbc,aes256-cbc,arcfour
492	.Ed	490	.Ed
493	.Pp	491	.Pp
494	The list of available ciphers may also be obtained using the	492	The list of available ciphers may also be obtained using the
@@ -876,7 +874,7 @@ ecdsa-sha2-nistp521-cert-v01@openssh.com,
876	ssh-ed25519-cert-v01@openssh.com,	874	ssh-ed25519-cert-v01@openssh.com,
877	ssh-rsa-cert-v01@openssh.com,	875	ssh-rsa-cert-v01@openssh.com,
878	ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,	876	ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
879	ssh-ed25519,ssh-rsa	877	ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
880	.Ed	878	.Ed
881	.Pp	879	.Pp
882	The	880	The
@@ -899,7 +897,7 @@ ecdsa-sha2-nistp521-cert-v01@openssh.com,
899	ssh-ed25519-cert-v01@openssh.com,	897	ssh-ed25519-cert-v01@openssh.com,
900	ssh-rsa-cert-v01@openssh.com,	898	ssh-rsa-cert-v01@openssh.com,
901	ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,	899	ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
902	ssh-ed25519,ssh-rsa	900	ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
903	.Ed	901	.Ed
904	.Pp	902	.Pp
905	If hostkeys are known for the destination host then this default is modified	903	If hostkeys are known for the destination host then this default is modified
@@ -1189,13 +1187,9 @@ The default is:
1189	.Bd -literal -offset indent	1187	.Bd -literal -offset indent
1190	umac-64-etm@openssh.com,umac-128-etm@openssh.com,	1188	umac-64-etm@openssh.com,umac-128-etm@openssh.com,
1191	hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,	1189	hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
		1190	hmac-sha1-etm@openssh.com,
1192	umac-64@openssh.com,umac-128@openssh.com,	1191	umac-64@openssh.com,umac-128@openssh.com,
1193	hmac-sha2-256,hmac-sha2-512,	1192	hmac-sha2-256,hmac-sha2-512,hmac-sha1
1194	hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,
1195	hmac-ripemd160-etm@openssh.com,
1196	hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,
1197	hmac-md5,hmac-sha1,hmac-ripemd160,
1198	hmac-sha1-96,hmac-md5-96
1199	.Ed	1193	.Ed
1200	.Pp	1194	.Pp
1201	The list of available MAC algorithms may also be obtained using the	1195	The list of available MAC algorithms may also be obtained using the
@@ -1340,7 +1334,7 @@ ecdsa-sha2-nistp521-cert-v01@openssh.com,
1340	ssh-ed25519-cert-v01@openssh.com,	1334	ssh-ed25519-cert-v01@openssh.com,
1341	ssh-rsa-cert-v01@openssh.com,	1335	ssh-rsa-cert-v01@openssh.com,
1342	ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,	1336	ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
1343	ssh-ed25519,ssh-rsa	1337	ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
1344	.Ed	1338	.Ed
1345	.Pp	1339	.Pp
1346	The	1340	The


diff --git a/sshd_config.5 b/sshd_config.5 index c8444610b..fa5cff2fb 100644 --- a/sshd_config.5 +++ b/sshd_config.5
@@ -33,8 +33,8 @@
33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35	.\"	35	.\"
36	.\" $OpenBSD: sshd_config.5,v 1.216 2016/02/05 02:37:56 djm Exp $	36	.\" $OpenBSD: sshd_config.5,v 1.217 2016/02/11 02:56:32 djm Exp $
37	.Dd $Mdocdate: February 5 2016 $	37	.Dd $Mdocdate: February 11 2016 $
38	.Dt SSHD_CONFIG 5	38	.Dt SSHD_CONFIG 5
39	.Os	39	.Os
40	.Sh NAME	40	.Sh NAME
@@ -664,7 +664,7 @@ ecdsa-sha2-nistp521-cert-v01@openssh.com,
664	ssh-ed25519-cert-v01@openssh.com,	664	ssh-ed25519-cert-v01@openssh.com,
665	ssh-rsa-cert-v01@openssh.com,	665	ssh-rsa-cert-v01@openssh.com,
666	ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,	666	ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
667	ssh-ed25519,ssh-rsa	667	ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
668	.Ed	668	.Ed
669	.Pp	669	.Pp
670	The	670	The
@@ -759,7 +759,7 @@ ecdsa-sha2-nistp521-cert-v01@openssh.com,
759	ssh-ed25519-cert-v01@openssh.com,	759	ssh-ed25519-cert-v01@openssh.com,
760	ssh-rsa-cert-v01@openssh.com,	760	ssh-rsa-cert-v01@openssh.com,
761	ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,	761	ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
762	ssh-ed25519,ssh-rsa	762	ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
763	.Ed	763	.Ed
764	.Pp	764	.Pp
765	The list of available key types may also be obtained using the	765	The list of available key types may also be obtained using the
@@ -1027,8 +1027,9 @@ The default is:
1027	.Bd -literal -offset indent	1027	.Bd -literal -offset indent
1028	umac-64-etm@openssh.com,umac-128-etm@openssh.com,	1028	umac-64-etm@openssh.com,umac-128-etm@openssh.com,
1029	hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,	1029	hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
		1030	hmac-sha1-etm@openssh.com,
1030	umac-64@openssh.com,umac-128@openssh.com,	1031	umac-64@openssh.com,umac-128@openssh.com,
1031	hmac-sha2-256,hmac-sha2-512	1032	hmac-sha2-256,hmac-sha2-512,hmac-sha1
1032	.Ed	1033	.Ed
1033	.Pp	1034	.Pp
1034	The list of available MAC algorithms may also be obtained using the	1035	The list of available MAC algorithms may also be obtained using the
@@ -1363,7 +1364,7 @@ ecdsa-sha2-nistp521-cert-v01@openssh.com,
1363	ssh-ed25519-cert-v01@openssh.com,	1364	ssh-ed25519-cert-v01@openssh.com,
1364	ssh-rsa-cert-v01@openssh.com,	1365	ssh-rsa-cert-v01@openssh.com,
1365	ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,	1366	ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
1366	ssh-ed25519,ssh-rsa	1367	ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
1367	.Ed	1368	.Ed
1368	.Pp	1369	.Pp
1369	The	1370	The