authordjm@openbsd.org <djm@openbsd.org>2019-12-15 18:57:30 +0000
committerDamien Miller <djm@mindrot.org>2019-12-16 14:19:41 +1100
commit56584cce75f3d20aaa30befc7cbd331d922927f3 (patch)
treed3e9c2b7c9104b6528758b19eb7fa56dae2fcea6 /myproposal.h
parent5af6fd5461bb709304e6979c8b7856c7af921c9e (diff)
upstream: allow security keys to act as host keys as well as user
keys. Previously we didn't do this because we didn't want to expose the attack surface presented by USB and FIDO protocol handling, but now that this is insulated behind ssh-sk-helper there is less risk. ok markus@ OpenBSD-Commit-ID: 77b068dd133b8d87e0f010987bd5131e640ee64c
Diffstat (limited to 'myproposal.h')
-rw-r--r--myproposal.h40
1 files changed, 11 insertions, 29 deletions
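diff --git a/myproposal.h b/myproposal.h
index b393db8b0..6688c3066 100644
--- a/myproposal.h
+++ b/myproposal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: myproposal.h,v 1.62 2019/12/10 22:43:19 djm Exp $ */
+/* $OpenBSD: myproposal.h,v 1.63 2019/12/15 18:57:30 djm Exp $ */
 
 /*
  * Copyright (c) 2000 Markus Friedl. All rights reserved.
@@ -39,32 +39,30 @@
 # define HOSTKEY_ECDSA_CERT_METHODS \
  "ecdsa-sha2-nistp256-cert-v01@openssh.com," \
  "ecdsa-sha2-nistp384-cert-v01@openssh.com," \
- "ecdsa-sha2-nistp521-cert-v01@openssh.com,"
+ "ecdsa-sha2-nistp521-cert-v01@openssh.com," \
+ "sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,"
 # define HOSTKEY_ECDSA_METHODS \
  "ecdsa-sha2-nistp256," \
  "ecdsa-sha2-nistp384," \
- "ecdsa-sha2-nistp521,"
+ "ecdsa-sha2-nistp521," \
+ "sk-ecdsa-sha2-nistp256@openssh.com,"
 # else /* OPENSSL_HAS_NISTP521 */
 # define KEX_ECDH_METHODS \
  "ecdh-sha2-nistp256," \
  "ecdh-sha2-nistp384,"
 # define HOSTKEY_ECDSA_CERT_METHODS \
  "ecdsa-sha2-nistp256-cert-v01@openssh.com," \
- "ecdsa-sha2-nistp384-cert-v01@openssh.com,"
+ "ecdsa-sha2-nistp384-cert-v01@openssh.com," \
+ "sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,"
 # define HOSTKEY_ECDSA_METHODS \
  "ecdsa-sha2-nistp256," \
- "ecdsa-sha2-nistp384,"
-# endif /* OPENSSL_HAS_NISTP521 */
-# define USERKEY_ECDSA_SK_CERT_METHODS \
- "sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,"
-# define USERKEY_ECDSA_SK_METHODS \
+ "ecdsa-sha2-nistp384," \
  "sk-ecdsa-sha2-nistp256@openssh.com,"
+# endif /* OPENSSL_HAS_NISTP521 */
 #else /* OPENSSL_HAS_ECC */
 # define KEX_ECDH_METHODS
 # define HOSTKEY_ECDSA_CERT_METHODS
 # define HOSTKEY_ECDSA_METHODS
-# define USERKEY_ECDSA_SK_CERT_METHODS
-# define USERKEY_ECDSA_SK_METHODS
 #endif /* OPENSSL_HAS_ECC */
 
 #ifdef OPENSSL_HAVE_EVPGCM
@@ -110,11 +108,13 @@
 #define KEX_DEFAULT_PK_ALG \
  HOSTKEY_ECDSA_CERT_METHODS \
  "ssh-ed25519-cert-v01@openssh.com," \
+ "sk-ssh-ed25519-cert-v01@openssh.com," \
  "rsa-sha2-512-cert-v01@openssh.com," \
  "rsa-sha2-256-cert-v01@openssh.com," \
  "ssh-rsa-cert-v01@openssh.com," \
  HOSTKEY_ECDSA_METHODS \
  "ssh-ed25519," \
+ "sk-ssh-ed25519@openssh.com," \
  "rsa-sha2-512," \
  "rsa-sha2-256," \
  "ssh-rsa"
@@ -145,29 +145,12 @@
 /* Not a KEX value, but here so all the algorithm defaults are together */
 #define SSH_ALLOWED_CA_SIGALGS \
  HOSTKEY_ECDSA_METHODS \
- USERKEY_ECDSA_SK_METHODS \
  "ssh-ed25519," \
  "sk-ssh-ed25519@openssh.com," \
  "rsa-sha2-512," \
  "rsa-sha2-256," \
  "ssh-rsa"
 
-#define PUBKEY_DEFAULT_PK_ALG \
- USERKEY_ECDSA_SK_CERT_METHODS \
- HOSTKEY_ECDSA_CERT_METHODS \
- "sk-ssh-ed25519-cert-v01@openssh.com," \
- "ssh-ed25519-cert-v01@openssh.com," \
- "rsa-sha2-512-cert-v01@openssh.com," \
- "rsa-sha2-256-cert-v01@openssh.com," \
- "ssh-rsa-cert-v01@openssh.com," \
- USERKEY_ECDSA_SK_METHODS \
- HOSTKEY_ECDSA_METHODS \
- "sk-ssh-ed25519@openssh.com," \
- "ssh-ed25519," \
- "rsa-sha2-512," \
- "rsa-sha2-256," \
- "ssh-rsa"
-
 #else /* WITH_OPENSSL */
 
 #define KEX_SERVER_KEX \
@@ -176,7 +159,6 @@
 #define KEX_DEFAULT_PK_ALG \
  "ssh-ed25519-cert-v01@openssh.com," \
  "ssh-ed25519"
-#define PUBKEY_DEFAULT_PK_ALG KEX_DEFAULT_PK_ALG
 #define KEX_SERVER_ENCRYPT \
  "chacha20-poly1305@openssh.com," \
  "aes128-ctr,aes192-ctr,aes256-ctr"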