- djm@cvs.openbsd.org 2010/04/16 01:47:26

     [PROTOCOL.certkeys auth-options.c auth-options.h auth-rsa.c]
     [auth2-pubkey.c authfd.c key.c key.h myproposal.h ssh-add.c]
     [ssh-agent.c ssh-dss.c ssh-keygen.1 ssh-keygen.c ssh-rsa.c]
     [sshconnect.c sshconnect2.c sshd.c]
     revised certificate format ssh-{dss,rsa}-cert-v01@openssh.com with the
     following changes:

     move the nonce field to the beginning of the certificate where it can
     better protect against chosen-prefix attacks on the signature hash

     Rename "constraints" field to "critical options"

     Add a new non-critical "extensions" field

     Add a serial number

     The older format is still support for authentication and cert generation
     (use "ssh-keygen -t v00 -s ca_key ..." to generate a v00 certificate)

     ok markus@

1 files changed, 7 insertions, 4 deletions

diff --git a/myproposal.h b/myproposal.h
index 98f27fd15..7bedfab0a 100644
--- a/myproposal.h
+++ b/myproposal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: myproposal.h,v 1.24 2010/02/26 20:29:54 djm Exp $ */
+/* $OpenBSD: myproposal.h,v 1.25 2010/04/16 01:47:26 djm Exp $ */
 
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
@@ -40,9 +40,12 @@
         "diffie-hellman-group1-sha1"
 #endif
 
-#define KEX_DEFAULT_PK_ALG      "ssh-rsa-cert-v00@openssh.com," \
-                                "ssh-dss-cert-v00@openssh.com," \
-                                "ssh-rsa,ssh-dss"
+#define KEX_DEFAULT_PK_ALG      \
+                                "ssh-rsa-cert-v01@openssh.com," \
+                                "ssh-dss-cert-v01@openssh.com," \
+                                "ssh-rsa-cert-v00@openssh.com," \
+                                "ssh-dss-cert-v00@openssh.com," \
+                                "ssh-rsa,ssh-dss"
 
 #define KEX_DEFAULT_ENCRYPT \
         "aes128-ctr,aes192-ctr,aes256-ctr," \