upstream: When signing certificates with an RSA key, default to

using the rsa-sha2-512 signature algorithm. Certificates signed by RSA keys will therefore be incompatible with OpenSSH < 7.2 unless the default is overridden. Document the ability of the ssh-keygen -t flag to override the signature algorithm when signing certificates, and the new default. ok deraadt@ OpenBSD-Commit-ID: 400c9c15013978204c2cb80f294b03ae4cfc8b95
author: djm@openbsd.org <djm@openbsd.org> 2019-05-20 00:20:35 +0000
committer: Damien Miller <djm@mindrot.org> 2019-05-20 10:21:58 +1000
commit: 476e3551b2952ef73acc43d995e832539bf9bc4d (patch)
tree: 326f23ca0f27d7fd4242ce88892d0af9a2da2c3c /ssh-keygen.1
parent: 606077ee1e77af5908431d003fb28461ef7be092 (diff)
1 files changed, 11 insertions, 2 deletions
diff --git a/ssh-keygen.1 b/ssh-keygen.1
index f29774249..673bf6e2f 100644
--- a/ssh-keygen.1
+++ b/ssh-keygen.1
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: ssh-keygen.1,v 1.158 2019/04/19 05:47:44 dtucker Exp $
+.\"     $OpenBSD: ssh-keygen.1,v 1.159 2019/05/20 00:20:35 djm Exp $
 .\"
 .\" Author: Tatu Ylonen <ylo@cs.hut.fi>
 .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -35,7 +35,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: April 19 2019 $
+.Dd $Mdocdate: May 20 2019 $
 .Dt SSH-KEYGEN 1
 .Os
 .Sh NAME
@@ -577,6 +577,15 @@ The possible values are
 .Dq ed25519 ,
 or
 .Dq rsa .
+.Pp
+This flag may also be used to specify the desired signature type when
+signing certificates using a RSA CA key.
+The available RSA signature variants are
+.Dq ssh-rsa
+(SHA1 signatures, not recommended),
+.Dq rsa-sha2-256
+.Dq rsa-sha2-512
+(the default).
 .It Fl U
 When used in combination with
 .Fl s ,
author	djm@openbsd.org <djm@openbsd.org>	2019-05-20 00:20:35 +0000
committer	Damien Miller <djm@mindrot.org>	2019-05-20 10:21:58 +1000
commit	476e3551b2952ef73acc43d995e832539bf9bc4d (patch)
tree	326f23ca0f27d7fd4242ce88892d0af9a2da2c3c /ssh-keygen.1
parent	606077ee1e77af5908431d003fb28461ef7be092 (diff)

diff --git a/ssh-keygen.1 b/ssh-keygen.1 index f29774249..673bf6e2f 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: ssh-keygen.1,v 1.158 2019/04/19 05:47:44 dtucker Exp $	1	.\" $OpenBSD: ssh-keygen.1,v 1.159 2019/05/20 00:20:35 djm Exp $
2	.\"	2	.\"
3	.\" Author: Tatu Ylonen <ylo@cs.hut.fi>	3	.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
4	.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland	4	.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -35,7 +35,7 @@
35	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	35	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
36	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	36	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
37	.\"	37	.\"
38	.Dd $Mdocdate: April 19 2019 $	38	.Dd $Mdocdate: May 20 2019 $
39	.Dt SSH-KEYGEN 1	39	.Dt SSH-KEYGEN 1
40	.Os	40	.Os
41	.Sh NAME	41	.Sh NAME
@@ -577,6 +577,15 @@ The possible values are
577	.Dq ed25519 ,	577	.Dq ed25519 ,
578	or	578	or
579	.Dq rsa .	579	.Dq rsa .
		580	.Pp
		581	This flag may also be used to specify the desired signature type when
		582	signing certificates using a RSA CA key.
		583	The available RSA signature variants are
		584	.Dq ssh-rsa
		585	(SHA1 signatures, not recommended),
		586	.Dq rsa-sha2-256
		587	.Dq rsa-sha2-512
		588	(the default).
580	.It Fl U	589	.It Fl U
581	When used in combination with	590	When used in combination with
582	.Fl s ,	591	.Fl s ,