upstream commit

Allow ssh_config and sshd_config kex parameters options be prefixed by a '+' to indicate that the specified items be appended to the default rather than replacing it. approach suggested by dtucker@, feedback dlg@, ok markus@ Upstream-ID: 0f901137298fc17095d5756ff1561a7028e8882a
author: djm@openbsd.org <djm@openbsd.org> 2015-07-30 00:01:34 +0000
committer: Damien Miller <djm@mindrot.org> 2015-07-30 12:32:16 +1000
commit: f9eca249d4961f28ae4b09186d7dc91de74b5895 (patch)
tree: f4c86ae2043499a6ed7f8c736f0cd5e1f483102c /ssh_config.5
parent: 5cefe769105a2a2e3ca7479d28d9a325d5ef0163 (diff)
1 files changed, 29 insertions, 2 deletions
diff --git a/ssh_config.5 b/ssh_config.5
index e51439849..5b0975f87 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh_config.5,v 1.213 2015/07/10 06:21:53 markus Exp $
+.\" $OpenBSD: ssh_config.5,v 1.214 2015/07/30 00:01:34 djm Exp $
-.Dd $Mdocdate: July 10 2015 $
+.Dd $Mdocdate: July 30 2015 $
 .Dt SSH_CONFIG 5
 .Os
 .Sh NAME
@@ -373,6 +373,11 @@ The default is
 Specifies the ciphers allowed for protocol version 2
 in order of preference.
 Multiple ciphers must be comma-separated.
+If the specified value begins with a
+.Sq +
+character, then the specified ciphers will be appended to the default set
+instead of replacing them.
+.Pp
 The supported ciphers are:
 .Pp
 .Bl -item -compact -offset indent
@@ -781,6 +786,10 @@ is similar to
 .It Cm HostbasedKeyTypes
 Specifies the key types that will be used for hostbased authentication
 as a comma-separated pattern list.
+Alternately if the specified value begins with a
+.Sq +
+character, then the specified key types will be appended to the default set
+instead of replacing them.
 The default for this option is:
 .Bd -literal -offset 3n
 ecdsa-sha2-nistp256-cert-v01@openssh.com,
@@ -800,6 +809,10 @@ may be used to list supported key types.
 .It Cm HostKeyAlgorithms
 Specifies the protocol version 2 host key algorithms
 that the client wants to use in order of preference.
+Alternately if the specified value begins with a
+.Sq +
+character, then the specified key types will be appended to the default set
+instead of replacing them.
 The default for this option is:
 .Bd -literal -offset 3n
 ecdsa-sha2-nistp256-cert-v01@openssh.com,
@@ -981,6 +994,10 @@ and
 .It Cm KexAlgorithms
 Specifies the available KEX (Key Exchange) algorithms.
 Multiple algorithms must be comma-separated.
+Alternately if the specified value begins with a
+.Sq +
+character, then the specified methods will be appended to the default set
+instead of replacing them.
 The default is:
 .Bd -literal -offset indent
 curve25519-sha256@libssh.org,
@@ -1069,10 +1086,16 @@ in order of preference.
 The MAC algorithm is used in protocol version 2
 for data integrity protection.
 Multiple algorithms must be comma-separated.
+If the specified value begins with a
+.Sq +
+character, then the specified algorithms will be appended to the default set
+instead of replacing them.
+.Pp
 The algorithms that contain
 .Dq -etm
 calculate the MAC after encryption (encrypt-then-mac).
 These are considered safer and their use recommended.
+.Pp
 The default is:
 .Bd -literal -offset indent
 umac-64-etm@openssh.com,umac-128-etm@openssh.com,
@@ -1216,6 +1239,10 @@ The default is
 .It Cm PubkeyAcceptedKeyTypes
 Specifies the key types that will be used for public key authentication
 as a comma-separated pattern list.
+Alternately if the specified value begins with a
+.Sq +
+character, then the key types after it will be appended to the default
+instead of replacing it.
 The default for this option is:
 .Bd -literal -offset 3n
 ecdsa-sha2-nistp256-cert-v01@openssh.com,
author	djm@openbsd.org <djm@openbsd.org>	2015-07-30 00:01:34 +0000
committer	Damien Miller <djm@mindrot.org>	2015-07-30 12:32:16 +1000
commit	f9eca249d4961f28ae4b09186d7dc91de74b5895 (patch)
tree	f4c86ae2043499a6ed7f8c736f0cd5e1f483102c /ssh_config.5
parent	5cefe769105a2a2e3ca7479d28d9a325d5ef0163 (diff)

diff --git a/ssh_config.5 b/ssh_config.5 index e51439849..5b0975f87 100644 --- a/ssh_config.5 +++ b/ssh_config.5
@@ -33,8 +33,8 @@
33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35	.\"	35	.\"
36	.\" $OpenBSD: ssh_config.5,v 1.213 2015/07/10 06:21:53 markus Exp $	36	.\" $OpenBSD: ssh_config.5,v 1.214 2015/07/30 00:01:34 djm Exp $
37	.Dd $Mdocdate: July 10 2015 $	37	.Dd $Mdocdate: July 30 2015 $
38	.Dt SSH_CONFIG 5	38	.Dt SSH_CONFIG 5
39	.Os	39	.Os
40	.Sh NAME	40	.Sh NAME
@@ -373,6 +373,11 @@ The default is
373	Specifies the ciphers allowed for protocol version 2	373	Specifies the ciphers allowed for protocol version 2
374	in order of preference.	374	in order of preference.
375	Multiple ciphers must be comma-separated.	375	Multiple ciphers must be comma-separated.
		376	If the specified value begins with a
		377	.Sq +
		378	character, then the specified ciphers will be appended to the default set
		379	instead of replacing them.
		380	.Pp
376	The supported ciphers are:	381	The supported ciphers are:
377	.Pp	382	.Pp
378	.Bl -item -compact -offset indent	383	.Bl -item -compact -offset indent
@@ -781,6 +786,10 @@ is similar to
781	.It Cm HostbasedKeyTypes	786	.It Cm HostbasedKeyTypes
782	Specifies the key types that will be used for hostbased authentication	787	Specifies the key types that will be used for hostbased authentication
783	as a comma-separated pattern list.	788	as a comma-separated pattern list.
		789	Alternately if the specified value begins with a
		790	.Sq +
		791	character, then the specified key types will be appended to the default set
		792	instead of replacing them.
784	The default for this option is:	793	The default for this option is:
785	.Bd -literal -offset 3n	794	.Bd -literal -offset 3n
786	ecdsa-sha2-nistp256-cert-v01@openssh.com,	795	ecdsa-sha2-nistp256-cert-v01@openssh.com,
@@ -800,6 +809,10 @@ may be used to list supported key types.
800	.It Cm HostKeyAlgorithms	809	.It Cm HostKeyAlgorithms
801	Specifies the protocol version 2 host key algorithms	810	Specifies the protocol version 2 host key algorithms
802	that the client wants to use in order of preference.	811	that the client wants to use in order of preference.
		812	Alternately if the specified value begins with a
		813	.Sq +
		814	character, then the specified key types will be appended to the default set
		815	instead of replacing them.
803	The default for this option is:	816	The default for this option is:
804	.Bd -literal -offset 3n	817	.Bd -literal -offset 3n
805	ecdsa-sha2-nistp256-cert-v01@openssh.com,	818	ecdsa-sha2-nistp256-cert-v01@openssh.com,
@@ -981,6 +994,10 @@ and
981	.It Cm KexAlgorithms	994	.It Cm KexAlgorithms
982	Specifies the available KEX (Key Exchange) algorithms.	995	Specifies the available KEX (Key Exchange) algorithms.
983	Multiple algorithms must be comma-separated.	996	Multiple algorithms must be comma-separated.
		997	Alternately if the specified value begins with a
		998	.Sq +
		999	character, then the specified methods will be appended to the default set
		1000	instead of replacing them.
984	The default is:	1001	The default is:
985	.Bd -literal -offset indent	1002	.Bd -literal -offset indent
986	curve25519-sha256@libssh.org,	1003	curve25519-sha256@libssh.org,
@@ -1069,10 +1086,16 @@ in order of preference.
1069	The MAC algorithm is used in protocol version 2	1086	The MAC algorithm is used in protocol version 2
1070	for data integrity protection.	1087	for data integrity protection.
1071	Multiple algorithms must be comma-separated.	1088	Multiple algorithms must be comma-separated.
		1089	If the specified value begins with a
		1090	.Sq +
		1091	character, then the specified algorithms will be appended to the default set
		1092	instead of replacing them.
		1093	.Pp
1072	The algorithms that contain	1094	The algorithms that contain
1073	.Dq -etm	1095	.Dq -etm
1074	calculate the MAC after encryption (encrypt-then-mac).	1096	calculate the MAC after encryption (encrypt-then-mac).
1075	These are considered safer and their use recommended.	1097	These are considered safer and their use recommended.
		1098	.Pp
1076	The default is:	1099	The default is:
1077	.Bd -literal -offset indent	1100	.Bd -literal -offset indent
1078	umac-64-etm@openssh.com,umac-128-etm@openssh.com,	1101	umac-64-etm@openssh.com,umac-128-etm@openssh.com,
@@ -1216,6 +1239,10 @@ The default is
1216	.It Cm PubkeyAcceptedKeyTypes	1239	.It Cm PubkeyAcceptedKeyTypes
1217	Specifies the key types that will be used for public key authentication	1240	Specifies the key types that will be used for public key authentication
1218	as a comma-separated pattern list.	1241	as a comma-separated pattern list.
		1242	Alternately if the specified value begins with a
		1243	.Sq +
		1244	character, then the key types after it will be appended to the default
		1245	instead of replacing it.
1219	The default for this option is:	1246	The default for this option is:
1220	.Bd -literal -offset 3n	1247	.Bd -literal -offset 3n
1221	ecdsa-sha2-nistp256-cert-v01@openssh.com,	1248	ecdsa-sha2-nistp256-cert-v01@openssh.com,