upstream: add CASignatureAlgorithms option for the client, allowing

it to specify which signature algorithms may be used by CAs when signing certificates. Useful if you want to ban RSA/SHA1; ok markus@ OpenBSD-Commit-ID: 9159e5e9f67504829bf53ff222057307a6e3230f
author: djm@openbsd.org <djm@openbsd.org> 2018-09-20 03:30:44 +0000
committer: Damien Miller <djm@mindrot.org> 2018-09-20 14:00:29 +1000
commit: ecac7e1f7add6b28874959a11f2238d149dc2c07 (patch)
tree: 58cde218f604646101ff838423b7beeafb46b909 /ssh_config.5
parent: 86e5737c39153af134158f24d0cab5827cbd5852 (diff)
1 files changed, 14 insertions, 2 deletions
diff --git a/ssh_config.5 b/ssh_config.5
index f499396a3..a9b44cc44 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh_config.5,v 1.281 2018/07/23 19:02:49 kn Exp $
+.\" $OpenBSD: ssh_config.5,v 1.282 2018/09/20 03:30:44 djm Exp $
-.Dd $Mdocdate: July 23 2018 $
+.Dd $Mdocdate: September 20 2018 $
 .Dt SSH_CONFIG 5
 .Os
 .Sh NAME
@@ -261,6 +261,18 @@ Only useful on systems with more than one address.
 .It Cm BindInterface
 Use the address of the specified interface on the local machine as the
 source address of the connection.
+.It Cm CASignatureAlgorithms
+Specifies which algorithms are allowed for signing of certificates
+by certificate authorities (CAs).
+The default is:
+.Bd -literal -offset indent
+ecdsa-sha2-nistp256.ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
+ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
+.Ed
+.Pp
+.Xr ssh 1
+will not accept host certificates signed using algorithms other than those
+specified.
 .It Cm CanonicalDomains
 When
 .Cm CanonicalizeHostname
author	djm@openbsd.org <djm@openbsd.org>	2018-09-20 03:30:44 +0000
committer	Damien Miller <djm@mindrot.org>	2018-09-20 14:00:29 +1000
commit	ecac7e1f7add6b28874959a11f2238d149dc2c07 (patch)
tree	58cde218f604646101ff838423b7beeafb46b909 /ssh_config.5
parent	86e5737c39153af134158f24d0cab5827cbd5852 (diff)

diff --git a/ssh_config.5 b/ssh_config.5 index f499396a3..a9b44cc44 100644 --- a/ssh_config.5 +++ b/ssh_config.5
@@ -33,8 +33,8 @@
33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35	.\"	35	.\"
36	.\" $OpenBSD: ssh_config.5,v 1.281 2018/07/23 19:02:49 kn Exp $	36	.\" $OpenBSD: ssh_config.5,v 1.282 2018/09/20 03:30:44 djm Exp $
37	.Dd $Mdocdate: July 23 2018 $	37	.Dd $Mdocdate: September 20 2018 $
38	.Dt SSH_CONFIG 5	38	.Dt SSH_CONFIG 5
39	.Os	39	.Os
40	.Sh NAME	40	.Sh NAME
@@ -261,6 +261,18 @@ Only useful on systems with more than one address.
261	.It Cm BindInterface	261	.It Cm BindInterface
262	Use the address of the specified interface on the local machine as the	262	Use the address of the specified interface on the local machine as the
263	source address of the connection.	263	source address of the connection.
		264	.It Cm CASignatureAlgorithms
		265	Specifies which algorithms are allowed for signing of certificates
		266	by certificate authorities (CAs).
		267	The default is:
		268	.Bd -literal -offset indent
		269	ecdsa-sha2-nistp256.ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
		270	ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
		271	.Ed
		272	.Pp
		273	.Xr ssh 1
		274	will not accept host certificates signed using algorithms other than those
		275	specified.
264	.It Cm CanonicalDomains	276	.It Cm CanonicalDomains
265	When	277	When
266	.Cm CanonicalizeHostname	278	.Cm CanonicalizeHostname