diff options
| author | djm@openbsd.org <djm@openbsd.org> | 2018-07-03 11:39:54 +0000 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2018-07-03 23:26:36 +1000 |
| commit | 4ba0d54794814ec0de1ec87987d0c3b89379b436 (patch) | |
| tree | b8d904880f8927374b377b2e4d5661213c1138b6 /ssh_config.5 | |
| parent | 95344c257412b51199ead18d54eaed5bafb75617 (diff) | |
upstream: Improve strictness and control over RSA-SHA2 signature
In ssh, when an agent fails to return a RSA-SHA2 signature when
requested and falls back to RSA-SHA1 instead, retry the signature to
ensure that the public key algorithm sent in the SSH_MSG_USERAUTH
matches the one in the signature itself.
In sshd, strictly enforce that the public key algorithm sent in the
SSH_MSG_USERAUTH message matches what appears in the signature.
Make the sshd_config PubkeyAcceptedKeyTypes and
HostbasedAcceptedKeyTypes options control accepted signature algorithms
(previously they selected supported key types). This allows these
options to ban RSA-SHA1 in favour of RSA-SHA2.
Add new signature algorithms "rsa-sha2-256-cert-v01@openssh.com" and
"rsa-sha2-512-cert-v01@openssh.com" to force use of RSA-SHA2 signatures
with certificate keys.
feedback and ok markus@
OpenBSD-Commit-ID: c6e9f6d45eed8962ad502d315d7eaef32c419dde
Diffstat (limited to 'ssh_config.5')
| -rw-r--r-- | ssh_config.5 | 13 |
1 files changed, 8 insertions, 5 deletions
diff --git a/ssh_config.5 b/ssh_config.5 index e5eadcaaf..eff9c5e61 100644 --- a/ssh_config.5 +++ b/ssh_config.5 | |||
| @@ -33,8 +33,8 @@ | |||
| 33 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 33 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
| 34 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 34 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
| 35 | .\" | 35 | .\" |
| 36 | .\" $OpenBSD: ssh_config.5,v 1.277 2018/06/09 06:36:31 jmc Exp $ | 36 | .\" $OpenBSD: ssh_config.5,v 1.278 2018/07/03 11:39:54 djm Exp $ |
| 37 | .Dd $Mdocdate: June 9 2018 $ | 37 | .Dd $Mdocdate: July 3 2018 $ |
| 38 | .Dt SSH_CONFIG 5 | 38 | .Dt SSH_CONFIG 5 |
| 39 | .Os | 39 | .Os |
| 40 | .Sh NAME | 40 | .Sh NAME |
| @@ -772,9 +772,10 @@ ecdsa-sha2-nistp256-cert-v01@openssh.com, | |||
| 772 | ecdsa-sha2-nistp384-cert-v01@openssh.com, | 772 | ecdsa-sha2-nistp384-cert-v01@openssh.com, |
| 773 | ecdsa-sha2-nistp521-cert-v01@openssh.com, | 773 | ecdsa-sha2-nistp521-cert-v01@openssh.com, |
| 774 | ssh-ed25519-cert-v01@openssh.com, | 774 | ssh-ed25519-cert-v01@openssh.com, |
| 775 | rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com, | ||
| 775 | ssh-rsa-cert-v01@openssh.com, | 776 | ssh-rsa-cert-v01@openssh.com, |
| 776 | ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, | 777 | ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, |
| 777 | ssh-ed25519,ssh-rsa | 778 | ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa |
| 778 | .Ed | 779 | .Ed |
| 779 | .Pp | 780 | .Pp |
| 780 | The | 781 | The |
| @@ -799,9 +800,10 @@ ecdsa-sha2-nistp256-cert-v01@openssh.com, | |||
| 799 | ecdsa-sha2-nistp384-cert-v01@openssh.com, | 800 | ecdsa-sha2-nistp384-cert-v01@openssh.com, |
| 800 | ecdsa-sha2-nistp521-cert-v01@openssh.com, | 801 | ecdsa-sha2-nistp521-cert-v01@openssh.com, |
| 801 | ssh-ed25519-cert-v01@openssh.com, | 802 | ssh-ed25519-cert-v01@openssh.com, |
| 803 | rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com, | ||
| 802 | ssh-rsa-cert-v01@openssh.com, | 804 | ssh-rsa-cert-v01@openssh.com, |
| 803 | ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, | 805 | ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, |
| 804 | ssh-ed25519,ssh-rsa | 806 | ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa |
| 805 | .Ed | 807 | .Ed |
| 806 | .Pp | 808 | .Pp |
| 807 | If hostkeys are known for the destination host then this default is modified | 809 | If hostkeys are known for the destination host then this default is modified |
| @@ -1255,9 +1257,10 @@ ecdsa-sha2-nistp256-cert-v01@openssh.com, | |||
| 1255 | ecdsa-sha2-nistp384-cert-v01@openssh.com, | 1257 | ecdsa-sha2-nistp384-cert-v01@openssh.com, |
| 1256 | ecdsa-sha2-nistp521-cert-v01@openssh.com, | 1258 | ecdsa-sha2-nistp521-cert-v01@openssh.com, |
| 1257 | ssh-ed25519-cert-v01@openssh.com, | 1259 | ssh-ed25519-cert-v01@openssh.com, |
| 1260 | rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com, | ||
| 1258 | ssh-rsa-cert-v01@openssh.com, | 1261 | ssh-rsa-cert-v01@openssh.com, |
| 1259 | ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, | 1262 | ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, |
| 1260 | ssh-ed25519,ssh-rsa | 1263 | ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa |
| 1261 | .Ed | 1264 | .Ed |
| 1262 | .Pp | 1265 | .Pp |
| 1263 | The list of available key types may also be obtained using | 1266 | The list of available key types may also be obtained using |