diff options
| author | djm@openbsd.org <djm@openbsd.org> | 2018-07-03 11:39:54 +0000 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2018-07-03 23:26:36 +1000 |
| commit | 4ba0d54794814ec0de1ec87987d0c3b89379b436 (patch) | |
| tree | b8d904880f8927374b377b2e4d5661213c1138b6 /sshd_config.5 | |
| parent | 95344c257412b51199ead18d54eaed5bafb75617 (diff) | |
upstream: Improve strictness and control over RSA-SHA2 signature
In ssh, when an agent fails to return a RSA-SHA2 signature when
requested and falls back to RSA-SHA1 instead, retry the signature to
ensure that the public key algorithm sent in the SSH_MSG_USERAUTH
matches the one in the signature itself.
In sshd, strictly enforce that the public key algorithm sent in the
SSH_MSG_USERAUTH message matches what appears in the signature.
Make the sshd_config PubkeyAcceptedKeyTypes and
HostbasedAcceptedKeyTypes options control accepted signature algorithms
(previously they selected supported key types). This allows these
options to ban RSA-SHA1 in favour of RSA-SHA2.
Add new signature algorithms "rsa-sha2-256-cert-v01@openssh.com" and
"rsa-sha2-512-cert-v01@openssh.com" to force use of RSA-SHA2 signatures
with certificate keys.
feedback and ok markus@
OpenBSD-Commit-ID: c6e9f6d45eed8962ad502d315d7eaef32c419dde
Diffstat (limited to 'sshd_config.5')
| -rw-r--r-- | sshd_config.5 | 11 |
1 files changed, 7 insertions, 4 deletions
diff --git a/sshd_config.5 b/sshd_config.5 index 60c5f4bd3..cc019ec7d 100644 --- a/sshd_config.5 +++ b/sshd_config.5 | |||
| @@ -33,7 +33,7 @@ | |||
| 33 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 33 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
| 34 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 34 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
| 35 | .\" | 35 | .\" |
| 36 | .\" $OpenBSD: sshd_config.5,v 1.278 2018/07/03 10:59:35 djm Exp $ | 36 | .\" $OpenBSD: sshd_config.5,v 1.279 2018/07/03 11:39:54 djm Exp $ |
| 37 | .Dd $Mdocdate: July 3 2018 $ | 37 | .Dd $Mdocdate: July 3 2018 $ |
| 38 | .Dt SSHD_CONFIG 5 | 38 | .Dt SSHD_CONFIG 5 |
| 39 | .Os | 39 | .Os |
| @@ -674,9 +674,10 @@ ecdsa-sha2-nistp256-cert-v01@openssh.com, | |||
| 674 | ecdsa-sha2-nistp384-cert-v01@openssh.com, | 674 | ecdsa-sha2-nistp384-cert-v01@openssh.com, |
| 675 | ecdsa-sha2-nistp521-cert-v01@openssh.com, | 675 | ecdsa-sha2-nistp521-cert-v01@openssh.com, |
| 676 | ssh-ed25519-cert-v01@openssh.com, | 676 | ssh-ed25519-cert-v01@openssh.com, |
| 677 | rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com, | ||
| 677 | ssh-rsa-cert-v01@openssh.com, | 678 | ssh-rsa-cert-v01@openssh.com, |
| 678 | ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, | 679 | ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, |
| 679 | ssh-ed25519,ssh-rsa | 680 | ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa |
| 680 | .Ed | 681 | .Ed |
| 681 | .Pp | 682 | .Pp |
| 682 | The list of available key types may also be obtained using | 683 | The list of available key types may also be obtained using |
| @@ -751,9 +752,10 @@ ecdsa-sha2-nistp256-cert-v01@openssh.com, | |||
| 751 | ecdsa-sha2-nistp384-cert-v01@openssh.com, | 752 | ecdsa-sha2-nistp384-cert-v01@openssh.com, |
| 752 | ecdsa-sha2-nistp521-cert-v01@openssh.com, | 753 | ecdsa-sha2-nistp521-cert-v01@openssh.com, |
| 753 | ssh-ed25519-cert-v01@openssh.com, | 754 | ssh-ed25519-cert-v01@openssh.com, |
| 755 | rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com, | ||
| 754 | ssh-rsa-cert-v01@openssh.com, | 756 | ssh-rsa-cert-v01@openssh.com, |
| 755 | ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, | 757 | ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, |
| 756 | ssh-ed25519,ssh-rsa | 758 | ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa |
| 757 | .Ed | 759 | .Ed |
| 758 | .Pp | 760 | .Pp |
| 759 | The list of available key types may also be obtained using | 761 | The list of available key types may also be obtained using |
| @@ -1399,9 +1401,10 @@ ecdsa-sha2-nistp256-cert-v01@openssh.com, | |||
| 1399 | ecdsa-sha2-nistp384-cert-v01@openssh.com, | 1401 | ecdsa-sha2-nistp384-cert-v01@openssh.com, |
| 1400 | ecdsa-sha2-nistp521-cert-v01@openssh.com, | 1402 | ecdsa-sha2-nistp521-cert-v01@openssh.com, |
| 1401 | ssh-ed25519-cert-v01@openssh.com, | 1403 | ssh-ed25519-cert-v01@openssh.com, |
| 1404 | rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com, | ||
| 1402 | ssh-rsa-cert-v01@openssh.com, | 1405 | ssh-rsa-cert-v01@openssh.com, |
| 1403 | ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, | 1406 | ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, |
| 1404 | ssh-ed25519,ssh-rsa | 1407 | ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa |
| 1405 | .Ed | 1408 | .Ed |
| 1406 | .Pp | 1409 | .Pp |
| 1407 | The list of available key types may also be obtained using | 1410 | The list of available key types may also be obtained using |