upstream: Document that security key-hosted keys can act as host

keys. Update the list of default host key algorithms in ssh_config.5 and sshd_config.5. Copy the description of the SecurityKeyProvider option to sshd_config.5. ok jmc@ OpenBSD-Commit-ID: edadf3566ab5e94582df4377fee3b8b702c7eca0
author: naddy@openbsd.org <naddy@openbsd.org> 2019-12-19 15:09:30 +0000
committer: Darren Tucker <dtucker@dtucker.net> 2019-12-20 14:25:08 +1100
commit: ae024b22c4fd68e7f39681d605585889f9511108 (patch)
tree: 13b0f16f9f778ba7169ccc5a7ab11a62dec36368 /sshd_config.5
parent: bc2dc091e0ac4ff6245c43a61ebe12c7e9ea0b7f (diff)
1 files changed, 21 insertions, 9 deletions
diff --git a/sshd_config.5 b/sshd_config.5
index 8bfb3b6c8..222193170 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.295 2019/11/30 07:07:59 jmc Exp $
+.\" $OpenBSD: sshd_config.5,v 1.296 2019/12/19 15:09:30 naddy Exp $
-.Dd $Mdocdate: November 30 2019 $
+.Dd $Mdocdate: December 19 2019 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@@ -689,12 +689,16 @@ The default for this option is:
 ecdsa-sha2-nistp256-cert-v01@openssh.com,
 ecdsa-sha2-nistp384-cert-v01@openssh.com,
 ecdsa-sha2-nistp521-cert-v01@openssh.com,
+sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
 ssh-ed25519-cert-v01@openssh.com,
+sk-ssh-ed25519-cert-v01@openssh.com,
 rsa-sha2-512-cert-v01@openssh.com,
 rsa-sha2-256-cert-v01@openssh.com,
 ssh-rsa-cert-v01@openssh.com,
 ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
-ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
+sk-ecdsa-sha2-nistp256@openssh.com,
+ssh-ed25519,sk-ssh-ed25519@openssh.com,
+rsa-sha2-512,rsa-sha2-256,ssh-rsa
 .Ed
 .Pp
 The list of available key types may also be obtained using
@@ -768,12 +772,16 @@ The default for this option is:
 ecdsa-sha2-nistp256-cert-v01@openssh.com,
 ecdsa-sha2-nistp384-cert-v01@openssh.com,
 ecdsa-sha2-nistp521-cert-v01@openssh.com,
+sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
 ssh-ed25519-cert-v01@openssh.com,
+sk-ssh-ed25519-cert-v01@openssh.com,
 rsa-sha2-512-cert-v01@openssh.com,
 rsa-sha2-256-cert-v01@openssh.com,
 ssh-rsa-cert-v01@openssh.com,
 ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
-ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
+sk-ecdsa-sha2-nistp256@openssh.com,
+ssh-ed25519,sk-ssh-ed25519@openssh.com,
+rsa-sha2-512,rsa-sha2-256,ssh-rsa
 .Ed
 .Pp
 The list of available key types may also be obtained using
@@ -1427,19 +1435,19 @@ character, then the specified key types will be placed at the head of the
 default set.
 The default for this option is:
 .Bd -literal -offset 3n
-sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
 ecdsa-sha2-nistp256-cert-v01@openssh.com,
 ecdsa-sha2-nistp384-cert-v01@openssh.com,
 ecdsa-sha2-nistp521-cert-v01@openssh.com,
-sk-ssh-ed25519-cert-v01@openssh.com,
+sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
 ssh-ed25519-cert-v01@openssh.com,
+sk-ssh-ed25519-cert-v01@openssh.com,
 rsa-sha2-512-cert-v01@openssh.com,
 rsa-sha2-256-cert-v01@openssh.com,
 ssh-rsa-cert-v01@openssh.com,
-sk-ecdsa-sha2-nistp256@openssh.com,
 ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
-sk-ssh-ed25519@openssh.com,
+sk-ecdsa-sha2-nistp256@openssh.com,
-ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
+ssh-ed25519,sk-ssh-ed25519@openssh.com,
+rsa-sha2-512,rsa-sha2-256,ssh-rsa
 .Ed
 .Pp
 The list of available key types may also be obtained using
@@ -1518,6 +1526,10 @@ will be bound to this
 If the routing domain is set to
 .Cm \&%D ,
 then the domain in which the incoming connection was received will be applied.
+.It Cm SecurityKeyProvider
+Specifies a path to a security key provider library that will be used when
+loading any security key-hosted keys, overriding the default of using
+the built-in support for USB HID keys.
 .It Cm SetEnv
 Specifies one or more environment variables to set in child sessions started
 by
author	naddy@openbsd.org <naddy@openbsd.org>	2019-12-19 15:09:30 +0000
committer	Darren Tucker <dtucker@dtucker.net>	2019-12-20 14:25:08 +1100
commit	ae024b22c4fd68e7f39681d605585889f9511108 (patch)
tree	13b0f16f9f778ba7169ccc5a7ab11a62dec36368 /sshd_config.5
parent	bc2dc091e0ac4ff6245c43a61ebe12c7e9ea0b7f (diff)

diff --git a/sshd_config.5 b/sshd_config.5 index 8bfb3b6c8..222193170 100644 --- a/sshd_config.5 +++ b/sshd_config.5
@@ -33,8 +33,8 @@
33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35	.\"	35	.\"
36	.\" $OpenBSD: sshd_config.5,v 1.295 2019/11/30 07:07:59 jmc Exp $	36	.\" $OpenBSD: sshd_config.5,v 1.296 2019/12/19 15:09:30 naddy Exp $
37	.Dd $Mdocdate: November 30 2019 $	37	.Dd $Mdocdate: December 19 2019 $
38	.Dt SSHD_CONFIG 5	38	.Dt SSHD_CONFIG 5
39	.Os	39	.Os
40	.Sh NAME	40	.Sh NAME
@@ -689,12 +689,16 @@ The default for this option is:
689	ecdsa-sha2-nistp256-cert-v01@openssh.com,	689	ecdsa-sha2-nistp256-cert-v01@openssh.com,
690	ecdsa-sha2-nistp384-cert-v01@openssh.com,	690	ecdsa-sha2-nistp384-cert-v01@openssh.com,
691	ecdsa-sha2-nistp521-cert-v01@openssh.com,	691	ecdsa-sha2-nistp521-cert-v01@openssh.com,
		692	sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
692	ssh-ed25519-cert-v01@openssh.com,	693	ssh-ed25519-cert-v01@openssh.com,
		694	sk-ssh-ed25519-cert-v01@openssh.com,
693	rsa-sha2-512-cert-v01@openssh.com,	695	rsa-sha2-512-cert-v01@openssh.com,
694	rsa-sha2-256-cert-v01@openssh.com,	696	rsa-sha2-256-cert-v01@openssh.com,
695	ssh-rsa-cert-v01@openssh.com,	697	ssh-rsa-cert-v01@openssh.com,
696	ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,	698	ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
697	ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa	699	sk-ecdsa-sha2-nistp256@openssh.com,
		700	ssh-ed25519,sk-ssh-ed25519@openssh.com,
		701	rsa-sha2-512,rsa-sha2-256,ssh-rsa
698	.Ed	702	.Ed
699	.Pp	703	.Pp
700	The list of available key types may also be obtained using	704	The list of available key types may also be obtained using
@@ -768,12 +772,16 @@ The default for this option is:
768	ecdsa-sha2-nistp256-cert-v01@openssh.com,	772	ecdsa-sha2-nistp256-cert-v01@openssh.com,
769	ecdsa-sha2-nistp384-cert-v01@openssh.com,	773	ecdsa-sha2-nistp384-cert-v01@openssh.com,
770	ecdsa-sha2-nistp521-cert-v01@openssh.com,	774	ecdsa-sha2-nistp521-cert-v01@openssh.com,
		775	sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
771	ssh-ed25519-cert-v01@openssh.com,	776	ssh-ed25519-cert-v01@openssh.com,
		777	sk-ssh-ed25519-cert-v01@openssh.com,
772	rsa-sha2-512-cert-v01@openssh.com,	778	rsa-sha2-512-cert-v01@openssh.com,
773	rsa-sha2-256-cert-v01@openssh.com,	779	rsa-sha2-256-cert-v01@openssh.com,
774	ssh-rsa-cert-v01@openssh.com,	780	ssh-rsa-cert-v01@openssh.com,
775	ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,	781	ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
776	ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa	782	sk-ecdsa-sha2-nistp256@openssh.com,
		783	ssh-ed25519,sk-ssh-ed25519@openssh.com,
		784	rsa-sha2-512,rsa-sha2-256,ssh-rsa
777	.Ed	785	.Ed
778	.Pp	786	.Pp
779	The list of available key types may also be obtained using	787	The list of available key types may also be obtained using
@@ -1427,19 +1435,19 @@ character, then the specified key types will be placed at the head of the
1427	default set.	1435	default set.
1428	The default for this option is:	1436	The default for this option is:
1429	.Bd -literal -offset 3n	1437	.Bd -literal -offset 3n
1430	sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
1431	ecdsa-sha2-nistp256-cert-v01@openssh.com,	1438	ecdsa-sha2-nistp256-cert-v01@openssh.com,
1432	ecdsa-sha2-nistp384-cert-v01@openssh.com,	1439	ecdsa-sha2-nistp384-cert-v01@openssh.com,
1433	ecdsa-sha2-nistp521-cert-v01@openssh.com,	1440	ecdsa-sha2-nistp521-cert-v01@openssh.com,
1434	sk-ssh-ed25519-cert-v01@openssh.com,	1441	sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
1435	ssh-ed25519-cert-v01@openssh.com,	1442	ssh-ed25519-cert-v01@openssh.com,
		1443	sk-ssh-ed25519-cert-v01@openssh.com,
1436	rsa-sha2-512-cert-v01@openssh.com,	1444	rsa-sha2-512-cert-v01@openssh.com,
1437	rsa-sha2-256-cert-v01@openssh.com,	1445	rsa-sha2-256-cert-v01@openssh.com,
1438	ssh-rsa-cert-v01@openssh.com,	1446	ssh-rsa-cert-v01@openssh.com,
1439	sk-ecdsa-sha2-nistp256@openssh.com,
1440	ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,	1447	ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
1441	sk-ssh-ed25519@openssh.com,	1448	sk-ecdsa-sha2-nistp256@openssh.com,
1442	ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa	1449	ssh-ed25519,sk-ssh-ed25519@openssh.com,
		1450	rsa-sha2-512,rsa-sha2-256,ssh-rsa
1443	.Ed	1451	.Ed
1444	.Pp	1452	.Pp
1445	The list of available key types may also be obtained using	1453	The list of available key types may also be obtained using
@@ -1518,6 +1526,10 @@ will be bound to this
1518	If the routing domain is set to	1526	If the routing domain is set to
1519	.Cm \&%D ,	1527	.Cm \&%D ,
1520	then the domain in which the incoming connection was received will be applied.	1528	then the domain in which the incoming connection was received will be applied.
		1529	.It Cm SecurityKeyProvider
		1530	Specifies a path to a security key provider library that will be used when
		1531	loading any security key-hosted keys, overriding the default of using
		1532	the built-in support for USB HID keys.
1521	.It Cm SetEnv	1533	.It Cm SetEnv
1522	Specifies one or more environment variables to set in child sessions started	1534	Specifies one or more environment variables to set in child sessions started
1523	by	1535	by