upstream commit

Turn off DSA by default; add HostKeyAlgorithms to the server and PubkeyAcceptedKeyTypes to the client side, so it still can be tested or turned back on; feedback and ok djm@ Upstream-ID: 8450a9e6d83f80c9bfed864ff061dfc9323cec21
author: markus@openbsd.org <markus@openbsd.org> 2015-07-10 06:21:53 +0000
committer: Damien Miller <djm@mindrot.org> 2015-07-15 15:38:02 +1000
commit: 3a1638dda19bbc73d0ae02b4c251ce08e564b4b9 (patch)
tree: e74e4219344349a4f9a4393aa4c2c6b7baecb127 /sshd_config.5
parent: 16db0a7ee9a87945cc594d13863cfcb86038db59 (diff)
1 files changed, 51 insertions, 9 deletions
diff --git a/sshd_config.5 b/sshd_config.5
index edd4cc9b9..b49e91910 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.205 2015/07/03 03:49:45 djm Exp $
+.\" $OpenBSD: sshd_config.5,v 1.206 2015/07/10 06:21:53 markus Exp $
-.Dd $Mdocdate: July 3 2015 $
+.Dd $Mdocdate: July 10 2015 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@@ -640,9 +640,17 @@ The default is
 .It Cm HostbasedAcceptedKeyTypes
 Specifies the key types that will be accepted for hostbased authentication
 as a comma-separated pattern list.
-The default
+The default for this option is:
-.Dq *
+.Bd -literal -offset 3n
-will allow all key types.
+ecdsa-sha2-nistp256-cert-v01@openssh.com,
+ecdsa-sha2-nistp384-cert-v01@openssh.com,
+ecdsa-sha2-nistp521-cert-v01@openssh.com,
+ssh-ed25519-cert-v01@openssh.com,
+ssh-rsa-cert-v01@openssh.com,
+ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
+ssh-ed25519,ssh-rsa
+.Ed
+.Pp
 The
 .Fl Q
 option of
@@ -694,9 +702,15 @@ for protocol version 1, and
 and
 .Pa /etc/ssh/ssh_host_rsa_key
 for protocol version 2.
+.Pp
 Note that
 .Xr sshd 8
-will refuse to use a file if it is group/world-accessible.
+will refuse to use a file if it is group/world-accessible
+and that the
+.Cm HostKeyAlgorithms
+option restricts which of the keys are actually used by
+.Xr sshd 8 .
+.Pp
 It is possible to have multiple host key files.
 .Dq rsa1
 keys are used for version 1 and
@@ -718,6 +732,26 @@ If
 is specified, the location of the socket will be read from the
 .Ev SSH_AUTH_SOCK
 environment variable.
+.It Cm HostKeyAlgorithms
+Specifies the protocol version 2 host key algorithms
+that the server offers.
+The default for this option is:
+.Bd -literal -offset 3n
+ecdsa-sha2-nistp256-cert-v01@openssh.com,
+ecdsa-sha2-nistp384-cert-v01@openssh.com,
+ecdsa-sha2-nistp521-cert-v01@openssh.com,
+ssh-ed25519-cert-v01@openssh.com,
+ssh-rsa-cert-v01@openssh.com,
+ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
+ssh-ed25519,ssh-rsa
+.Ed
+.Pp
+The list of available key types may also be obtained using the
+.Fl Q
+option of
+.Xr ssh 1
+with an argument of
+.Dq key .
 .It Cm IgnoreRhosts
 Specifies that
 .Pa .rhosts
@@ -1279,9 +1313,17 @@ is identical to
 .It Cm PubkeyAcceptedKeyTypes
 Specifies the key types that will be accepted for public key authentication
 as a comma-separated pattern list.
-The default
+The default for this option is:
-.Dq *
+.Bd -literal -offset 3n
-will allow all key types.
+ecdsa-sha2-nistp256-cert-v01@openssh.com,
+ecdsa-sha2-nistp384-cert-v01@openssh.com,
+ecdsa-sha2-nistp521-cert-v01@openssh.com,
+ssh-ed25519-cert-v01@openssh.com,
+ssh-rsa-cert-v01@openssh.com,
+ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
+ssh-ed25519,ssh-rsa
+.Ed
+.Pp
 The
 .Fl Q
 option of
author	markus@openbsd.org <markus@openbsd.org>	2015-07-10 06:21:53 +0000
committer	Damien Miller <djm@mindrot.org>	2015-07-15 15:38:02 +1000
commit	3a1638dda19bbc73d0ae02b4c251ce08e564b4b9 (patch)
tree	e74e4219344349a4f9a4393aa4c2c6b7baecb127 /sshd_config.5
parent	16db0a7ee9a87945cc594d13863cfcb86038db59 (diff)

diff --git a/sshd_config.5 b/sshd_config.5 index edd4cc9b9..b49e91910 100644 --- a/sshd_config.5 +++ b/sshd_config.5
@@ -33,8 +33,8 @@
33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35	.\"	35	.\"
36	.\" $OpenBSD: sshd_config.5,v 1.205 2015/07/03 03:49:45 djm Exp $	36	.\" $OpenBSD: sshd_config.5,v 1.206 2015/07/10 06:21:53 markus Exp $
37	.Dd $Mdocdate: July 3 2015 $	37	.Dd $Mdocdate: July 10 2015 $
38	.Dt SSHD_CONFIG 5	38	.Dt SSHD_CONFIG 5
39	.Os	39	.Os
40	.Sh NAME	40	.Sh NAME
@@ -640,9 +640,17 @@ The default is
640	.It Cm HostbasedAcceptedKeyTypes	640	.It Cm HostbasedAcceptedKeyTypes
641	Specifies the key types that will be accepted for hostbased authentication	641	Specifies the key types that will be accepted for hostbased authentication
642	as a comma-separated pattern list.	642	as a comma-separated pattern list.
643	The default	643	The default for this option is:
644	.Dq *	644	.Bd -literal -offset 3n
645	will allow all key types.	645	ecdsa-sha2-nistp256-cert-v01@openssh.com,
		646	ecdsa-sha2-nistp384-cert-v01@openssh.com,
		647	ecdsa-sha2-nistp521-cert-v01@openssh.com,
		648	ssh-ed25519-cert-v01@openssh.com,
		649	ssh-rsa-cert-v01@openssh.com,
		650	ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
		651	ssh-ed25519,ssh-rsa
		652	.Ed
		653	.Pp
646	The	654	The
647	.Fl Q	655	.Fl Q
648	option of	656	option of
@@ -694,9 +702,15 @@ for protocol version 1, and
694	and	702	and
695	.Pa /etc/ssh/ssh_host_rsa_key	703	.Pa /etc/ssh/ssh_host_rsa_key
696	for protocol version 2.	704	for protocol version 2.
		705	.Pp
697	Note that	706	Note that
698	.Xr sshd 8	707	.Xr sshd 8
699	will refuse to use a file if it is group/world-accessible.	708	will refuse to use a file if it is group/world-accessible
		709	and that the
		710	.Cm HostKeyAlgorithms
		711	option restricts which of the keys are actually used by
		712	.Xr sshd 8 .
		713	.Pp
700	It is possible to have multiple host key files.	714	It is possible to have multiple host key files.
701	.Dq rsa1	715	.Dq rsa1
702	keys are used for version 1 and	716	keys are used for version 1 and
@@ -718,6 +732,26 @@ If
718	is specified, the location of the socket will be read from the	732	is specified, the location of the socket will be read from the
719	.Ev SSH_AUTH_SOCK	733	.Ev SSH_AUTH_SOCK
720	environment variable.	734	environment variable.
		735	.It Cm HostKeyAlgorithms
		736	Specifies the protocol version 2 host key algorithms
		737	that the server offers.
		738	The default for this option is:
		739	.Bd -literal -offset 3n
		740	ecdsa-sha2-nistp256-cert-v01@openssh.com,
		741	ecdsa-sha2-nistp384-cert-v01@openssh.com,
		742	ecdsa-sha2-nistp521-cert-v01@openssh.com,
		743	ssh-ed25519-cert-v01@openssh.com,
		744	ssh-rsa-cert-v01@openssh.com,
		745	ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
		746	ssh-ed25519,ssh-rsa
		747	.Ed
		748	.Pp
		749	The list of available key types may also be obtained using the
		750	.Fl Q
		751	option of
		752	.Xr ssh 1
		753	with an argument of
		754	.Dq key .
721	.It Cm IgnoreRhosts	755	.It Cm IgnoreRhosts
722	Specifies that	756	Specifies that
723	.Pa .rhosts	757	.Pa .rhosts
@@ -1279,9 +1313,17 @@ is identical to
1279	.It Cm PubkeyAcceptedKeyTypes	1313	.It Cm PubkeyAcceptedKeyTypes
1280	Specifies the key types that will be accepted for public key authentication	1314	Specifies the key types that will be accepted for public key authentication
1281	as a comma-separated pattern list.	1315	as a comma-separated pattern list.
1282	The default	1316	The default for this option is:
1283	.Dq *	1317	.Bd -literal -offset 3n
1284	will allow all key types.	1318	ecdsa-sha2-nistp256-cert-v01@openssh.com,
		1319	ecdsa-sha2-nistp384-cert-v01@openssh.com,
		1320	ecdsa-sha2-nistp521-cert-v01@openssh.com,
		1321	ssh-ed25519-cert-v01@openssh.com,
		1322	ssh-rsa-cert-v01@openssh.com,
		1323	ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
		1324	ssh-ed25519,ssh-rsa
		1325	.Ed
		1326	.Pp
1285	The	1327	The
1286	.Fl Q	1328	.Fl Q
1287	option of	1329	option of