diff options
author | markus@openbsd.org <markus@openbsd.org> | 2015-07-10 06:21:53 +0000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2015-07-15 15:38:02 +1000 |
commit | 3a1638dda19bbc73d0ae02b4c251ce08e564b4b9 (patch) | |
tree | e74e4219344349a4f9a4393aa4c2c6b7baecb127 /sshd_config.5 | |
parent | 16db0a7ee9a87945cc594d13863cfcb86038db59 (diff) |
upstream commit
Turn off DSA by default; add HostKeyAlgorithms to the
server and PubkeyAcceptedKeyTypes to the client side, so it still can be
tested or turned back on; feedback and ok djm@
Upstream-ID: 8450a9e6d83f80c9bfed864ff061dfc9323cec21
Diffstat (limited to 'sshd_config.5')
-rw-r--r-- | sshd_config.5 | 60 |
1 files changed, 51 insertions, 9 deletions
diff --git a/sshd_config.5 b/sshd_config.5 index edd4cc9b9..b49e91910 100644 --- a/sshd_config.5 +++ b/sshd_config.5 | |||
@@ -33,8 +33,8 @@ | |||
33 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 33 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
34 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 34 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
35 | .\" | 35 | .\" |
36 | .\" $OpenBSD: sshd_config.5,v 1.205 2015/07/03 03:49:45 djm Exp $ | 36 | .\" $OpenBSD: sshd_config.5,v 1.206 2015/07/10 06:21:53 markus Exp $ |
37 | .Dd $Mdocdate: July 3 2015 $ | 37 | .Dd $Mdocdate: July 10 2015 $ |
38 | .Dt SSHD_CONFIG 5 | 38 | .Dt SSHD_CONFIG 5 |
39 | .Os | 39 | .Os |
40 | .Sh NAME | 40 | .Sh NAME |
@@ -640,9 +640,17 @@ The default is | |||
640 | .It Cm HostbasedAcceptedKeyTypes | 640 | .It Cm HostbasedAcceptedKeyTypes |
641 | Specifies the key types that will be accepted for hostbased authentication | 641 | Specifies the key types that will be accepted for hostbased authentication |
642 | as a comma-separated pattern list. | 642 | as a comma-separated pattern list. |
643 | The default | 643 | The default for this option is: |
644 | .Dq * | 644 | .Bd -literal -offset 3n |
645 | will allow all key types. | 645 | ecdsa-sha2-nistp256-cert-v01@openssh.com, |
646 | ecdsa-sha2-nistp384-cert-v01@openssh.com, | ||
647 | ecdsa-sha2-nistp521-cert-v01@openssh.com, | ||
648 | ssh-ed25519-cert-v01@openssh.com, | ||
649 | ssh-rsa-cert-v01@openssh.com, | ||
650 | ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, | ||
651 | ssh-ed25519,ssh-rsa | ||
652 | .Ed | ||
653 | .Pp | ||
646 | The | 654 | The |
647 | .Fl Q | 655 | .Fl Q |
648 | option of | 656 | option of |
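Review bot: the new HostbasedAcceptedKeyTypes default replaces the old wildcard with an explicit list, but the text never says what was dropped; since the commit message's purpose is to turn DSA off while leaving a way to turn it back on, the option text should state that the DSA key type (ssh-dss) is no longer accepted by default and that it must be appended to this list to re-enable hostbased authentication with DSA host keys, otherwise a reader comparing the old "*" to the new list has to work out the difference themselves.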
@@ -694,9 +702,15 @@ for protocol version 1, and | |||
694 | and | 702 | and |
695 | .Pa /etc/ssh/ssh_host_rsa_key | 703 | .Pa /etc/ssh/ssh_host_rsa_key |
696 | for protocol version 2. | 704 | for protocol version 2. |
705 | .Pp | ||
697 | Note that | 706 | Note that |
698 | .Xr sshd 8 | 707 | .Xr sshd 8 |
699 | will refuse to use a file if it is group/world-accessible. | 708 | will refuse to use a file if it is group/world-accessible |
709 | and that the | ||
710 | .Cm HostKeyAlgorithms | ||
711 | option restricts which of the keys are actually used by | ||
712 | .Xr sshd 8 . | ||
713 | .Pp | ||
700 | It is possible to have multiple host key files. | 714 | It is possible to have multiple host key files. |
701 | .Dq rsa1 | 715 | .Dq rsa1 |
702 | keys are used for version 1 and | 716 | keys are used for version 1 and |
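Review bot: in the added sentence "the HostKeyAlgorithms option restricts which of the keys are actually used by sshd(8)", "the keys" is ambiguous and HostKeyAlgorithms has not been introduced at this point in the file; suggest "restricts which of the configured host keys sshd(8) will offer to clients" and one clause on the consequence, namely that a key file listed via HostKey whose type is not in HostKeyAlgorithms (with this change, a DSA host key) is not offered even though the file is present and correctly permissioned.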
@@ -718,6 +732,26 @@ If | |||
718 | is specified, the location of the socket will be read from the | 732 | is specified, the location of the socket will be read from the |
719 | .Ev SSH_AUTH_SOCK | 733 | .Ev SSH_AUTH_SOCK |
720 | environment variable. | 734 | environment variable. |
735 | .It Cm HostKeyAlgorithms | ||
736 | Specifies the protocol version 2 host key algorithms | ||
737 | that the server offers. | ||
738 | The default for this option is: | ||
739 | .Bd -literal -offset 3n | ||
740 | ecdsa-sha2-nistp256-cert-v01@openssh.com, | ||
741 | ecdsa-sha2-nistp384-cert-v01@openssh.com, | ||
742 | ecdsa-sha2-nistp521-cert-v01@openssh.com, | ||
743 | ssh-ed25519-cert-v01@openssh.com, | ||
744 | ssh-rsa-cert-v01@openssh.com, | ||
745 | ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, | ||
746 | ssh-ed25519,ssh-rsa | ||
747 | .Ed | ||
748 | .Pp | ||
749 | The list of available key types may also be obtained using the | ||
750 | .Fl Q | ||
751 | option of | ||
752 | .Xr ssh 1 | ||
753 | with an argument of | ||
754 | .Dq key . | ||
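Review bot: unlike the HostbasedAcceptedKeyTypes text above, which says the value is "a comma-separated pattern list", the new HostKeyAlgorithms entry only says it "specifies the protocol version 2 host key algorithms that the server offers", so it is unclear whether patterns such as "*" are accepted here; add the same "comma-separated pattern list" sentence if the option is parsed the same way. Also, the same ten-entry default literal now appears verbatim three times in this file (HostbasedAcceptedKeyTypes, HostKeyAlgorithms, PubkeyAcceptedKeyTypes); consider keeping it in one place with cross-references so that a future key-type addition does not leave the copies out of sync.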
721 | .It Cm IgnoreRhosts | 755 | .It Cm IgnoreRhosts |
722 | Specifies that | 756 | Specifies that |
723 | .Pa .rhosts | 757 | .Pa .rhosts |
@@ -1279,9 +1313,17 @@ is identical to | |||
1279 | .It Cm PubkeyAcceptedKeyTypes | 1313 | .It Cm PubkeyAcceptedKeyTypes |
1280 | Specifies the key types that will be accepted for public key authentication | 1314 | Specifies the key types that will be accepted for public key authentication |
1281 | as a comma-separated pattern list. | 1315 | as a comma-separated pattern list. |
1282 | The default | 1316 | The default for this option is: |
1283 | .Dq * | 1317 | .Bd -literal -offset 3n |
1284 | will allow all key types. | 1318 | ecdsa-sha2-nistp256-cert-v01@openssh.com, |
1319 | ecdsa-sha2-nistp384-cert-v01@openssh.com, | ||
1320 | ecdsa-sha2-nistp521-cert-v01@openssh.com, | ||
1321 | ssh-ed25519-cert-v01@openssh.com, | ||
1322 | ssh-rsa-cert-v01@openssh.com, | ||
1323 | ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, | ||
1324 | ssh-ed25519,ssh-rsa | ||
1325 | .Ed | ||
1326 | .Pp | ||
1285 | The | 1327 | The |
1286 | .Fl Q | 1328 | .Fl Q |
1287 | option of | 1329 | option of |
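Review bot: this is the option an administrator will need when existing DSA user keys in authorized_keys stop working after the upgrade, yet nothing here says that the previous "*" default accepted DSA and the new list does not. Add a sentence naming the DSA key type as excluded by default and showing how to append it for a transition period, and note that the client-side PubkeyAcceptedKeyTypes option the commit message introduces must allow DSA as well, since re-enabling it on the server alone is not sufficient.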