upstream: Allow prepending a list of algorithms to the default set

by starting the list with the '^' character, e.g. HostKeyAlgorithms ^ssh-ed25519 Ciphers ^aes128-gcm@openssh.com,aes256-gcm@openssh.com ok djm@ dtucker@ OpenBSD-Commit-ID: 1e1996fac0dc8a4b0d0ff58395135848287f6f97
author: naddy@openbsd.org <naddy@openbsd.org> 2019-09-06 14:45:34 +0000
committer: Damien Miller <djm@mindrot.org> 2019-09-08 14:49:04 +1000
commit: 91a2135f32acdd6378476c5bae475a6e7811a6a2 (patch)
tree: da8ddb5e4236cb12f3c70ab939e3abe674aa8ba4 /sshd_config.5
parent: c8bdd2db77ac2369d5cdee237656f266c8f41552 (diff)
1 files changed, 22 insertions, 2 deletions
diff --git a/sshd_config.5 b/sshd_config.5
index f42d10417..9486f2a1c 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.289 2019/09/04 20:31:15 naddy Exp $
+.\" $OpenBSD: sshd_config.5,v 1.290 2019/09/06 14:45:34 naddy Exp $
-.Dd $Mdocdate: September 4 2019 $
+.Dd $Mdocdate: September 6 2019 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@@ -462,6 +462,10 @@ If the specified list begins with a
 .Sq -
 character, then the specified ciphers (including wildcards) will be removed
 from the default set instead of replacing them.
+If the specified list begins with a
+.Sq ^
+character, then the specified ciphers will be placed at the head of the
+default set.
 .Pp
 The supported ciphers are:
 .Pp
@@ -676,6 +680,10 @@ If the specified list begins with a
 .Sq -
 character, then the specified key types (including wildcards) will be removed
 from the default set instead of replacing them.
+If the specified list begins with a
+.Sq ^
+character, then the specified key types will be placed at the head of the
+default set.
 The default for this option is:
 .Bd -literal -offset 3n
 ecdsa-sha2-nistp256-cert-v01@openssh.com,
@@ -881,6 +889,10 @@ If the specified list begins with a
 .Sq -
 character, then the specified methods (including wildcards) will be removed
 from the default set instead of replacing them.
+If the specified list begins with a
+.Sq ^
+character, then the specified methods will be placed at the head of the
+default set.
 The supported algorithms are:
 .Pp
 .Bl -item -compact -offset indent
@@ -998,6 +1010,10 @@ If the specified list begins with a
 .Sq -
 character, then the specified algorithms (including wildcards) will be removed
 from the default set instead of replacing them.
+If the specified list begins with a
+.Sq ^
+character, then the specified algorithms will be placed at the head of the
+default set.
 .Pp
 The algorithms that contain
 .Qq -etm
@@ -1403,6 +1419,10 @@ If the specified list begins with a
 .Sq -
 character, then the specified key types (including wildcards) will be removed
 from the default set instead of replacing them.
+If the specified list begins with a
+.Sq ^
+character, then the specified key types will be placed at the head of the
+default set.
 The default for this option is:
 .Bd -literal -offset 3n
 ecdsa-sha2-nistp256-cert-v01@openssh.com,
author	naddy@openbsd.org <naddy@openbsd.org>	2019-09-06 14:45:34 +0000
committer	Damien Miller <djm@mindrot.org>	2019-09-08 14:49:04 +1000
commit	91a2135f32acdd6378476c5bae475a6e7811a6a2 (patch)
tree	da8ddb5e4236cb12f3c70ab939e3abe674aa8ba4 /sshd_config.5
parent	c8bdd2db77ac2369d5cdee237656f266c8f41552 (diff)

diff --git a/sshd_config.5 b/sshd_config.5 index f42d10417..9486f2a1c 100644 --- a/sshd_config.5 +++ b/sshd_config.5
@@ -33,8 +33,8 @@
33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35	.\"	35	.\"
36	.\" $OpenBSD: sshd_config.5,v 1.289 2019/09/04 20:31:15 naddy Exp $	36	.\" $OpenBSD: sshd_config.5,v 1.290 2019/09/06 14:45:34 naddy Exp $
37	.Dd $Mdocdate: September 4 2019 $	37	.Dd $Mdocdate: September 6 2019 $
38	.Dt SSHD_CONFIG 5	38	.Dt SSHD_CONFIG 5
39	.Os	39	.Os
40	.Sh NAME	40	.Sh NAME
@@ -462,6 +462,10 @@ If the specified list begins with a
462	.Sq -	462	.Sq -
463	character, then the specified ciphers (including wildcards) will be removed	463	character, then the specified ciphers (including wildcards) will be removed
464	from the default set instead of replacing them.	464	from the default set instead of replacing them.
		465	If the specified list begins with a
		466	.Sq ^
		467	character, then the specified ciphers will be placed at the head of the
		468	default set.
465	.Pp	469	.Pp
466	The supported ciphers are:	470	The supported ciphers are:
467	.Pp	471	.Pp
@@ -676,6 +680,10 @@ If the specified list begins with a
676	.Sq -	680	.Sq -
677	character, then the specified key types (including wildcards) will be removed	681	character, then the specified key types (including wildcards) will be removed
678	from the default set instead of replacing them.	682	from the default set instead of replacing them.
		683	If the specified list begins with a
		684	.Sq ^
		685	character, then the specified key types will be placed at the head of the
		686	default set.
679	The default for this option is:	687	The default for this option is:
680	.Bd -literal -offset 3n	688	.Bd -literal -offset 3n
681	ecdsa-sha2-nistp256-cert-v01@openssh.com,	689	ecdsa-sha2-nistp256-cert-v01@openssh.com,
@@ -881,6 +889,10 @@ If the specified list begins with a
881	.Sq -	889	.Sq -
882	character, then the specified methods (including wildcards) will be removed	890	character, then the specified methods (including wildcards) will be removed
883	from the default set instead of replacing them.	891	from the default set instead of replacing them.
		892	If the specified list begins with a
		893	.Sq ^
		894	character, then the specified methods will be placed at the head of the
		895	default set.
884	The supported algorithms are:	896	The supported algorithms are:
885	.Pp	897	.Pp
886	.Bl -item -compact -offset indent	898	.Bl -item -compact -offset indent
@@ -998,6 +1010,10 @@ If the specified list begins with a
998	.Sq -	1010	.Sq -
999	character, then the specified algorithms (including wildcards) will be removed	1011	character, then the specified algorithms (including wildcards) will be removed
1000	from the default set instead of replacing them.	1012	from the default set instead of replacing them.
		1013	If the specified list begins with a
		1014	.Sq ^
		1015	character, then the specified algorithms will be placed at the head of the
		1016	default set.
1001	.Pp	1017	.Pp
1002	The algorithms that contain	1018	The algorithms that contain
1003	.Qq -etm	1019	.Qq -etm
@@ -1403,6 +1419,10 @@ If the specified list begins with a
1403	.Sq -	1419	.Sq -
1404	character, then the specified key types (including wildcards) will be removed	1420	character, then the specified key types (including wildcards) will be removed
1405	from the default set instead of replacing them.	1421	from the default set instead of replacing them.
		1422	If the specified list begins with a
		1423	.Sq ^
		1424	character, then the specified key types will be placed at the head of the
		1425	default set.
1406	The default for this option is:	1426	The default for this option is:
1407	.Bd -literal -offset 3n	1427	.Bd -literal -offset 3n
1408	ecdsa-sha2-nistp256-cert-v01@openssh.com,	1428	ecdsa-sha2-nistp256-cert-v01@openssh.com,