upstream commit

Allow ssh_config and sshd_config kex parameters options be prefixed by a '+' to indicate that the specified items be appended to the default rather than replacing it. approach suggested by dtucker@, feedback dlg@, ok markus@ Upstream-ID: 0f901137298fc17095d5756ff1561a7028e8882a
author: djm@openbsd.org <djm@openbsd.org> 2015-07-30 00:01:34 +0000
committer: Damien Miller <djm@mindrot.org> 2015-07-30 12:32:16 +1000
commit: f9eca249d4961f28ae4b09186d7dc91de74b5895 (patch)
tree: f4c86ae2043499a6ed7f8c736f0cd5e1f483102c /sshd_config.5
parent: 5cefe769105a2a2e3ca7479d28d9a325d5ef0163 (diff)
1 files changed, 24 insertions, 2 deletions
diff --git a/sshd_config.5 b/sshd_config.5
index 0614531c5..2808576a9 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.207 2015/07/20 00:30:01 djm Exp $
+.\" $OpenBSD: sshd_config.5,v 1.208 2015/07/30 00:01:34 djm Exp $
-.Dd $Mdocdate: July 20 2015 $
+.Dd $Mdocdate: July 30 2015 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@@ -434,6 +434,11 @@ The default is not to
 .It Cm Ciphers
 Specifies the ciphers allowed for protocol version 2.
 Multiple ciphers must be comma-separated.
+If the specified value begins with a
+.Sq +
+character, then the specified ciphers will be appended to the default set
+instead of replacing them.
+.Pp
 The supported ciphers are:
 .Pp
 .Bl -item -compact -offset indent
@@ -640,6 +645,10 @@ The default is
 .It Cm HostbasedAcceptedKeyTypes
 Specifies the key types that will be accepted for hostbased authentication
 as a comma-separated pattern list.
+Alternately if the specified value begins with a
+.Sq +
+character, then the specified key types will be appended to the default set
+instead of replacing them.
 The default for this option is:
 .Bd -literal -offset 3n
 ecdsa-sha2-nistp256-cert-v01@openssh.com,
@@ -855,6 +864,10 @@ The default is
 .It Cm KexAlgorithms
 Specifies the available KEX (Key Exchange) algorithms.
 Multiple algorithms must be comma-separated.
+Alternately if the specified value begins with a
+.Sq +
+character, then the specified methods will be appended to the default set
+instead of replacing them.
 The supported algorithms are:
 .Pp
 .Bl -item -compact -offset indent
@@ -953,6 +966,11 @@ Specifies the available MAC (message authentication code) algorithms.
 The MAC algorithm is used in protocol version 2
 for data integrity protection.
 Multiple algorithms must be comma-separated.
+If the specified value begins with a
+.Sq +
+character, then the specified algorithms will be appended to the default set
+instead of replacing them.
+.Pp
 The algorithms that contain
 .Dq -etm
 calculate the MAC after encryption (encrypt-then-mac).
@@ -1313,6 +1331,10 @@ is identical to
 .It Cm PubkeyAcceptedKeyTypes
 Specifies the key types that will be accepted for public key authentication
 as a comma-separated pattern list.
+Alternately if the specified value begins with a
+.Sq +
+character, then the specified key types will be appended to the default set
+instead of replacing them.
 The default for this option is:
 .Bd -literal -offset 3n
 ecdsa-sha2-nistp256-cert-v01@openssh.com,
author	djm@openbsd.org <djm@openbsd.org>	2015-07-30 00:01:34 +0000
committer	Damien Miller <djm@mindrot.org>	2015-07-30 12:32:16 +1000
commit	f9eca249d4961f28ae4b09186d7dc91de74b5895 (patch)
tree	f4c86ae2043499a6ed7f8c736f0cd5e1f483102c /sshd_config.5
parent	5cefe769105a2a2e3ca7479d28d9a325d5ef0163 (diff)

diff --git a/sshd_config.5 b/sshd_config.5 index 0614531c5..2808576a9 100644 --- a/sshd_config.5 +++ b/sshd_config.5
@@ -33,8 +33,8 @@
33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35	.\"	35	.\"
36	.\" $OpenBSD: sshd_config.5,v 1.207 2015/07/20 00:30:01 djm Exp $	36	.\" $OpenBSD: sshd_config.5,v 1.208 2015/07/30 00:01:34 djm Exp $
37	.Dd $Mdocdate: July 20 2015 $	37	.Dd $Mdocdate: July 30 2015 $
38	.Dt SSHD_CONFIG 5	38	.Dt SSHD_CONFIG 5
39	.Os	39	.Os
40	.Sh NAME	40	.Sh NAME
@@ -434,6 +434,11 @@ The default is not to
434	.It Cm Ciphers	434	.It Cm Ciphers
435	Specifies the ciphers allowed for protocol version 2.	435	Specifies the ciphers allowed for protocol version 2.
436	Multiple ciphers must be comma-separated.	436	Multiple ciphers must be comma-separated.
		437	If the specified value begins with a
		438	.Sq +
		439	character, then the specified ciphers will be appended to the default set
		440	instead of replacing them.
		441	.Pp
437	The supported ciphers are:	442	The supported ciphers are:
438	.Pp	443	.Pp
439	.Bl -item -compact -offset indent	444	.Bl -item -compact -offset indent
@@ -640,6 +645,10 @@ The default is
640	.It Cm HostbasedAcceptedKeyTypes	645	.It Cm HostbasedAcceptedKeyTypes
641	Specifies the key types that will be accepted for hostbased authentication	646	Specifies the key types that will be accepted for hostbased authentication
642	as a comma-separated pattern list.	647	as a comma-separated pattern list.
		648	Alternately if the specified value begins with a
		649	.Sq +
		650	character, then the specified key types will be appended to the default set
		651	instead of replacing them.
643	The default for this option is:	652	The default for this option is:
644	.Bd -literal -offset 3n	653	.Bd -literal -offset 3n
645	ecdsa-sha2-nistp256-cert-v01@openssh.com,	654	ecdsa-sha2-nistp256-cert-v01@openssh.com,
@@ -855,6 +864,10 @@ The default is
855	.It Cm KexAlgorithms	864	.It Cm KexAlgorithms
856	Specifies the available KEX (Key Exchange) algorithms.	865	Specifies the available KEX (Key Exchange) algorithms.
857	Multiple algorithms must be comma-separated.	866	Multiple algorithms must be comma-separated.
		867	Alternately if the specified value begins with a
		868	.Sq +
		869	character, then the specified methods will be appended to the default set
		870	instead of replacing them.
858	The supported algorithms are:	871	The supported algorithms are:
859	.Pp	872	.Pp
860	.Bl -item -compact -offset indent	873	.Bl -item -compact -offset indent
@@ -953,6 +966,11 @@ Specifies the available MAC (message authentication code) algorithms.
953	The MAC algorithm is used in protocol version 2	966	The MAC algorithm is used in protocol version 2
954	for data integrity protection.	967	for data integrity protection.
955	Multiple algorithms must be comma-separated.	968	Multiple algorithms must be comma-separated.
		969	If the specified value begins with a
		970	.Sq +
		971	character, then the specified algorithms will be appended to the default set
		972	instead of replacing them.
		973	.Pp
956	The algorithms that contain	974	The algorithms that contain
957	.Dq -etm	975	.Dq -etm
958	calculate the MAC after encryption (encrypt-then-mac).	976	calculate the MAC after encryption (encrypt-then-mac).
@@ -1313,6 +1331,10 @@ is identical to
1313	.It Cm PubkeyAcceptedKeyTypes	1331	.It Cm PubkeyAcceptedKeyTypes
1314	Specifies the key types that will be accepted for public key authentication	1332	Specifies the key types that will be accepted for public key authentication
1315	as a comma-separated pattern list.	1333	as a comma-separated pattern list.
		1334	Alternately if the specified value begins with a
		1335	.Sq +
		1336	character, then the specified key types will be appended to the default set
		1337	instead of replacing them.
1316	The default for this option is:	1338	The default for this option is:
1317	.Bd -literal -offset 3n	1339	.Bd -literal -offset 3n
1318	ecdsa-sha2-nistp256-cert-v01@openssh.com,	1340	ecdsa-sha2-nistp256-cert-v01@openssh.com,