upstream commit

add sshd_config HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes options to allow sshd to control what public key types will be accepted. Currently defaults to all. Feedback & ok markus@
author: djm@openbsd.org <djm@openbsd.org> 2015-01-13 07:39:19 +0000
committer: Damien Miller <djm@mindrot.org> 2015-01-13 19:27:18 +1100
commit: 1f729f0614d1376c3332fa1edb6a5e5cec7e9e03 (patch)
tree: f651f10aa00dcecdf8e9362c0abb6282bbc99c95 /sshd_config.5
parent: 816d1538c24209a93ba0560b27c4fda57c3fff65 (diff)
1 files changed, 26 insertions, 2 deletions
diff --git a/sshd_config.5 b/sshd_config.5
index cec2a023a..88fe90193 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.188 2014/12/22 09:05:17 djm Exp $
+.\" $OpenBSD: sshd_config.5,v 1.189 2015/01/13 07:39:19 djm Exp $
-.Dd $Mdocdate: December 22 2014 $
+.Dd $Mdocdate: January 13 2015 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@@ -561,6 +561,17 @@ on logout.
 The default is
 .Dq yes .
 Note that this option applies to protocol version 2 only.
+.It Cm HostbasedAcceptedKeyTypes
+Specifies the key types that will be accepted for hostbased authentication
+as a comma-separated pattern list.
+The default
+.Dq *
+will allow all key types.
+The
+.Fl Q
+option of
+.Xr ssh 1
+may be used to list supported key types.
 .It Cm HostbasedAuthentication
 Specifies whether rhosts or /etc/hosts.equiv authentication together
 with successful public key client host authentication is allowed
@@ -962,6 +973,7 @@ Available keywords are
 .Cm ForceCommand ,
 .Cm GatewayPorts ,
 .Cm GSSAPIAuthentication ,
+.Cm HostbasedAcceptedKeyTypes ,
 .Cm HostbasedAuthentication ,
 .Cm HostbasedUsesNameFromPacketOnly ,
 .Cm KbdInteractiveAuthentication ,
@@ -975,6 +987,7 @@ Available keywords are
 .Cm PermitTTY ,
 .Cm PermitTunnel ,
 .Cm PermitUserRC ,
+.Cm PubkeyAcceptedKeyTypes ,
 .Cm PubkeyAuthentication ,
 .Cm RekeyLimit ,
 .Cm RhostsRSAAuthentication ,
@@ -1182,6 +1195,17 @@ Specifying
 .Dq 2,1
 is identical to
 .Dq 1,2 .
+.It Cm PubkeyAcceptedKeyTypes
+Specifies the key types that will be accepted for public key authentication
+as a comma-separated pattern list.
+The default
+.Dq *
+will allow all key types.
+The
+.Fl Q
+option of
+.Xr ssh 1
+may be used to list supported key types.
 .It Cm PubkeyAuthentication
 Specifies whether public key authentication is allowed.
 The default is
author	djm@openbsd.org <djm@openbsd.org>	2015-01-13 07:39:19 +0000
committer	Damien Miller <djm@mindrot.org>	2015-01-13 19:27:18 +1100
commit	1f729f0614d1376c3332fa1edb6a5e5cec7e9e03 (patch)
tree	f651f10aa00dcecdf8e9362c0abb6282bbc99c95 /sshd_config.5
parent	816d1538c24209a93ba0560b27c4fda57c3fff65 (diff)

diff --git a/sshd_config.5 b/sshd_config.5 index cec2a023a..88fe90193 100644 --- a/sshd_config.5 +++ b/sshd_config.5
@@ -33,8 +33,8 @@
33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35	.\"	35	.\"
36	.\" $OpenBSD: sshd_config.5,v 1.188 2014/12/22 09:05:17 djm Exp $	36	.\" $OpenBSD: sshd_config.5,v 1.189 2015/01/13 07:39:19 djm Exp $
37	.Dd $Mdocdate: December 22 2014 $	37	.Dd $Mdocdate: January 13 2015 $
38	.Dt SSHD_CONFIG 5	38	.Dt SSHD_CONFIG 5
39	.Os	39	.Os
40	.Sh NAME	40	.Sh NAME
@@ -561,6 +561,17 @@ on logout.
561	The default is	561	The default is
562	.Dq yes .	562	.Dq yes .
563	Note that this option applies to protocol version 2 only.	563	Note that this option applies to protocol version 2 only.
		564	.It Cm HostbasedAcceptedKeyTypes
		565	Specifies the key types that will be accepted for hostbased authentication
		566	as a comma-separated pattern list.
		567	The default
		568	.Dq *
		569	will allow all key types.
		570	The
		571	.Fl Q
		572	option of
		573	.Xr ssh 1
		574	may be used to list supported key types.
564	.It Cm HostbasedAuthentication	575	.It Cm HostbasedAuthentication
565	Specifies whether rhosts or /etc/hosts.equiv authentication together	576	Specifies whether rhosts or /etc/hosts.equiv authentication together
566	with successful public key client host authentication is allowed	577	with successful public key client host authentication is allowed
@@ -962,6 +973,7 @@ Available keywords are
962	.Cm ForceCommand ,	973	.Cm ForceCommand ,
963	.Cm GatewayPorts ,	974	.Cm GatewayPorts ,
964	.Cm GSSAPIAuthentication ,	975	.Cm GSSAPIAuthentication ,
		976	.Cm HostbasedAcceptedKeyTypes ,
965	.Cm HostbasedAuthentication ,	977	.Cm HostbasedAuthentication ,
966	.Cm HostbasedUsesNameFromPacketOnly ,	978	.Cm HostbasedUsesNameFromPacketOnly ,
967	.Cm KbdInteractiveAuthentication ,	979	.Cm KbdInteractiveAuthentication ,
@@ -975,6 +987,7 @@ Available keywords are
975	.Cm PermitTTY ,	987	.Cm PermitTTY ,
976	.Cm PermitTunnel ,	988	.Cm PermitTunnel ,
977	.Cm PermitUserRC ,	989	.Cm PermitUserRC ,
		990	.Cm PubkeyAcceptedKeyTypes ,
978	.Cm PubkeyAuthentication ,	991	.Cm PubkeyAuthentication ,
979	.Cm RekeyLimit ,	992	.Cm RekeyLimit ,
980	.Cm RhostsRSAAuthentication ,	993	.Cm RhostsRSAAuthentication ,
@@ -1182,6 +1195,17 @@ Specifying
1182	.Dq 2,1	1195	.Dq 2,1
1183	is identical to	1196	is identical to
1184	.Dq 1,2 .	1197	.Dq 1,2 .
		1198	.It Cm PubkeyAcceptedKeyTypes
		1199	Specifies the key types that will be accepted for public key authentication
		1200	as a comma-separated pattern list.
		1201	The default
		1202	.Dq *
		1203	will allow all key types.
		1204	The
		1205	.Fl Q
		1206	option of
		1207	.Xr ssh 1
		1208	may be used to list supported key types.
1185	.It Cm PubkeyAuthentication	1209	.It Cm PubkeyAuthentication
1186	Specifies whether public key authentication is allowed.	1210	Specifies whether public key authentication is allowed.
1187	The default is	1211	The default is