upstream: Add sshd_config CASignatureAlgorithms option to allow

control over which signature algorithms a CA may use when signing certificates. In particular, this allows a sshd to ban certificates signed with RSA/SHA1. ok markus@ OpenBSD-Commit-ID: b05c86ef8b52b913ed48d54a9b9c1a7714d96bac
author: djm@openbsd.org <djm@openbsd.org> 2018-09-20 03:28:06 +0000
committer: Damien Miller <djm@mindrot.org> 2018-09-20 14:00:29 +1000
commit: 86e5737c39153af134158f24d0cab5827cbd5852 (patch)
tree: 1add30c99e83b544792233280451f70f03053586 /sshd_config.5
parent: f80e68ea7d62e2dfafc12f1a60ab544ae4033a0f (diff)
1 files changed, 13 insertions, 2 deletions
diff --git a/sshd_config.5 b/sshd_config.5
index e1b54ba20..c6484370b 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.281 2018/07/20 05:01:10 djm Exp $
+.\" $OpenBSD: sshd_config.5,v 1.282 2018/09/20 03:28:06 djm Exp $
-.Dd $Mdocdate: July 20 2018 $
+.Dd $Mdocdate: September 20 2018 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@@ -382,6 +382,17 @@ If the argument is
 .Cm none
 then no banner is displayed.
 By default, no banner is displayed.
+.It Cm CASignatureAlgorithms
+Specifies which algorithms are allowed for signing of certificates
+by certificate authorities (CAs).
+The default is:
+.Bd -literal -offset indent
+ecdsa-sha2-nistp256.ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
+ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
+.Ed
+.Pp
+Certificates signed using other algorithms will not be accepted for
+public key or host-based authentication.
 .It Cm ChallengeResponseAuthentication
 Specifies whether challenge-response authentication is allowed (e.g. via
 PAM or through authentication styles supported in
author	djm@openbsd.org <djm@openbsd.org>	2018-09-20 03:28:06 +0000
committer	Damien Miller <djm@mindrot.org>	2018-09-20 14:00:29 +1000
commit	86e5737c39153af134158f24d0cab5827cbd5852 (patch)
tree	1add30c99e83b544792233280451f70f03053586 /sshd_config.5
parent	f80e68ea7d62e2dfafc12f1a60ab544ae4033a0f (diff)

diff --git a/sshd_config.5 b/sshd_config.5 index e1b54ba20..c6484370b 100644 --- a/sshd_config.5 +++ b/sshd_config.5
@@ -33,8 +33,8 @@
33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35	.\"	35	.\"
36	.\" $OpenBSD: sshd_config.5,v 1.281 2018/07/20 05:01:10 djm Exp $	36	.\" $OpenBSD: sshd_config.5,v 1.282 2018/09/20 03:28:06 djm Exp $
37	.Dd $Mdocdate: July 20 2018 $	37	.Dd $Mdocdate: September 20 2018 $
38	.Dt SSHD_CONFIG 5	38	.Dt SSHD_CONFIG 5
39	.Os	39	.Os
40	.Sh NAME	40	.Sh NAME
@@ -382,6 +382,17 @@ If the argument is
382	.Cm none	382	.Cm none
383	then no banner is displayed.	383	then no banner is displayed.
384	By default, no banner is displayed.	384	By default, no banner is displayed.
		385	.It Cm CASignatureAlgorithms
		386	Specifies which algorithms are allowed for signing of certificates
		387	by certificate authorities (CAs).
		388	The default is:
		389	.Bd -literal -offset indent
		390	ecdsa-sha2-nistp256.ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
		391	ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
		392	.Ed
		393	.Pp
		394	Certificates signed using other algorithms will not be accepted for
		395	public key or host-based authentication.
385	.It Cm ChallengeResponseAuthentication	396	.It Cm ChallengeResponseAuthentication
386	Specifies whether challenge-response authentication is allowed (e.g. via	397	Specifies whether challenge-response authentication is allowed (e.g. via
387	PAM or through authentication styles supported in	398	PAM or through authentication styles supported in