2 files changed, 27 insertions, 4 deletions

diff --git a/myproposal.h b/myproposal.h
index 45db30e5b..5f528e4e1 100644
--- a/myproposal.h
+++ b/myproposal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: myproposal.h,v 1.58 2019/02/23 08:20:43 djm Exp $ */
+/* $OpenBSD: myproposal.h,v 1.59 2019/10/31 21:17:49 djm Exp $ */
 
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
@@ -144,6 +144,24 @@
         "rsa-sha2-256," \
         "ssh-rsa"
 
+#define PUBKEY_DEFAULT_PK_ALG   \
+        "sk-ecdsa-sha2-nistp256-cert-v01@openssh.com," \
+        "ecdsa-sha2-nistp256-cert-v01@openssh.com," \
+        "ecdsa-sha2-nistp384-cert-v01@openssh.com," \
+        "ecdsa-sha2-nistp521-cert-v01@openssh.com," \
+        "ssh-ed25519-cert-v01@openssh.com," \
+        "rsa-sha2-512-cert-v01@openssh.com," \
+        "rsa-sha2-256-cert-v01@openssh.com," \
+        "ssh-rsa-cert-v01@openssh.com," \
+        "sk-ecdsa-sha2-nistp256@openssh.com," \
+        "ecdsa-sha2-nistp256," \
+        "ecdsa-sha2-nistp384," \
+        "ecdsa-sha2-nistp521," \
+        "ssh-ed25519," \
+        "rsa-sha2-512," \
+        "rsa-sha2-256," \
+        "ssh-rsa"
+
 #else /* WITH_OPENSSL */
 
 #define KEX_SERVER_KEX          \
@@ -152,6 +170,7 @@
 #define KEX_DEFAULT_PK_ALG      \
         "ssh-ed25519-cert-v01@openssh.com," \
         "ssh-ed25519"
+#define PUBKEY_DEFAULT_PK_ALG KEX_DEFAULT_PK_ALG
 #define KEX_SERVER_ENCRYPT \
         "chacha20-poly1305@openssh.com," \
         "aes128-ctr,aes192-ctr,aes256-ctr"
@@ -173,6 +192,10 @@
 
 #define SSH_ALLOWED_CA_SIGALGS  "ssh-ed25519"
 
+#define PUBKEY_DEFAULT_PK_ALG   \
+        "ssh-ed25519-cert-v01@openssh.com," \
+        "ssh-ed25519"
+
 #endif /* WITH_OPENSSL */
 
 #define KEX_DEFAULT_COMP        "none,zlib@openssh.com"
diff --git a/servconf.c b/servconf.c
index e76f9c39e..e2f44d38d 100644
--- a/servconf.c
+++ b/servconf.c
@@ -1,5 +1,5 @@
 
-/* $OpenBSD: servconf.c,v 1.352 2019/09/06 14:45:34 naddy Exp $ */
+/* $OpenBSD: servconf.c,v 1.353 2019/10/31 21:17:49 djm Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
  *                    All rights reserved
@@ -210,7 +210,7 @@ assemble_algorithms(ServerOptions *o)
         ASSEMBLE(kex_algorithms, KEX_SERVER_KEX, all_kex);
         ASSEMBLE(hostkeyalgorithms, KEX_DEFAULT_PK_ALG, all_key);
         ASSEMBLE(hostbased_key_types, KEX_DEFAULT_PK_ALG, all_key);
-        ASSEMBLE(pubkey_key_types, KEX_DEFAULT_PK_ALG, all_key);
+        ASSEMBLE(pubkey_key_types, PUBKEY_DEFAULT_PK_ALG, all_key);
         ASSEMBLE(ca_sign_algorithms, SSH_ALLOWED_CA_SIGALGS, all_sig);
 #undef ASSEMBLE
         free(all_cipher);
@@ -2641,7 +2641,7 @@ dump_config(ServerOptions *o)
         dump_cfg_string(sHostKeyAlgorithms, o->hostkeyalgorithms ?
             o->hostkeyalgorithms : KEX_DEFAULT_PK_ALG);
         dump_cfg_string(sPubkeyAcceptedKeyTypes, o->pubkey_key_types ?
-            o->pubkey_key_types : KEX_DEFAULT_PK_ALG);
+            o->pubkey_key_types : PUBKEY_DEFAULT_PK_ALG);
         dump_cfg_string(sRDomain, o->routing_domain);
 
         /* string arguments requiring a lookup */