12 files changed, 173 insertions, 66 deletions

diff --git a/clientloop.c b/clientloop.c
index dc0e557ad..87ceb3dab 100644
--- a/clientloop.c
+++ b/clientloop.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: clientloop.c,v 1.274 2015/07/01 02:26:31 djm Exp $ */
+/* $OpenBSD: clientloop.c,v 1.275 2015/07/10 06:21:53 markus Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -100,6 +100,7 @@
 #include "key.h"
 #include "cipher.h"
 #include "kex.h"
+#include "myproposal.h"
 #include "log.h"
 #include "misc.h"
 #include "readconf.h"
@@ -2362,10 +2363,11 @@ client_input_hostkeys(void)
                 debug3("%s: received %s key %s", __func__,
                     sshkey_type(key), fp);
                 free(fp);
+
                 /* Check that the key is accepted in HostkeyAlgorithms */
-                if (options.hostkeyalgorithms != NULL &&
-                    match_pattern_list(sshkey_ssh_name(key),
-                    options.hostkeyalgorithms, 0) != 1) {
+                if (match_pattern_list(sshkey_ssh_name(key),
+                    options.hostkeyalgorithms ? options.hostkeyalgorithms :
+                    KEX_DEFAULT_PK_ALG, 0) != 1) {
                         debug3("%s: %s key not permitted by HostkeyAlgorithms",
                             __func__, sshkey_ssh_name(key));
                         continue;
diff --git a/myproposal.h b/myproposal.h
index 371f27cae..46e5b988d 100644
--- a/myproposal.h
+++ b/myproposal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: myproposal.h,v 1.46 2015/07/03 03:47:00 djm Exp $ */
+/* $OpenBSD: myproposal.h,v 1.47 2015/07/10 06:21:53 markus Exp $ */
 
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
@@ -99,11 +99,9 @@
         HOSTKEY_ECDSA_CERT_METHODS \
         "ssh-ed25519-cert-v01@openssh.com," \
         "ssh-rsa-cert-v01@openssh.com," \
-        "ssh-dss-cert-v01@openssh.com," \
         HOSTKEY_ECDSA_METHODS \
         "ssh-ed25519," \
-        "ssh-rsa," \
-        "ssh-dss"
+        "ssh-rsa" \
 
 /* the actual algorithms */
 
diff --git a/readconf.c b/readconf.c
index db7d0bbbf..f1c860b9c 100644
--- a/readconf.c
+++ b/readconf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: readconf.c,v 1.237 2015/06/26 05:13:20 djm Exp $ */
+/* $OpenBSD: readconf.c,v 1.238 2015/07/10 06:21:53 markus Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -157,6 +157,7 @@ typedef enum {
         oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs,
         oStreamLocalBindMask, oStreamLocalBindUnlink, oRevokedHostKeys,
         oFingerprintHash, oUpdateHostkeys, oHostbasedKeyTypes,
+        oPubkeyAcceptedKeyTypes,
         oIgnoredUnknownOption, oDeprecated, oUnsupported
 } OpCodes;
 
@@ -275,6 +276,7 @@ static struct {
         { "fingerprinthash", oFingerprintHash },
         { "updatehostkeys", oUpdateHostkeys },
         { "hostbasedkeytypes", oHostbasedKeyTypes },
+        { "pubkeyacceptedkeytypes", oPubkeyAcceptedKeyTypes },
         { "ignoreunknown", oIgnoreUnknown },
 
         { NULL, oBadOption }
@@ -1115,14 +1117,17 @@ parse_int:
                 break;
 
         case oHostKeyAlgorithms:
+                charptr = &options->hostkeyalgorithms;
+parse_keytypes:
                 arg = strdelim(&s);
                 if (!arg || *arg == '\0')
-                        fatal("%.200s line %d: Missing argument.", filename, linenum);
+                        fatal("%.200s line %d: Missing argument.",
+                            filename, linenum);
                 if (!sshkey_names_valid2(arg, 1))
-                        fatal("%.200s line %d: Bad protocol 2 host key algorithms '%s'.",
-                            filename, linenum, arg ? arg : "<NONE>");
-                if (*activep && options->hostkeyalgorithms == NULL)
-                        options->hostkeyalgorithms = xstrdup(arg);
+                        fatal("%s line %d: Bad key types '%s'.",
+                                filename, linenum, arg ? arg : "<NONE>");
+                if (*activep && *charptr == NULL)
+                        *charptr = xstrdup(arg);
                 break;
 
         case oProtocol:
@@ -1485,16 +1490,11 @@ parse_int:
 
         case oHostbasedKeyTypes:
                 charptr = &options->hostbased_key_types;
-                arg = strdelim(&s);
-                if (!arg || *arg == '\0')
-                        fatal("%.200s line %d: Missing argument.",
-                            filename, linenum);
-                if (!sshkey_names_valid2(arg, 1))
-                        fatal("%s line %d: Bad key types '%s'.",
-                                filename, linenum, arg ? arg : "<NONE>");
-                if (*activep && *charptr == NULL)
-                        *charptr = xstrdup(arg);
-                break;
+                goto parse_keytypes;
+
+        case oPubkeyAcceptedKeyTypes:
+                charptr = &options->pubkey_key_types;
+                goto parse_keytypes;
 
         case oDeprecated:
                 debug("%s line %d: Deprecated option \"%s\"",
@@ -1676,6 +1676,7 @@ initialize_options(Options * options)
         options->fingerprint_hash = -1;
         options->update_hostkeys = -1;
         options->hostbased_key_types = NULL;
+        options->pubkey_key_types = NULL;
 }
 
 /*
@@ -1858,7 +1859,9 @@ fill_default_options(Options * options)
         if (options->update_hostkeys == -1)
                 options->update_hostkeys = 0;
         if (options->hostbased_key_types == NULL)
-                options->hostbased_key_types = xstrdup("*");
+                options->hostbased_key_types = xstrdup(KEX_DEFAULT_PK_ALG);
+        if (options->pubkey_key_types == NULL)
+                options->pubkey_key_types = xstrdup(KEX_DEFAULT_PK_ALG);
 
 #define CLEAR_ON_NONE(v) \
         do { \
diff --git a/readconf.h b/readconf.h
index 576b9e352..bb2d55283 100644
--- a/readconf.h
+++ b/readconf.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: readconf.h,v 1.109 2015/02/16 22:13:32 djm Exp $ */
+/* $OpenBSD: readconf.h,v 1.110 2015/07/10 06:21:53 markus Exp $ */
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -150,7 +150,8 @@ typedef struct {
 
         int      update_hostkeys; /* one of SSH_UPDATE_HOSTKEYS_* */
 
-        char    *hostbased_key_types;
+        char   *hostbased_key_types;
+        char   *pubkey_key_types;
 
         char    *ignored_unknown; /* Pattern list of unknown tokens to ignore */
 }       Options;
diff --git a/scp.1 b/scp.1
index 0e84780e0..279b0d70b 100644
--- a/scp.1
+++ b/scp.1
@@ -8,9 +8,9 @@
 .\"
 .\" Created: Sun May  7 00:14:37 1995 ylo
 .\"
-.\" $OpenBSD: scp.1,v 1.66 2015/01/30 11:43:14 djm Exp $
+.\" $OpenBSD: scp.1,v 1.67 2015/07/10 06:21:53 markus Exp $
 .\"
-.Dd $Mdocdate: January 30 2015 $
+.Dd $Mdocdate: July 10 2015 $
 .Dt SCP 1
 .Os
 .Sh NAME
@@ -170,6 +170,7 @@ For full details of the options listed below, and their possible values, see
 .It PreferredAuthentications
 .It Protocol
 .It ProxyCommand
+.It PubkeyAcceptedKeyTypes
 .It PubkeyAuthentication
 .It RekeyLimit
 .It RhostsRSAAuthentication
diff --git a/servconf.c b/servconf.c
index 80465ecc1..018f251ca 100644
--- a/servconf.c
+++ b/servconf.c
@@ -1,5 +1,5 @@
 
-/* $OpenBSD: servconf.c,v 1.275 2015/07/01 02:39:06 djm Exp $ */
+/* $OpenBSD: servconf.c,v 1.276 2015/07/10 06:21:53 markus Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
  *                    All rights reserved
@@ -108,6 +108,7 @@ initialize_server_options(ServerOptions *options)
         options->hostbased_authentication = -1;
         options->hostbased_uses_name_from_packet_only = -1;
         options->hostbased_key_types = NULL;
+        options->hostkeyalgorithms = NULL;
         options->rsa_authentication = -1;
         options->pubkey_authentication = -1;
         options->pubkey_key_types = NULL;
@@ -259,13 +260,15 @@ fill_default_server_options(ServerOptions *options)
         if (options->hostbased_uses_name_from_packet_only == -1)
                 options->hostbased_uses_name_from_packet_only = 0;
         if (options->hostbased_key_types == NULL)
-                options->hostbased_key_types = xstrdup("*");
+                options->hostbased_key_types = xstrdup(KEX_DEFAULT_PK_ALG);
+        if (options->hostkeyalgorithms == NULL)
+                options->hostkeyalgorithms = xstrdup(KEX_DEFAULT_PK_ALG);
         if (options->rsa_authentication == -1)
                 options->rsa_authentication = 1;
         if (options->pubkey_authentication == -1)
                 options->pubkey_authentication = 1;
         if (options->pubkey_key_types == NULL)
-                options->pubkey_key_types = xstrdup("*");
+                options->pubkey_key_types = xstrdup(KEX_DEFAULT_PK_ALG);
         if (options->kerberos_authentication == -1)
                 options->kerberos_authentication = 0;
         if (options->kerberos_or_local_passwd == -1)
@@ -400,6 +403,7 @@ typedef enum {
         sXAuthLocation, sSubsystem, sMaxStartups, sMaxAuthTries, sMaxSessions,
         sBanner, sUseDNS, sHostbasedAuthentication,
         sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes,
+        sHostKeyAlgorithms,
         sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
         sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
         sAcceptEnv, sPermitTunnel,
@@ -450,6 +454,7 @@ static struct {
         { "hostbasedauthentication", sHostbasedAuthentication, SSHCFG_ALL },
         { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly, SSHCFG_ALL },
         { "hostbasedacceptedkeytypes", sHostbasedAcceptedKeyTypes, SSHCFG_ALL },
+        { "hostkeyalgorithms", sHostKeyAlgorithms, SSHCFG_GLOBAL },
         { "rsaauthentication", sRSAAuthentication, SSHCFG_ALL },
         { "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_ALL },
         { "pubkeyacceptedkeytypes", sPubkeyAcceptedKeyTypes, SSHCFG_ALL },
@@ -1183,6 +1188,10 @@ process_server_config_line(ServerOptions *options, char *line,
                         *charptr = xstrdup(arg);
                 break;
 
+        case sHostKeyAlgorithms:
+                charptr = &options->hostkeyalgorithms;
+                goto parse_keytypes;
+
         case sRSAAuthentication:
                 intptr = &options->rsa_authentication;
                 goto parse_flag;
@@ -2280,6 +2289,8 @@ dump_config(ServerOptions *o)
             o->kex_algorithms ? o->kex_algorithms : KEX_SERVER_KEX);
         dump_cfg_string(sHostbasedAcceptedKeyTypes, o->hostbased_key_types ?
             o->hostbased_key_types : KEX_DEFAULT_PK_ALG);
+        dump_cfg_string(sHostKeyAlgorithms, o->hostkeyalgorithms ?
+            o->hostkeyalgorithms : KEX_DEFAULT_PK_ALG);
         dump_cfg_string(sPubkeyAcceptedKeyTypes, o->pubkey_key_types ?
             o->pubkey_key_types : KEX_DEFAULT_PK_ALG);
 
diff --git a/servconf.h b/servconf.h
index 606d80c9d..f4137af7d 100644
--- a/servconf.h
+++ b/servconf.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.h,v 1.119 2015/05/22 03:50:02 djm Exp $ */
+/* $OpenBSD: servconf.h,v 1.120 2015/07/10 06:21:53 markus Exp $ */
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -102,6 +102,7 @@ typedef struct {
         int     hostbased_authentication;       /* If true, permit ssh2 hostbased auth */
         int     hostbased_uses_name_from_packet_only; /* experimental */
         char   *hostbased_key_types;    /* Key types allowed for hostbased */
+        char   *hostkeyalgorithms;      /* SSH2 server key types */
         int     rsa_authentication;     /* If true, permit RSA authentication. */
         int     pubkey_authentication;  /* If true, permit ssh2 pubkey authentication. */
         char   *pubkey_key_types;       /* Key types allowed for public key */
diff --git a/ssh.1 b/ssh.1
index df7ac86af..fa87c2795 100644
--- a/ssh.1
+++ b/ssh.1
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh.1,v 1.358 2015/05/22 05:28:45 djm Exp $
-.Dd $Mdocdate: May 22 2015 $
+.\" $OpenBSD: ssh.1,v 1.359 2015/07/10 06:21:53 markus Exp $
+.Dd $Mdocdate: July 10 2015 $
 .Dt SSH 1
 .Os
 .Sh NAME
@@ -470,6 +470,7 @@ For full details of the options listed below, and their possible values, see
 .It Protocol
 .It ProxyCommand
 .It ProxyUseFdpass
+.It PubkeyAcceptedKeyTypes
 .It PubkeyAuthentication
 .It RekeyLimit
 .It RemoteForward
diff --git a/ssh_config.5 b/ssh_config.5
index d29963c15..e51439849 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh_config.5,v 1.212 2015/07/03 03:47:00 djm Exp $
-.Dd $Mdocdate: July 3 2015 $
+.\" $OpenBSD: ssh_config.5,v 1.213 2015/07/10 06:21:53 markus Exp $
+.Dd $Mdocdate: July 10 2015 $
 .Dt SSH_CONFIG 5
 .Os
 .Sh NAME
@@ -781,9 +781,17 @@ is similar to
 .It Cm HostbasedKeyTypes
 Specifies the key types that will be used for hostbased authentication
 as a comma-separated pattern list.
-The default
-.Dq *
-will allow all key types.
+The default for this option is:
+.Bd -literal -offset 3n
+ecdsa-sha2-nistp256-cert-v01@openssh.com,
+ecdsa-sha2-nistp384-cert-v01@openssh.com,
+ecdsa-sha2-nistp521-cert-v01@openssh.com,
+ssh-ed25519-cert-v01@openssh.com,
+ssh-rsa-cert-v01@openssh.com,
+ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
+ssh-ed25519,ssh-rsa
+.Ed
+.Pp
 The
 .Fl Q
 option of
@@ -798,10 +806,9 @@ ecdsa-sha2-nistp256-cert-v01@openssh.com,
 ecdsa-sha2-nistp384-cert-v01@openssh.com,
 ecdsa-sha2-nistp521-cert-v01@openssh.com,
 ssh-ed25519-cert-v01@openssh.com,
-ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,
-ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,
+ssh-rsa-cert-v01@openssh.com,
 ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
-ssh-ed25519,ssh-rsa,ssh-dss
+ssh-ed25519,ssh-rsa
 .Ed
 .Pp
 If hostkeys are known for the destination host then this default is modified
@@ -1206,6 +1213,25 @@ will pass a connected file descriptor back to
 instead of continuing to execute and pass data.
 The default is
 .Dq no .
+.It Cm PubkeyAcceptedKeyTypes
+Specifies the key types that will be used for public key authentication
+as a comma-separated pattern list.
+The default for this option is:
+.Bd -literal -offset 3n
+ecdsa-sha2-nistp256-cert-v01@openssh.com,
+ecdsa-sha2-nistp384-cert-v01@openssh.com,
+ecdsa-sha2-nistp521-cert-v01@openssh.com,
+ssh-ed25519-cert-v01@openssh.com,
+ssh-rsa-cert-v01@openssh.com,
+ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
+ssh-ed25519,ssh-rsa
+.Ed
+.Pp
+The
+.Fl Q
+option of
+.Xr ssh 1
+may be used to list supported key types.
 .It Cm PubkeyAuthentication
 Specifies whether to try public key authentication.
 The argument to this keyword must be
diff --git a/sshconnect2.c b/sshconnect2.c
index fcaed6b01..34dbf9a77 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect2.c,v 1.224 2015/05/04 06:10:48 djm Exp $ */
+/* $OpenBSD: sshconnect2.c,v 1.225 2015/07/10 06:21:53 markus Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  * Copyright (c) 2008 Damien Miller.  All rights reserved.
@@ -190,6 +190,8 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
                 myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
                     compat_pkalg_proposal(options.hostkeyalgorithms);
         else {
+                /* Enforce default */
+                options.hostkeyalgorithms = xstrdup(KEX_DEFAULT_PK_ALG);
                 /* Prefer algorithms that we already have keys for */
                 myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
                     compat_pkalg_proposal(
@@ -1315,6 +1317,26 @@ pubkey_cleanup(Authctxt *authctxt)
         }
 }
 
+static int
+try_identity(Identity *id)
+{
+        if (!id->key)
+                return (0);
+        if (match_pattern_list(sshkey_ssh_name(id->key),
+            options.pubkey_key_types, 0) != 1) {
+                debug("Skipping %s key %s for not in PubkeyAcceptedKeyTypes",
+                    sshkey_ssh_name(id->key), id->filename);
+                return (0);
+        }
+        if (key_type_plain(id->key->type) == KEY_RSA &&
+            (datafellows & SSH_BUG_RSASIGMD5) != 0) {
+                debug("Skipped %s key %s for RSA/MD5 server",
+                    key_type(id->key), id->filename);
+                return (0);
+        }
+        return (id->key->type != KEY_RSA1);
+}
+
 int
 userauth_pubkey(Authctxt *authctxt)
 {
@@ -1333,11 +1355,7 @@ userauth_pubkey(Authctxt *authctxt)
                  * private key instead
                  */
                 if (id->key != NULL) {
-                        if (key_type_plain(id->key->type) == KEY_RSA &&
-                            (datafellows & SSH_BUG_RSASIGMD5) != 0) {
-                                debug("Skipped %s key %s for RSA/MD5 server",
-                                    key_type(id->key), id->filename);
-                        } else if (id->key->type != KEY_RSA1) {
+                        if (try_identity(id)) {
                                 debug("Offering %s public key: %s",
                                     key_type(id->key), id->filename);
                                 sent = send_pubkey_test(authctxt, id);
@@ -1347,13 +1365,8 @@ userauth_pubkey(Authctxt *authctxt)
                         id->key = load_identity_file(id->filename,
                             id->userprovided);
                         if (id->key != NULL) {
-                                id->isprivate = 1;
-                                if (key_type_plain(id->key->type) == KEY_RSA &&
-                                    (datafellows & SSH_BUG_RSASIGMD5) != 0) {
-                                        debug("Skipped %s key %s for RSA/MD5 "
-                                            "server", key_type(id->key),
-                                            id->filename);
-                                } else {
+                                if (try_identity(id)) {
+                                        id->isprivate = 1;
                                         sent = sign_and_send_pubkey(
                                             authctxt, id);
                                 }
diff --git a/sshd.c b/sshd.c
index 86b3c643b..81a9b8245 100644
--- a/sshd.c
+++ b/sshd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshd.c,v 1.453 2015/07/03 03:49:45 djm Exp $ */
+/* $OpenBSD: sshd.c,v 1.454 2015/07/10 06:21:53 markus Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -95,6 +95,7 @@
 #include "log.h"
 #include "buffer.h"
 #include "misc.h"
+#include "match.h"
 #include "servconf.h"
 #include "uidswap.h"
 #include "compat.h"
@@ -799,6 +800,13 @@ list_hostkey_types(void)
                         key = sensitive_data.host_pubkeys[i];
                 if (key == NULL)
                         continue;
+                /* Check that the key is accepted in HostkeyAlgorithms */
+                if (match_pattern_list(sshkey_ssh_name(key),
+                    options.hostkeyalgorithms, 0) != 1) {
+                        debug3("%s: %s key not permitted by HostkeyAlgorithms",
+                            __func__, sshkey_ssh_name(key));
+                        continue;
+                }
                 switch (key->type) {
                 case KEY_RSA:
                 case KEY_DSA:
diff --git a/sshd_config.5 b/sshd_config.5
index edd4cc9b9..b49e91910 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.205 2015/07/03 03:49:45 djm Exp $
-.Dd $Mdocdate: July 3 2015 $
+.\" $OpenBSD: sshd_config.5,v 1.206 2015/07/10 06:21:53 markus Exp $
+.Dd $Mdocdate: July 10 2015 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@@ -640,9 +640,17 @@ The default is
 .It Cm HostbasedAcceptedKeyTypes
 Specifies the key types that will be accepted for hostbased authentication
 as a comma-separated pattern list.
-The default
-.Dq *
-will allow all key types.
+The default for this option is:
+.Bd -literal -offset 3n
+ecdsa-sha2-nistp256-cert-v01@openssh.com,
+ecdsa-sha2-nistp384-cert-v01@openssh.com,
+ecdsa-sha2-nistp521-cert-v01@openssh.com,
+ssh-ed25519-cert-v01@openssh.com,
+ssh-rsa-cert-v01@openssh.com,
+ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
+ssh-ed25519,ssh-rsa
+.Ed
+.Pp
 The
 .Fl Q
 option of
@@ -694,9 +702,15 @@ for protocol version 1, and
 and
 .Pa /etc/ssh/ssh_host_rsa_key
 for protocol version 2.
+.Pp
 Note that
 .Xr sshd 8
-will refuse to use a file if it is group/world-accessible.
+will refuse to use a file if it is group/world-accessible
+and that the
+.Cm HostKeyAlgorithms
+option restricts which of the keys are actually used by
+.Xr sshd 8 .
+.Pp
 It is possible to have multiple host key files.
 .Dq rsa1
 keys are used for version 1 and
@@ -718,6 +732,26 @@ If
 is specified, the location of the socket will be read from the
 .Ev SSH_AUTH_SOCK
 environment variable.
+.It Cm HostKeyAlgorithms
+Specifies the protocol version 2 host key algorithms
+that the server offers.
+The default for this option is:
+.Bd -literal -offset 3n
+ecdsa-sha2-nistp256-cert-v01@openssh.com,
+ecdsa-sha2-nistp384-cert-v01@openssh.com,
+ecdsa-sha2-nistp521-cert-v01@openssh.com,
+ssh-ed25519-cert-v01@openssh.com,
+ssh-rsa-cert-v01@openssh.com,
+ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
+ssh-ed25519,ssh-rsa
+.Ed
+.Pp
+The list of available key types may also be obtained using the
+.Fl Q
+option of
+.Xr ssh 1
+with an argument of
+.Dq key .
 .It Cm IgnoreRhosts
 Specifies that
 .Pa .rhosts
@@ -1279,9 +1313,17 @@ is identical to
 .It Cm PubkeyAcceptedKeyTypes
 Specifies the key types that will be accepted for public key authentication
 as a comma-separated pattern list.
-The default
-.Dq *
-will allow all key types.
+The default for this option is:
+.Bd -literal -offset 3n
+ecdsa-sha2-nistp256-cert-v01@openssh.com,
+ecdsa-sha2-nistp384-cert-v01@openssh.com,
+ecdsa-sha2-nistp521-cert-v01@openssh.com,
+ssh-ed25519-cert-v01@openssh.com,
+ssh-rsa-cert-v01@openssh.com,
+ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
+ssh-ed25519,ssh-rsa
+.Ed
+.Pp
 The
 .Fl Q
 option of