-rw-r--r-- | compat.c | 48 | ||||
-rw-r--r-- | kex.c | 21 | ||||
-rw-r--r-- | match.c | 31 | ||||
-rw-r--r-- | match.h | 3 | ||||
-rw-r--r-- | readconf.c | 12 | ||||
-rw-r--r-- | servconf.c | 12 | ||||
-rw-r--r-- | ssh_config.5 | 28 | ||||
-rw-r--r-- | sshd_config.5 | 24 |
8 files changed, 120 insertions, 59 deletions
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: compat.c,v 1.99 2016/05/24 02:31:57 dtucker Exp $ */ | 1 | /* $OpenBSD: compat.c,v 1.100 2017/02/03 23:01:19 djm Exp $ */ |
2 | /* | 2 | /* |
3 | * Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl. All rights reserved. | 3 | * Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl. All rights reserved. |
4 | * | 4 | * |
@@ -37,6 +37,7 @@ | |||
37 | #include "compat.h" | 37 | #include "compat.h" |
38 | #include "log.h" | 38 | #include "log.h" |
39 | #include "match.h" | 39 | #include "match.h" |
40 | #include "kex.h" | ||
40 | 41 | ||
41 | int compat13 = 0; | 42 | int compat13 = 0; |
42 | int compat20 = 0; | 43 | int compat20 = 0; |
@@ -250,42 +251,14 @@ proto_spec(const char *spec) | |||
250 | return ret; | 251 | return ret; |
251 | } | 252 | } |
252 | 253 | ||
253 | /* | ||
254 | * Filters a proposal string, excluding any algorithm matching the 'filter' | ||
255 | * pattern list. | ||
256 | */ | ||
257 | static char * | ||
258 | filter_proposal(char *proposal, const char *filter) | ||
259 | { | ||
260 | Buffer b; | ||
261 | char *orig_prop, *fix_prop; | ||
262 | char *cp, *tmp; | ||
263 | |||
264 | buffer_init(&b); | ||
265 | tmp = orig_prop = xstrdup(proposal); | ||
266 | while ((cp = strsep(&tmp, ",")) != NULL) { | ||
267 | if (match_pattern_list(cp, filter, 0) != 1) { | ||
268 | if (buffer_len(&b) > 0) | ||
269 | buffer_append(&b, ",", 1); | ||
270 | buffer_append(&b, cp, strlen(cp)); | ||
271 | } else | ||
272 | debug2("Compat: skipping algorithm \"%s\"", cp); | ||
273 | } | ||
274 | buffer_append(&b, "\0", 1); | ||
275 | fix_prop = xstrdup((char *)buffer_ptr(&b)); | ||
276 | buffer_free(&b); | ||
277 | free(orig_prop); | ||
278 | |||
279 | return fix_prop; | ||
280 | } | ||
281 | |||
282 | char * | 254 | char * |
283 | compat_cipher_proposal(char *cipher_prop) | 255 | compat_cipher_proposal(char *cipher_prop) |
284 | { | 256 | { |
285 | if (!(datafellows & SSH_BUG_BIGENDIANAES)) | 257 | if (!(datafellows & SSH_BUG_BIGENDIANAES)) |
286 | return cipher_prop; | 258 | return cipher_prop; |
287 | debug2("%s: original cipher proposal: %s", __func__, cipher_prop); | 259 | debug2("%s: original cipher proposal: %s", __func__, cipher_prop); |
288 | cipher_prop = filter_proposal(cipher_prop, "aes*"); | 260 | if ((cipher_prop = match_filter_list(cipher_prop, "aes*")) == NULL) |
261 | fatal("match_filter_list failed"); | ||
289 | debug2("%s: compat cipher proposal: %s", __func__, cipher_prop); | 262 | debug2("%s: compat cipher proposal: %s", __func__, cipher_prop); |
290 | if (*cipher_prop == '\0') | 263 | if (*cipher_prop == '\0') |
291 | fatal("No supported ciphers found"); | 264 | fatal("No supported ciphers found"); |
@@ -298,7 +271,8 @@ compat_pkalg_proposal(char *pkalg_prop) | |||
298 | if (!(datafellows & SSH_BUG_RSASIGMD5)) | 271 | if (!(datafellows & SSH_BUG_RSASIGMD5)) |
299 | return pkalg_prop; | 272 | return pkalg_prop; |
300 | debug2("%s: original public key proposal: %s", __func__, pkalg_prop); | 273 | debug2("%s: original public key proposal: %s", __func__, pkalg_prop); |
301 | pkalg_prop = filter_proposal(pkalg_prop, "ssh-rsa"); | 274 | if ((pkalg_prop = match_filter_list(pkalg_prop, "ssh-rsa")) == NULL) |
275 | fatal("match_filter_list failed"); | ||
302 | debug2("%s: compat public key proposal: %s", __func__, pkalg_prop); | 276 | debug2("%s: compat public key proposal: %s", __func__, pkalg_prop); |
303 | if (*pkalg_prop == '\0') | 277 | if (*pkalg_prop == '\0') |
304 | fatal("No supported PK algorithms found"); | 278 | fatal("No supported PK algorithms found"); |
@@ -312,10 +286,14 @@ compat_kex_proposal(char *p) | |||
312 | return p; | 286 | return p; |
313 | debug2("%s: original KEX proposal: %s", __func__, p); | 287 | debug2("%s: original KEX proposal: %s", __func__, p); |
314 | if ((datafellows & SSH_BUG_CURVE25519PAD) != 0) | 288 | if ((datafellows & SSH_BUG_CURVE25519PAD) != 0) |
315 | p = filter_proposal(p, "curve25519-sha256@libssh.org"); | 289 | if ((p = match_filter_list(p, |
290 | "curve25519-sha256@libssh.org")) == NULL) | ||
291 | fatal("match_filter_list failed"); | ||
316 | if ((datafellows & SSH_OLD_DHGEX) != 0) { | 292 | if ((datafellows & SSH_OLD_DHGEX) != 0) { |
317 | p = filter_proposal(p, "diffie-hellman-group-exchange-sha256"); | 293 | if ((p = match_filter_list(p, |
318 | p = filter_proposal(p, "diffie-hellman-group-exchange-sha1"); | 294 | "diffie-hellman-group-exchange-sha256," |
295 | "diffie-hellman-group-exchange-sha1")) == NULL) | ||
296 | fatal("match_filter_list failed"); | ||
319 | } | 297 | } |
320 | debug2("%s: compat KEX proposal: %s", __func__, p); | 298 | debug2("%s: compat KEX proposal: %s", __func__, p); |
321 | if (*p == '\0') | 299 | if (*p == '\0') |
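Review bot: When both SSH_BUG_CURVE25519PAD and SSH_OLD_DHGEX are set, the heap string returned by the first match_filter_list() call (new lines 289-291) is overwritten by the second call's result (new lines 293-296) and leaks; the old filter_proposal() sequence leaked the same way, so the commit preserves the leak rather than fixing it. Because p may still be the caller's own string when only the second branch runs, the fix has to remember whether an intermediate copy was made before freeing anything. The nested `if (...) if (...) fatal(...)` at new lines 288-291 is also unbraced, which invites a dangling-else mistake the next time a branch is added. compat_kex_proposal() begins before this hunk, so the extra declaration belongs at the top of the function.
```c
char *
compat_kex_proposal(char *p)
{
	/* Set when the first filter produced a copy; p may otherwise be the caller's string. */
	char *first = NULL, *fixed;

	/* … unchanged: early return and "original KEX proposal" debug2 … */
	if ((datafellows & SSH_BUG_CURVE25519PAD) != 0) {
		if ((first = match_filter_list(p,
		    "curve25519-sha256@libssh.org")) == NULL)
			fatal("match_filter_list failed");
		p = first;
	}
	if ((datafellows & SSH_OLD_DHGEX) != 0) {
		if ((fixed = match_filter_list(p,
		    "diffie-hellman-group-exchange-sha256,"
		    "diffie-hellman-group-exchange-sha1")) == NULL)
			fatal("match_filter_list failed");
		free(first);	/* intermediate copy; NULL if the first filter did not run */
		p = fixed;
	}
	/* … unchanged: "compat KEX proposal" debug2 and empty-list check … */
```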
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: kex.c,v 1.127 2016/10/10 19:28:48 markus Exp $ */ | 1 | /* $OpenBSD: kex.c,v 1.128 2017/02/03 23:01:19 djm Exp $ */ |
2 | /* | 2 | /* |
3 | * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. | 3 | * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. |
4 | * | 4 | * |
@@ -211,7 +211,8 @@ kex_names_cat(const char *a, const char *b) | |||
211 | /* | 211 | /* |
212 | * Assemble a list of algorithms from a default list and a string from a | 212 | * Assemble a list of algorithms from a default list and a string from a |
213 | * configuration file. The user-provided string may begin with '+' to | 213 | * configuration file. The user-provided string may begin with '+' to |
214 | * indicate that it should be appended to the default. | 214 | * indicate that it should be appended to the default or '-' that the |
215 | * specified names should be removed. | ||
215 | */ | 216 | */ |
216 | int | 217 | int |
217 | kex_assemble_names(const char *def, char **list) | 218 | kex_assemble_names(const char *def, char **list) |
@@ -222,14 +223,18 @@ kex_assemble_names(const char *def, char **list) | |||
222 | *list = strdup(def); | 223 | *list = strdup(def); |
223 | return 0; | 224 | return 0; |
224 | } | 225 | } |
225 | if (**list != '+') { | 226 | if (**list == '+') { |
226 | return 0; | 227 | if ((ret = kex_names_cat(def, *list + 1)) == NULL) |
228 | return SSH_ERR_ALLOC_FAIL; | ||
229 | free(*list); | ||
230 | *list = ret; | ||
231 | } else if (**list == '-') { | ||
232 | if ((ret = match_filter_list(def, *list + 1)) == NULL) | ||
233 | return SSH_ERR_ALLOC_FAIL; | ||
234 | free(*list); | ||
235 | *list = ret; | ||
227 | } | 236 | } |
228 | 237 | ||
229 | if ((ret = kex_names_cat(def, *list + 1)) == NULL) | ||
230 | return SSH_ERR_ALLOC_FAIL; | ||
231 | free(*list); | ||
232 | *list = ret; | ||
233 | return 0; | 238 | return 0; |
234 | } | 239 | } |
235 | 240 | ||
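Review bot: The new '-' branch (new lines 231-235) returns 0 even when the filter strips every name, so a setting such as `Ciphers -*` produces an empty list that is accepted here; since readconf.c and servconf.c in this same commit skip ciphers_valid()/mac_valid()/kex_names_valid() whenever the argument begins with '-', nothing in the diff validates the assembled list, and the misconfiguration would presumably only surface at key-exchange time. A one-line check after the assignment, `if (**list == '\0') return SSH_ERR_INVALID_ARGUMENT;` (or whichever error code the callers already turn into a fatal), makes it fail at startup instead. The '+' branch cannot produce an empty list, so it needs no such check. The updated header comment could also say what happens to names in the '-' list that match nothing, e.g. `Names that match no default entry are silently ignored.`, since that is the behaviour match_filter_list() gives.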
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: match.c,v 1.33 2016/11/06 05:46:37 djm Exp $ */ | 1 | /* $OpenBSD: match.c,v 1.34 2017/02/03 23:01:19 djm Exp $ */ |
2 | /* | 2 | /* |
3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
@@ -284,3 +284,32 @@ match_list(const char *client, const char *server, u_int *next) | |||
284 | free(s); | 284 | free(s); |
285 | return NULL; | 285 | return NULL; |
286 | } | 286 | } |
287 | |||
288 | /* | ||
289 | * Filters a comma-separated list of strings, excluding any entry matching | ||
290 | * the 'filter' pattern list. Caller must free returned string. | ||
291 | */ | ||
292 | char * | ||
293 | match_filter_list(const char *proposal, const char *filter) | ||
294 | { | ||
295 | size_t len = strlen(proposal) + 1; | ||
296 | char *fix_prop = malloc(len); | ||
297 | char *orig_prop = strdup(proposal); | ||
298 | char *cp, *tmp; | ||
299 | |||
300 | if (fix_prop == NULL || orig_prop == NULL) | ||
301 | return NULL; | ||
302 | |||
303 | tmp = orig_prop; | ||
304 | *fix_prop = '\0'; | ||
305 | while ((cp = strsep(&tmp, ",")) != NULL) { | ||
306 | if (match_pattern_list(cp, filter, 0) != 1) { | ||
307 | if (*fix_prop != '\0') | ||
308 | strlcat(fix_prop, ",", len); | ||
309 | strlcat(fix_prop, cp, len); | ||
310 | } | ||
311 | } | ||
312 | free(orig_prop); | ||
313 | return fix_prop; | ||
314 | } | ||
315 | |||
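Review bot: match_filter_list() leaks on partial allocation failure: at new lines 296-301 both malloc() and strdup() run before either result is checked, so when exactly one of them fails the other buffer is never freed. free(NULL) is a no-op, so the fix is a single statement, `if (fix_prop == NULL || orig_prop == NULL) { free(fix_prop); free(orig_prop); return NULL; }`. The header comment should also spell out the keep/drop rule the loop actually applies: an entry is dropped only when match_pattern_list() returns exactly 1, so any other return value — presumably including a negated-pattern match, worth confirming against match.c — keeps the entry; e.g. `Entries are dropped only on a positive match; negated matches and non-matches keep the entry.`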
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: match.h,v 1.16 2015/05/04 06:10:48 djm Exp $ */ | 1 | /* $OpenBSD: match.h,v 1.17 2017/02/03 23:01:19 djm Exp $ */ |
2 | 2 | ||
3 | /* | 3 | /* |
4 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 4 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
@@ -20,6 +20,7 @@ int match_hostname(const char *, const char *); | |||
20 | int match_host_and_ip(const char *, const char *, const char *); | 20 | int match_host_and_ip(const char *, const char *, const char *); |
21 | int match_user(const char *, const char *, const char *, const char *); | 21 | int match_user(const char *, const char *, const char *, const char *); |
22 | char *match_list(const char *, const char *, u_int *); | 22 | char *match_list(const char *, const char *, u_int *); |
23 | char *match_filter_list(const char *, const char *); | ||
23 | 24 | ||
24 | /* addrmatch.c */ | 25 | /* addrmatch.c */ |
25 | int addr_match_list(const char *, const char *); | 26 | int addr_match_list(const char *, const char *); |
diff --git a/readconf.c b/readconf.c index 6c934406e..e51481b10 100644 --- a/readconf.c +++ b/readconf.c | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: readconf.c,v 1.267 2017/02/03 05:05:56 djm Exp $ */ | 1 | /* $OpenBSD: readconf.c,v 1.268 2017/02/03 23:01:19 djm Exp $ */ |
2 | /* | 2 | /* |
3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
@@ -1194,7 +1194,7 @@ parse_int: | |||
1194 | arg = strdelim(&s); | 1194 | arg = strdelim(&s); |
1195 | if (!arg || *arg == '\0') | 1195 | if (!arg || *arg == '\0') |
1196 | fatal("%.200s line %d: Missing argument.", filename, linenum); | 1196 | fatal("%.200s line %d: Missing argument.", filename, linenum); |
1197 | if (!ciphers_valid(*arg == '+' ? arg + 1 : arg)) | 1197 | if (*arg != '-' && !ciphers_valid(*arg == '+' ? arg + 1 : arg)) |
1198 | fatal("%.200s line %d: Bad SSH2 cipher spec '%s'.", | 1198 | fatal("%.200s line %d: Bad SSH2 cipher spec '%s'.", |
1199 | filename, linenum, arg ? arg : "<NONE>"); | 1199 | filename, linenum, arg ? arg : "<NONE>"); |
1200 | if (*activep && options->ciphers == NULL) | 1200 | if (*activep && options->ciphers == NULL) |
@@ -1205,7 +1205,7 @@ parse_int: | |||
1205 | arg = strdelim(&s); | 1205 | arg = strdelim(&s); |
1206 | if (!arg || *arg == '\0') | 1206 | if (!arg || *arg == '\0') |
1207 | fatal("%.200s line %d: Missing argument.", filename, linenum); | 1207 | fatal("%.200s line %d: Missing argument.", filename, linenum); |
1208 | if (!mac_valid(*arg == '+' ? arg + 1 : arg)) | 1208 | if (*arg != '-' && !mac_valid(*arg == '+' ? arg + 1 : arg)) |
1209 | fatal("%.200s line %d: Bad SSH2 Mac spec '%s'.", | 1209 | fatal("%.200s line %d: Bad SSH2 Mac spec '%s'.", |
1210 | filename, linenum, arg ? arg : "<NONE>"); | 1210 | filename, linenum, arg ? arg : "<NONE>"); |
1211 | if (*activep && options->macs == NULL) | 1211 | if (*activep && options->macs == NULL) |
@@ -1217,7 +1217,8 @@ parse_int: | |||
1217 | if (!arg || *arg == '\0') | 1217 | if (!arg || *arg == '\0') |
1218 | fatal("%.200s line %d: Missing argument.", | 1218 | fatal("%.200s line %d: Missing argument.", |
1219 | filename, linenum); | 1219 | filename, linenum); |
1220 | if (!kex_names_valid(*arg == '+' ? arg + 1 : arg)) | 1220 | if (*arg != '-' && |
1221 | !kex_names_valid(*arg == '+' ? arg + 1 : arg)) | ||
1221 | fatal("%.200s line %d: Bad SSH2 KexAlgorithms '%s'.", | 1222 | fatal("%.200s line %d: Bad SSH2 KexAlgorithms '%s'.", |
1222 | filename, linenum, arg ? arg : "<NONE>"); | 1223 | filename, linenum, arg ? arg : "<NONE>"); |
1223 | if (*activep && options->kex_algorithms == NULL) | 1224 | if (*activep && options->kex_algorithms == NULL) |
@@ -1231,7 +1232,8 @@ parse_keytypes: | |||
1231 | if (!arg || *arg == '\0') | 1232 | if (!arg || *arg == '\0') |
1232 | fatal("%.200s line %d: Missing argument.", | 1233 | fatal("%.200s line %d: Missing argument.", |
1233 | filename, linenum); | 1234 | filename, linenum); |
1234 | if (!sshkey_names_valid2(*arg == '+' ? arg + 1 : arg, 1)) | 1235 | if (*arg != '-' && |
1236 | !sshkey_names_valid2(*arg == '+' ? arg + 1 : arg, 1)) | ||
1235 | fatal("%s line %d: Bad key types '%s'.", | 1237 | fatal("%s line %d: Bad key types '%s'.", |
1236 | filename, linenum, arg ? arg : "<NONE>"); | 1238 | filename, linenum, arg ? arg : "<NONE>"); |
1237 | if (*activep && *charptr == NULL) | 1239 | if (*activep && *charptr == NULL) |
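Review bot: The four new `*arg != '-' &&` guards (new lines 1197, 1208, 1220 and 1235) skip validation entirely for '-' arguments, so a bare `Ciphers -` or a misspelled name such as `-aes128-cbcc` is accepted and silently removes nothing, whereas a '+' list is still checked name by name. Wildcards make exact validation impossible, but the degenerate case can be rejected cheaply, e.g. `if (*arg == '-' && arg[1] == '\0') fatal("%.200s line %d: Missing argument.", filename, linenum);` before each validity check, or once inside kex_assemble_names() so all callers benefit. A short comment on the first guard would also help the next reader, e.g. `/* '-' lists may contain wildcards, so they are not checked against the known names */`.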
diff --git a/servconf.c b/servconf.c index 1880b8cfd..2f8e29d4c 100644 --- a/servconf.c +++ b/servconf.c | |||
@@ -1,5 +1,5 @@ | |||
1 | 1 | ||
2 | /* $OpenBSD: servconf.c,v 1.303 2017/02/03 05:05:56 djm Exp $ */ | 2 | /* $OpenBSD: servconf.c,v 1.304 2017/02/03 23:01:19 djm Exp $ */ |
3 | /* | 3 | /* |
4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
5 | * All rights reserved | 5 | * All rights reserved |
@@ -1177,7 +1177,8 @@ process_server_config_line(ServerOptions *options, char *line, | |||
1177 | if (!arg || *arg == '\0') | 1177 | if (!arg || *arg == '\0') |
1178 | fatal("%s line %d: Missing argument.", | 1178 | fatal("%s line %d: Missing argument.", |
1179 | filename, linenum); | 1179 | filename, linenum); |
1180 | if (!sshkey_names_valid2(*arg == '+' ? arg + 1 : arg, 1)) | 1180 | if (*arg != '-' && |
1181 | !sshkey_names_valid2(*arg == '+' ? arg + 1 : arg, 1)) | ||
1181 | fatal("%s line %d: Bad key types '%s'.", | 1182 | fatal("%s line %d: Bad key types '%s'.", |
1182 | filename, linenum, arg ? arg : "<NONE>"); | 1183 | filename, linenum, arg ? arg : "<NONE>"); |
1183 | if (*activep && *charptr == NULL) | 1184 | if (*activep && *charptr == NULL) |
@@ -1436,7 +1437,7 @@ process_server_config_line(ServerOptions *options, char *line, | |||
1436 | arg = strdelim(&cp); | 1437 | arg = strdelim(&cp); |
1437 | if (!arg || *arg == '\0') | 1438 | if (!arg || *arg == '\0') |
1438 | fatal("%s line %d: Missing argument.", filename, linenum); | 1439 | fatal("%s line %d: Missing argument.", filename, linenum); |
1439 | if (!ciphers_valid(*arg == '+' ? arg + 1 : arg)) | 1440 | if (*arg != '-' && !ciphers_valid(*arg == '+' ? arg + 1 : arg)) |
1440 | fatal("%s line %d: Bad SSH2 cipher spec '%s'.", | 1441 | fatal("%s line %d: Bad SSH2 cipher spec '%s'.", |
1441 | filename, linenum, arg ? arg : "<NONE>"); | 1442 | filename, linenum, arg ? arg : "<NONE>"); |
1442 | if (options->ciphers == NULL) | 1443 | if (options->ciphers == NULL) |
@@ -1447,7 +1448,7 @@ process_server_config_line(ServerOptions *options, char *line, | |||
1447 | arg = strdelim(&cp); | 1448 | arg = strdelim(&cp); |
1448 | if (!arg || *arg == '\0') | 1449 | if (!arg || *arg == '\0') |
1449 | fatal("%s line %d: Missing argument.", filename, linenum); | 1450 | fatal("%s line %d: Missing argument.", filename, linenum); |
1450 | if (!mac_valid(*arg == '+' ? arg + 1 : arg)) | 1451 | if (*arg != '-' && !mac_valid(*arg == '+' ? arg + 1 : arg)) |
1451 | fatal("%s line %d: Bad SSH2 mac spec '%s'.", | 1452 | fatal("%s line %d: Bad SSH2 mac spec '%s'.", |
1452 | filename, linenum, arg ? arg : "<NONE>"); | 1453 | filename, linenum, arg ? arg : "<NONE>"); |
1453 | if (options->macs == NULL) | 1454 | if (options->macs == NULL) |
@@ -1459,7 +1460,8 @@ process_server_config_line(ServerOptions *options, char *line, | |||
1459 | if (!arg || *arg == '\0') | 1460 | if (!arg || *arg == '\0') |
1460 | fatal("%s line %d: Missing argument.", | 1461 | fatal("%s line %d: Missing argument.", |
1461 | filename, linenum); | 1462 | filename, linenum); |
1462 | if (!kex_names_valid(*arg == '+' ? arg + 1 : arg)) | 1463 | if (*arg != '-' && |
1464 | !kex_names_valid(*arg == '+' ? arg + 1 : arg)) | ||
1463 | fatal("%s line %d: Bad SSH2 KexAlgorithms '%s'.", | 1465 | fatal("%s line %d: Bad SSH2 KexAlgorithms '%s'.", |
1464 | filename, linenum, arg ? arg : "<NONE>"); | 1466 | filename, linenum, arg ? arg : "<NONE>"); |
1465 | if (options->kex_algorithms == NULL) | 1467 | if (options->kex_algorithms == NULL) |
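Review bot: With these guards (new lines 1180, 1440, 1451 and 1463) an argument starting with '-' bypasses sshkey_names_valid2()/ciphers_valid()/mac_valid()/kex_names_valid(), so `sshd -t` will accept a line such as `Ciphers -*` or `KexAlgorithms -*` that leaves the daemon with nothing to offer; as far as this diff shows nothing validates the assembled list afterwards, so the failure would presumably surface only when the first client connects. For a service whose configuration check is meant to catch exactly this before a restart, rejecting a '-' spec that empties the default set — at parse time or right after kex_assemble_names() runs — seems worth the extra check. At minimum the first guard deserves a comment, e.g. `/* '-' lists may use wildcards; they are applied to the defaults by kex_assemble_names() rather than validated here */`, so the asymmetry with '+' is visibly intentional.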
diff --git a/ssh_config.5 b/ssh_config.5 index 591365f34..016adbc73 100644 --- a/ssh_config.5 +++ b/ssh_config.5 | |||
@@ -33,8 +33,8 @@ | |||
33 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 33 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
34 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 34 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
35 | .\" | 35 | .\" |
36 | .\" $OpenBSD: ssh_config.5,v 1.240 2016/10/15 19:56:25 jmc Exp $ | 36 | .\" $OpenBSD: ssh_config.5,v 1.241 2017/02/03 23:01:19 djm Exp $ |
37 | .Dd $Mdocdate: October 15 2016 $ | 37 | .Dd $Mdocdate: February 3 2017 $ |
38 | .Dt SSH_CONFIG 5 | 38 | .Dt SSH_CONFIG 5 |
39 | .Os | 39 | .Os |
40 | .Sh NAME | 40 | .Sh NAME |
@@ -415,6 +415,10 @@ If the specified value begins with a | |||
415 | .Sq + | 415 | .Sq + |
416 | character, then the specified ciphers will be appended to the default set | 416 | character, then the specified ciphers will be appended to the default set |
417 | instead of replacing them. | 417 | instead of replacing them. |
418 | If the specified value begins with a | ||
419 | .Sq - | ||
420 | character, then the specified ciphers (including wildcards) will be removed | ||
421 | from the default set instead of replacing them. | ||
418 | .Pp | 422 | .Pp |
419 | The supported ciphers are: | 423 | The supported ciphers are: |
420 | .Bd -literal -offset indent | 424 | .Bd -literal -offset indent |
@@ -784,6 +788,10 @@ Alternately if the specified value begins with a | |||
784 | .Sq + | 788 | .Sq + |
785 | character, then the specified key types will be appended to the default set | 789 | character, then the specified key types will be appended to the default set |
786 | instead of replacing them. | 790 | instead of replacing them. |
791 | If the specified value begins with a | ||
792 | .Sq - | ||
793 | character, then the specified key types (including wildcards) will be removed | ||
794 | from the default set instead of replacing them. | ||
787 | The default for this option is: | 795 | The default for this option is: |
788 | .Bd -literal -offset 3n | 796 | .Bd -literal -offset 3n |
789 | ecdsa-sha2-nistp256-cert-v01@openssh.com, | 797 | ecdsa-sha2-nistp256-cert-v01@openssh.com, |
@@ -807,6 +815,10 @@ Alternately if the specified value begins with a | |||
807 | .Sq + | 815 | .Sq + |
808 | character, then the specified key types will be appended to the default set | 816 | character, then the specified key types will be appended to the default set |
809 | instead of replacing them. | 817 | instead of replacing them. |
818 | If the specified value begins with a | ||
819 | .Sq - | ||
820 | character, then the specified key types (including wildcards) will be removed | ||
821 | from the default set instead of replacing them. | ||
810 | The default for this option is: | 822 | The default for this option is: |
811 | .Bd -literal -offset 3n | 823 | .Bd -literal -offset 3n |
812 | ecdsa-sha2-nistp256-cert-v01@openssh.com, | 824 | ecdsa-sha2-nistp256-cert-v01@openssh.com, |
@@ -1027,6 +1039,10 @@ Alternately if the specified value begins with a | |||
1027 | .Sq + | 1039 | .Sq + |
1028 | character, then the specified methods will be appended to the default set | 1040 | character, then the specified methods will be appended to the default set |
1029 | instead of replacing them. | 1041 | instead of replacing them. |
1042 | If the specified value begins with a | ||
1043 | .Sq - | ||
1044 | character, then the specified methods (including wildcards) will be removed | ||
1045 | from the default set instead of replacing them. | ||
1030 | The default is: | 1046 | The default is: |
1031 | .Bd -literal -offset indent | 1047 | .Bd -literal -offset indent |
1032 | curve25519-sha256,curve25519-sha256@libssh.org, | 1048 | curve25519-sha256,curve25519-sha256@libssh.org, |
@@ -1102,6 +1118,10 @@ If the specified value begins with a | |||
1102 | .Sq + | 1118 | .Sq + |
1103 | character, then the specified algorithms will be appended to the default set | 1119 | character, then the specified algorithms will be appended to the default set |
1104 | instead of replacing them. | 1120 | instead of replacing them. |
1121 | If the specified value begins with a | ||
1122 | .Sq - | ||
1123 | character, then the specified algorithms (including wildcards) will be removed | ||
1124 | from the default set instead of replacing them. | ||
1105 | .Pp | 1125 | .Pp |
1106 | The algorithms that contain | 1126 | The algorithms that contain |
1107 | .Qq -etm | 1127 | .Qq -etm |
@@ -1264,6 +1284,10 @@ Alternately if the specified value begins with a | |||
1264 | .Sq + | 1284 | .Sq + |
1265 | character, then the key types after it will be appended to the default | 1285 | character, then the key types after it will be appended to the default |
1266 | instead of replacing it. | 1286 | instead of replacing it. |
1287 | If the specified value begins with a | ||
1288 | .Sq - | ||
1289 | character, then the specified key types (including wildcards) will be removed | ||
1290 | from the default set instead of replacing them. | ||
1267 | The default for this option is: | 1291 | The default for this option is: |
1268 | .Bd -literal -offset 3n | 1292 | .Bd -literal -offset 3n |
1269 | ecdsa-sha2-nistp256-cert-v01@openssh.com, | 1293 | ecdsa-sha2-nistp256-cert-v01@openssh.com, |
diff --git a/sshd_config.5 b/sshd_config.5 index 935fda4b7..454e46e0b 100644 --- a/sshd_config.5 +++ b/sshd_config.5 | |||
@@ -33,8 +33,8 @@ | |||
33 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 33 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
34 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 34 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
35 | .\" | 35 | .\" |
36 | .\" $OpenBSD: sshd_config.5,v 1.241 2017/01/06 16:28:12 jmc Exp $ | 36 | .\" $OpenBSD: sshd_config.5,v 1.242 2017/02/03 23:01:19 djm Exp $ |
37 | .Dd $Mdocdate: January 6 2017 $ | 37 | .Dd $Mdocdate: February 3 2017 $ |
38 | .Dt SSHD_CONFIG 5 | 38 | .Dt SSHD_CONFIG 5 |
39 | .Os | 39 | .Os |
40 | .Sh NAME | 40 | .Sh NAME |
@@ -437,6 +437,10 @@ If the specified value begins with a | |||
437 | .Sq + | 437 | .Sq + |
438 | character, then the specified ciphers will be appended to the default set | 438 | character, then the specified ciphers will be appended to the default set |
439 | instead of replacing them. | 439 | instead of replacing them. |
440 | If the specified value begins with a | ||
441 | .Sq - | ||
442 | character, then the specified ciphers (including wildcards) will be removed | ||
443 | from the default set instead of replacing them. | ||
440 | .Pp | 444 | .Pp |
441 | The supported ciphers are: | 445 | The supported ciphers are: |
442 | .Pp | 446 | .Pp |
@@ -649,6 +653,10 @@ Alternately if the specified value begins with a | |||
649 | .Sq + | 653 | .Sq + |
650 | character, then the specified key types will be appended to the default set | 654 | character, then the specified key types will be appended to the default set |
651 | instead of replacing them. | 655 | instead of replacing them. |
656 | If the specified value begins with a | ||
657 | .Sq - | ||
658 | character, then the specified key types (including wildcards) will be removed | ||
659 | from the default set instead of replacing them. | ||
652 | The default for this option is: | 660 | The default for this option is: |
653 | .Bd -literal -offset 3n | 661 | .Bd -literal -offset 3n |
654 | ecdsa-sha2-nistp256-cert-v01@openssh.com, | 662 | ecdsa-sha2-nistp256-cert-v01@openssh.com, |
@@ -843,6 +851,10 @@ Alternately if the specified value begins with a | |||
843 | .Sq + | 851 | .Sq + |
844 | character, then the specified methods will be appended to the default set | 852 | character, then the specified methods will be appended to the default set |
845 | instead of replacing them. | 853 | instead of replacing them. |
854 | If the specified value begins with a | ||
855 | .Sq - | ||
856 | character, then the specified methods (including wildcards) will be removed | ||
857 | from the default set instead of replacing them. | ||
846 | The supported algorithms are: | 858 | The supported algorithms are: |
847 | .Pp | 859 | .Pp |
848 | .Bl -item -compact -offset indent | 860 | .Bl -item -compact -offset indent |
@@ -933,6 +945,10 @@ If the specified value begins with a | |||
933 | .Sq + | 945 | .Sq + |
934 | character, then the specified algorithms will be appended to the default set | 946 | character, then the specified algorithms will be appended to the default set |
935 | instead of replacing them. | 947 | instead of replacing them. |
948 | If the specified value begins with a | ||
949 | .Sq - | ||
950 | character, then the specified algorithms (including wildcards) will be removed | ||
951 | from the default set instead of replacing them. | ||
936 | .Pp | 952 | .Pp |
937 | The algorithms that contain | 953 | The algorithms that contain |
938 | .Qq -etm | 954 | .Qq -etm |
@@ -1280,6 +1296,10 @@ Alternately if the specified value begins with a | |||
1280 | .Sq + | 1296 | .Sq + |
1281 | character, then the specified key types will be appended to the default set | 1297 | character, then the specified key types will be appended to the default set |
1282 | instead of replacing them. | 1298 | instead of replacing them. |
1299 | If the specified value begins with a | ||
1300 | .Sq - | ||
1301 | character, then the specified key types (including wildcards) will be removed | ||
1302 | from the default set instead of replacing them. | ||
1283 | The default for this option is: | 1303 | The default for this option is: |
1284 | .Bd -literal -offset 3n | 1304 | .Bd -literal -offset 3n |
1285 | ecdsa-sha2-nistp256-cert-v01@openssh.com, | 1305 | ecdsa-sha2-nistp256-cert-v01@openssh.com, |