From ae024b22c4fd68e7f39681d605585889f9511108 Mon Sep 17 00:00:00 2001 From: "naddy@openbsd.org" Date: Thu, 19 Dec 2019 15:09:30 +0000 Subject: upstream: Document that security key-hosted keys can act as host keys. Update the list of default host key algorithms in ssh_config.5 and sshd_config.5. Copy the description of the SecurityKeyProvider option to sshd_config.5. ok jmc@ OpenBSD-Commit-ID: edadf3566ab5e94582df4377fee3b8b702c7eca0 --- sshd_config.5 | 30 +++++++++++++++++++++--------- 1 file changed, 21 insertions(+), 9 deletions(-) (limited to 'sshd_config.5') diff --git a/sshd_config.5 b/sshd_config.5 index 8bfb3b6c8..222193170 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.295 2019/11/30 07:07:59 jmc Exp $ -.Dd $Mdocdate: November 30 2019 $ +.\" $OpenBSD: sshd_config.5,v 1.296 2019/12/19 15:09:30 naddy Exp $ +.Dd $Mdocdate: December 19 2019 $ .Dt SSHD_CONFIG 5 .Os .Sh NAME @@ -689,12 +689,16 @@ The default for this option is: ecdsa-sha2-nistp256-cert-v01@openssh.com, ecdsa-sha2-nistp384-cert-v01@openssh.com, ecdsa-sha2-nistp521-cert-v01@openssh.com, +sk-ecdsa-sha2-nistp256-cert-v01@openssh.com, ssh-ed25519-cert-v01@openssh.com, +sk-ssh-ed25519-cert-v01@openssh.com, rsa-sha2-512-cert-v01@openssh.com, rsa-sha2-256-cert-v01@openssh.com, ssh-rsa-cert-v01@openssh.com, ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, -ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa +sk-ecdsa-sha2-nistp256@openssh.com, +ssh-ed25519,sk-ssh-ed25519@openssh.com, +rsa-sha2-512,rsa-sha2-256,ssh-rsa .Ed .Pp The list of available key types may also be obtained using @@ -768,12 +772,16 @@ The default for this option is: ecdsa-sha2-nistp256-cert-v01@openssh.com, ecdsa-sha2-nistp384-cert-v01@openssh.com, ecdsa-sha2-nistp521-cert-v01@openssh.com, +sk-ecdsa-sha2-nistp256-cert-v01@openssh.com, ssh-ed25519-cert-v01@openssh.com, +sk-ssh-ed25519-cert-v01@openssh.com, rsa-sha2-512-cert-v01@openssh.com, rsa-sha2-256-cert-v01@openssh.com, ssh-rsa-cert-v01@openssh.com, ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, -ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa +sk-ecdsa-sha2-nistp256@openssh.com, +ssh-ed25519,sk-ssh-ed25519@openssh.com, +rsa-sha2-512,rsa-sha2-256,ssh-rsa .Ed .Pp The list of available key types may also be obtained using @@ -1427,19 +1435,19 @@ character, then the specified key types will be placed at the head of the default set. The default for this option is: .Bd -literal -offset 3n -sk-ecdsa-sha2-nistp256-cert-v01@openssh.com, ecdsa-sha2-nistp256-cert-v01@openssh.com, ecdsa-sha2-nistp384-cert-v01@openssh.com, ecdsa-sha2-nistp521-cert-v01@openssh.com, -sk-ssh-ed25519-cert-v01@openssh.com, +sk-ecdsa-sha2-nistp256-cert-v01@openssh.com, ssh-ed25519-cert-v01@openssh.com, +sk-ssh-ed25519-cert-v01@openssh.com, rsa-sha2-512-cert-v01@openssh.com, rsa-sha2-256-cert-v01@openssh.com, ssh-rsa-cert-v01@openssh.com, -sk-ecdsa-sha2-nistp256@openssh.com, ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, -sk-ssh-ed25519@openssh.com, -ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa +sk-ecdsa-sha2-nistp256@openssh.com, +ssh-ed25519,sk-ssh-ed25519@openssh.com, +rsa-sha2-512,rsa-sha2-256,ssh-rsa .Ed .Pp The list of available key types may also be obtained using @@ -1518,6 +1526,10 @@ will be bound to this If the routing domain is set to .Cm \&%D , then the domain in which the incoming connection was received will be applied. +.It Cm SecurityKeyProvider +Specifies a path to a security key provider library that will be used when +loading any security key-hosted keys, overriding the default of using +the built-in support for USB HID keys. .It Cm SetEnv Specifies one or more environment variables to set in child sessions started by -- cgit v1.2.3