From: djm Date: Wed, 12 Sep 2018 01:34:02 +0000 (+0000) Subject: add SSH_ALLOWED_CA_SIGALGS - the default list of signature algorithms X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=9d70765c61813381db41b29574f432e4aedc5efa;p=openbsd add SSH_ALLOWED_CA_SIGALGS - the default list of signature algorithms that are allowed for CA signatures. Notably excludes ssh-dsa. ok markus@ --- diff --git a/usr.bin/ssh/myproposal.h b/usr.bin/ssh/myproposal.h index 5ba525aa3d3..bd46b55fb67 100644 --- a/usr.bin/ssh/myproposal.h +++ b/usr.bin/ssh/myproposal.h @@ -1,4 +1,4 @@ -/* $OpenBSD: myproposal.h,v 1.56 2018/07/03 11:39:54 djm Exp $ */ +/* $OpenBSD: myproposal.h,v 1.57 2018/09/12 01:34:02 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. @@ -82,6 +82,16 @@ #define KEX_CLIENT_MAC KEX_SERVER_MAC +/* Not a KEX value, but here so all the algorithm defaults are together */ +#define SSH_ALLOWED_CA_SIGALGS \ + "ecdsa-sha2-nistp256," \ + "ecdsa-sha2-nistp384," \ + "ecdsa-sha2-nistp521," \ + "ssh-ed25519," \ + "rsa-sha2-512," \ + "rsa-sha2-256," \ + "ssh-rsa" + #else /* WITH_OPENSSL */ #define KEX_SERVER_KEX \ @@ -109,6 +119,8 @@ #define KEX_CLIENT_ENCRYPT KEX_SERVER_ENCRYPT #define KEX_CLIENT_MAC KEX_SERVER_MAC +#define SSH_ALLOWED_CA_SIGALGS "ssh-ed25519" + #endif /* WITH_OPENSSL */ #define KEX_DEFAULT_COMP "none,zlib@openssh.com"