From 71ae1114819ff58f380296276b4b4ed8cd6a33a2 Mon Sep 17 00:00:00 2001 From: dtucker Date: Fri, 22 Jan 2021 02:44:58 +0000 Subject: [PATCH] Rename PubkeyAcceptedKeyTypes keyword to PubkeyAcceptedAlgorithms. While the two were originally equivalent, this actually specifies the signature algorithms that are accepted. Some key types (eg RSA) can be used by multiple algorithms (eg ssh-rsa, rsa-sha2-512) so the old name is becoming increasingly misleading. The old name is retained as an alias. Prompted by bz#3253, help & ok djm@, man page help jmc@ --- usr.bin/ssh/auth2-pubkey.c | 6 +++--- usr.bin/ssh/monitor.c | 4 ++-- usr.bin/ssh/readconf.c | 27 ++++++++++++++------------- usr.bin/ssh/readconf.h | 4 ++-- usr.bin/ssh/scp.1 | 6 +++--- usr.bin/ssh/servconf.c | 25 +++++++++++++------------ usr.bin/ssh/servconf.h | 6 +++--- usr.bin/ssh/sftp.1 | 6 +++--- usr.bin/ssh/ssh.c | 5 +++-- usr.bin/ssh/ssh_config.5 | 18 +++++++++--------- usr.bin/ssh/sshconnect2.c | 22 +++++++++++----------- usr.bin/ssh/sshd_config.5 | 20 ++++++++++---------- 12 files changed, 76 insertions(+), 73 deletions(-) diff --git a/usr.bin/ssh/auth2-pubkey.c b/usr.bin/ssh/auth2-pubkey.c index f06a30e688e..9b5cd2441ca 100644 --- a/usr.bin/ssh/auth2-pubkey.c +++ b/usr.bin/ssh/auth2-pubkey.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth2-pubkey.c,v 1.103 2020/12/22 00:12:22 djm Exp $ */ +/* $OpenBSD: auth2-pubkey.c,v 1.104 2021/01/22 02:44:58 dtucker Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -147,8 +147,8 @@ userauth_pubkey(struct ssh *ssh) logit("refusing previously-used %s key", sshkey_type(key)); goto done; } - if (match_pattern_list(pkalg, options.pubkey_key_types, 0) != 1) { - logit_f("key type %s not in PubkeyAcceptedKeyTypes", + if (match_pattern_list(pkalg, options.pubkey_accepted_algos, 0) != 1) { + logit_f("key type %s not in PubkeyAcceptedAlgorithms", sshkey_ssh_name(key)); goto done; } diff --git a/usr.bin/ssh/monitor.c b/usr.bin/ssh/monitor.c index e4e7d49eb55..477167df502 100644 --- a/usr.bin/ssh/monitor.c +++ b/usr.bin/ssh/monitor.c @@ -1,4 +1,4 @@ -/* $OpenBSD: monitor.c,v 1.219 2020/12/29 00:59:15 djm Exp $ */ +/* $OpenBSD: monitor.c,v 1.220 2021/01/22 02:44:58 dtucker Exp $ */ /* * Copyright 2002 Niels Provos * Copyright 2002 Markus Friedl @@ -937,7 +937,7 @@ mm_answer_keyallowed(struct ssh *ssh, int sock, struct sshbuf *m) if (auth2_key_already_used(authctxt, key)) break; if (!key_base_type_match(auth_method, key, - options.pubkey_key_types)) + options.pubkey_accepted_algos)) break; allowed = user_key_allowed(ssh, authctxt->pw, key, pubkey_auth_attempt, &opts); diff --git a/usr.bin/ssh/readconf.c b/usr.bin/ssh/readconf.c index b8690842788..e2fd3f234c8 100644 --- a/usr.bin/ssh/readconf.c +++ b/usr.bin/ssh/readconf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: readconf.c,v 1.348 2021/01/08 04:49:13 djm Exp $ */ +/* $OpenBSD: readconf.c,v 1.349 2021/01/22 02:44:58 dtucker Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -157,7 +157,7 @@ typedef enum { oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs, oStreamLocalBindMask, oStreamLocalBindUnlink, oRevokedHostKeys, oFingerprintHash, oUpdateHostkeys, oHostbasedKeyTypes, - oPubkeyAcceptedKeyTypes, oCASignatureAlgorithms, oProxyJump, + oPubkeyAcceptedAlgorithms, oCASignatureAlgorithms, oProxyJump, oSecurityKeyProvider, oKnownHostsCommand, oIgnore, oIgnoredUnknownOption, oDeprecated, oUnsupported } OpCodes; @@ -293,7 +293,8 @@ static struct { { "fingerprinthash", oFingerprintHash }, { "updatehostkeys", oUpdateHostkeys }, { "hostbasedkeytypes", oHostbasedKeyTypes }, - { "pubkeyacceptedkeytypes", oPubkeyAcceptedKeyTypes }, + { "pubkeyacceptedkeytypes", oPubkeyAcceptedAlgorithms }, /* obsolete */ + { "pubkeyacceptedalgorithms", oPubkeyAcceptedAlgorithms }, { "ignoreunknown", oIgnoreUnknown }, { "proxyjump", oProxyJump }, { "securitykeyprovider", oSecurityKeyProvider }, @@ -1359,7 +1360,7 @@ parse_int: case oHostKeyAlgorithms: charptr = &options->hostkeyalgorithms; -parse_keytypes: +parse_pubkey_algos: arg = strdelim(&s); if (!arg || *arg == '\0') { error("%.200s line %d: Missing argument.", @@ -1379,7 +1380,7 @@ parse_keytypes: case oCASignatureAlgorithms: charptr = &options->ca_sign_algorithms; - goto parse_keytypes; + goto parse_pubkey_algos; case oLogLevel: log_level_ptr = &options->log_level; @@ -1920,11 +1921,11 @@ parse_keytypes: case oHostbasedKeyTypes: charptr = &options->hostbased_key_types; - goto parse_keytypes; + goto parse_pubkey_algos; - case oPubkeyAcceptedKeyTypes: - charptr = &options->pubkey_key_types; - goto parse_keytypes; + case oPubkeyAcceptedAlgorithms: + charptr = &options->pubkey_accepted_algos; + goto parse_pubkey_algos; case oAddKeysToAgent: arg = strdelim(&s); @@ -2207,7 +2208,7 @@ initialize_options(Options * options) options->fingerprint_hash = -1; options->update_hostkeys = -1; options->hostbased_key_types = NULL; - options->pubkey_key_types = NULL; + options->pubkey_accepted_algos = NULL; options->known_hosts_command = NULL; } @@ -2419,7 +2420,7 @@ fill_default_options(Options * options) ASSEMBLE(macs, def_mac, all_mac); ASSEMBLE(kex_algorithms, def_kex, all_kex); ASSEMBLE(hostbased_key_types, def_key, all_key); - ASSEMBLE(pubkey_key_types, def_key, all_key); + ASSEMBLE(pubkey_accepted_algos, def_key, all_key); ASSEMBLE(ca_sign_algorithms, def_sig, all_sig); #undef ASSEMBLE @@ -2539,7 +2540,7 @@ free_options(Options *o) } free(o->revoked_host_keys); free(o->hostbased_key_types); - free(o->pubkey_key_types); + free(o->pubkey_accepted_algos); free(o->jump_user); free(o->jump_host); free(o->jump_extra); @@ -3080,7 +3081,7 @@ dump_client_config(Options *o, const char *host) #endif dump_cfg_string(oSecurityKeyProvider, o->sk_provider); dump_cfg_string(oPreferredAuthentications, o->preferred_authentications); - dump_cfg_string(oPubkeyAcceptedKeyTypes, o->pubkey_key_types); + dump_cfg_string(oPubkeyAcceptedAlgorithms, o->pubkey_accepted_algos); dump_cfg_string(oRevokedHostKeys, o->revoked_host_keys); dump_cfg_string(oXAuthLocation, o->xauth_location); dump_cfg_string(oKnownHostsCommand, o->known_hosts_command); diff --git a/usr.bin/ssh/readconf.h b/usr.bin/ssh/readconf.h index 85ea2e112a4..4ee730b9559 100644 --- a/usr.bin/ssh/readconf.h +++ b/usr.bin/ssh/readconf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: readconf.h,v 1.137 2020/12/22 00:15:23 djm Exp $ */ +/* $OpenBSD: readconf.h,v 1.138 2021/01/22 02:44:58 dtucker Exp $ */ /* * Author: Tatu Ylonen @@ -162,7 +162,7 @@ typedef struct { int update_hostkeys; /* one of SSH_UPDATE_HOSTKEYS_* */ char *hostbased_key_types; - char *pubkey_key_types; + char *pubkey_accepted_algos; char *jump_user; char *jump_host; diff --git a/usr.bin/ssh/scp.1 b/usr.bin/ssh/scp.1 index a5bd723eb56..c0e0082c02c 100644 --- a/usr.bin/ssh/scp.1 +++ b/usr.bin/ssh/scp.1 @@ -8,9 +8,9 @@ .\" .\" Created: Sun May 7 00:14:37 1995 ylo .\" -.\" $OpenBSD: scp.1,v 1.92 2020/12/22 07:40:26 jmc Exp $ +.\" $OpenBSD: scp.1,v 1.93 2021/01/22 02:44:58 dtucker Exp $ .\" -.Dd $Mdocdate: December 22 2020 $ +.Dd $Mdocdate: January 22 2021 $ .Dt SCP 1 .Os .Sh NAME @@ -195,7 +195,7 @@ For full details of the options listed below, and their possible values, see .It PreferredAuthentications .It ProxyCommand .It ProxyJump -.It PubkeyAcceptedKeyTypes +.It PubkeyAcceptedAlgorithms .It PubkeyAuthentication .It RekeyLimit .It SendEnv diff --git a/usr.bin/ssh/servconf.c b/usr.bin/ssh/servconf.c index 8dc395b8d34..e38cd69ffa6 100644 --- a/usr.bin/ssh/servconf.c +++ b/usr.bin/ssh/servconf.c @@ -1,5 +1,5 @@ -/* $OpenBSD: servconf.c,v 1.373 2021/01/11 04:48:22 dtucker Exp $ */ +/* $OpenBSD: servconf.c,v 1.374 2021/01/22 02:44:58 dtucker Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -112,7 +112,7 @@ initialize_server_options(ServerOptions *options) options->hostkeyalgorithms = NULL; options->pubkey_authentication = -1; options->pubkey_auth_options = -1; - options->pubkey_key_types = NULL; + options->pubkey_accepted_algos = NULL; options->kerberos_authentication = -1; options->kerberos_or_local_passwd = -1; options->kerberos_ticket_cleanup = -1; @@ -215,7 +215,7 @@ assemble_algorithms(ServerOptions *o) ASSEMBLE(kex_algorithms, def_kex, all_kex); ASSEMBLE(hostkeyalgorithms, def_key, all_key); ASSEMBLE(hostbased_key_types, def_key, all_key); - ASSEMBLE(pubkey_key_types, def_key, all_key); + ASSEMBLE(pubkey_accepted_algos, def_key, all_key); ASSEMBLE(ca_sign_algorithms, def_sig, all_sig); #undef ASSEMBLE free(all_cipher); @@ -498,7 +498,7 @@ typedef enum { sPermitUserEnvironment, sAllowTcpForwarding, sCompression, sRekeyLimit, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, sIgnoreUserKnownHosts, sCiphers, sMacs, sPidFile, - sGatewayPorts, sPubkeyAuthentication, sPubkeyAcceptedKeyTypes, + sGatewayPorts, sPubkeyAuthentication, sPubkeyAcceptedAlgorithms, sXAuthLocation, sSubsystem, sMaxStartups, sMaxAuthTries, sMaxSessions, sBanner, sUseDNS, sHostbasedAuthentication, sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes, @@ -552,7 +552,8 @@ static struct { { "hostkeyalgorithms", sHostKeyAlgorithms, SSHCFG_GLOBAL }, { "rsaauthentication", sDeprecated, SSHCFG_ALL }, { "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_ALL }, - { "pubkeyacceptedkeytypes", sPubkeyAcceptedKeyTypes, SSHCFG_ALL }, + { "pubkeyacceptedkeytypes", sPubkeyAcceptedAlgorithms, SSHCFG_ALL }, /* obsolete */ + { "pubkeyacceptedalgorithms", sPubkeyAcceptedAlgorithms, SSHCFG_ALL }, { "pubkeyauthoptions", sPubkeyAuthOptions, SSHCFG_ALL }, { "dsaauthentication", sPubkeyAuthentication, SSHCFG_GLOBAL }, /* alias */ #ifdef KRB5 @@ -1443,7 +1444,7 @@ process_server_config_line_depth(ServerOptions *options, char *line, case sHostbasedAcceptedKeyTypes: charptr = &options->hostbased_key_types; - parse_keytypes: + parse_pubkey_algos: arg = strdelim(&cp); if (!arg || *arg == '\0') fatal("%s line %d: Missing argument.", @@ -1459,19 +1460,19 @@ process_server_config_line_depth(ServerOptions *options, char *line, case sHostKeyAlgorithms: charptr = &options->hostkeyalgorithms; - goto parse_keytypes; + goto parse_pubkey_algos; case sCASignatureAlgorithms: charptr = &options->ca_sign_algorithms; - goto parse_keytypes; + goto parse_pubkey_algos; case sPubkeyAuthentication: intptr = &options->pubkey_authentication; goto parse_flag; - case sPubkeyAcceptedKeyTypes: - charptr = &options->pubkey_key_types; - goto parse_keytypes; + case sPubkeyAcceptedAlgorithms: + charptr = &options->pubkey_accepted_algos; + goto parse_pubkey_algos; case sPubkeyAuthOptions: intptr = &options->pubkey_auth_options; @@ -2852,7 +2853,7 @@ dump_config(ServerOptions *o) dump_cfg_string(sCASignatureAlgorithms, o->ca_sign_algorithms); dump_cfg_string(sHostbasedAcceptedKeyTypes, o->hostbased_key_types); dump_cfg_string(sHostKeyAlgorithms, o->hostkeyalgorithms); - dump_cfg_string(sPubkeyAcceptedKeyTypes, o->pubkey_key_types); + dump_cfg_string(sPubkeyAcceptedAlgorithms, o->pubkey_accepted_algos); dump_cfg_string(sRDomain, o->routing_domain); /* string arguments requiring a lookup */ diff --git a/usr.bin/ssh/servconf.h b/usr.bin/ssh/servconf.h index f4ca62f2b46..1eaeec06d07 100644 --- a/usr.bin/ssh/servconf.h +++ b/usr.bin/ssh/servconf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.h,v 1.149 2021/01/09 12:10:02 dtucker Exp $ */ +/* $OpenBSD: servconf.h,v 1.150 2021/01/22 02:44:58 dtucker Exp $ */ /* * Author: Tatu Ylonen @@ -126,7 +126,7 @@ typedef struct { char *hostkeyalgorithms; /* SSH2 server key types */ char *ca_sign_algorithms; /* Allowed CA signature algorithms */ int pubkey_authentication; /* If true, permit ssh2 pubkey authentication. */ - char *pubkey_key_types; /* Key types allowed for public key */ + char *pubkey_accepted_algos; /* Signature algos allowed for pubkey */ int pubkey_auth_options; /* -1 or mask of PUBKEYAUTH_* flags */ int kerberos_authentication; /* If true, permit Kerberos * authentication. */ @@ -270,7 +270,7 @@ TAILQ_HEAD(include_list, include_item); M_CP_STROPT(authorized_principals_command); \ M_CP_STROPT(authorized_principals_command_user); \ M_CP_STROPT(hostbased_key_types); \ - M_CP_STROPT(pubkey_key_types); \ + M_CP_STROPT(pubkey_accepted_algos); \ M_CP_STROPT(ca_sign_algorithms); \ M_CP_STROPT(routing_domain); \ M_CP_STROPT(permit_user_env_allowlist); \ diff --git a/usr.bin/ssh/sftp.1 b/usr.bin/ssh/sftp.1 index ea99aad13e7..685b3ff91f0 100644 --- a/usr.bin/ssh/sftp.1 +++ b/usr.bin/ssh/sftp.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: sftp.1,v 1.133 2020/12/22 07:40:26 jmc Exp $ +.\" $OpenBSD: sftp.1,v 1.134 2021/01/22 02:44:58 dtucker Exp $ .\" .\" Copyright (c) 2001 Damien Miller. All rights reserved. .\" @@ -22,7 +22,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: December 22 2020 $ +.Dd $Mdocdate: January 22 2021 $ .Dt SFTP 1 .Os .Sh NAME @@ -269,7 +269,7 @@ For full details of the options listed below, and their possible values, see .It PreferredAuthentications .It ProxyCommand .It ProxyJump -.It PubkeyAcceptedKeyTypes +.It PubkeyAcceptedAlgorithms .It PubkeyAuthentication .It RekeyLimit .It SendEnv diff --git a/usr.bin/ssh/ssh.c b/usr.bin/ssh/ssh.c index 3ad1cd9123b..6aa92326357 100644 --- a/usr.bin/ssh/ssh.c +++ b/usr.bin/ssh/ssh.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh.c,v 1.546 2020/12/20 23:40:19 djm Exp $ */ +/* $OpenBSD: ssh.c,v 1.547 2021/01/22 02:44:58 dtucker Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -773,7 +773,8 @@ main(int ac, char **av) else if (strcmp(optarg, "key-plain") == 0) cp = sshkey_alg_list(0, 1, 0, '\n'); else if (strcmp(optarg, "key-sig") == 0 || - strcasecmp(optarg, "PubkeyAcceptedKeyTypes") == 0 || + strcasecmp(optarg, "PubkeyAcceptedKeyTypes") == 0 || /* deprecated name */ + strcasecmp(optarg, "PubkeyAcceptedAlgorithms") == 0 || strcasecmp(optarg, "HostKeyAlgorithms") == 0 || strcasecmp(optarg, "HostbasedKeyTypes") == 0 || strcasecmp(optarg, "HostbasedAcceptedKeyTypes") == 0) diff --git a/usr.bin/ssh/ssh_config.5 b/usr.bin/ssh/ssh_config.5 index 7eca85b569a..7ff12482faa 100644 --- a/usr.bin/ssh/ssh_config.5 +++ b/usr.bin/ssh/ssh_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.342 2021/01/14 19:45:06 rob Exp $ -.Dd $Mdocdate: January 14 2021 $ +.\" $OpenBSD: ssh_config.5,v 1.343 2021/01/22 02:44:58 dtucker Exp $ +.Dd $Mdocdate: January 22 2021 $ .Dt SSH_CONFIG 5 .Os .Sh NAME @@ -1389,20 +1389,20 @@ will pass a connected file descriptor back to instead of continuing to execute and pass data. The default is .Cm no . -.It Cm PubkeyAcceptedKeyTypes -Specifies the key types that will be used for public key authentication -as a comma-separated list of patterns. +.It Cm PubkeyAcceptedAlgorithms +Specifies the signature algorithms that will be used for public key +authentication as a comma-separated list of patterns. If the specified list begins with a .Sq + -character, then the key types after it will be appended to the default +character, then the algorithms after it will be appended to the default instead of replacing it. If the specified list begins with a .Sq - -character, then the specified key types (including wildcards) will be removed +character, then the specified algorithms (including wildcards) will be removed from the default set instead of replacing them. If the specified list begins with a .Sq ^ -character, then the specified key types will be placed at the head of the +character, then the specified algorithms will be placed at the head of the default set. The default for this option is: .Bd -literal -offset 3n @@ -1423,7 +1423,7 @@ rsa-sha2-512,rsa-sha2-256,ssh-rsa .Ed .Pp The list of available key types may also be obtained using -.Qq ssh -Q PubkeyAcceptedKeyTypes . +.Qq ssh -Q PubkeyAcceptedAlgorithms . .It Cm PubkeyAuthentication Specifies whether to try public key authentication. The argument to this keyword must be diff --git a/usr.bin/ssh/sshconnect2.c b/usr.bin/ssh/sshconnect2.c index 87011733011..57b7148a4df 100644 --- a/usr.bin/ssh/sshconnect2.c +++ b/usr.bin/ssh/sshconnect2.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshconnect2.c,v 1.341 2021/01/08 02:57:24 djm Exp $ */ +/* $OpenBSD: sshconnect2.c,v 1.342 2021/01/22 02:44:58 dtucker Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * Copyright (c) 2008 Damien Miller. All rights reserved. @@ -1184,16 +1184,16 @@ key_sig_algorithm(struct ssh *ssh, const struct sshkey *key) (key->type == KEY_RSA_CERT && (datafellows & SSH_BUG_SIGTYPE))) { /* Filter base key signature alg against our configuration */ return match_list(sshkey_ssh_name(key), - options.pubkey_key_types, NULL); + options.pubkey_accepted_algos, NULL); } /* * For RSA keys/certs, since these might have a different sig type: - * find the first entry in PubkeyAcceptedKeyTypes of the right type + * find the first entry in PubkeyAcceptedAlgorithms of the right type * that also appears in the supported signature algorithms list from * the server. */ - oallowed = allowed = xstrdup(options.pubkey_key_types); + oallowed = allowed = xstrdup(options.pubkey_accepted_algos); while ((cp = strsep(&allowed, ",")) != NULL) { if (sshkey_type_from_name(cp) != key->type) continue; @@ -1590,25 +1590,25 @@ static int key_type_allowed_by_config(struct sshkey *key) { if (match_pattern_list(sshkey_ssh_name(key), - options.pubkey_key_types, 0) == 1) + options.pubkey_accepted_algos, 0) == 1) return 1; /* RSA keys/certs might be allowed by alternate signature types */ switch (key->type) { case KEY_RSA: if (match_pattern_list("rsa-sha2-512", - options.pubkey_key_types, 0) == 1) + options.pubkey_accepted_algos, 0) == 1) return 1; if (match_pattern_list("rsa-sha2-256", - options.pubkey_key_types, 0) == 1) + options.pubkey_accepted_algos, 0) == 1) return 1; break; case KEY_RSA_CERT: if (match_pattern_list("rsa-sha2-512-cert-v01@openssh.com", - options.pubkey_key_types, 0) == 1) + options.pubkey_accepted_algos, 0) == 1) return 1; if (match_pattern_list("rsa-sha2-256-cert-v01@openssh.com", - options.pubkey_key_types, 0) == 1) + options.pubkey_accepted_algos, 0) == 1) return 1; break; } @@ -1750,11 +1750,11 @@ pubkey_prepare(Authctxt *authctxt) } /* append remaining keys from the config file */ TAILQ_CONCAT(preferred, &files, next); - /* finally, filter by PubkeyAcceptedKeyTypes */ + /* finally, filter by PubkeyAcceptedAlgorithms */ TAILQ_FOREACH_SAFE(id, preferred, next, id2) { if (id->key != NULL && !key_type_allowed_by_config(id->key)) { debug("Skipping %s key %s - " - "not in PubkeyAcceptedKeyTypes", + "corresponding algo not in PubkeyAcceptedAlgorithms", sshkey_ssh_name(id->key), id->filename); TAILQ_REMOVE(preferred, id, next); sshkey_free(id->key); diff --git a/usr.bin/ssh/sshd_config.5 b/usr.bin/ssh/sshd_config.5 index 5936a0fc0ff..1e28cfa5cfc 100644 --- a/usr.bin/ssh/sshd_config.5 +++ b/usr.bin/ssh/sshd_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.323 2021/01/14 19:45:06 rob Exp $ -.Dd $Mdocdate: January 14 2021 $ +.\" $OpenBSD: sshd_config.5,v 1.324 2021/01/22 02:44:58 dtucker Exp $ +.Dd $Mdocdate: January 22 2021 $ .Dt SSHD_CONFIG 5 .Os .Sh NAME @@ -1211,7 +1211,7 @@ Available keywords are .Cm PermitTTY , .Cm PermitTunnel , .Cm PermitUserRC , -.Cm PubkeyAcceptedKeyTypes , +.Cm PubkeyAcceptedAlgorithms , .Cm PubkeyAuthentication , .Cm RekeyLimit , .Cm RevokedKeys , @@ -1479,20 +1479,20 @@ when a user logs in interactively. or equivalent.) The default is .Cm yes . -.It Cm PubkeyAcceptedKeyTypes -Specifies the key types that will be accepted for public key authentication -as a list of comma-separated patterns. +.It Cm PubkeyAcceptedAlgorithms +Specifies the signature algorithms that will be accepted for public key +authentication as a list of comma-separated patterns. Alternately if the specified list begins with a .Sq + -character, then the specified key types will be appended to the default set +character, then the specified algorithms will be appended to the default set instead of replacing them. If the specified list begins with a .Sq - -character, then the specified key types (including wildcards) will be removed +character, then the specified algorithms (including wildcards) will be removed from the default set instead of replacing them. If the specified list begins with a .Sq ^ -character, then the specified key types will be placed at the head of the +character, then the specified algorithms will be placed at the head of the default set. The default for this option is: .Bd -literal -offset 3n @@ -1513,7 +1513,7 @@ rsa-sha2-512,rsa-sha2-256,ssh-rsa .Ed .Pp The list of available key types may also be obtained using -.Qq ssh -Q PubkeyAcceptedKeyTypes . +.Qq ssh -Q PubkeyAcceptedAlgorithms . .It Cm PubkeyAuthOptions Sets one or more public key authentication options. The supported keywords are: -- 2.20.1