From 75fef71b36b47f3d1ea81fad88e8f69be1290780 Mon Sep 17 00:00:00 2001 From: djm Date: Thu, 12 Aug 2021 23:59:25 +0000 Subject: [PATCH] mention that CASignatureAlgorithms accepts +/- similarly to the other algorithm list directives; ok jmc bz#3335 --- usr.bin/ssh/ssh_config.5 | 19 +++++++++++++++---- usr.bin/ssh/sshd_config.5 | 19 +++++++++++++++---- 2 files changed, 30 insertions(+), 8 deletions(-) diff --git a/usr.bin/ssh/ssh_config.5 b/usr.bin/ssh/ssh_config.5 index 42525366fbd..88f4b8caaa7 100644 --- a/usr.bin/ssh/ssh_config.5 +++ b/usr.bin/ssh/ssh_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.361 2021/08/06 05:04:42 dtucker Exp $ -.Dd $Mdocdate: August 6 2021 $ +.\" $OpenBSD: ssh_config.5,v 1.362 2021/08/12 23:59:25 djm Exp $ +.Dd $Mdocdate: August 12 2021 $ .Dt SSH_CONFIG 5 .Os .Sh NAME @@ -377,11 +377,22 @@ Specifies which algorithms are allowed for signing of certificates by certificate authorities (CAs). The default is: .Bd -literal -offset indent -ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, -sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com, +ssh-ed25519,ecdsa-sha2-nistp256, +ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, +sk-ssh-ed25519@openssh.com, +sk-ecdsa-sha2-nistp256@openssh.com, rsa-sha2-512,rsa-sha2-256 .Ed .Pp +If the specified list begins with a +.Sq + +character, then the specified algorithms will be appended to the default set +instead of replacing them. +If the specified list begins with a +.Sq - +character, then the specified algorithms (including wildcards) will be removed +from the default set instead of replacing them. +.Pp .Xr ssh 1 will not accept host certificates signed using algorithms other than those specified. diff --git a/usr.bin/ssh/sshd_config.5 b/usr.bin/ssh/sshd_config.5 index 15c8dc6c748..947d745f186 100644 --- a/usr.bin/ssh/sshd_config.5 +++ b/usr.bin/ssh/sshd_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.333 2021/07/27 14:28:46 jmc Exp $ -.Dd $Mdocdate: July 27 2021 $ +.\" $OpenBSD: sshd_config.5,v 1.334 2021/08/12 23:59:25 djm Exp $ +.Dd $Mdocdate: August 12 2021 $ .Dt SSHD_CONFIG 5 .Os .Sh NAME @@ -378,11 +378,22 @@ Specifies which algorithms are allowed for signing of certificates by certificate authorities (CAs). The default is: .Bd -literal -offset indent -ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, -sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com, +ssh-ed25519,ecdsa-sha2-nistp256, +ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, +sk-ssh-ed25519@openssh.com, +sk-ecdsa-sha2-nistp256@openssh.com, rsa-sha2-512,rsa-sha2-256 .Ed .Pp +If the specified list begins with a +.Sq + +character, then the specified algorithms will be appended to the default set +instead of replacing them. +If the specified list begins with a +.Sq - +character, then the specified algorithms (including wildcards) will be removed +from the default set instead of replacing them. +.Pp Certificates signed using other algorithms will not be accepted for public key or host-based authentication. .It Cm ChrootDirectory -- 2.20.1