authorDamien Miller <djm@cvs.openbsd.org>2023-06-21 05:08:33 +0000
committerDamien Miller <djm@cvs.openbsd.org>2023-06-21 05:08:33 +0000
commit9034712bf030f650fa6ddce7d901662e326dbc8a (patch)
treed73159b61169db75723e07842ffa904239088a05
parent6b89c82e1c35b5e75ff316c2746cc427febde070 (diff)
make `ssh -Q CASignatureAlgorithms` only list signature algorithms that
are valid for CA signing. Previous behaviour was to list all signing algorithms, including certificate algorithms (OpenSSH certificates do not support CA chains). part of bz3577; ok dtucker@
-rw-r--r--usr.bin/ssh/ssh.16
-rw-r--r--usr.bin/ssh/ssh.c6
2 files changed, 8 insertions, 4 deletions
diff --git a/usr.bin/ssh/ssh.1 b/usr.bin/ssh/ssh.1
index a3d1ba16399..3d89c7d7f35 100644
--- a/usr.bin/ssh/ssh.1
+++ b/usr.bin/ssh/ssh.1
@@ -33,8 +33,8 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: ssh.1,v 1.433 2022/11/28 01:37:36 djm Exp $
-.Dd $Mdocdate: November 28 2022 $
+.\" $OpenBSD: ssh.1,v 1.434 2023/06/21 05:08:32 djm Exp $
+.Dd $Mdocdate: June 21 2023 $
.Dt SSH 1
.Os
.Sh NAME
@@ -614,6 +614,8 @@ flag),
(key exchange algorithms),
.Ar key
(key types),
+.Ar key-ca-sign
+(valid CA signature algorithms for certificates),
.Ar key-cert
(certificate key types),
.Ar key-plain
diff --git a/usr.bin/ssh/ssh.c b/usr.bin/ssh/ssh.c
index d31b1a19585..5d828f1cd82 100644
--- a/usr.bin/ssh/ssh.c
+++ b/usr.bin/ssh/ssh.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh.c,v 1.588 2023/04/26 01:36:03 djm Exp $ */
+/* $OpenBSD: ssh.c,v 1.589 2023/06/21 05:08:32 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -767,8 +767,10 @@ main(int ac, char **av)
cp = sshkey_alg_list(1, 0, 0, '\n');
else if (strcmp(optarg, "key-plain") == 0)
cp = sshkey_alg_list(0, 1, 0, '\n');
+ else if (strcmp(optarg, "key-ca-sign") == 0 ||
+ strcasecmp(optarg, "CASignatureAlgorithms") == 0)
+ cp = sshkey_alg_list(0, 1, 1, '\n');
else if (strcmp(optarg, "key-sig") == 0 ||
- strcasecmp(optarg, "CASignatureAlgorithms") == 0 ||
strcasecmp(optarg, "PubkeyAcceptedKeyTypes") == 0 || /* deprecated name */
strcasecmp(optarg, "PubkeyAcceptedAlgorithms") == 0 ||
strcasecmp(optarg, "HostKeyAlgorithms") == 0 ||
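Review bot: The new `sshkey_alg_list(0, 1, 1, '\n')` call on the `key-ca-sign` branch carries the whole meaning of this change in three bare integer flags, and nothing in the hunk says which combination is "valid for CA signing"; a one-line comment would keep a later edit from drifting the flags back to what `key-sig` uses. Judging from the neighbouring calls (`key-plain` passes `(0, 1, 0)` on the line just above) and the commit text saying certificate algorithms are now excluded, the second argument appears to select plain key types and the third to add the signature-only names, but the prototype is not visible here, so confirm the parameter meaning against sshkey.h before wording it. I would add above the call: `/* CA signing: plain key types plus their sig-only names, no cert types */`. If the `-Q help` query elsewhere in main() enumerates the accepted names, it should also gain `key-ca-sign` so the new query is discoverable; that list, if present, is outside this hunk. main() itself starts before and continues past the hunk.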