diff options
| author | Damien Miller <djm@cvs.openbsd.org> | 2018-07-03 11:39:55 +0000 |
|---|---|---|
| committer | Damien Miller <djm@cvs.openbsd.org> | 2018-07-03 11:39:55 +0000 |
| commit | 3b166c2d40cc287784f1ee0a51902266dc5d5334 (patch) | |
| tree | 164e20b700192ce7604acc9b1d989d3aeb394b74 /usr.bin/ssh/kex.h | |
| parent | 9f298e278e650a6691afa4c7558391b2a676654d (diff) | |
Improve strictness and control over RSA-SHA2 signature types:
In ssh, when an agent fails to return a RSA-SHA2 signature when
requested and falls back to RSA-SHA1 instead, retry the signature to
ensure that the public key algorithm sent in the SSH_MSG_USERAUTH
matches the one in the signature itself.
In sshd, strictly enforce that the public key algorithm sent in the
SSH_MSG_USERAUTH message matches what appears in the signature.
Make the sshd_config PubkeyAcceptedKeyTypes and
HostbasedAcceptedKeyTypes options control accepted signature algorithms
(previously they selected supported key types). This allows these
options to ban RSA-SHA1 in favour of RSA-SHA2.
Add new signature algorithms "rsa-sha2-256-cert-v01@openssh.com" and
"rsa-sha2-512-cert-v01@openssh.com" to force use of RSA-SHA2 signatures
with certificate keys.
feedback and ok markus@
Diffstat (limited to 'usr.bin/ssh/kex.h')
| -rw-r--r-- | usr.bin/ssh/kex.h | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/usr.bin/ssh/kex.h b/usr.bin/ssh/kex.h index 76f7328da16..575213e6694 100644 --- a/usr.bin/ssh/kex.h +++ b/usr.bin/ssh/kex.h @@ -1,4 +1,4 @@ -/* $OpenBSD: kex.h,v 1.83 2017/05/30 14:23:52 markus Exp $ */ +/* $OpenBSD: kex.h,v 1.84 2018/07/03 11:39:54 djm Exp $ */ /* * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. @@ -125,7 +125,7 @@ struct kex { int hostkey_type; int hostkey_nid; u_int kex_type; - int rsa_sha2; + char *server_sig_algs; int ext_info_c; struct sshbuf *my; struct sshbuf *peer; |