diff options
| author | Damien Miller <djm@cvs.openbsd.org> | 2021-08-12 23:59:26 +0000 |
|---|---|---|
| committer | Damien Miller <djm@cvs.openbsd.org> | 2021-08-12 23:59:26 +0000 |
| commit | 3b7c6c1143d64f582ff15e709103655722190fbd (patch) | |
| tree | 72463b1103ffd565f750c46b7d1467470f9354d4 /usr.bin/ssh | |
| parent | 25d461246d5263b3985a4b52be190b9cb3338a01 (diff) | |
mention that CASignatureAlgorithms accepts +/- similarly to the
other algorithm list directives; ok jmc bz#3335
Diffstat (limited to 'usr.bin/ssh')
| -rw-r--r-- | usr.bin/ssh/ssh_config.5 | 19 | ||||
| -rw-r--r-- | usr.bin/ssh/sshd_config.5 | 19 |
2 files changed, 30 insertions, 8 deletions
diff --git a/usr.bin/ssh/ssh_config.5 b/usr.bin/ssh/ssh_config.5 index 42525366fbd..88f4b8caaa7 100644 --- a/usr.bin/ssh/ssh_config.5 +++ b/usr.bin/ssh/ssh_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.361 2021/08/06 05:04:42 dtucker Exp $ -.Dd $Mdocdate: August 6 2021 $ +.\" $OpenBSD: ssh_config.5,v 1.362 2021/08/12 23:59:25 djm Exp $ +.Dd $Mdocdate: August 12 2021 $ .Dt SSH_CONFIG 5 .Os .Sh NAME @@ -377,11 +377,22 @@ Specifies which algorithms are allowed for signing of certificates by certificate authorities (CAs). The default is: .Bd -literal -offset indent -ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, -sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com, +ssh-ed25519,ecdsa-sha2-nistp256, +ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, +sk-ssh-ed25519@openssh.com, +sk-ecdsa-sha2-nistp256@openssh.com, rsa-sha2-512,rsa-sha2-256 .Ed .Pp +If the specified list begins with a +.Sq + +character, then the specified algorithms will be appended to the default set +instead of replacing them. +If the specified list begins with a +.Sq - +character, then the specified algorithms (including wildcards) will be removed +from the default set instead of replacing them. +.Pp .Xr ssh 1 will not accept host certificates signed using algorithms other than those specified. diff --git a/usr.bin/ssh/sshd_config.5 b/usr.bin/ssh/sshd_config.5 index 15c8dc6c748..947d745f186 100644 --- a/usr.bin/ssh/sshd_config.5 +++ b/usr.bin/ssh/sshd_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.333 2021/07/27 14:28:46 jmc Exp $ -.Dd $Mdocdate: July 27 2021 $ +.\" $OpenBSD: sshd_config.5,v 1.334 2021/08/12 23:59:25 djm Exp $ +.Dd $Mdocdate: August 12 2021 $ .Dt SSHD_CONFIG 5 .Os .Sh NAME @@ -378,11 +378,22 @@ Specifies which algorithms are allowed for signing of certificates by certificate authorities (CAs). The default is: .Bd -literal -offset indent -ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, -sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com, +ssh-ed25519,ecdsa-sha2-nistp256, +ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, +sk-ssh-ed25519@openssh.com, +sk-ecdsa-sha2-nistp256@openssh.com, rsa-sha2-512,rsa-sha2-256 .Ed .Pp +If the specified list begins with a +.Sq + +character, then the specified algorithms will be appended to the default set +instead of replacing them. +If the specified list begins with a +.Sq - +character, then the specified algorithms (including wildcards) will be removed +from the default set instead of replacing them. +.Pp Certificates signed using other algorithms will not be accepted for public key or host-based authentication. .It Cm ChrootDirectory |