From cacbe2c0993070f41e9596750d119f1ce6b0805c Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Wed, 12 Sep 2018 01:34:03 +0000 Subject: add SSH_ALLOWED_CA_SIGALGS - the default list of signature algorithms that are allowed for CA signatures. Notably excludes ssh-dsa. ok markus@ --- usr.bin/ssh/myproposal.h | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/usr.bin/ssh/myproposal.h b/usr.bin/ssh/myproposal.h index 5ba525aa3d3..bd46b55fb67 100644 --- a/usr.bin/ssh/myproposal.h +++ b/usr.bin/ssh/myproposal.h @@ -1,4 +1,4 @@ -/* $OpenBSD: myproposal.h,v 1.56 2018/07/03 11:39:54 djm Exp $ */ +/* $OpenBSD: myproposal.h,v 1.57 2018/09/12 01:34:02 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. @@ -82,6 +82,16 @@ #define KEX_CLIENT_MAC KEX_SERVER_MAC +/* Not a KEX value, but here so all the algorithm defaults are together */ +#define SSH_ALLOWED_CA_SIGALGS \ + "ecdsa-sha2-nistp256," \ + "ecdsa-sha2-nistp384," \ + "ecdsa-sha2-nistp521," \ + "ssh-ed25519," \ + "rsa-sha2-512," \ + "rsa-sha2-256," \ + "ssh-rsa" + #else /* WITH_OPENSSL */ #define KEX_SERVER_KEX \ @@ -109,6 +119,8 @@ #define KEX_CLIENT_ENCRYPT KEX_SERVER_ENCRYPT #define KEX_CLIENT_MAC KEX_SERVER_MAC +#define SSH_ALLOWED_CA_SIGALGS "ssh-ed25519" + #endif /* WITH_OPENSSL */ #define KEX_DEFAULT_COMP "none,zlib@openssh.com" -- cgit v1.2.3