[Bug 3933] New: Inconsistent documentation of options that take algorithm lists

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Thu Feb 26 03:48:25 AEDT 2026


https://bugzilla.mindrot.org/show_bug.cgi?id=3933

            Bug ID: 3933
           Summary: Inconsistent documentation of options that take
                    algorithm lists
           Product: Portable OpenSSH
           Version: 10.2p1
          Hardware: All
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: Documentation
          Assignee: unassigned-bugs at mindrot.org
          Reporter: xspielinbox+mindrot at protonmail.com

Created attachment 3947
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3947&action=edit
Proposed patch to start unifying documentation of algorithm lists

The documentation of the different options CASignatureAlgorithms,
Ciphers, HostbasedAcceptedAlgorithms, HostKeyAlgorithms, KexAlgorithms,
MACs and PubkeyAcceptedAlgorithms and between ssh_config(5) and
sshd_config(5) differs more than expected. This makes it confusing.

The attached patch proposal would unify parts of that.

There are still some things I didn't change (yet), as I was not sure
whether these are actually correct, e.g.
1. The default lists for CASignatureAlgorithms in the man pages do not
list webauthn-sk-ecdsa-sha2-nistp256@openssh.com, but
SSH_ALLOWED_CA_SIGALGS in myproposal.h does list it.
2. sk-ssh-ed25519@openssh.com is listed before
sk-ecdsa-sha2-nistp256@openssh.com for HostKeyAlgorithms in
sshd_config(5) and in KEX_DEFAULT_PK_ALG in myproposal.h, but after
webauthn-sk-ecdsa-sha2-nistp256@openssh.com in ssh_config(5).

I would be happy to make changes as requested to improve this
documentation.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
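
The two kinds of discrepancy reported above (an algorithm present in a myproposal.h macro but absent from the documented default list, and a differing relative order) can be checked mechanically. The following is an added example, not part of the original report or of OpenSSH; the header and man-page text are constructed samples, not the real file contents, and the function names are hypothetical.

```python
import re

# Constructed sample in the style of a C string macro; NOT the real myproposal.h.
SAMPLE_HEADER = r'''
#define SSH_ALLOWED_CA_SIGALGS \
    "ssh-ed25519," \
    "ecdsa-sha2-nistp256," \
    "sk-ssh-ed25519@openssh.com," \
    "sk-ecdsa-sha2-nistp256@openssh.com," \
    "webauthn-sk-ecdsa-sha2-nistp256@openssh.com," \
    "rsa-sha2-512"
'''

# Constructed sample of a documented default list, wrapped as in a man page.
SAMPLE_DOC = """ssh-ed25519, ecdsa-sha2-nistp256,
sk-ecdsa-sha2-nistp256@openssh.com, sk-ssh-ed25519@openssh.com,
rsa-sha2-512"""

def macro_list(header, name):
    """Return the algorithm list held in the C string macro `name`."""
    text = header.replace("\\\n", " ")  # join backslash-continued lines
    m = re.search(r"^#define\s+%s\s+(.*)$" % re.escape(name), text, re.M)
    if not m:
        raise KeyError(name)
    # Adjacent string literals concatenate in C, so join them before splitting.
    joined = "".join(re.findall(r'"([^"]*)"', m.group(1)))
    return [a for a in joined.split(",") if a]

def doc_list(text):
    """Split a documented list on commas and any whitespace or line wraps."""
    return [a for a in re.split(r"[,\s]+", text) if a]

def compare(code, doc):
    """Report entries missing on either side and order differences."""
    shared_code = [a for a in code if a in doc]
    shared_doc = [a for a in doc if a in code]
    return {
        "missing_from_doc": [a for a in code if a not in doc],
        "not_in_code": [a for a in doc if a not in code],
        # (code entry, doc entry) at each position where the shared order differs
        "order_mismatch": [(c, d) for c, d in zip(shared_code, shared_doc) if c != d],
    }

if __name__ == "__main__":
    code = macro_list(SAMPLE_HEADER, "SSH_ALLOWED_CA_SIGALGS")
    for kind, items in compare(code, doc_list(SAMPLE_DOC)).items():
        print(kind, items)
```
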

