[openssh-commits] [openssh] 05/07: upstream: Document that security key-hosted keys can act as host

git+noreply at mindrot.org git+noreply at mindrot.org
Fri Dec 20 14:28:44 AEDT 2019 

This is an automated email from the git hooks/post-receive script.

dtucker pushed a commit to branch master
in repository openssh.

commit ae024b22c4fd68e7f39681d605585889f9511108
Author: naddy at openbsd.org <naddy at openbsd.org>
Date:   Thu Dec 19 15:09:30 2019 +0000

    upstream: Document that security key-hosted keys can act as host
    
    keys.
    
    Update the list of default host key algorithms in ssh_config.5 and
    sshd_config.5.  Copy the description of the SecurityKeyProvider
    option to sshd_config.5.
    
    ok jmc@
    
    OpenBSD-Commit-ID: edadf3566ab5e94582df4377fee3b8b702c7eca0
---
 ssh_config.5  | 26 +++++++++++++++++---------
 sshd_config.5 | 30 +++++++++++++++++++++---------
 2 files changed, 38 insertions(+), 18 deletions(-)

diff --git a/ssh_config.5 b/ssh_config.5
index 93029031..dc7a2143 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh_config.5,v 1.310 2019/11/30 07:07:59 jmc Exp $
-.Dd $Mdocdate: November 30 2019 $
+.\" $OpenBSD: ssh_config.5,v 1.311 2019/12/19 15:09:30 naddy Exp $
+.Dd $Mdocdate: December 19 2019 $
 .Dt SSH_CONFIG 5
 .Os
 .Sh NAME
@@ -809,12 +809,16 @@ The default for this option is:
 ecdsa-sha2-nistp256-cert-v01 at openssh.com,
 ecdsa-sha2-nistp384-cert-v01 at openssh.com,
 ecdsa-sha2-nistp521-cert-v01 at openssh.com,
+sk-ecdsa-sha2-nistp256-cert-v01 at openssh.com,
 ssh-ed25519-cert-v01 at openssh.com,
+sk-ssh-ed25519-cert-v01 at openssh.com,
 rsa-sha2-512-cert-v01 at openssh.com,
 rsa-sha2-256-cert-v01 at openssh.com,
 ssh-rsa-cert-v01 at openssh.com,
 ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
-ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
+sk-ecdsa-sha2-nistp256 at openssh.com,
+ssh-ed25519,sk-ssh-ed25519 at openssh.com,
+rsa-sha2-512,rsa-sha2-256,ssh-rsa
 .Ed
 .Pp
 The
@@ -842,12 +846,16 @@ The default for this option is:
 ecdsa-sha2-nistp256-cert-v01 at openssh.com,
 ecdsa-sha2-nistp384-cert-v01 at openssh.com,
 ecdsa-sha2-nistp521-cert-v01 at openssh.com,
+sk-ecdsa-sha2-nistp256-cert-v01 at openssh.com,
 ssh-ed25519-cert-v01 at openssh.com,
+sk-ssh-ed25519-cert-v01 at openssh.com,
 rsa-sha2-512-cert-v01 at openssh.com,
 rsa-sha2-256-cert-v01 at openssh.com,
 ssh-rsa-cert-v01 at openssh.com,
 ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
-ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
+sk-ecdsa-sha2-nistp256 at openssh.com,
+ssh-ed25519,sk-ssh-ed25519 at openssh.com,
+rsa-sha2-512,rsa-sha2-256,ssh-rsa
 .Ed
 .Pp
 If hostkeys are known for the destination host then this default is modified
@@ -1323,19 +1331,19 @@ character, then the specified key types will be placed at the head of the
 default set.
 The default for this option is:
 .Bd -literal -offset 3n
-sk-ecdsa-sha2-nistp256-cert-v01 at openssh.com,
 ecdsa-sha2-nistp256-cert-v01 at openssh.com,
 ecdsa-sha2-nistp384-cert-v01 at openssh.com,
 ecdsa-sha2-nistp521-cert-v01 at openssh.com,
-sk-ssh-ed25519-cert-v01 at openssh.com,
+sk-ecdsa-sha2-nistp256-cert-v01 at openssh.com,
 ssh-ed25519-cert-v01 at openssh.com,
+sk-ssh-ed25519-cert-v01 at openssh.com,
 rsa-sha2-512-cert-v01 at openssh.com,
 rsa-sha2-256-cert-v01 at openssh.com,
 ssh-rsa-cert-v01 at openssh.com,
-sk-ecdsa-sha2-nistp256 at openssh.com,
 ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
-sk-ssh-ed25519 at openssh.com,
-ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
+sk-ecdsa-sha2-nistp256 at openssh.com,
+ssh-ed25519,sk-ssh-ed25519 at openssh.com,
+rsa-sha2-512,rsa-sha2-256,ssh-rsa
 .Ed
 .Pp
 The list of available key types may also be obtained using
diff --git a/sshd_config.5 b/sshd_config.5
index 8bfb3b6c..22219317 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.295 2019/11/30 07:07:59 jmc Exp $
-.Dd $Mdocdate: November 30 2019 $
+.\" $OpenBSD: sshd_config.5,v 1.296 2019/12/19 15:09:30 naddy Exp $
+.Dd $Mdocdate: December 19 2019 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@@ -689,12 +689,16 @@ The default for this option is:
 ecdsa-sha2-nistp256-cert-v01 at openssh.com,
 ecdsa-sha2-nistp384-cert-v01 at openssh.com,
 ecdsa-sha2-nistp521-cert-v01 at openssh.com,
+sk-ecdsa-sha2-nistp256-cert-v01 at openssh.com,
 ssh-ed25519-cert-v01 at openssh.com,
+sk-ssh-ed25519-cert-v01 at openssh.com,
 rsa-sha2-512-cert-v01 at openssh.com,
 rsa-sha2-256-cert-v01 at openssh.com,
 ssh-rsa-cert-v01 at openssh.com,
 ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
-ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
+sk-ecdsa-sha2-nistp256 at openssh.com,
+ssh-ed25519,sk-ssh-ed25519 at openssh.com,
+rsa-sha2-512,rsa-sha2-256,ssh-rsa
 .Ed
 .Pp
 The list of available key types may also be obtained using
@@ -768,12 +772,16 @@ The default for this option is:
 ecdsa-sha2-nistp256-cert-v01 at openssh.com,
 ecdsa-sha2-nistp384-cert-v01 at openssh.com,
 ecdsa-sha2-nistp521-cert-v01 at openssh.com,
+sk-ecdsa-sha2-nistp256-cert-v01 at openssh.com,
 ssh-ed25519-cert-v01 at openssh.com,
+sk-ssh-ed25519-cert-v01 at openssh.com,
 rsa-sha2-512-cert-v01 at openssh.com,
 rsa-sha2-256-cert-v01 at openssh.com,
 ssh-rsa-cert-v01 at openssh.com,
 ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
-ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
+sk-ecdsa-sha2-nistp256 at openssh.com,
+ssh-ed25519,sk-ssh-ed25519 at openssh.com,
+rsa-sha2-512,rsa-sha2-256,ssh-rsa
 .Ed
 .Pp
 The list of available key types may also be obtained using
@@ -1427,19 +1435,19 @@ character, then the specified key types will be placed at the head of the
 default set.
 The default for this option is:
 .Bd -literal -offset 3n
-sk-ecdsa-sha2-nistp256-cert-v01 at openssh.com,
 ecdsa-sha2-nistp256-cert-v01 at openssh.com,
 ecdsa-sha2-nistp384-cert-v01 at openssh.com,
 ecdsa-sha2-nistp521-cert-v01 at openssh.com,
-sk-ssh-ed25519-cert-v01 at openssh.com,
+sk-ecdsa-sha2-nistp256-cert-v01 at openssh.com,
 ssh-ed25519-cert-v01 at openssh.com,
+sk-ssh-ed25519-cert-v01 at openssh.com,
 rsa-sha2-512-cert-v01 at openssh.com,
 rsa-sha2-256-cert-v01 at openssh.com,
 ssh-rsa-cert-v01 at openssh.com,
-sk-ecdsa-sha2-nistp256 at openssh.com,
 ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
-sk-ssh-ed25519 at openssh.com,
-ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
+sk-ecdsa-sha2-nistp256 at openssh.com,
+ssh-ed25519,sk-ssh-ed25519 at openssh.com,
+rsa-sha2-512,rsa-sha2-256,ssh-rsa
 .Ed
 .Pp
 The list of available key types may also be obtained using
@@ -1518,6 +1526,10 @@ will be bound to this
 If the routing domain is set to
 .Cm \&%D ,
 then the domain in which the incoming connection was received will be applied.
+.It Cm SecurityKeyProvider
+Specifies a path to a security key provider library that will be used when
+loading any security key-hosted keys, overriding the default of using
+the built-in support for USB HID keys.
 .It Cm SetEnv
 Specifies one or more environment variables to set in child sessions started
 by

-- 
To stop receiving notification emails like this one, please contact
djm at mindrot.org.

More information about the openssh-commits mailing list