[openssh-commits] [openssh] 01/01: upstream: When signing certificates with an RSA key, default to
git+noreply at mindrot.org
Mon May 20 10:22:08 AEST 2019
This is an automated email from the git hooks/post-receive script.
djm pushed a commit to branch master
in repository openssh.
commit 476e3551b2952ef73acc43d995e832539bf9bc4d
Author: djm at openbsd.org <djm at openbsd.org>
Date: Mon May 20 00:20:35 2019 +0000
upstream: When signing certificates with an RSA key, default to
using the rsa-sha2-512 signature algorithm. Certificates signed by RSA keys
will therefore be incompatible with OpenSSH < 7.2 unless the default is
overridden.
Document the ability of the ssh-keygen -t flag to override the
signature algorithm when signing certificates, and the new default.
ok deraadt@
OpenBSD-Commit-ID: 400c9c15013978204c2cb80f294b03ae4cfc8b95
---
ssh-keygen.1 | 13 +++++++++++--
sshkey.c | 9 ++++++++-
2 files changed, 19 insertions(+), 3 deletions(-)
diff --git a/ssh-keygen.1 b/ssh-keygen.1
index f2977424..673bf6e2 100644
--- a/ssh-keygen.1
+++ b/ssh-keygen.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ssh-keygen.1,v 1.158 2019/04/19 05:47:44 dtucker Exp $
+.\" $OpenBSD: ssh-keygen.1,v 1.159 2019/05/20 00:20:35 djm Exp $
.\"
.\" Author: Tatu Ylonen <ylo at cs.hut.fi>
.\" Copyright (c) 1995 Tatu Ylonen <ylo at cs.hut.fi>, Espoo, Finland
@@ -35,7 +35,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd $Mdocdate: April 19 2019 $
+.Dd $Mdocdate: May 20 2019 $
.Dt SSH-KEYGEN 1
.Os
.Sh NAME
@@ -577,6 +577,15 @@ The possible values are
.Dq ed25519 ,
or
.Dq rsa .
+.Pp
+This flag may also be used to specify the desired signature type when
+signing certificates using a RSA CA key.
+The available RSA signature variants are
+.Dq ssh-rsa
+(SHA1 signatures, not recommended),
+.Dq rsa-sha2-256
+.Dq rsa-sha2-512
+(the default).
.It Fl U
When used in combination with
.Fl s ,
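Review bot: In the added list of RSA signature variants, the `.Dq rsa-sha2-256` line has no trailing punctuation, so the rendered page runs "rsa-sha2-256" straight into "rsa-sha2-512" with no separator, while the first entry ends in a comma. Suggest `.Dq rsa-sha2-256 ,` followed by an `or` line before `.Dq rsa-sha2-512`, matching the `.Dq ed25519 ,` / `or` / `.Dq rsa .` pattern in the context just above. Two smaller points in the same paragraph: "a RSA CA key" should read "an RSA CA key", and since the commit message states that the new default makes RSA-signed certificates incompatible with OpenSSH < 7.2, that caveat belongs here next to "(the default)" so users who hit it can find the override.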
diff --git a/sshkey.c b/sshkey.c
index 9849cb23..379a579c 100644
--- a/sshkey.c
+++ b/sshkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshkey.c,v 1.74 2019/05/03 03:25:18 dtucker Exp $ */
+/* $OpenBSD: sshkey.c,v 1.75 2019/05/20 00:20:35 djm Exp $ */
/*
* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
* Copyright (c) 2008 Alexander von Gernler. All rights reserved.
@@ -2528,6 +2528,13 @@ sshkey_certify_custom(struct sshkey *k, struct sshkey *ca, const char *alg,
strcmp(alg, k->cert->signature_type) != 0)
return SSH_ERR_INVALID_ARGUMENT;
+ /*
+ * If no signing algorithm or signature_type was specified and we're
+ * using a RSA key, then default to a good signature algorithm.
+ */
+ if (alg == NULL && ca->type == KEY_RSA)
+ alg = "rsa-sha2-512";
+
if ((ret = sshkey_to_blob(ca, &ca_blob, &ca_len)) != 0)
return SSH_ERR_KEY_CERT_INVALID_SIGN_KEY;
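Review bot: The added comment says the default applies when "no signing algorithm or signature_type was specified", but the condition tests only `alg == NULL`, and the lines shown do not make it evident that `k->cert->signature_type` has already been accounted for at this point. Either test it explicitly in the condition or reword the comment to say that alg has already been taken from signature_type where one was set, so a later reorder of the preceding check cannot silently override a certificate's existing signature type. The literal "rsa-sha2-512" is also hard-coded here and repeated as the documented default in ssh-keygen.1; a named constant would keep the two from drifting apart. Minor: "a RSA key" in the comment should be "an RSA key".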