[openssh-commits] [openssh] 02/05: upstream: prefer ed25519 signature algorithm variants to ECDSA; ok

git+noreply at mindrot.org git+noreply at mindrot.org
Sat Oct 3 18:31:58 AEST 2020


This is an automated email from the git hooks/post-receive script.

djm pushed a commit to branch master
in repository openssh.

commit 12ae8f95e2e0c273e9e7ef930b01a028ef796a3f
Author: djm at openbsd.org <djm at openbsd.org>
Date:   Sat Oct 3 04:15:06 2020 +0000

    upstream: prefer ed25519 signature algorithm variants to ECDSA; ok
    
    markus@
    
    OpenBSD-Commit-ID: 82187926fca96d35a5b5afbc091afa84e0966e5b
---
 myproposal.h  | 14 +++++++-------
 ssh_config.5  | 29 ++++++++++++++++-------------
 sshd_config.5 | 29 ++++++++++++++++-------------
 3 files changed, 39 insertions(+), 33 deletions(-)

diff --git a/myproposal.h b/myproposal.h
index 5312e605..f03b7dfd 100644
--- a/myproposal.h
+++ b/myproposal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: myproposal.h,v 1.67 2020/01/24 00:28:57 djm Exp $ */
+/* $OpenBSD: myproposal.h,v 1.68 2020/10/03 04:15:06 djm Exp $ */
 
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
@@ -38,21 +38,21 @@
 #define KEX_CLIENT_KEX KEX_SERVER_KEX
 
 #define	KEX_DEFAULT_PK_ALG	\
+	"ssh-ed25519-cert-v01 at openssh.com," \
 	"ecdsa-sha2-nistp256-cert-v01 at openssh.com," \
 	"ecdsa-sha2-nistp384-cert-v01 at openssh.com," \
 	"ecdsa-sha2-nistp521-cert-v01 at openssh.com," \
-	"sk-ecdsa-sha2-nistp256-cert-v01 at openssh.com," \
-	"ssh-ed25519-cert-v01 at openssh.com," \
 	"sk-ssh-ed25519-cert-v01 at openssh.com," \
+	"sk-ecdsa-sha2-nistp256-cert-v01 at openssh.com," \
 	"rsa-sha2-512-cert-v01 at openssh.com," \
 	"rsa-sha2-256-cert-v01 at openssh.com," \
 	"ssh-rsa-cert-v01 at openssh.com," \
+	"ssh-ed25519," \
 	"ecdsa-sha2-nistp256," \
 	"ecdsa-sha2-nistp384," \
 	"ecdsa-sha2-nistp521," \
-	"sk-ecdsa-sha2-nistp256 at openssh.com," \
-	"ssh-ed25519," \
 	"sk-ssh-ed25519 at openssh.com," \
+	"sk-ecdsa-sha2-nistp256 at openssh.com," \
 	"rsa-sha2-512," \
 	"rsa-sha2-256," \
 	"ssh-rsa"
@@ -80,12 +80,12 @@
 
 /* Not a KEX value, but here so all the algorithm defaults are together */
 #define	SSH_ALLOWED_CA_SIGALGS	\
+	"ssh-ed25519," \
 	"ecdsa-sha2-nistp256," \
 	"ecdsa-sha2-nistp384," \
 	"ecdsa-sha2-nistp521," \
-	"sk-ecdsa-sha2-nistp256 at openssh.com," \
-	"ssh-ed25519," \
 	"sk-ssh-ed25519 at openssh.com," \
+	"sk-ecdsa-sha2-nistp256 at openssh.com," \
 	"rsa-sha2-512," \
 	"rsa-sha2-256"
 
diff --git a/ssh_config.5 b/ssh_config.5
index 6be1f1aa..e769493a 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh_config.5,v 1.332 2020/08/11 09:49:57 djm Exp $
-.Dd $Mdocdate: August 11 2020 $
+.\" $OpenBSD: ssh_config.5,v 1.333 2020/10/03 04:15:06 djm Exp $
+.Dd $Mdocdate: October 3 2020 $
 .Dt SSH_CONFIG 5
 .Os
 .Sh NAME
@@ -372,8 +372,8 @@ Specifies which algorithms are allowed for signing of certificates
 by certificate authorities (CAs).
 The default is:
 .Bd -literal -offset indent
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
-ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
+ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,
+ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256,ssh-rsa
 .Ed
 .Pp
 .Xr ssh 1
@@ -825,18 +825,19 @@ character, then the specified key types will be placed at the head of the
 default set.
 The default for this option is:
 .Bd -literal -offset 3n
+ssh-ed25519-cert-v01 at openssh.com,
 ecdsa-sha2-nistp256-cert-v01 at openssh.com,
 ecdsa-sha2-nistp384-cert-v01 at openssh.com,
 ecdsa-sha2-nistp521-cert-v01 at openssh.com,
-sk-ecdsa-sha2-nistp256-cert-v01 at openssh.com,
-ssh-ed25519-cert-v01 at openssh.com,
 sk-ssh-ed25519-cert-v01 at openssh.com,
+sk-ecdsa-sha2-nistp256-cert-v01 at openssh.com,
 rsa-sha2-512-cert-v01 at openssh.com,
 rsa-sha2-256-cert-v01 at openssh.com,
 ssh-rsa-cert-v01 at openssh.com,
+ssh-ed25519,
 ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
+sk-ssh-ed25519 at openssh.com,
 sk-ecdsa-sha2-nistp256 at openssh.com,
-ssh-ed25519,sk-ssh-ed25519 at openssh.com,
 rsa-sha2-512,rsa-sha2-256,ssh-rsa
 .Ed
 .Pp
@@ -862,18 +863,19 @@ character, then the specified key types will be placed at the head of the
 default set.
 The default for this option is:
 .Bd -literal -offset 3n
+ssh-ed25519-cert-v01 at openssh.com,
 ecdsa-sha2-nistp256-cert-v01 at openssh.com,
 ecdsa-sha2-nistp384-cert-v01 at openssh.com,
 ecdsa-sha2-nistp521-cert-v01 at openssh.com,
-sk-ecdsa-sha2-nistp256-cert-v01 at openssh.com,
-ssh-ed25519-cert-v01 at openssh.com,
 sk-ssh-ed25519-cert-v01 at openssh.com,
+sk-ecdsa-sha2-nistp256-cert-v01 at openssh.com,
 rsa-sha2-512-cert-v01 at openssh.com,
 rsa-sha2-256-cert-v01 at openssh.com,
 ssh-rsa-cert-v01 at openssh.com,
+ssh-ed25519,
 ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
 sk-ecdsa-sha2-nistp256 at openssh.com,
-ssh-ed25519,sk-ssh-ed25519 at openssh.com,
+sk-ssh-ed25519 at openssh.com,
 rsa-sha2-512,rsa-sha2-256,ssh-rsa
 .Ed
 .Pp
@@ -1361,18 +1363,19 @@ character, then the specified key types will be placed at the head of the
 default set.
 The default for this option is:
 .Bd -literal -offset 3n
+ssh-ed25519-cert-v01 at openssh.com,
 ecdsa-sha2-nistp256-cert-v01 at openssh.com,
 ecdsa-sha2-nistp384-cert-v01 at openssh.com,
 ecdsa-sha2-nistp521-cert-v01 at openssh.com,
-sk-ecdsa-sha2-nistp256-cert-v01 at openssh.com,
-ssh-ed25519-cert-v01 at openssh.com,
 sk-ssh-ed25519-cert-v01 at openssh.com,
+sk-ecdsa-sha2-nistp256-cert-v01 at openssh.com,
 rsa-sha2-512-cert-v01 at openssh.com,
 rsa-sha2-256-cert-v01 at openssh.com,
 ssh-rsa-cert-v01 at openssh.com,
+ssh-ed25519,
 ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
+sk-ssh-ed25519 at openssh.com,
 sk-ecdsa-sha2-nistp256 at openssh.com,
-ssh-ed25519,sk-ssh-ed25519 at openssh.com,
 rsa-sha2-512,rsa-sha2-256,ssh-rsa
 .Ed
 .Pp
diff --git a/sshd_config.5 b/sshd_config.5
index 6fa421ca..f68369f8 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.315 2020/08/27 12:34:00 jmc Exp $
-.Dd $Mdocdate: August 27 2020 $
+.\" $OpenBSD: sshd_config.5,v 1.316 2020/10/03 04:15:06 djm Exp $
+.Dd $Mdocdate: October 3 2020 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@@ -377,8 +377,8 @@ Specifies which algorithms are allowed for signing of certificates
 by certificate authorities (CAs).
 The default is:
 .Bd -literal -offset indent
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
-ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
+ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,
+ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256,ssh-rsa
 .Ed
 .Pp
 Certificates signed using other algorithms will not be accepted for
@@ -675,18 +675,19 @@ character, then the specified key types will be placed at the head of the
 default set.
 The default for this option is:
 .Bd -literal -offset 3n
+ssh-ed25519-cert-v01 at openssh.com,
 ecdsa-sha2-nistp256-cert-v01 at openssh.com,
 ecdsa-sha2-nistp384-cert-v01 at openssh.com,
 ecdsa-sha2-nistp521-cert-v01 at openssh.com,
-sk-ecdsa-sha2-nistp256-cert-v01 at openssh.com,
-ssh-ed25519-cert-v01 at openssh.com,
 sk-ssh-ed25519-cert-v01 at openssh.com,
+sk-ecdsa-sha2-nistp256-cert-v01 at openssh.com,
 rsa-sha2-512-cert-v01 at openssh.com,
 rsa-sha2-256-cert-v01 at openssh.com,
 ssh-rsa-cert-v01 at openssh.com,
+ssh-ed25519,
 ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
+sk-ssh-ed25519 at openssh.com,
 sk-ecdsa-sha2-nistp256 at openssh.com,
-ssh-ed25519,sk-ssh-ed25519 at openssh.com,
 rsa-sha2-512,rsa-sha2-256,ssh-rsa
 .Ed
 .Pp
@@ -758,18 +759,19 @@ Specifies the host key algorithms
 that the server offers.
 The default for this option is:
 .Bd -literal -offset 3n
+ssh-ed25519-cert-v01 at openssh.com,
 ecdsa-sha2-nistp256-cert-v01 at openssh.com,
 ecdsa-sha2-nistp384-cert-v01 at openssh.com,
 ecdsa-sha2-nistp521-cert-v01 at openssh.com,
-sk-ecdsa-sha2-nistp256-cert-v01 at openssh.com,
-ssh-ed25519-cert-v01 at openssh.com,
 sk-ssh-ed25519-cert-v01 at openssh.com,
+sk-ecdsa-sha2-nistp256-cert-v01 at openssh.com,
 rsa-sha2-512-cert-v01 at openssh.com,
 rsa-sha2-256-cert-v01 at openssh.com,
 ssh-rsa-cert-v01 at openssh.com,
+ssh-ed25519,
 ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
+sk-ssh-ed25519 at openssh.com,
 sk-ecdsa-sha2-nistp256 at openssh.com,
-ssh-ed25519,sk-ssh-ed25519 at openssh.com,
 rsa-sha2-512,rsa-sha2-256,ssh-rsa
 .Ed
 .Pp
@@ -1457,18 +1459,19 @@ character, then the specified key types will be placed at the head of the
 default set.
 The default for this option is:
 .Bd -literal -offset 3n
+ssh-ed25519-cert-v01 at openssh.com,
 ecdsa-sha2-nistp256-cert-v01 at openssh.com,
 ecdsa-sha2-nistp384-cert-v01 at openssh.com,
 ecdsa-sha2-nistp521-cert-v01 at openssh.com,
-sk-ecdsa-sha2-nistp256-cert-v01 at openssh.com,
-ssh-ed25519-cert-v01 at openssh.com,
 sk-ssh-ed25519-cert-v01 at openssh.com,
+sk-ecdsa-sha2-nistp256-cert-v01 at openssh.com,
 rsa-sha2-512-cert-v01 at openssh.com,
 rsa-sha2-256-cert-v01 at openssh.com,
 ssh-rsa-cert-v01 at openssh.com,
+ssh-ed25519,
 ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
+sk-ssh-ed25519 at openssh.com,
 sk-ecdsa-sha2-nistp256 at openssh.com,
-ssh-ed25519,sk-ssh-ed25519 at openssh.com,
 rsa-sha2-512,rsa-sha2-256,ssh-rsa
 .Ed
 .Pp

-- 
To stop receiving notification emails like this one, please contact
djm at mindrot.org.


More information about the openssh-commits mailing list