[openssh-commits] [openssh] 04/04: upstream: mention that CASignatureAlgorithms accepts +/- similarly to

git+noreply at mindrot.org git+noreply at mindrot.org
Fri Aug 13 10:01:30 AEST 2021 

This is an automated email from the git hooks/post-receive script.

djm pushed a commit to branch master
in repository openssh.

commit dcce2a2bcf007bf817a2fb0dce3db83fa9201e92
Author: djm at openbsd.org <djm at openbsd.org>
Date:   Thu Aug 12 23:59:25 2021 +0000

    upstream: mention that CASignatureAlgorithms accepts +/- similarly to
    
    the other algorithm list directives; ok jmc bz#3335
    
    OpenBSD-Commit-ID: 0d46b53995817052c78e2dce9dbd133963b073d9
---
 ssh_config.5  | 19 +++++++++++++++----
 sshd_config.5 | 19 +++++++++++++++----
 2 files changed, 30 insertions(+), 8 deletions(-)

diff --git a/ssh_config.5 b/ssh_config.5
index 199fd608..cd0eea86 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh_config.5,v 1.361 2021/08/06 05:04:42 dtucker Exp $
-.Dd $Mdocdate: August 6 2021 $
+.\" $OpenBSD: ssh_config.5,v 1.362 2021/08/12 23:59:25 djm Exp $
+.Dd $Mdocdate: August 12 2021 $
 .Dt SSH_CONFIG 5
 .Os
 .Sh NAME
@@ -377,11 +377,22 @@ Specifies which algorithms are allowed for signing of certificates
 by certificate authorities (CAs).
 The default is:
 .Bd -literal -offset indent
-ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
-sk-ssh-ed25519 at openssh.com,sk-ecdsa-sha2-nistp256 at openssh.com,
+ssh-ed25519,ecdsa-sha2-nistp256,
+ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
+sk-ssh-ed25519 at openssh.com,
+sk-ecdsa-sha2-nistp256 at openssh.com,
 rsa-sha2-512,rsa-sha2-256
 .Ed
 .Pp
+If the specified list begins with a
+.Sq +
+character, then the specified algorithms will be appended to the default set
+instead of replacing them.
+If the specified list begins with a
+.Sq -
+character, then the specified algorithms (including wildcards) will be removed
+from the default set instead of replacing them.
+.Pp
 .Xr ssh 1
 will not accept host certificates signed using algorithms other than those
 specified.
diff --git a/sshd_config.5 b/sshd_config.5
index a33280e1..69d55206 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.333 2021/07/27 14:28:46 jmc Exp $
-.Dd $Mdocdate: July 27 2021 $
+.\" $OpenBSD: sshd_config.5,v 1.334 2021/08/12 23:59:25 djm Exp $
+.Dd $Mdocdate: August 12 2021 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@@ -377,11 +377,22 @@ Specifies which algorithms are allowed for signing of certificates
 by certificate authorities (CAs).
 The default is:
 .Bd -literal -offset indent
-ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
-sk-ssh-ed25519 at openssh.com,sk-ecdsa-sha2-nistp256 at openssh.com,
+ssh-ed25519,ecdsa-sha2-nistp256,
+ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
+sk-ssh-ed25519 at openssh.com,
+sk-ecdsa-sha2-nistp256 at openssh.com,
 rsa-sha2-512,rsa-sha2-256
 .Ed
 .Pp
+If the specified list begins with a
+.Sq +
+character, then the specified algorithms will be appended to the default set
+instead of replacing them.
+If the specified list begins with a
+.Sq -
+character, then the specified algorithms (including wildcards) will be removed
+from the default set instead of replacing them.
+.Pp
 Certificates signed using other algorithms will not be accepted for
 public key or host-based authentication.
 .It Cm ChrootDirectory

-- 
To stop receiving notification emails like this one, please contact
djm at mindrot.org.

More information about the openssh-commits mailing list