[openssh-commits] [openssh] 01/02: upstream: Rename PubkeyAcceptedKeyTypes keyword to

git+noreply at mindrot.org git+noreply at mindrot.org
Fri Jan 22 15:05:47 AEDT 2021


This is an automated email from the git hooks/post-receive script.

dtucker pushed a commit to branch master
in repository openssh.

commit ee9c0da8035b3168e8e57c1dedc2d1b0daf00eec
Author: dtucker at openbsd.org <dtucker at openbsd.org>
Date:   Fri Jan 22 02:44:58 2021 +0000

    upstream: Rename PubkeyAcceptedKeyTypes keyword to
    
    PubkeyAcceptedAlgorithms. While the two were originally equivalent, this
    actually specifies the signature algorithms that are accepted.  Some key
    types (eg RSA) can be used by multiple algorithms (eg ssh-rsa, rsa-sha2-512)
    so the old name is becoming increasingly misleading.  The old name is
    retained as an alias. Prompted by bz#3253, help & ok djm@, man page help jmc@
    
    OpenBSD-Commit-ID: 0346b2f73f54c43d4e001089759d149bfe402ca5
---
 auth2-pubkey.c |  6 +++---
 monitor.c      |  4 ++--
 readconf.c     | 27 ++++++++++++++-------------
 readconf.h     |  4 ++--
 scp.1          |  6 +++---
 servconf.c     | 25 +++++++++++++------------
 servconf.h     |  6 +++---
 sftp.1         |  6 +++---
 ssh.c          |  5 +++--
 ssh_config.5   | 18 +++++++++---------
 sshconnect2.c  | 22 +++++++++++-----------
 sshd_config.5  | 20 ++++++++++----------
 12 files changed, 76 insertions(+), 73 deletions(-)

diff --git a/auth2-pubkey.c b/auth2-pubkey.c
index 14863cbf..6961b0c9 100644
--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-pubkey.c,v 1.103 2020/12/22 00:12:22 djm Exp $ */
+/* $OpenBSD: auth2-pubkey.c,v 1.104 2021/01/22 02:44:58 dtucker Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  *
@@ -150,8 +150,8 @@ userauth_pubkey(struct ssh *ssh)
 		logit("refusing previously-used %s key", sshkey_type(key));
 		goto done;
 	}
-	if (match_pattern_list(pkalg, options.pubkey_key_types, 0) != 1) {
-		logit_f("key type %s not in PubkeyAcceptedKeyTypes",
+	if (match_pattern_list(pkalg, options.pubkey_accepted_algos, 0) != 1) {
+		logit_f("key type %s not in PubkeyAcceptedAlgorithms",
 		    sshkey_ssh_name(key));
 		goto done;
 	}
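Review bot: The rejection message in this hunk still says "key type" and prints `sshkey_ssh_name(key)`, although the value compared against the list on the line above is `pkalg`. For an RSA key the key name and the requested signature algorithm can differ (the commit message gives ssh-rsa versus rsa-sha2-512), so the log entry may name something that is in the list while the algorithm actually refused goes unrecorded. Logging the value that was matched makes refused logins diagnosable: `logit_f("signature algorithm %s not in PubkeyAcceptedAlgorithms", pkalg);`. userauth_pubkey starts and ends outside the hunk.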
diff --git a/monitor.c b/monitor.c
index 79d003ae..559eb9f6 100644
--- a/monitor.c
+++ b/monitor.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor.c,v 1.219 2020/12/29 00:59:15 djm Exp $ */
+/* $OpenBSD: monitor.c,v 1.220 2021/01/22 02:44:58 dtucker Exp $ */
 /*
  * Copyright 2002 Niels Provos <provos at citi.umich.edu>
  * Copyright 2002 Markus Friedl <markus at openbsd.org>
@@ -1186,7 +1186,7 @@ mm_answer_keyallowed(struct ssh *ssh, int sock, struct sshbuf *m)
 			if (auth2_key_already_used(authctxt, key))
 				break;
 			if (!key_base_type_match(auth_method, key,
-			    options.pubkey_key_types))
+			    options.pubkey_accepted_algos))
 				break;
 			allowed = user_key_allowed(ssh, authctxt->pw, key,
 			    pubkey_auth_attempt, &opts);
diff --git a/readconf.c b/readconf.c
index 37f92e25..c7df93de 100644
--- a/readconf.c
+++ b/readconf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: readconf.c,v 1.348 2021/01/08 04:49:13 djm Exp $ */
+/* $OpenBSD: readconf.c,v 1.349 2021/01/22 02:44:58 dtucker Exp $ */
 /*
  * Author: Tatu Ylonen <ylo at cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo at cs.hut.fi>, Espoo, Finland
@@ -171,7 +171,7 @@ typedef enum {
 	oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs,
 	oStreamLocalBindMask, oStreamLocalBindUnlink, oRevokedHostKeys,
 	oFingerprintHash, oUpdateHostkeys, oHostbasedKeyTypes,
-	oPubkeyAcceptedKeyTypes, oCASignatureAlgorithms, oProxyJump,
+	oPubkeyAcceptedAlgorithms, oCASignatureAlgorithms, oProxyJump,
 	oSecurityKeyProvider, oKnownHostsCommand,
 	oIgnore, oIgnoredUnknownOption, oDeprecated, oUnsupported
 } OpCodes;
@@ -307,7 +307,8 @@ static struct {
 	{ "fingerprinthash", oFingerprintHash },
 	{ "updatehostkeys", oUpdateHostkeys },
 	{ "hostbasedkeytypes", oHostbasedKeyTypes },
-	{ "pubkeyacceptedkeytypes", oPubkeyAcceptedKeyTypes },
+	{ "pubkeyacceptedkeytypes", oPubkeyAcceptedAlgorithms }, /* obsolete */
+	{ "pubkeyacceptedalgorithms", oPubkeyAcceptedAlgorithms },
 	{ "ignoreunknown", oIgnoreUnknown },
 	{ "proxyjump", oProxyJump },
 	{ "securitykeyprovider", oSecurityKeyProvider },
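Review bot: The obsolete `pubkeyacceptedkeytypes` row sits ahead of the new `pubkeyacceptedalgorithms` row, and both now map to `oPubkeyAcceptedAlgorithms`. If the opcode-to-name lookup behind `dump_cfg_string` returns the first matching table entry (that function is not visible here), `ssh -G` output will keep printing the old keyword, and audit scripts that search dumped configuration for the new name will miss the setting. Listing the current name first and the alias second avoids that. The same ordering appears in the servconf.c keyword table for `sPubkeyAcceptedAlgorithms`, where it would affect `sshd -T`. The table starts and ends outside the hunk.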
@@ -1373,7 +1374,7 @@ parse_int:
 
 	case oHostKeyAlgorithms:
 		charptr = &options->hostkeyalgorithms;
-parse_keytypes:
+parse_pubkey_algos:
 		arg = strdelim(&s);
 		if (!arg || *arg == '\0') {
 			error("%.200s line %d: Missing argument.",
@@ -1393,7 +1394,7 @@ parse_keytypes:
 
 	case oCASignatureAlgorithms:
 		charptr = &options->ca_sign_algorithms;
-		goto parse_keytypes;
+		goto parse_pubkey_algos;
 
 	case oLogLevel:
 		log_level_ptr = &options->log_level;
@@ -1934,11 +1935,11 @@ parse_keytypes:
 
 	case oHostbasedKeyTypes:
 		charptr = &options->hostbased_key_types;
-		goto parse_keytypes;
+		goto parse_pubkey_algos;
 
-	case oPubkeyAcceptedKeyTypes:
-		charptr = &options->pubkey_key_types;
-		goto parse_keytypes;
+	case oPubkeyAcceptedAlgorithms:
+		charptr = &options->pubkey_accepted_algos;
+		goto parse_pubkey_algos;
 
 	case oAddKeysToAgent:
 		arg = strdelim(&s);
@@ -2221,7 +2222,7 @@ initialize_options(Options * options)
 	options->fingerprint_hash = -1;
 	options->update_hostkeys = -1;
 	options->hostbased_key_types = NULL;
-	options->pubkey_key_types = NULL;
+	options->pubkey_accepted_algos = NULL;
 	options->known_hosts_command = NULL;
 }
 
@@ -2440,7 +2441,7 @@ fill_default_options(Options * options)
 	ASSEMBLE(macs, def_mac, all_mac);
 	ASSEMBLE(kex_algorithms, def_kex, all_kex);
 	ASSEMBLE(hostbased_key_types, def_key, all_key);
-	ASSEMBLE(pubkey_key_types, def_key, all_key);
+	ASSEMBLE(pubkey_accepted_algos, def_key, all_key);
 	ASSEMBLE(ca_sign_algorithms, def_sig, all_sig);
 #undef ASSEMBLE
 
@@ -2560,7 +2561,7 @@ free_options(Options *o)
 	}
 	free(o->revoked_host_keys);
 	free(o->hostbased_key_types);
-	free(o->pubkey_key_types);
+	free(o->pubkey_accepted_algos);
 	free(o->jump_user);
 	free(o->jump_host);
 	free(o->jump_extra);
@@ -3101,7 +3102,7 @@ dump_client_config(Options *o, const char *host)
 #endif
 	dump_cfg_string(oSecurityKeyProvider, o->sk_provider);
 	dump_cfg_string(oPreferredAuthentications, o->preferred_authentications);
-	dump_cfg_string(oPubkeyAcceptedKeyTypes, o->pubkey_key_types);
+	dump_cfg_string(oPubkeyAcceptedAlgorithms, o->pubkey_accepted_algos);
 	dump_cfg_string(oRevokedHostKeys, o->revoked_host_keys);
 	dump_cfg_string(oXAuthLocation, o->xauth_location);
 	dump_cfg_string(oKnownHostsCommand, o->known_hosts_command);
diff --git a/readconf.h b/readconf.h
index 85ea2e11..4ee730b9 100644
--- a/readconf.h
+++ b/readconf.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: readconf.h,v 1.137 2020/12/22 00:15:23 djm Exp $ */
+/* $OpenBSD: readconf.h,v 1.138 2021/01/22 02:44:58 dtucker Exp $ */
 
 /*
  * Author: Tatu Ylonen <ylo at cs.hut.fi>
@@ -162,7 +162,7 @@ typedef struct {
 	int	 update_hostkeys; /* one of SSH_UPDATE_HOSTKEYS_* */
 
 	char   *hostbased_key_types;
-	char   *pubkey_key_types;
+	char   *pubkey_accepted_algos;
 
 	char   *jump_user;
 	char   *jump_host;
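Review bot: The renamed field `pubkey_accepted_algos` carries no comment here, while the matching field in servconf.h gains `/* Signature algos allowed for pubkey */` in this same commit. Since the reason for the rename is that the list holds signature algorithms rather than key types, the client struct should say so too, for example `char   *pubkey_accepted_algos;	/* Signature algos used for pubkey auth */`. The struct starts and ends outside the hunk.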
diff --git a/scp.1 b/scp.1
index a5bd723e..c0e0082c 100644
--- a/scp.1
+++ b/scp.1
@@ -8,9 +8,9 @@
 .\"
 .\" Created: Sun May  7 00:14:37 1995 ylo
 .\"
-.\" $OpenBSD: scp.1,v 1.92 2020/12/22 07:40:26 jmc Exp $
+.\" $OpenBSD: scp.1,v 1.93 2021/01/22 02:44:58 dtucker Exp $
 .\"
-.Dd $Mdocdate: December 22 2020 $
+.Dd $Mdocdate: January 22 2021 $
 .Dt SCP 1
 .Os
 .Sh NAME
@@ -195,7 +195,7 @@ For full details of the options listed below, and their possible values, see
 .It PreferredAuthentications
 .It ProxyCommand
 .It ProxyJump
-.It PubkeyAcceptedKeyTypes
+.It PubkeyAcceptedAlgorithms
 .It PubkeyAuthentication
 .It RekeyLimit
 .It SendEnv
diff --git a/servconf.c b/servconf.c
index 8d7ef5dc..a28918e2 100644
--- a/servconf.c
+++ b/servconf.c
@@ -1,5 +1,5 @@
 
-/* $OpenBSD: servconf.c,v 1.373 2021/01/11 04:48:22 dtucker Exp $ */
+/* $OpenBSD: servconf.c,v 1.374 2021/01/22 02:44:58 dtucker Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen <ylo at cs.hut.fi>, Espoo, Finland
  *                    All rights reserved
@@ -130,7 +130,7 @@ initialize_server_options(ServerOptions *options)
 	options->hostkeyalgorithms = NULL;
 	options->pubkey_authentication = -1;
 	options->pubkey_auth_options = -1;
-	options->pubkey_key_types = NULL;
+	options->pubkey_accepted_algos = NULL;
 	options->kerberos_authentication = -1;
 	options->kerberos_or_local_passwd = -1;
 	options->kerberos_ticket_cleanup = -1;
@@ -233,7 +233,7 @@ assemble_algorithms(ServerOptions *o)
 	ASSEMBLE(kex_algorithms, def_kex, all_kex);
 	ASSEMBLE(hostkeyalgorithms, def_key, all_key);
 	ASSEMBLE(hostbased_key_types, def_key, all_key);
-	ASSEMBLE(pubkey_key_types, def_key, all_key);
+	ASSEMBLE(pubkey_accepted_algos, def_key, all_key);
 	ASSEMBLE(ca_sign_algorithms, def_sig, all_sig);
 #undef ASSEMBLE
 	free(all_cipher);
@@ -527,7 +527,7 @@ typedef enum {
 	sPermitUserEnvironment, sAllowTcpForwarding, sCompression,
 	sRekeyLimit, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
 	sIgnoreUserKnownHosts, sCiphers, sMacs, sPidFile,
-	sGatewayPorts, sPubkeyAuthentication, sPubkeyAcceptedKeyTypes,
+	sGatewayPorts, sPubkeyAuthentication, sPubkeyAcceptedAlgorithms,
 	sXAuthLocation, sSubsystem, sMaxStartups, sMaxAuthTries, sMaxSessions,
 	sBanner, sUseDNS, sHostbasedAuthentication,
 	sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes,
@@ -589,7 +589,8 @@ static struct {
 	{ "hostkeyalgorithms", sHostKeyAlgorithms, SSHCFG_GLOBAL },
 	{ "rsaauthentication", sDeprecated, SSHCFG_ALL },
 	{ "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_ALL },
-	{ "pubkeyacceptedkeytypes", sPubkeyAcceptedKeyTypes, SSHCFG_ALL },
+	{ "pubkeyacceptedkeytypes", sPubkeyAcceptedAlgorithms, SSHCFG_ALL }, /* obsolete */
+	{ "pubkeyacceptedalgorithms", sPubkeyAcceptedAlgorithms, SSHCFG_ALL },
 	{ "pubkeyauthoptions", sPubkeyAuthOptions, SSHCFG_ALL },
 	{ "dsaauthentication", sPubkeyAuthentication, SSHCFG_GLOBAL }, /* alias */
 #ifdef KRB5
@@ -1501,7 +1502,7 @@ process_server_config_line_depth(ServerOptions *options, char *line,
 
 	case sHostbasedAcceptedKeyTypes:
 		charptr = &options->hostbased_key_types;
- parse_keytypes:
+ parse_pubkey_algos:
 		arg = strdelim(&cp);
 		if (!arg || *arg == '\0')
 			fatal("%s line %d: Missing argument.",
@@ -1517,19 +1518,19 @@ process_server_config_line_depth(ServerOptions *options, char *line,
 
 	case sHostKeyAlgorithms:
 		charptr = &options->hostkeyalgorithms;
-		goto parse_keytypes;
+		goto parse_pubkey_algos;
 
 	case sCASignatureAlgorithms:
 		charptr = &options->ca_sign_algorithms;
-		goto parse_keytypes;
+		goto parse_pubkey_algos;
 
 	case sPubkeyAuthentication:
 		intptr = &options->pubkey_authentication;
 		goto parse_flag;
 
-	case sPubkeyAcceptedKeyTypes:
-		charptr = &options->pubkey_key_types;
-		goto parse_keytypes;
+	case sPubkeyAcceptedAlgorithms:
+		charptr = &options->pubkey_accepted_algos;
+		goto parse_pubkey_algos;
 
 	case sPubkeyAuthOptions:
 		intptr = &options->pubkey_auth_options;
@@ -2921,7 +2922,7 @@ dump_config(ServerOptions *o)
 	dump_cfg_string(sCASignatureAlgorithms, o->ca_sign_algorithms);
 	dump_cfg_string(sHostbasedAcceptedKeyTypes, o->hostbased_key_types);
 	dump_cfg_string(sHostKeyAlgorithms, o->hostkeyalgorithms);
-	dump_cfg_string(sPubkeyAcceptedKeyTypes, o->pubkey_key_types);
+	dump_cfg_string(sPubkeyAcceptedAlgorithms, o->pubkey_accepted_algos);
 #if defined(__OpenBSD__) || defined(HAVE_SYS_SET_PROCESS_RDOMAIN)
 	dump_cfg_string(sRDomain, o->routing_domain);
 #endif
diff --git a/servconf.h b/servconf.h
index e0c3ff60..364cd947 100644
--- a/servconf.h
+++ b/servconf.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.h,v 1.149 2021/01/09 12:10:02 dtucker Exp $ */
+/* $OpenBSD: servconf.h,v 1.150 2021/01/22 02:44:58 dtucker Exp $ */
 
 /*
  * Author: Tatu Ylonen <ylo at cs.hut.fi>
@@ -126,7 +126,7 @@ typedef struct {
 	char   *hostkeyalgorithms;	/* SSH2 server key types */
 	char   *ca_sign_algorithms;	/* Allowed CA signature algorithms */
 	int     pubkey_authentication;	/* If true, permit ssh2 pubkey authentication. */
-	char   *pubkey_key_types;	/* Key types allowed for public key */
+	char   *pubkey_accepted_algos;	/* Signature algos allowed for pubkey */
 	int	pubkey_auth_options;	/* -1 or mask of PUBKEYAUTH_* flags */
 	int     kerberos_authentication;	/* If true, permit Kerberos
 						 * authentication. */
@@ -272,7 +272,7 @@ TAILQ_HEAD(include_list, include_item);
 		M_CP_STROPT(authorized_principals_command); \
 		M_CP_STROPT(authorized_principals_command_user); \
 		M_CP_STROPT(hostbased_key_types); \
-		M_CP_STROPT(pubkey_key_types); \
+		M_CP_STROPT(pubkey_accepted_algos); \
 		M_CP_STROPT(ca_sign_algorithms); \
 		M_CP_STROPT(routing_domain); \
 		M_CP_STROPT(permit_user_env_allowlist); \
diff --git a/sftp.1 b/sftp.1
index ea99aad1..685b3ff9 100644
--- a/sftp.1
+++ b/sftp.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: sftp.1,v 1.133 2020/12/22 07:40:26 jmc Exp $
+.\" $OpenBSD: sftp.1,v 1.134 2021/01/22 02:44:58 dtucker Exp $
 .\"
 .\" Copyright (c) 2001 Damien Miller.  All rights reserved.
 .\"
@@ -22,7 +22,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 22 2020 $
+.Dd $Mdocdate: January 22 2021 $
 .Dt SFTP 1
 .Os
 .Sh NAME
@@ -269,7 +269,7 @@ For full details of the options listed below, and their possible values, see
 .It PreferredAuthentications
 .It ProxyCommand
 .It ProxyJump
-.It PubkeyAcceptedKeyTypes
+.It PubkeyAcceptedAlgorithms
 .It PubkeyAuthentication
 .It RekeyLimit
 .It SendEnv
diff --git a/ssh.c b/ssh.c
index 06598c7e..ccba1831 100644
--- a/ssh.c
+++ b/ssh.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh.c,v 1.546 2020/12/20 23:40:19 djm Exp $ */
+/* $OpenBSD: ssh.c,v 1.547 2021/01/22 02:44:58 dtucker Exp $ */
 /*
  * Author: Tatu Ylonen <ylo at cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo at cs.hut.fi>, Espoo, Finland
@@ -799,7 +799,8 @@ main(int ac, char **av)
 			else if (strcmp(optarg, "key-plain") == 0)
 				cp = sshkey_alg_list(0, 1, 0, '\n');
 			else if (strcmp(optarg, "key-sig") == 0 ||
-			    strcasecmp(optarg, "PubkeyAcceptedKeyTypes") == 0 ||
+			    strcasecmp(optarg, "PubkeyAcceptedKeyTypes") == 0 || /* deprecated name */
+			    strcasecmp(optarg, "PubkeyAcceptedAlgorithms") == 0 ||
 			    strcasecmp(optarg, "HostKeyAlgorithms") == 0 ||
 			    strcasecmp(optarg, "HostbasedKeyTypes") == 0 ||
 			    strcasecmp(optarg, "HostbasedAcceptedKeyTypes") == 0)
diff --git a/ssh_config.5 b/ssh_config.5
index 8c70962b..96d6f658 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh_config.5,v 1.342 2021/01/14 19:45:06 rob Exp $
-.Dd $Mdocdate: January 14 2021 $
+.\" $OpenBSD: ssh_config.5,v 1.343 2021/01/22 02:44:58 dtucker Exp $
+.Dd $Mdocdate: January 22 2021 $
 .Dt SSH_CONFIG 5
 .Os
 .Sh NAME
@@ -1388,20 +1388,20 @@ will pass a connected file descriptor back to
 instead of continuing to execute and pass data.
 The default is
 .Cm no .
-.It Cm PubkeyAcceptedKeyTypes
-Specifies the key types that will be used for public key authentication
-as a comma-separated list of patterns.
+.It Cm PubkeyAcceptedAlgorithms
+Specifies the signature algorithms that will be used for public key
+authentication as a comma-separated list of patterns.
 If the specified list begins with a
 .Sq +
-character, then the key types after it will be appended to the default
+character, then the algorithms after it will be appended to the default
 instead of replacing it.
 If the specified list begins with a
 .Sq -
-character, then the specified key types (including wildcards) will be removed
+character, then the specified algorithms (including wildcards) will be removed
 from the default set instead of replacing them.
 If the specified list begins with a
 .Sq ^
-character, then the specified key types will be placed at the head of the
+character, then the specified algorithms will be placed at the head of the
 default set.
 The default for this option is:
 .Bd -literal -offset 3n
@@ -1422,7 +1422,7 @@ rsa-sha2-512,rsa-sha2-256,ssh-rsa
 .Ed
 .Pp
 The list of available key types may also be obtained using
-.Qq ssh -Q PubkeyAcceptedKeyTypes .
+.Qq ssh -Q PubkeyAcceptedAlgorithms .
 .It Cm PubkeyAuthentication
 Specifies whether to try public key authentication.
 The argument to this keyword must be
diff --git a/sshconnect2.c b/sshconnect2.c
index 108fd970..de89b761 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect2.c,v 1.341 2021/01/08 02:57:24 djm Exp $ */
+/* $OpenBSD: sshconnect2.c,v 1.342 2021/01/22 02:44:58 dtucker Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  * Copyright (c) 2008 Damien Miller.  All rights reserved.
@@ -1191,16 +1191,16 @@ key_sig_algorithm(struct ssh *ssh, const struct sshkey *key)
 	    (key->type == KEY_RSA_CERT && (datafellows & SSH_BUG_SIGTYPE))) {
 		/* Filter base key signature alg against our configuration */
 		return match_list(sshkey_ssh_name(key),
-		    options.pubkey_key_types, NULL);
+		    options.pubkey_accepted_algos, NULL);
 	}
 
 	/*
 	 * For RSA keys/certs, since these might have a different sig type:
-	 * find the first entry in PubkeyAcceptedKeyTypes of the right type
+	 * find the first entry in PubkeyAcceptedAlgorithms of the right type
 	 * that also appears in the supported signature algorithms list from
 	 * the server.
 	 */
-	oallowed = allowed = xstrdup(options.pubkey_key_types);
+	oallowed = allowed = xstrdup(options.pubkey_accepted_algos);
 	while ((cp = strsep(&allowed, ",")) != NULL) {
 		if (sshkey_type_from_name(cp) != key->type)
 			continue;
@@ -1597,25 +1597,25 @@ static int
 key_type_allowed_by_config(struct sshkey *key)
 {
 	if (match_pattern_list(sshkey_ssh_name(key),
-	    options.pubkey_key_types, 0) == 1)
+	    options.pubkey_accepted_algos, 0) == 1)
 		return 1;
 
 	/* RSA keys/certs might be allowed by alternate signature types */
 	switch (key->type) {
 	case KEY_RSA:
 		if (match_pattern_list("rsa-sha2-512",
-		    options.pubkey_key_types, 0) == 1)
+		    options.pubkey_accepted_algos, 0) == 1)
 			return 1;
 		if (match_pattern_list("rsa-sha2-256",
-		    options.pubkey_key_types, 0) == 1)
+		    options.pubkey_accepted_algos, 0) == 1)
 			return 1;
 		break;
 	case KEY_RSA_CERT:
 		if (match_pattern_list("rsa-sha2-512-cert-v01 at openssh.com",
-		    options.pubkey_key_types, 0) == 1)
+		    options.pubkey_accepted_algos, 0) == 1)
 			return 1;
 		if (match_pattern_list("rsa-sha2-256-cert-v01 at openssh.com",
-		    options.pubkey_key_types, 0) == 1)
+		    options.pubkey_accepted_algos, 0) == 1)
 			return 1;
 		break;
 	}
@@ -1757,11 +1757,11 @@ pubkey_prepare(Authctxt *authctxt)
 	}
 	/* append remaining keys from the config file */
 	TAILQ_CONCAT(preferred, &files, next);
-	/* finally, filter by PubkeyAcceptedKeyTypes */
+	/* finally, filter by PubkeyAcceptedAlgorithms */
 	TAILQ_FOREACH_SAFE(id, preferred, next, id2) {
 		if (id->key != NULL && !key_type_allowed_by_config(id->key)) {
 			debug("Skipping %s key %s - "
-			    "not in PubkeyAcceptedKeyTypes",
+			    "corresponding algo not in PubkeyAcceptedAlgorithms",
 			    sshkey_ssh_name(id->key), id->filename);
 			TAILQ_REMOVE(preferred, id, next);
 			sshkey_free(id->key);
diff --git a/sshd_config.5 b/sshd_config.5
index 1f59ebc6..9b7a8916 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.323 2021/01/14 19:45:06 rob Exp $
-.Dd $Mdocdate: January 14 2021 $
+.\" $OpenBSD: sshd_config.5,v 1.324 2021/01/22 02:44:58 dtucker Exp $
+.Dd $Mdocdate: January 22 2021 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@@ -1209,7 +1209,7 @@ Available keywords are
 .Cm PermitTTY ,
 .Cm PermitTunnel ,
 .Cm PermitUserRC ,
-.Cm PubkeyAcceptedKeyTypes ,
+.Cm PubkeyAcceptedAlgorithms ,
 .Cm PubkeyAuthentication ,
 .Cm RekeyLimit ,
 .Cm RevokedKeys ,
@@ -1477,20 +1477,20 @@ when a user logs in interactively.
 or equivalent.)
 The default is
 .Cm yes .
-.It Cm PubkeyAcceptedKeyTypes
-Specifies the key types that will be accepted for public key authentication
-as a list of comma-separated patterns.
+.It Cm PubkeyAcceptedAlgorithms
+Specifies the signature algorithms that will be accepted for public key
+authentication as a list of comma-separated patterns.
 Alternately if the specified list begins with a
 .Sq +
-character, then the specified key types will be appended to the default set
+character, then the specified algorithms will be appended to the default set
 instead of replacing them.
 If the specified list begins with a
 .Sq -
-character, then the specified key types (including wildcards) will be removed
+character, then the specified algorithms (including wildcards) will be removed
 from the default set instead of replacing them.
 If the specified list begins with a
 .Sq ^
-character, then the specified key types will be placed at the head of the
+character, then the specified algorithms will be placed at the head of the
 default set.
 The default for this option is:
 .Bd -literal -offset 3n
@@ -1511,7 +1511,7 @@ rsa-sha2-512,rsa-sha2-256,ssh-rsa
 .Ed
 .Pp
 The list of available key types may also be obtained using
-.Qq ssh -Q PubkeyAcceptedKeyTypes .
+.Qq ssh -Q PubkeyAcceptedAlgorithms .
 .It Cm PubkeyAuthOptions
 Sets one or more public key authentication options.
 The supported keywords are:
