[openssh-commits] [openssh] 03/04: upstream: make `ssh -Q CASignatureAlgorithms` only list signature

git+noreply at mindrot.org git+noreply at mindrot.org
Wed Jun 21 15:14:07 AEST 2023


This is an automated email from the git hooks/post-receive script.

djm pushed a commit to branch master
in repository openssh.

commit 4e73cd0f4ab3e5b576c56cac9732da62c8fc0565
Author: djm at openbsd.org <djm at openbsd.org>
Date:   Wed Jun 21 05:08:32 2023 +0000

    upstream: make `ssh -Q CASignatureAlgorithms` only list signature
    
    algorithms that are valid for CA signing. Previous behaviour was to list all
    signing algorithms, including certificate algorithms (OpenSSH certificates do
    not support CA chains). part of bz3577; ok dtucker@
    
    OpenBSD-Commit-ID: 99c2b072dbac0f44fd1f2269e3ff6c1b5d7d3e59
---
 ssh.1 | 6 ++++--
 ssh.c | 6 ++++--
 2 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/ssh.1 b/ssh.1
index a3d1ba16..3d89c7d7 100644
--- a/ssh.1
+++ b/ssh.1
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh.1,v 1.433 2022/11/28 01:37:36 djm Exp $
-.Dd $Mdocdate: November 28 2022 $
+.\" $OpenBSD: ssh.1,v 1.434 2023/06/21 05:08:32 djm Exp $
+.Dd $Mdocdate: June 21 2023 $
 .Dt SSH 1
 .Os
 .Sh NAME
@@ -614,6 +614,8 @@ flag),
 (key exchange algorithms),
 .Ar key
 (key types),
+.Ar key-ca-sign
+(valid CA signature algorithms for certificates),
 .Ar key-cert
 (certificate key types),
 .Ar key-plain
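Review bot: The new `key-ca-sign` entry describes its list only as "valid CA signature algorithms for certificates" and does not say that certificate key types are left out, which is the behaviour change the commit message describes. A reader comparing it with the neighbouring `key-cert` and `key-plain` entries cannot tell from this text how the three lists differ. One extra clause in the parenthetical stating the exclusion would be enough.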
diff --git a/ssh.c b/ssh.c
index 3e8b1ebf..6fc99d88 100644
--- a/ssh.c
+++ b/ssh.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh.c,v 1.588 2023/04/26 01:36:03 djm Exp $ */
+/* $OpenBSD: ssh.c,v 1.589 2023/06/21 05:08:32 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo at cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo at cs.hut.fi>, Espoo, Finland
@@ -793,8 +793,10 @@ main(int ac, char **av)
 				cp = sshkey_alg_list(1, 0, 0, '\n');
 			else if (strcmp(optarg, "key-plain") == 0)
 				cp = sshkey_alg_list(0, 1, 0, '\n');
+			else if (strcmp(optarg, "key-ca-sign") == 0 ||
+			    strcasecmp(optarg, "CASignatureAlgorithms") == 0)
+				cp = sshkey_alg_list(0, 1, 1, '\n');
 			else if (strcmp(optarg, "key-sig") == 0 ||
-			    strcasecmp(optarg, "CASignatureAlgorithms") == 0 ||
 			    strcasecmp(optarg, "PubkeyAcceptedKeyTypes") == 0 || /* deprecated name */
 			    strcasecmp(optarg, "PubkeyAcceptedAlgorithms") == 0 ||
 			    strcasecmp(optarg, "HostKeyAlgorithms") == 0 ||
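Review bot: The added call `sshkey_alg_list(0, 1, 1, '\n')` in the `key-ca-sign` branch differs from the `key-plain` call just above it (`0, 1, 0`) only in the third flag, and nothing at the call site says what that flag selects. A one-line comment on the new branch naming the flags would let a reader check the call against the commit message's intent without looking up the function's definition. The change also alters what `ssh -Q CASignatureAlgorithms` prints while the diffstat touches only ssh.1 and ssh.c, so a regression check that the output contains no certificate algorithm names would be worth adding alongside.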

-- 
To stop receiving notification emails like this one, please contact
djm at mindrot.org.

