Call for testing: OpenSSH 8.2

Darren Tucker dtucker at
Thu Feb 6 13:23:09 AEDT 2020

On Thu, 6 Feb 2020 at 12:46, Phil Pennock <phil.pennock at> wrote:
> ssh_config(5) describes for `HostKeyAlgorithms` that:
> } The list of available key types may also be obtained using "ssh -Q key"
> Running `ssh -Q key`, the output does not include these proposed
> replacements.
> Only in sshd_config(5):
>   rsa-sha2-512-cert-v01 at
>   rsa-sha2-256-cert-v01 at
>   rsa-sha2-512
>   rsa-sha2-256

Those are "sign only" algorithms that use the same RSA keys but with a
stronger signature algorithms.  It looks like the advice in
sshd_config(5) is not accurate (I think ssh -Q needs an option that
calls sshkey_alg_list with certs_only=0, plain_only=0 and
include_sigonly=1 for this case).

> Only in `ssh -Q key`:
>   ssh-dss
>   ssh-dss-cert-v01 at

The list in sshd_config(5) is the types allowed by default, and DSA
(aka ssh-dss) keys are no longer allowed by default.

Darren Tucker (dtucker at
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

More information about the openssh-unix-dev mailing list