diff options
| author |   djm <djm@openbsd.org> | 2018-09-12 01:34:02 +0000 |
|---|---|---|
| committer | djm <djm@openbsd.org> | 2018-09-12 01:34:02 +0000 |
| commit | 9d70765c61813381db41b29574f432e4aedc5efa (patch) | |
| tree | b145a6ba1d0786fe3f446a35859d74e4bfdbe52b | |
| parent | add sshkey_check_cert_sigtype() that checks a cert->signature_type (diff) | |
| download | wireguard-openbsd-9d70765c61813381db41b29574f432e4aedc5efa.tar.xz wireguard-openbsd-9d70765c61813381db41b29574f432e4aedc5efa.zip | |
add SSH_ALLOWED_CA_SIGALGS - the default list of signature algorithms
that are allowed for CA signatures. Notably excludes ssh-dsa.
ok markus@
| -rw-r--r-- | usr.bin/ssh/myproposal.h | 14 |
1 files changed, 13 insertions, 1 deletions
diff --git a/usr.bin/ssh/myproposal.h b/usr.bin/ssh/myproposal.h index 5ba525aa3d3..bd46b55fb67 100644 --- a/usr.bin/ssh/myproposal.h +++ b/usr.bin/ssh/myproposal.h @@ -1,4 +1,4 @@ -/* $OpenBSD: myproposal.h,v 1.56 2018/07/03 11:39:54 djm Exp $ */ +/* $OpenBSD: myproposal.h,v 1.57 2018/09/12 01:34:02 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. @@ -82,6 +82,16 @@ #define KEX_CLIENT_MAC KEX_SERVER_MAC +/* Not a KEX value, but here so all the algorithm defaults are together */ +#define SSH_ALLOWED_CA_SIGALGS \ + "ecdsa-sha2-nistp256," \ + "ecdsa-sha2-nistp384," \ + "ecdsa-sha2-nistp521," \ + "ssh-ed25519," \ + "rsa-sha2-512," \ + "rsa-sha2-256," \ + "ssh-rsa" + #else /* WITH_OPENSSL */ #define KEX_SERVER_KEX \ @@ -109,6 +119,8 @@ #define KEX_CLIENT_ENCRYPT KEX_SERVER_ENCRYPT #define KEX_CLIENT_MAC KEX_SERVER_MAC +#define SSH_ALLOWED_CA_SIGALGS "ssh-ed25519" + #endif /* WITH_OPENSSL */ #define KEX_DEFAULT_COMP "none,zlib@openssh.com" |