diff options
| author |   djm <djm@openbsd.org> | 2018-07-03 11:39:54 +0000 |
|---|---|---|
| committer | djm <djm@openbsd.org> | 2018-07-03 11:39:54 +0000 |
| commit | 38a44c4d07519b32af47a95012edb6d362e3efa3 (patch) | |
| tree | c2dfc3f132bc942207e1a3249c45e17c3b6bf382 /sys/dev | |
| parent | allow sshd_config PermitUserEnvironment to accept a pattern-list of (diff) | |
| download | wireguard-openbsd-38a44c4d07519b32af47a95012edb6d362e3efa3.tar.xz wireguard-openbsd-38a44c4d07519b32af47a95012edb6d362e3efa3.zip | |
Improve strictness and control over RSA-SHA2 signature types:
In ssh, when an agent fails to return a RSA-SHA2 signature when
requested and falls back to RSA-SHA1 instead, retry the signature to
ensure that the public key algorithm sent in the SSH_MSG_USERAUTH
matches the one in the signature itself.
In sshd, strictly enforce that the public key algorithm sent in the
SSH_MSG_USERAUTH message matches what appears in the signature.
Make the sshd_config PubkeyAcceptedKeyTypes and
HostbasedAcceptedKeyTypes options control accepted signature algorithms
(previously they selected supported key types). This allows these
options to ban RSA-SHA1 in favour of RSA-SHA2.
Add new signature algorithms "rsa-sha2-256-cert-v01@openssh.com" and
"rsa-sha2-512-cert-v01@openssh.com" to force use of RSA-SHA2 signatures
with certificate keys.
feedback and ok markus@
Diffstat (limited to 'sys/dev')
0 files changed, 0 insertions, 0 deletions