upstream: add SSH_ALLOWED_CA_SIGALGS - the default list of

signature algorithms that are allowed for CA signatures. Notably excludes ssh-dsa. ok markus@ OpenBSD-Commit-ID: 1628e4181dc8ab71909378eafe5d06159a22deb4
author: djm@openbsd.org <djm@openbsd.org> 2018-09-12 01:34:02 +0000
committer: Damien Miller <djm@mindrot.org> 2018-09-12 16:49:21 +1000
commit: 4cc259bac699f4d2a5c52b92230f9e488c88a223 (patch)
tree: b677c7abd3a9a698e9e7a0abc8be5e5fe2f615dc /myproposal.h
parent: ba9e788315b1f6a350f910cb2a9e95b2ce584e89 (diff)
download: openssh-git-4cc259bac699f4d2a5c52b92230f9e488c88a223.tar.gz
1 files changed, 13 insertions, 1 deletions
diff --git a/myproposal.h b/myproposal.h
index 08782dd3..27b4a15a 100644
--- a/myproposal.h
+++ b/myproposal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: myproposal.h,v 1.56 2018/07/03 11:39:54 djm Exp $ */
+/* $OpenBSD: myproposal.h,v 1.57 2018/09/12 01:34:02 djm Exp $ */
 
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
@@ -139,6 +139,16 @@
 
 #define KEX_CLIENT_MAC KEX_SERVER_MAC
 
+/* Not a KEX value, but here so all the algorithm defaults are together */
+#define	SSH_ALLOWED_CA_SIGALGS	\
+	"ecdsa-sha2-nistp256," \
+	"ecdsa-sha2-nistp384," \
+	"ecdsa-sha2-nistp521," \
+	"ssh-ed25519," \
+	"rsa-sha2-512," \
+	"rsa-sha2-256," \
+	"ssh-rsa"
+
 #else /* WITH_OPENSSL */
 
 #define KEX_SERVER_KEX		\
@@ -166,6 +176,8 @@
 #define	KEX_CLIENT_ENCRYPT KEX_SERVER_ENCRYPT
 #define KEX_CLIENT_MAC KEX_SERVER_MAC
 
+#define	SSH_ALLOWED_CA_SIGALGS	"ssh-ed25519"
+
 #endif /* WITH_OPENSSL */
 
 #define	KEX_DEFAULT_COMP	"none,zlib@openssh.com"
author	djm@openbsd.org <djm@openbsd.org>	2018-09-12 01:34:02 +0000
committer	Damien Miller <djm@mindrot.org>	2018-09-12 16:49:21 +1000
commit	4cc259bac699f4d2a5c52b92230f9e488c88a223 (patch)
tree	b677c7abd3a9a698e9e7a0abc8be5e5fe2f615dc /myproposal.h
parent	ba9e788315b1f6a350f910cb2a9e95b2ce584e89 (diff)
download	openssh-git-4cc259bac699f4d2a5c52b92230f9e488c88a223.tar.gz