CVSROOT: /cvs
Module name: src
Changes by: d...@cvs.openbsd.org 2018/07/03 05:39:54
Modified files:
usr.bin/ssh : PROTOCOL.certkeys auth2-hostbased.c
auth2-pubkey.c authfd.c compat.c compat.h kex.c
kex.h myproposal.h ssh-rsa.c ssh_config.5
sshconnect2.c sshd.c sshd_config.5 ssherr.c
ssherr.h sshkey.c sshkey.h
Log message:
Improve strictness and control over RSA-SHA2 signature types:
In ssh, when an agent fails to return a RSA-SHA2 signature when
requested and falls back to RSA-SHA1 instead, retry the signature to
ensure that the public key algorithm sent in the SSH_MSG_USERAUTH
matches the one in the signature itself.
In sshd, strictly enforce that the public key algorithm sent in the
SSH_MSG_USERAUTH message matches what appears in the signature.
Make the sshd_config PubkeyAcceptedKeyTypes and
HostbasedAcceptedKeyTypes options control accepted signature algorithms
(previously they selected supported key types). This allows these
options to ban RSA-SHA1 in favour of RSA-SHA2.
Add new signature algorithms "rsa-sha2-256-cert-...@openssh.com" and
"rsa-sha2-512-cert-...@openssh.com" to force use of RSA-SHA2 signatures
with certificate keys.
feedback and ok markus@
