On Thu, 6 Feb 2020 at 12:46, Phil Pennock <phil.pennock@xxxxxxxxxxx> wrote:
[...]
> ssh_config(5) describes for `HostKeyAlgorithms` that:
> } The list of available key types may also be obtained using "ssh -Q key"
>
> Running `ssh -Q key`, the output does not include these proposed
> replacements.
>
> Only in sshd_config(5):
> rsa-sha2-512-cert-v01@xxxxxxxxxxx
> rsa-sha2-256-cert-v01@xxxxxxxxxxx
> rsa-sha2-512
> rsa-sha2-256

Those are "sign only" algorithms that use the same RSA keys but with a
stronger signature algorithm. It looks like the advice in sshd_config(5)
is not accurate (I think ssh -Q needs an option that calls
sshkey_alg_list with certs_only=0, plain_only=0 and include_sigonly=1
for this case).

> Only in `ssh -Q key`:
> ssh-dss
> ssh-dss-cert-v01@xxxxxxxxxxx

The list in sshd_config(5) is the types allowed by default, and DSA (aka
ssh-dss) keys are no longer allowed by default.

-- 
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
    usually comes from bad judgement.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
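The comparison in this exchange, carried out as a script, as an added example that is not part of the thread and not OpenSSH's own code. It embeds a constructed, abbreviated `ssh -Q key` list and a constructed copy of the sshd_config(5) default HostKeyAlgorithms of that era (both assumed; on a real host substitute `$(ssh -Q key)` and the `hostkeyalgorithms` line of `sshd -T`, split on commas), then applies the reply's explanation: entries only in the defaults are the rsa-sha2-* signature algorithms, which map onto the ssh-rsa key types the client does list, and entries only in `ssh -Q key` are the ssh-dss key types that are no longer allowed by default. The `@openssh.com` suffix is the real algorithm-name suffix that the archive masks as `@xxxxxxxxxxx`; `classify_alg`, `underlying_key_type`, `only_in` and `defaults_covered_by` are names chosen for this example.

```shell
#!/bin/sh
# Added example (not from the thread, not from OpenSSH): compare an
# `ssh -Q key` key-type list with sshd_config(5)'s default HostKeyAlgorithms
# and explain the differences the way the reply does.
LC_ALL=C; export LC_ALL

# Constructed, abbreviated sample of `ssh -Q key` output (assumed).
# On a real host: SAMPLE_SSH_Q_KEY=$(ssh -Q key)
SAMPLE_SSH_Q_KEY='ssh-ed25519
ssh-ed25519-cert-v01@openssh.com
ssh-rsa
ssh-rsa-cert-v01@openssh.com
ssh-dss
ssh-dss-cert-v01@openssh.com
ecdsa-sha2-nistp256
ecdsa-sha2-nistp256-cert-v01@openssh.com'

# Constructed, abbreviated copy of the sshd_config(5) default list (assumed).
# On a real host: sshd -T | awk '/^hostkeyalgorithms /{print $2}' | tr , '\n'
SAMPLE_SSHD_DEFAULTS='ecdsa-sha2-nistp256-cert-v01@openssh.com
ecdsa-sha2-nistp256
ssh-ed25519-cert-v01@openssh.com
ssh-ed25519
rsa-sha2-512-cert-v01@openssh.com
rsa-sha2-256-cert-v01@openssh.com
ssh-rsa-cert-v01@openssh.com
rsa-sha2-512
rsa-sha2-256
ssh-rsa'

# Category of one algorithm-list entry: sign-only, dsa, cert or plain.
classify_alg() {
    case "$1" in
        rsa-sha2-256|rsa-sha2-512|rsa-sha2-256-cert-v01@openssh.com|rsa-sha2-512-cert-v01@openssh.com)
            echo sign-only ;;      # SHA-2 signature algorithm over an RSA key
        ssh-dss|ssh-dss-cert-v01@openssh.com)
            echo dsa ;;            # key type, removed from the defaults
        *-cert-v01@openssh.com)
            echo cert ;;
        *)  echo plain ;;
    esac
}

# The key type that actually carries a sign-only algorithm; other names map
# to themselves.
underlying_key_type() {
    case "$1" in
        rsa-sha2-256|rsa-sha2-512) echo ssh-rsa ;;
        rsa-sha2-256-cert-v01@openssh.com|rsa-sha2-512-cert-v01@openssh.com)
            echo ssh-rsa-cert-v01@openssh.com ;;
        *) echo "$1" ;;
    esac
}

# only_in A B: newline-separated entries of A that do not occur in B.
only_in() {
    printf '%s\n' "$1" | while IFS= read -r a; do
        [ -n "$a" ] || continue
        printf '%s\n' "$2" | grep -Fxq -- "$a" || printf '%s\n' "$a"
    done
}

# defaults_covered_by DEFAULTS KEY_TYPES: succeed when every default entry,
# after mapping sign-only names to their key type, is a listed key type.
defaults_covered_by() {
    printf '%s\n' "$1" | while IFS= read -r a; do
        [ -n "$a" ] || continue
        printf '%s\n' "$2" | grep -Fxq -- "$(underlying_key_type "$a")" \
            || { printf 'no key type for %s\n' "$a" >&2; exit 1; }
    done
}

# Human-readable summary of the two lists.
report() {
    echo "Only in sshd_config(5) defaults:"
    only_in "$SAMPLE_SSHD_DEFAULTS" "$SAMPLE_SSH_Q_KEY" | while IFS= read -r a; do
        printf '  %-40s %s (key type %s)\n' "$a" "$(classify_alg "$a")" "$(underlying_key_type "$a")"
    done
    echo "Only in ssh -Q key:"
    only_in "$SAMPLE_SSH_Q_KEY" "$SAMPLE_SSHD_DEFAULTS" | while IFS= read -r a; do
        printf '  %-40s %s (not allowed by default)\n' "$a" "$(classify_alg "$a")"
    done
    defaults_covered_by "$SAMPLE_SSHD_DEFAULTS" "$SAMPLE_SSH_Q_KEY" \
        && echo "Every default maps to a key type the client reports."
}

report
```

`defaults_covered_by` is the check a practitioner wants after reading the reply: if it fails, a default HostKeyAlgorithms entry names a key type the client build does not support at all, rather than merely a signature variant that `ssh -Q key` does not spell out.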