On Thu, Feb 06, 2020 at 01:23:09PM +1100, Darren Tucker wrote: [...] > Those are "sign only" algorithms that use the same RSA keys but with a > stronger signature algorithms. It looks like the advice in > sshd_config(5) is not accurate (I think ssh -Q needs an option that > calls sshkey_alg_list with certs_only=0, plain_only=0 and > include_sigonly=1 for this case). Like this. diff --git a/ssh.c b/ssh.c index 35972fe3..98099295 100644 --- a/ssh.c +++ b/ssh.c @@ -750,6 +750,8 @@ main(int ac, char **av) cp = sshkey_alg_list(1, 0, 0, '\n'); else if (strcmp(optarg, "key-plain") == 0) cp = sshkey_alg_list(0, 1, 0, '\n'); + else if (strcmp(optarg, "key-sig") == 0) + cp = sshkey_alg_list(0, 0, 1, '\n'); else if (strcmp(optarg, "sig") == 0) cp = sshkey_alg_list(0, 1, 1, '\n'); else if (strcmp(optarg, "protocol-version") == 0) @@ -763,7 +765,7 @@ main(int ac, char **av) } else if (strcmp(optarg, "help") == 0) { cp = xstrdup( "cipher\ncipher-auth\ncompression\nkex\n" - "key\nkey-cert\nkey-plain\nmac\n" + "key\nkey-cert\nkey-plain\nkey-sig\nmac\n" "protocol-version\nsig"); } if (cp == NULL) diff --git a/sshd_config.5 b/sshd_config.5 index 0684300f..465ee53d 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -776,7 +776,7 @@ rsa-sha2-512,rsa-sha2-256,ssh-rsa .Ed .Pp The list of available key types may also be obtained using -.Qq ssh -Q key . +.Qq ssh -Q key-sig . .It Cm IgnoreRhosts Specifies that .Pa .rhosts -- Darren Tucker (dtucker at dtucker.net) GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new) Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
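Review bot: In the ssh.c hunk at @@ -750, the new "key-sig" branch sits directly above the existing "sig" branch and the two differ only in the second argument to sshkey_alg_list (0, 0, 1 versus 0, 1, 1), so the option names alone do not tell a user which list they will get. A short comment on each branch stating what it selects would help. Since the patch touches only ssh.c and sshd_config.5, the -Q query list in ssh.1 also needs a key-sig entry to match the updated help string in the @@ -763 hunk.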
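Review bot: In the sshd_config.5 hunk at @@ -776, the unchanged sentence above the edited line still reads "The list of available key types", but the reason for switching to ssh -Q key-sig is to include the sign-only algorithms such as rsa-sha2-512 and rsa-sha2-256, which are signature algorithms rather than key types. Suggest rewording that sentence in the same change (for example "The list of available signature algorithms"), and making the same edit wherever else the page gives the ssh -Q key advice.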