On Thu, 6 Feb 2020, Darren Tucker wrote: > On Thu, Feb 06, 2020 at 01:23:09PM +1100, Darren Tucker wrote: > [...] > > Those are "sign only" algorithms that use the same RSA keys but with a > > stronger signature algorithms. It looks like the advice in > > sshd_config(5) is not accurate (I think ssh -Q needs an option that > > calls sshkey_alg_list with certs_only=0, plain_only=0 and > > include_sigonly=1 for this case). > > Like this. > > diff --git a/ssh.c b/ssh.c > index 35972fe3..98099295 100644 > --- a/ssh.c > +++ b/ssh.c > @@ -750,6 +750,8 @@ main(int ac, char **av) > cp = sshkey_alg_list(1, 0, 0, '\n'); > else if (strcmp(optarg, "key-plain") == 0) > cp = sshkey_alg_list(0, 1, 0, '\n'); > + else if (strcmp(optarg, "key-sig") == 0) > + cp = sshkey_alg_list(0, 0, 1, '\n'); > else if (strcmp(optarg, "sig") == 0) > cp = sshkey_alg_list(0, 1, 1, '\n'); > else if (strcmp(optarg, "protocol-version") == 0) > @@ -763,7 +765,7 @@ main(int ac, char **av) > } else if (strcmp(optarg, "help") == 0) { > cp = xstrdup( > "cipher\ncipher-auth\ncompression\nkex\n" > - "key\nkey-cert\nkey-plain\nmac\n" > + "key\nkey-cert\nkey-plain\nkey-sig\nmac\n" > "protocol-version\nsig"); > } > if (cp == NULL) > diff --git a/sshd_config.5 b/sshd_config.5 > index 0684300f..465ee53d 100644 > --- a/sshd_config.5 > +++ b/sshd_config.5 > @@ -776,7 +776,7 @@ rsa-sha2-512,rsa-sha2-256,ssh-rsa > .Ed > .Pp > The list of available key types may also be obtained using > -.Qq ssh -Q key . > +.Qq ssh -Q key-sig . > .It Cm IgnoreRhosts > Specifies that > .Pa .rhosts oops, yes - ok djm _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
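Review bot: in the ssh.c hunk at @@ -750, the new "key-sig" branch calls sshkey_alg_list(0, 0, 1, '\n') directly above the existing "sig" branch, which calls sshkey_alg_list(0, 1, 1, '\n'), and nothing in the code says how the two queries differ. A short comment on each branch naming the arguments (certs_only, plain_only, include_sigonly, as spelled out in the message) would keep a later reader from treating the two as interchangeable.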
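Review bot: in the ssh.c hunk at @@ -763, "key-sig" is added to the "help" string, but the patch touches only ssh.c and sshd_config.5, so the new query is documented nowhere except that string. The -Q description in ssh.1 should gain a matching key-sig entry in the same change, so the manual and the help output do not drift apart.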
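Review bot: in the sshd_config.5 hunk at @@ -776, the unchanged context line still reads "The list of available key types may also be obtained using" while the command now points at key-sig, whose output also carries the sign-only names such as rsa-sha2-512 and rsa-sha2-256 from the default list just above. Reword the sentence to cover signature algorithms as well as key types, otherwise an administrator building an allowlist from it may still not expect the rsa-sha2-* entries to be valid values.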