jonathancammack / rpms / openssh

Forked from rpms/openssh 8 months ago
Clone
Petr Šabata 81d24c
diff -up openssh-8.2p1/ssh_config.5.crypto-policies openssh-8.2p1/ssh_config.5
Petr Šabata 81d24c
--- openssh-8.2p1/ssh_config.5.crypto-policies	2020-03-26 14:40:44.546775605 +0100
Petr Šabata 81d24c
+++ openssh-8.2p1/ssh_config.5	2020-03-26 14:52:20.700649727 +0100
Petr Šabata 81d24c
@@ -359,17 +359,17 @@ or
Petr Šabata 81d24c
 .Qq *.c.example.com
Petr Šabata 81d24c
 domains.
Petr Šabata 81d24c
 .It Cm CASignatureAlgorithms
Petr Šabata 81d24c
+The default is handled system-wide by
Petr Šabata 81d24c
+.Xr crypto-policies 7 .
Petr Šabata 81d24c
+To see the defaults and how to modify this default, see manual page
Petr Šabata 81d24c
+.Xr update-crypto-policies 8 .
Petr Šabata 81d24c
+.Pp
Petr Šabata 81d24c
 Specifies which algorithms are allowed for signing of certificates
Petr Šabata 81d24c
 by certificate authorities (CAs).
Petr Šabata 81d24c
-The default is:
Petr Šabata 81d24c
-.Bd -literal -offset indent
Petr Šabata 81d24c
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
Petr Šabata 81d24c
-ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
Petr Šabata 81d24c
-.Ed
Petr Šabata 81d24c
-.Pp
Petr Šabata 81d24c
 .Xr ssh 1
Petr Šabata 81d24c
 will not accept host certificates signed using algorithms other than those
Petr Šabata 81d24c
 specified.
Petr Šabata 81d24c
+.Pp
Petr Šabata 81d24c
 .It Cm CertificateFile
Petr Šabata 81d24c
 Specifies a file from which the user's certificate is read.
Petr Šabata 81d24c
 A corresponding private key must be provided separately in order
Petr Šabata 81d24c
@@ -424,20 +424,25 @@ If the option is set to
Petr Šabata 81d24c
 .Cm no ,
Petr Šabata 81d24c
 the check will not be executed.
Petr Šabata 81d24c
 .It Cm Ciphers
Petr Šabata 81d24c
+The default is handled system-wide by
Petr Šabata 81d24c
+.Xr crypto-policies 7 .
Petr Šabata 81d24c
+To see the defaults and how to modify this default, see manual page
Petr Šabata 81d24c
+.Xr update-crypto-policies 8 .
Petr Šabata 81d24c
+.Pp
Petr Šabata 81d24c
 Specifies the ciphers allowed and their order of preference.
Petr Šabata 81d24c
 Multiple ciphers must be comma-separated.
Petr Šabata 81d24c
 If the specified list begins with a
Petr Šabata 81d24c
 .Sq +
Petr Šabata 81d24c
-character, then the specified ciphers will be appended to the default set
Petr Šabata 81d24c
-instead of replacing them.
Petr Šabata 81d24c
+character, then the specified ciphers will be appended to the built-in
Petr Šabata 81d24c
+openssh default set instead of replacing them.
Petr Šabata 81d24c
 If the specified list begins with a
Petr Šabata 81d24c
 .Sq -
Petr Šabata 81d24c
 character, then the specified ciphers (including wildcards) will be removed
Petr Šabata 81d24c
-from the default set instead of replacing them.
Petr Šabata 81d24c
+from the built-in openssh default set instead of replacing them.
Petr Šabata 81d24c
 If the specified list begins with a
Petr Šabata 81d24c
 .Sq ^
Petr Šabata 81d24c
 character, then the specified ciphers will be placed at the head of the
Petr Šabata 81d24c
-default set.
Petr Šabata 81d24c
+built-in openssh default set.
Petr Šabata 81d24c
 .Pp
Petr Šabata 81d24c
 The supported ciphers are:
Petr Šabata 81d24c
 .Bd -literal -offset indent
Petr Šabata 81d24c
@@ -453,13 +458,6 @@ aes256-gcm@openssh.com
Petr Šabata 81d24c
 chacha20-poly1305@openssh.com
Petr Šabata 81d24c
 .Ed
Petr Šabata 81d24c
 .Pp
Petr Šabata 81d24c
-The default is:
Petr Šabata 81d24c
-.Bd -literal -offset indent
Petr Šabata 81d24c
-chacha20-poly1305@openssh.com,
Petr Šabata 81d24c
-aes128-ctr,aes192-ctr,aes256-ctr,
Petr Šabata 81d24c
-aes128-gcm@openssh.com,aes256-gcm@openssh.com
Petr Šabata 81d24c
-.Ed
Petr Šabata 81d24c
-.Pp
Petr Šabata 81d24c
 The list of available ciphers may also be obtained using
Petr Šabata 81d24c
 .Qq ssh -Q cipher .
Petr Šabata 81d24c
 .It Cm ClearAllForwardings
Petr Šabata 81d24c
@@ -812,6 +810,11 @@ command line will be passed untouched to
Petr Šabata 81d24c
 The default is
Petr Šabata 81d24c
 .Dq no .
Petr Šabata 81d24c
 .It Cm GSSAPIKexAlgorithms
Petr Šabata 81d24c
+The default is handled system-wide by
Petr Šabata 81d24c
+.Xr crypto-policies 7 .
Petr Šabata 81d24c
+To see the defaults and how to modify this default, see manual page
Petr Šabata 81d24c
+.Xr update-crypto-policies 8 .
Petr Šabata 81d24c
+.Pp
Petr Šabata 81d24c
 The list of key exchange algorithms that are offered for GSSAPI
Petr Šabata 81d24c
 key exchange. Possible values are
Petr Šabata 81d24c
 .Bd -literal -offset 3n
Petr Šabata 81d24c
@@ -824,10 +827,8 @@ gss-nistp256-sha256-,
Petr Šabata 81d24c
 gss-curve25519-sha256-
Petr Šabata 81d24c
 .Ed
Petr Šabata 81d24c
 .Pp
Petr Šabata 81d24c
-The default is
Petr Šabata 81d24c
-.Dq gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-,
Petr Šabata 81d24c
-gss-curve25519-sha256-,gss-group14-sha1-,gss-gex-sha1- .
Petr Šabata 81d24c
 This option only applies to connections using GSSAPI.
Petr Šabata 81d24c
+.Pp
Petr Šabata 81d24c
 .It Cm HashKnownHosts
Petr Šabata 81d24c
 Indicates that
Petr Šabata 81d24c
 .Xr ssh 1
Petr Šabata 81d24c
@@ -1149,29 +1150,25 @@ it may be zero or more of:
Petr Šabata 81d24c
 and
Petr Šabata 81d24c
 .Cm pam .
Petr Šabata 81d24c
 .It Cm KexAlgorithms
Petr Šabata 81d24c
+The default is handled system-wide by
Petr Šabata 81d24c
+.Xr crypto-policies 7 .
Petr Šabata 81d24c
+To see the defaults and how to modify this default, see manual page
Petr Šabata 81d24c
+.Xr update-crypto-policies 8 .
Petr Šabata 81d24c
+.Pp
Petr Šabata 81d24c
 Specifies the available KEX (Key Exchange) algorithms.
Petr Šabata 81d24c
 Multiple algorithms must be comma-separated.
Petr Šabata 81d24c
 If the specified list begins with a
Petr Šabata 81d24c
 .Sq +
Petr Šabata 81d24c
-character, then the specified methods will be appended to the default set
Petr Šabata 81d24c
-instead of replacing them.
Petr Šabata 81d24c
+character, then the specified methods will be appended to the built-in
Petr Šabata 81d24c
+openssh default set instead of replacing them.
Petr Šabata 81d24c
 If the specified list begins with a
Petr Šabata 81d24c
 .Sq -
Petr Šabata 81d24c
 character, then the specified methods (including wildcards) will be removed
Petr Šabata 81d24c
-from the default set instead of replacing them.
Petr Šabata 81d24c
+from the built-in openssh default set instead of replacing them.
Petr Šabata 81d24c
 If the specified list begins with a
Petr Šabata 81d24c
 .Sq ^
Petr Šabata 81d24c
 character, then the specified methods will be placed at the head of the
Petr Šabata 81d24c
-default set.
Petr Šabata 81d24c
-The default is:
Petr Šabata 81d24c
-.Bd -literal -offset indent
Petr Šabata 81d24c
-curve25519-sha256,curve25519-sha256@libssh.org,
Petr Šabata 81d24c
-ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
Petr Šabata 81d24c
-diffie-hellman-group-exchange-sha256,
Petr Šabata 81d24c
-diffie-hellman-group16-sha512,
Petr Šabata 81d24c
-diffie-hellman-group18-sha512,
Petr Šabata 81d24c
-diffie-hellman-group14-sha256
Petr Šabata 81d24c
-.Ed
Petr Šabata 81d24c
+built-in openssh default set.
Petr Šabata 81d24c
 .Pp
Petr Šabata 81d24c
 The list of available key exchange algorithms may also be obtained using
Petr Šabata 81d24c
 .Qq ssh -Q kex .
Petr Šabata 81d24c
@@ -1231,37 +1228,33 @@ The default is INFO.
Petr Šabata 81d24c
 DEBUG and DEBUG1 are equivalent.
Petr Šabata 81d24c
 DEBUG2 and DEBUG3 each specify higher levels of verbose output.
Petr Šabata 81d24c
 .It Cm MACs
Petr Šabata 81d24c
+The default is handled system-wide by
Petr Šabata 81d24c
+.Xr crypto-policies 7 .
Petr Šabata 81d24c
+To see the defaults and how to modify this default, see manual page
Petr Šabata 81d24c
+.Xr update-crypto-policies 8 .
Petr Šabata 81d24c
+.Pp
Petr Šabata 81d24c
 Specifies the MAC (message authentication code) algorithms
Petr Šabata 81d24c
 in order of preference.
Petr Šabata 81d24c
 The MAC algorithm is used for data integrity protection.
Petr Šabata 81d24c
 Multiple algorithms must be comma-separated.
Petr Šabata 81d24c
 If the specified list begins with a
Petr Šabata 81d24c
 .Sq +
Petr Šabata 81d24c
-character, then the specified algorithms will be appended to the default set
Petr Šabata 81d24c
-instead of replacing them.
Petr Šabata 81d24c
+character, then the specified algorithms will be appended to the built-in
Petr Šabata 81d24c
+openssh default set instead of replacing them.
Petr Šabata 81d24c
 If the specified list begins with a
Petr Šabata 81d24c
 .Sq -
Petr Šabata 81d24c
 character, then the specified algorithms (including wildcards) will be removed
Petr Šabata 81d24c
-from the default set instead of replacing them.
Petr Šabata 81d24c
+from the built-in openssh default set instead of replacing them.
Petr Šabata 81d24c
 If the specified list begins with a
Petr Šabata 81d24c
 .Sq ^
Petr Šabata 81d24c
 character, then the specified algorithms will be placed at the head of the
Petr Šabata 81d24c
-default set.
Petr Šabata 81d24c
+built-in openssh default set.
Petr Šabata 81d24c
 .Pp
Petr Šabata 81d24c
 The algorithms that contain
Petr Šabata 81d24c
 .Qq -etm
Petr Šabata 81d24c
 calculate the MAC after encryption (encrypt-then-mac).
Petr Šabata 81d24c
 These are considered safer and their use recommended.
Petr Šabata 81d24c
 .Pp
Petr Šabata 81d24c
-The default is:
Petr Šabata 81d24c
-.Bd -literal -offset indent
Petr Šabata 81d24c
-umac-64-etm@openssh.com,umac-128-etm@openssh.com,
Petr Šabata 81d24c
-hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
Petr Šabata 81d24c
-hmac-sha1-etm@openssh.com,
Petr Šabata 81d24c
-umac-64@openssh.com,umac-128@openssh.com,
Petr Šabata 81d24c
-hmac-sha2-256,hmac-sha2-512,hmac-sha1
Petr Šabata 81d24c
-.Ed
Petr Šabata 81d24c
-.Pp
Petr Šabata 81d24c
 The list of available MAC algorithms may also be obtained using
Petr Šabata 81d24c
 .Qq ssh -Q mac .
Petr Šabata 81d24c
 .It Cm NoHostAuthenticationForLocalhost
Petr Šabata 81d24c
@@ -1394,36 +1387,25 @@ instead of continuing to execute and pas
Petr Šabata 81d24c
 The default is
Petr Šabata 81d24c
 .Cm no .
Petr Šabata 81d24c
 .It Cm PubkeyAcceptedKeyTypes
Petr Šabata 81d24c
+The default is handled system-wide by
Petr Šabata 81d24c
+.Xr crypto-policies 7 .
Petr Šabata 81d24c
+To see the defaults and how to modify this default, see manual page
Petr Šabata 81d24c
+.Xr update-crypto-policies 8 .
Petr Šabata 81d24c
+.Pp
Petr Šabata 81d24c
 Specifies the key types that will be used for public key authentication
Petr Šabata 81d24c
 as a comma-separated list of patterns.
Petr Šabata 81d24c
 If the specified list begins with a
Petr Šabata 81d24c
 .Sq +
Petr Šabata 81d24c
-character, then the key types after it will be appended to the default
Petr Šabata 81d24c
-instead of replacing it.
Petr Šabata 81d24c
+character, then the key types after it will be appended to the built-in
Petr Šabata 81d24c
+openssh default instead of replacing it.
Petr Šabata 81d24c
 If the specified list begins with a
Petr Šabata 81d24c
 .Sq -
Petr Šabata 81d24c
 character, then the specified key types (including wildcards) will be removed
Petr Šabata 81d24c
-from the default set instead of replacing them.
Petr Šabata 81d24c
+from the built-in openssh default set instead of replacing them.
Petr Šabata 81d24c
 If the specified list begins with a
Petr Šabata 81d24c
 .Sq ^
Petr Šabata 81d24c
 character, then the specified key types will be placed at the head of the
Petr Šabata 81d24c
-default set.
Petr Šabata 81d24c
-The default for this option is:
Petr Šabata 81d24c
-.Bd -literal -offset 3n
Petr Šabata 81d24c
-ecdsa-sha2-nistp256-cert-v01@openssh.com,
Petr Šabata 81d24c
-ecdsa-sha2-nistp384-cert-v01@openssh.com,
Petr Šabata 81d24c
-ecdsa-sha2-nistp521-cert-v01@openssh.com,
Petr Šabata 81d24c
-sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
Petr Šabata 81d24c
-ssh-ed25519-cert-v01@openssh.com,
Petr Šabata 81d24c
-sk-ssh-ed25519-cert-v01@openssh.com,
Petr Šabata 81d24c
-rsa-sha2-512-cert-v01@openssh.com,
Petr Šabata 81d24c
-rsa-sha2-256-cert-v01@openssh.com,
Petr Šabata 81d24c
-ssh-rsa-cert-v01@openssh.com,
Petr Šabata 81d24c
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
Petr Šabata 81d24c
-sk-ecdsa-sha2-nistp256@openssh.com,
Petr Šabata 81d24c
-ssh-ed25519,sk-ssh-ed25519@openssh.com,
Petr Šabata 81d24c
-rsa-sha2-512,rsa-sha2-256,ssh-rsa
Petr Šabata 81d24c
-.Ed
Petr Šabata 81d24c
+built-in openssh default set.
Petr Šabata 81d24c
 .Pp
Petr Šabata 81d24c
 The list of available key types may also be obtained using
Petr Šabata 81d24c
 .Qq ssh -Q PubkeyAcceptedKeyTypes .
Petr Šabata 81d24c
diff -up openssh-8.2p1/sshd_config.5.crypto-policies openssh-8.2p1/sshd_config.5
Petr Šabata 81d24c
--- openssh-8.2p1/sshd_config.5.crypto-policies	2020-03-26 14:40:44.530775355 +0100
Petr Šabata 81d24c
+++ openssh-8.2p1/sshd_config.5	2020-03-26 14:48:56.732468099 +0100
Petr Šabata 81d24c
@@ -375,16 +375,16 @@ If the argument is
Petr Šabata 81d24c
 then no banner is displayed.
Petr Šabata 81d24c
 By default, no banner is displayed.
Petr Šabata 81d24c
 .It Cm CASignatureAlgorithms
Petr Šabata 81d24c
+The default is handled system-wide by
Petr Šabata 81d24c
+.Xr crypto-policies 7 .
Petr Šabata 81d24c
+To see the defaults and how to modify this default, see manual page
Petr Šabata 81d24c
+.Xr update-crypto-policies 8 .
Petr Šabata 81d24c
+.Pp
Petr Šabata 81d24c
 Specifies which algorithms are allowed for signing of certificates
Petr Šabata 81d24c
 by certificate authorities (CAs).
Petr Šabata 81d24c
-The default is:
Petr Šabata 81d24c
-.Bd -literal -offset indent
Petr Šabata 81d24c
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
Petr Šabata 81d24c
-ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
Petr Šabata 81d24c
-.Ed
Petr Šabata 81d24c
-.Pp
Petr Šabata 81d24c
 Certificates signed using other algorithms will not be accepted for
Petr Šabata 81d24c
 public key or host-based authentication.
Petr Šabata 81d24c
+.Pp
Petr Šabata 81d24c
 .It Cm ChallengeResponseAuthentication
Petr Šabata 81d24c
 Specifies whether challenge-response authentication is allowed (e.g. via
Petr Šabata 81d24c
 PAM or through authentication styles supported in
Petr Šabata 81d24c
@@ -446,20 +446,25 @@ The default is
Petr Šabata 81d24c
 indicating not to
Petr Šabata 81d24c
 .Xr chroot 2 .
Petr Šabata 81d24c
 .It Cm Ciphers
Petr Šabata 81d24c
+The default is handled system-wide by
Petr Šabata 81d24c
+.Xr crypto-policies 7 .
Petr Šabata 81d24c
+To see the defaults and how to modify this default, see manual page
Petr Šabata 81d24c
+.Xr update-crypto-policies 8 .
Petr Šabata 81d24c
+.Pp
Petr Šabata 81d24c
 Specifies the ciphers allowed.
Petr Šabata 81d24c
 Multiple ciphers must be comma-separated.
Petr Šabata 81d24c
 If the specified list begins with a
Petr Šabata 81d24c
 .Sq +
Petr Šabata 81d24c
-character, then the specified ciphers will be appended to the default set
Petr Šabata 81d24c
-instead of replacing them.
Petr Šabata 81d24c
+character, then the specified ciphers will be appended to the built-in
Petr Šabata 81d24c
+openssh default set instead of replacing them.
Petr Šabata 81d24c
 If the specified list begins with a
Petr Šabata 81d24c
 .Sq -
Petr Šabata 81d24c
 character, then the specified ciphers (including wildcards) will be removed
Petr Šabata 81d24c
-from the default set instead of replacing them.
Petr Šabata 81d24c
+from the built-in openssh default set instead of replacing them.
Petr Šabata 81d24c
 If the specified list begins with a
Petr Šabata 81d24c
 .Sq ^
Petr Šabata 81d24c
 character, then the specified ciphers will be placed at the head of the
Petr Šabata 81d24c
-default set.
Petr Šabata 81d24c
+built-in openssh default set.
Petr Šabata 81d24c
 .Pp
Petr Šabata 81d24c
 The supported ciphers are:
Petr Šabata 81d24c
 .Pp
Petr Šabata 81d24c
@@ -486,13 +491,6 @@ aes256-gcm@openssh.com
Petr Šabata 81d24c
 chacha20-poly1305@openssh.com
Petr Šabata 81d24c
 .El
Petr Šabata 81d24c
 .Pp
Petr Šabata 81d24c
-The default is:
Petr Šabata 81d24c
-.Bd -literal -offset indent
Petr Šabata 81d24c
-chacha20-poly1305@openssh.com,
Petr Šabata 81d24c
-aes128-ctr,aes192-ctr,aes256-ctr,
Petr Šabata 81d24c
-aes128-gcm@openssh.com,aes256-gcm@openssh.com
Petr Šabata 81d24c
-.Ed
Petr Šabata 81d24c
-.Pp
Petr Šabata 81d24c
 The list of available ciphers may also be obtained using
Petr Šabata 81d24c
 .Qq ssh -Q cipher .
Petr Šabata 81d24c
 .It Cm ClientAliveCountMax
Petr Šabata 81d24c
@@ -681,22 +679,24 @@ For this to work
Petr Šabata 81d24c
 .Cm GSSAPIKeyExchange
Petr Šabata 81d24c
 needs to be enabled in the server and also used by the client.
Petr Šabata 81d24c
 .It Cm GSSAPIKexAlgorithms
Petr Šabata 81d24c
+The default is handled system-wide by
Petr Šabata 81d24c
+.Xr crypto-policies 7 .
Petr Šabata 81d24c
+To see the defaults and how to modify this default, see manual page
Petr Šabata 81d24c
+.Xr update-crypto-policies 8 .
Petr Šabata 81d24c
+.Pp
Petr Šabata 81d24c
 The list of key exchange algorithms that are accepted by GSSAPI
Petr Šabata 81d24c
 key exchange. Possible values are
Petr Šabata 81d24c
 .Bd -literal -offset 3n
Petr Šabata 81d24c
-gss-gex-sha1-,
Petr Šabata 81d24c
-gss-group1-sha1-,
Petr Šabata 81d24c
-gss-group14-sha1-,
Petr Šabata 81d24c
-gss-group14-sha256-,
Petr Šabata 81d24c
-gss-group16-sha512-,
Petr Šabata 81d24c
-gss-nistp256-sha256-,
Petr Šabata 81d24c
+gss-gex-sha1-
Petr Šabata 81d24c
+gss-group1-sha1-
Petr Šabata 81d24c
+gss-group14-sha1-
Petr Šabata 81d24c
+gss-group14-sha256-
Petr Šabata 81d24c
+gss-group16-sha512-
Petr Šabata 81d24c
+gss-nistp256-sha256-
Petr Šabata 81d24c
 gss-curve25519-sha256-
Petr Šabata 81d24c
 .Ed
Petr Šabata 81d24c
-.Pp
Petr Šabata 81d24c
-The default is
Petr Šabata 81d24c
-.Dq gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-,
Petr Šabata 81d24c
-gss-curve25519-sha256-,gss-group14-sha1-,gss-gex-sha1- .
Petr Šabata 81d24c
 This option only applies to connections using GSSAPI.
Petr Šabata 81d24c
+.Pp
Petr Šabata 81d24c
 .It Cm HostbasedAcceptedKeyTypes
Petr Šabata 81d24c
 Specifies the key types that will be accepted for hostbased authentication
Petr Šabata 81d24c
 as a list of comma-separated patterns.
Petr Šabata 81d24c
@@ -793,25 +793,13 @@ is specified, the location of the socket
Petr Šabata 81d24c
 .Ev SSH_AUTH_SOCK
Petr Šabata 81d24c
 environment variable.
Petr Šabata 81d24c
 .It Cm HostKeyAlgorithms
Petr Šabata 81d24c
+The default is handled system-wide by
Petr Šabata 81d24c
+.Xr crypto-policies 7 .
Petr Šabata 81d24c
+To see the defaults and how to modify this default, see manual page
Petr Šabata 81d24c
+.Xr update-crypto-policies 8 .
Petr Šabata 81d24c
+.Pp
Petr Šabata 81d24c
 Specifies the host key algorithms
Petr Šabata 81d24c
 that the server offers.
Petr Šabata 81d24c
-The default for this option is:
Petr Šabata 81d24c
-.Bd -literal -offset 3n
Petr Šabata 81d24c
-ecdsa-sha2-nistp256-cert-v01@openssh.com,
Petr Šabata 81d24c
-ecdsa-sha2-nistp384-cert-v01@openssh.com,
Petr Šabata 81d24c
-ecdsa-sha2-nistp521-cert-v01@openssh.com,
Petr Šabata 81d24c
-sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
Petr Šabata 81d24c
-ssh-ed25519-cert-v01@openssh.com,
Petr Šabata 81d24c
-sk-ssh-ed25519-cert-v01@openssh.com,
Petr Šabata 81d24c
-rsa-sha2-512-cert-v01@openssh.com,
Petr Šabata 81d24c
-rsa-sha2-256-cert-v01@openssh.com,
Petr Šabata 81d24c
-ssh-rsa-cert-v01@openssh.com,
Petr Šabata 81d24c
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
Petr Šabata 81d24c
-sk-ecdsa-sha2-nistp256@openssh.com,
Petr Šabata 81d24c
-ssh-ed25519,sk-ssh-ed25519@openssh.com,
Petr Šabata 81d24c
-rsa-sha2-512,rsa-sha2-256,ssh-rsa
Petr Šabata 81d24c
-.Ed
Petr Šabata 81d24c
-.Pp
Petr Šabata 81d24c
 The list of available key types may also be obtained using
Petr Šabata 81d24c
 .Qq ssh -Q HostKeyAlgorithms .
Petr Šabata 81d24c
 .It Cm IgnoreRhosts
Petr Šabata 81d24c
@@ -943,20 +931,25 @@ Specifies whether to look at .k5login fi
Petr Šabata 81d24c
 The default is
Petr Šabata 81d24c
 .Cm yes .
Petr Šabata 81d24c
 .It Cm KexAlgorithms
Petr Šabata 81d24c
+The default is handled system-wide by
Petr Šabata 81d24c
+.Xr crypto-policies 7 .
Petr Šabata 81d24c
+To see the defaults and how to modify this default, see manual page
Petr Šabata 81d24c
+.Xr update-crypto-policies 8 .
Petr Šabata 81d24c
+.Pp
Petr Šabata 81d24c
 Specifies the available KEX (Key Exchange) algorithms.
Petr Šabata 81d24c
 Multiple algorithms must be comma-separated.
Petr Šabata 81d24c
 Alternately if the specified list begins with a
Petr Šabata 81d24c
 .Sq +
Petr Šabata 81d24c
-character, then the specified methods will be appended to the default set
Petr Šabata 81d24c
-instead of replacing them.
Petr Šabata 81d24c
+character, then the specified methods will be appended to the built-in
Petr Šabata 81d24c
+openssh default set instead of replacing them.
Petr Šabata 81d24c
 If the specified list begins with a
Petr Šabata 81d24c
 .Sq -
Petr Šabata 81d24c
 character, then the specified methods (including wildcards) will be removed
Petr Šabata 81d24c
-from the default set instead of replacing them.
Petr Šabata 81d24c
+from the built-in openssh default set instead of replacing them.
Petr Šabata 81d24c
 If the specified list begins with a
Petr Šabata 81d24c
 .Sq ^
Petr Šabata 81d24c
 character, then the specified methods will be placed at the head of the
Petr Šabata 81d24c
-default set.
Petr Šabata 81d24c
+built-in openssh default set.
Petr Šabata 81d24c
 The supported algorithms are:
Petr Šabata 81d24c
 .Pp
Petr Šabata 81d24c
 .Bl -item -compact -offset indent
Petr Šabata 81d24c
@@ -988,15 +981,6 @@ ecdh-sha2-nistp521
Petr Šabata 81d24c
 sntrup4591761x25519-sha512@tinyssh.org
Petr Šabata 81d24c
 .El
Petr Šabata 81d24c
 .Pp
Petr Šabata 81d24c
-The default is:
Petr Šabata 81d24c
-.Bd -literal -offset indent
Petr Šabata 81d24c
-curve25519-sha256,curve25519-sha256@libssh.org,
Petr Šabata 81d24c
-ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
Petr Šabata 81d24c
-diffie-hellman-group-exchange-sha256,
Petr Šabata 81d24c
-diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,
Petr Šabata 81d24c
-diffie-hellman-group14-sha256
Petr Šabata 81d24c
-.Ed
Petr Šabata 81d24c
-.Pp
Petr Šabata 81d24c
 The list of available key exchange algorithms may also be obtained using
Petr Šabata 81d24c
 .Qq ssh -Q KexAlgorithms .
Petr Šabata 81d24c
 .It Cm ListenAddress
Petr Šabata 81d24c
@@ -1065,21 +1049,26 @@ DEBUG and DEBUG1 are equivalent.
Petr Šabata 81d24c
 DEBUG2 and DEBUG3 each specify higher levels of debugging output.
Petr Šabata 81d24c
 Logging with a DEBUG level violates the privacy of users and is not recommended.
Petr Šabata 81d24c
 .It Cm MACs
Petr Šabata 81d24c
+The default is handled system-wide by
Petr Šabata 81d24c
+.Xr crypto-policies 7 .
Petr Šabata 81d24c
+To see the defaults and how to modify this default, see manual page
Petr Šabata 81d24c
+.Xr update-crypto-policies 8 .
Petr Šabata 81d24c
+.Pp
Petr Šabata 81d24c
 Specifies the available MAC (message authentication code) algorithms.
Petr Šabata 81d24c
 The MAC algorithm is used for data integrity protection.
Petr Šabata 81d24c
 Multiple algorithms must be comma-separated.
Petr Šabata 81d24c
 If the specified list begins with a
Petr Šabata 81d24c
 .Sq +
Petr Šabata 81d24c
-character, then the specified algorithms will be appended to the default set
Petr Šabata 81d24c
-instead of replacing them.
Petr Šabata 81d24c
+character, then the specified algorithms will be appended to the built-in
Petr Šabata 81d24c
+openssh default set instead of replacing them.
Petr Šabata 81d24c
 If the specified list begins with a
Petr Šabata 81d24c
 .Sq -
Petr Šabata 81d24c
 character, then the specified algorithms (including wildcards) will be removed
Petr Šabata 81d24c
-from the default set instead of replacing them.
Petr Šabata 81d24c
+from the built-in openssh default set instead of replacing them.
Petr Šabata 81d24c
 If the specified list begins with a
Petr Šabata 81d24c
 .Sq ^
Petr Šabata 81d24c
 character, then the specified algorithms will be placed at the head of the
Petr Šabata 81d24c
-default set.
Petr Šabata 81d24c
+built-in openssh default set.
Petr Šabata 81d24c
 .Pp
Petr Šabata 81d24c
 The algorithms that contain
Petr Šabata 81d24c
 .Qq -etm
Petr Šabata 81d24c
@@ -1122,15 +1111,6 @@ umac-64-etm@openssh.com
Petr Šabata 81d24c
 umac-128-etm@openssh.com
Petr Šabata 81d24c
 .El
Petr Šabata 81d24c
 .Pp
Petr Šabata 81d24c
-The default is:
Petr Šabata 81d24c
-.Bd -literal -offset indent
Petr Šabata 81d24c
-umac-64-etm@openssh.com,umac-128-etm@openssh.com,
Petr Šabata 81d24c
-hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
Petr Šabata 81d24c
-hmac-sha1-etm@openssh.com,
Petr Šabata 81d24c
-umac-64@openssh.com,umac-128@openssh.com,
Petr Šabata 81d24c
-hmac-sha2-256,hmac-sha2-512,hmac-sha1
Petr Šabata 81d24c
-.Ed
Petr Šabata 81d24c
-.Pp
Petr Šabata 81d24c
 The list of available MAC algorithms may also be obtained using
Petr Šabata 81d24c
 .Qq ssh -Q mac .
Petr Šabata 81d24c
 .It Cm Match
Petr Šabata 81d24c
@@ -1480,36 +1460,25 @@ or equivalent.)
Petr Šabata 81d24c
 The default is
Petr Šabata 81d24c
 .Cm yes .
Petr Šabata 81d24c
 .It Cm PubkeyAcceptedKeyTypes
Petr Šabata 81d24c
+The default is handled system-wide by
Petr Šabata 81d24c
+.Xr crypto-policies 7 .
Petr Šabata 81d24c
+To see the defaults and how to modify this default, see manual page
Petr Šabata 81d24c
+.Xr update-crypto-policies 8 .
Petr Šabata 81d24c
+.Pp
Petr Šabata 81d24c
 Specifies the key types that will be accepted for public key authentication
Petr Šabata 81d24c
 as a list of comma-separated patterns.
Petr Šabata 81d24c
 Alternately if the specified list begins with a
Petr Šabata 81d24c
 .Sq +
Petr Šabata 81d24c
-character, then the specified key types will be appended to the default set
Petr Šabata 81d24c
-instead of replacing them.
Petr Šabata 81d24c
+character, then the specified key types will be appended to the built-in
Petr Šabata 81d24c
+openssh default set instead of replacing them.
Petr Šabata 81d24c
 If the specified list begins with a
Petr Šabata 81d24c
 .Sq -
Petr Šabata 81d24c
 character, then the specified key types (including wildcards) will be removed
Petr Šabata 81d24c
-from the default set instead of replacing them.
Petr Šabata 81d24c
+from the built-in openssh default set instead of replacing them.
Petr Šabata 81d24c
 If the specified list begins with a
Petr Šabata 81d24c
 .Sq ^
Petr Šabata 81d24c
 character, then the specified key types will be placed at the head of the
Petr Šabata 81d24c
-default set.
Petr Šabata 81d24c
-The default for this option is:
Petr Šabata 81d24c
-.Bd -literal -offset 3n
Petr Šabata 81d24c
-ecdsa-sha2-nistp256-cert-v01@openssh.com,
Petr Šabata 81d24c
-ecdsa-sha2-nistp384-cert-v01@openssh.com,
Petr Šabata 81d24c
-ecdsa-sha2-nistp521-cert-v01@openssh.com,
Petr Šabata 81d24c
-sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
Petr Šabata 81d24c
-ssh-ed25519-cert-v01@openssh.com,
Petr Šabata 81d24c
-sk-ssh-ed25519-cert-v01@openssh.com,
Petr Šabata 81d24c
-rsa-sha2-512-cert-v01@openssh.com,
Petr Šabata 81d24c
-rsa-sha2-256-cert-v01@openssh.com,
Petr Šabata 81d24c
-ssh-rsa-cert-v01@openssh.com,
Petr Šabata 81d24c
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
Petr Šabata 81d24c
-sk-ecdsa-sha2-nistp256@openssh.com,
Petr Šabata 81d24c
-ssh-ed25519,sk-ssh-ed25519@openssh.com,
Petr Šabata 81d24c
-rsa-sha2-512,rsa-sha2-256,ssh-rsa
Petr Šabata 81d24c
-.Ed
Petr Šabata 81d24c
+built-in openssh default set.
Petr Šabata 81d24c
 .Pp
Petr Šabata 81d24c
 The list of available key types may also be obtained using
Petr Šabata 81d24c
 .Qq ssh -Q PubkeyAcceptedKeyTypes .