|
|
5dbb6f |
diff -up openssh-8.7p1/ssh_config.5.crypto-policies openssh-8.7p1/ssh_config.5
|
|
|
5dbb6f |
--- openssh-8.7p1/ssh_config.5.crypto-policies 2021-08-30 13:29:00.174292872 +0200
|
|
|
5dbb6f |
+++ openssh-8.7p1/ssh_config.5 2021-08-30 13:31:32.009548808 +0200
|
|
|
5dbb6f |
@@ -373,17 +373,13 @@ or
|
|
|
943807 |
.Qq *.c.example.com
|
|
|
943807 |
domains.
|
|
|
943807 |
.It Cm CASignatureAlgorithms
|
|
|
943807 |
+The default is handled system-wide by
|
|
|
943807 |
+.Xr crypto-policies 7 .
|
|
|
943807 |
+To see the defaults and how to modify this default, see manual page
|
|
|
943807 |
+.Xr update-crypto-policies 8 .
|
|
|
943807 |
+.Pp
|
|
|
943807 |
Specifies which algorithms are allowed for signing of certificates
|
|
|
943807 |
by certificate authorities (CAs).
|
|
|
943807 |
-The default is:
|
|
|
943807 |
-.Bd -literal -offset indent
|
|
|
5dbb6f |
-ssh-ed25519,ecdsa-sha2-nistp256,
|
|
|
5dbb6f |
-ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
|
|
|
5dbb6f |
-sk-ssh-ed25519@openssh.com,
|
|
|
5dbb6f |
-sk-ecdsa-sha2-nistp256@openssh.com,
|
|
|
943807 |
-rsa-sha2-512,rsa-sha2-256
|
|
|
943807 |
-.Ed
|
|
|
943807 |
-.Pp
|
|
|
5dbb6f |
If the specified list begins with a
|
|
|
5dbb6f |
.Sq +
|
|
|
5dbb6f |
character, then the specified algorithms will be appended to the default set
|
|
|
5dbb6f |
@@ -445,20 +441,25 @@ If the option is set to
|
|
|
943807 |
(the default),
|
|
|
943807 |
the check will not be executed.
|
|
|
943807 |
.It Cm Ciphers
|
|
|
943807 |
+The default is handled system-wide by
|
|
|
943807 |
+.Xr crypto-policies 7 .
|
|
|
943807 |
+To see the defaults and how to modify this default, see manual page
|
|
|
943807 |
+.Xr update-crypto-policies 8 .
|
|
|
943807 |
+.Pp
|
|
|
943807 |
Specifies the ciphers allowed and their order of preference.
|
|
|
943807 |
Multiple ciphers must be comma-separated.
|
|
|
943807 |
If the specified list begins with a
|
|
|
943807 |
.Sq +
|
|
|
943807 |
-character, then the specified ciphers will be appended to the default set
|
|
|
943807 |
-instead of replacing them.
|
|
|
943807 |
+character, then the specified ciphers will be appended to the built-in
|
|
|
943807 |
+openssh default set instead of replacing them.
|
|
|
943807 |
If the specified list begins with a
|
|
|
943807 |
.Sq -
|
|
|
943807 |
character, then the specified ciphers (including wildcards) will be removed
|
|
|
943807 |
-from the default set instead of replacing them.
|
|
|
943807 |
+from the built-in openssh default set instead of replacing them.
|
|
|
943807 |
If the specified list begins with a
|
|
|
943807 |
.Sq ^
|
|
|
943807 |
character, then the specified ciphers will be placed at the head of the
|
|
|
943807 |
-default set.
|
|
|
943807 |
+built-in openssh default set.
|
|
|
943807 |
.Pp
|
|
|
943807 |
The supported ciphers are:
|
|
|
943807 |
.Bd -literal -offset indent
|
|
|
5dbb6f |
@@ -474,13 +475,6 @@ aes256-gcm@openssh.com
|
|
|
943807 |
chacha20-poly1305@openssh.com
|
|
|
943807 |
.Ed
|
|
|
943807 |
.Pp
|
|
|
943807 |
-The default is:
|
|
|
943807 |
-.Bd -literal -offset indent
|
|
|
943807 |
-chacha20-poly1305@openssh.com,
|
|
|
943807 |
-aes128-ctr,aes192-ctr,aes256-ctr,
|
|
|
943807 |
-aes128-gcm@openssh.com,aes256-gcm@openssh.com
|
|
|
943807 |
-.Ed
|
|
|
943807 |
-.Pp
|
|
|
943807 |
The list of available ciphers may also be obtained using
|
|
|
943807 |
.Qq ssh -Q cipher .
|
|
|
943807 |
.It Cm ClearAllForwardings
|
|
|
5dbb6f |
@@ -874,6 +868,11 @@ command line will be passed untouched to
|
|
|
943807 |
The default is
|
|
|
943807 |
.Dq no .
|
|
|
943807 |
.It Cm GSSAPIKexAlgorithms
|
|
|
943807 |
+The default is handled system-wide by
|
|
|
943807 |
+.Xr crypto-policies 7 .
|
|
|
943807 |
+To see the defaults and how to modify this default, see manual page
|
|
|
943807 |
+.Xr update-crypto-policies 8 .
|
|
|
943807 |
+.Pp
|
|
|
943807 |
The list of key exchange algorithms that are offered for GSSAPI
|
|
|
943807 |
key exchange. Possible values are
|
|
|
943807 |
.Bd -literal -offset 3n
|
|
|
5dbb6f |
@@ -886,10 +885,8 @@ gss-nistp256-sha256-,
|
|
|
943807 |
gss-curve25519-sha256-
|
|
|
943807 |
.Ed
|
|
|
943807 |
.Pp
|
|
|
943807 |
-The default is
|
|
|
943807 |
-.Dq gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-,
|
|
|
943807 |
-gss-curve25519-sha256-,gss-group14-sha1-,gss-gex-sha1- .
|
|
|
943807 |
This option only applies to connections using GSSAPI.
|
|
|
943807 |
+.Pp
|
|
|
943807 |
.It Cm HashKnownHosts
|
|
|
943807 |
Indicates that
|
|
|
943807 |
.Xr ssh 1
|
|
|
5dbb6f |
@@ -1219,29 +1216,25 @@ it may be zero or more of:
|
|
|
943807 |
and
|
|
|
943807 |
.Cm pam .
|
|
|
943807 |
.It Cm KexAlgorithms
|
|
|
943807 |
+The default is handled system-wide by
|
|
|
943807 |
+.Xr crypto-policies 7 .
|
|
|
943807 |
+To see the defaults and how to modify this default, see manual page
|
|
|
943807 |
+.Xr update-crypto-policies 8 .
|
|
|
943807 |
+.Pp
|
|
|
943807 |
Specifies the available KEX (Key Exchange) algorithms.
|
|
|
943807 |
Multiple algorithms must be comma-separated.
|
|
|
943807 |
If the specified list begins with a
|
|
|
943807 |
.Sq +
|
|
|
943807 |
-character, then the specified methods will be appended to the default set
|
|
|
943807 |
-instead of replacing them.
|
|
|
943807 |
+character, then the specified methods will be appended to the built-in
|
|
|
943807 |
+openssh default set instead of replacing them.
|
|
|
943807 |
If the specified list begins with a
|
|
|
943807 |
.Sq -
|
|
|
943807 |
character, then the specified methods (including wildcards) will be removed
|
|
|
943807 |
-from the default set instead of replacing them.
|
|
|
943807 |
+from the built-in openssh default set instead of replacing them.
|
|
|
943807 |
If the specified list begins with a
|
|
|
943807 |
.Sq ^
|
|
|
943807 |
character, then the specified methods will be placed at the head of the
|
|
|
943807 |
-default set.
|
|
|
943807 |
-The default is:
|
|
|
943807 |
-.Bd -literal -offset indent
|
|
|
943807 |
-curve25519-sha256,curve25519-sha256@libssh.org,
|
|
|
943807 |
-ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
|
|
|
943807 |
-diffie-hellman-group-exchange-sha256,
|
|
|
943807 |
-diffie-hellman-group16-sha512,
|
|
|
943807 |
-diffie-hellman-group18-sha512,
|
|
|
943807 |
-diffie-hellman-group14-sha256
|
|
|
943807 |
-.Ed
|
|
|
943807 |
+built-in openssh default set.
|
|
|
943807 |
.Pp
|
|
|
943807 |
The list of available key exchange algorithms may also be obtained using
|
|
|
943807 |
.Qq ssh -Q kex .
|
|
|
5dbb6f |
@@ -1351,37 +1344,33 @@ function, and all code in the
|
|
|
943807 |
file.
|
|
|
943807 |
This option is intended for debugging and no overrides are enabled by default.
|
|
|
943807 |
.It Cm MACs
|
|
|
943807 |
+The default is handled system-wide by
|
|
|
943807 |
+.Xr crypto-policies 7 .
|
|
|
943807 |
+To see the defaults and how to modify this default, see manual page
|
|
|
943807 |
+.Xr update-crypto-policies 8 .
|
|
|
943807 |
+.Pp
|
|
|
943807 |
Specifies the MAC (message authentication code) algorithms
|
|
|
943807 |
in order of preference.
|
|
|
943807 |
The MAC algorithm is used for data integrity protection.
|
|
|
943807 |
Multiple algorithms must be comma-separated.
|
|
|
943807 |
If the specified list begins with a
|
|
|
943807 |
.Sq +
|
|
|
943807 |
-character, then the specified algorithms will be appended to the default set
|
|
|
943807 |
-instead of replacing them.
|
|
|
943807 |
+character, then the specified algorithms will be appended to the built-in
|
|
|
943807 |
+openssh default set instead of replacing them.
|
|
|
943807 |
If the specified list begins with a
|
|
|
943807 |
.Sq -
|
|
|
943807 |
character, then the specified algorithms (including wildcards) will be removed
|
|
|
943807 |
-from the default set instead of replacing them.
|
|
|
943807 |
+from the built-in openssh default set instead of replacing them.
|
|
|
943807 |
If the specified list begins with a
|
|
|
943807 |
.Sq ^
|
|
|
943807 |
character, then the specified algorithms will be placed at the head of the
|
|
|
943807 |
-default set.
|
|
|
943807 |
+built-in openssh default set.
|
|
|
943807 |
.Pp
|
|
|
943807 |
The algorithms that contain
|
|
|
943807 |
.Qq -etm
|
|
|
943807 |
calculate the MAC after encryption (encrypt-then-mac).
|
|
|
943807 |
These are considered safer and their use recommended.
|
|
|
943807 |
.Pp
|
|
|
943807 |
-The default is:
|
|
|
943807 |
-.Bd -literal -offset indent
|
|
|
943807 |
-umac-64-etm@openssh.com,umac-128-etm@openssh.com,
|
|
|
943807 |
-hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
|
|
|
943807 |
-hmac-sha1-etm@openssh.com,
|
|
|
943807 |
-umac-64@openssh.com,umac-128@openssh.com,
|
|
|
943807 |
-hmac-sha2-256,hmac-sha2-512,hmac-sha1
|
|
|
943807 |
-.Ed
|
|
|
943807 |
-.Pp
|
|
|
943807 |
The list of available MAC algorithms may also be obtained using
|
|
|
943807 |
.Qq ssh -Q mac .
|
|
|
943807 |
.It Cm NoHostAuthenticationForLocalhost
|
|
|
5dbb6f |
@@ -1553,37 +1542,25 @@ instead of continuing to execute and pas
|
|
|
943807 |
The default is
|
|
|
943807 |
.Cm no .
|
|
|
943807 |
.It Cm PubkeyAcceptedAlgorithms
|
|
|
943807 |
+The default is handled system-wide by
|
|
|
943807 |
+.Xr crypto-policies 7 .
|
|
|
943807 |
+To see the defaults and how to modify this default, see manual page
|
|
|
943807 |
+.Xr update-crypto-policies 8 .
|
|
|
943807 |
+.Pp
|
|
|
943807 |
Specifies the signature algorithms that will be used for public key
|
|
|
943807 |
authentication as a comma-separated list of patterns.
|
|
|
943807 |
If the specified list begins with a
|
|
|
943807 |
.Sq +
|
|
|
943807 |
-character, then the algorithms after it will be appended to the default
|
|
|
943807 |
-instead of replacing it.
|
|
|
943807 |
+character, then the algorithms after it will be appended to the built-in
|
|
|
943807 |
+openssh default instead of replacing it.
|
|
|
943807 |
If the specified list begins with a
|
|
|
943807 |
.Sq -
|
|
|
943807 |
character, then the specified algorithms (including wildcards) will be removed
|
|
|
943807 |
-from the default set instead of replacing them.
|
|
|
943807 |
+from the built-in openssh default set instead of replacing them.
|
|
|
943807 |
If the specified list begins with a
|
|
|
943807 |
.Sq ^
|
|
|
943807 |
character, then the specified algorithms will be placed at the head of the
|
|
|
943807 |
-default set.
|
|
|
943807 |
-The default for this option is:
|
|
|
943807 |
-.Bd -literal -offset 3n
|
|
|
943807 |
-ssh-ed25519-cert-v01@openssh.com,
|
|
|
943807 |
-ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
|
|
943807 |
-ecdsa-sha2-nistp384-cert-v01@openssh.com,
|
|
|
943807 |
-ecdsa-sha2-nistp521-cert-v01@openssh.com,
|
|
|
943807 |
-sk-ssh-ed25519-cert-v01@openssh.com,
|
|
|
943807 |
-sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
|
|
943807 |
-rsa-sha2-512-cert-v01@openssh.com,
|
|
|
943807 |
-rsa-sha2-256-cert-v01@openssh.com,
|
|
|
943807 |
-ssh-rsa-cert-v01@openssh.com,
|
|
|
943807 |
-ssh-ed25519,
|
|
|
943807 |
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
|
|
|
943807 |
-sk-ssh-ed25519@openssh.com,
|
|
|
943807 |
-sk-ecdsa-sha2-nistp256@openssh.com,
|
|
|
943807 |
-rsa-sha2-512,rsa-sha2-256,ssh-rsa
|
|
|
943807 |
-.Ed
|
|
|
943807 |
+built-in openssh default set.
|
|
|
943807 |
.Pp
|
|
|
943807 |
The list of available signature algorithms may also be obtained using
|
|
|
943807 |
.Qq ssh -Q PubkeyAcceptedAlgorithms .
|
|
|
5dbb6f |
diff -up openssh-8.7p1/sshd_config.5.crypto-policies openssh-8.7p1/sshd_config.5
|
|
|
5dbb6f |
--- openssh-8.7p1/sshd_config.5.crypto-policies 2021-08-30 13:29:00.157292731 +0200
|
|
|
5dbb6f |
+++ openssh-8.7p1/sshd_config.5 2021-08-30 13:32:16.263918533 +0200
|
|
|
5dbb6f |
@@ -373,17 +373,13 @@ If the argument is
|
|
|
943807 |
then no banner is displayed.
|
|
|
943807 |
By default, no banner is displayed.
|
|
|
943807 |
.It Cm CASignatureAlgorithms
|
|
|
943807 |
+The default is handled system-wide by
|
|
|
943807 |
+.Xr crypto-policies 7 .
|
|
|
943807 |
+To see the defaults and how to modify this default, see manual page
|
|
|
943807 |
+.Xr update-crypto-policies 8 .
|
|
|
943807 |
+.Pp
|
|
|
943807 |
Specifies which algorithms are allowed for signing of certificates
|
|
|
943807 |
by certificate authorities (CAs).
|
|
|
943807 |
-The default is:
|
|
|
943807 |
-.Bd -literal -offset indent
|
|
|
5dbb6f |
-ssh-ed25519,ecdsa-sha2-nistp256,
|
|
|
5dbb6f |
-ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
|
|
|
5dbb6f |
-sk-ssh-ed25519@openssh.com,
|
|
|
5dbb6f |
-sk-ecdsa-sha2-nistp256@openssh.com,
|
|
|
943807 |
-rsa-sha2-512,rsa-sha2-256
|
|
|
943807 |
-.Ed
|
|
|
943807 |
-.Pp
|
|
|
5dbb6f |
If the specified list begins with a
|
|
|
5dbb6f |
.Sq +
|
|
|
5dbb6f |
character, then the specified algorithms will be appended to the default set
|
|
|
5dbb6f |
@@ -450,20 +446,25 @@ The default is
|
|
|
943807 |
indicating not to
|
|
|
943807 |
.Xr chroot 2 .
|
|
|
943807 |
.It Cm Ciphers
|
|
|
943807 |
+The default is handled system-wide by
|
|
|
943807 |
+.Xr crypto-policies 7 .
|
|
|
943807 |
+To see the defaults and how to modify this default, see manual page
|
|
|
943807 |
+.Xr update-crypto-policies 8 .
|
|
|
943807 |
+.Pp
|
|
|
943807 |
Specifies the ciphers allowed.
|
|
|
943807 |
Multiple ciphers must be comma-separated.
|
|
|
943807 |
If the specified list begins with a
|
|
|
943807 |
.Sq +
|
|
|
943807 |
-character, then the specified ciphers will be appended to the default set
|
|
|
943807 |
-instead of replacing them.
|
|
|
943807 |
+character, then the specified ciphers will be appended to the built-in
|
|
|
943807 |
+openssh default set instead of replacing them.
|
|
|
943807 |
If the specified list begins with a
|
|
|
943807 |
.Sq -
|
|
|
943807 |
character, then the specified ciphers (including wildcards) will be removed
|
|
|
943807 |
-from the default set instead of replacing them.
|
|
|
943807 |
+from the built-in openssh default set instead of replacing them.
|
|
|
943807 |
If the specified list begins with a
|
|
|
943807 |
.Sq ^
|
|
|
943807 |
character, then the specified ciphers will be placed at the head of the
|
|
|
943807 |
-default set.
|
|
|
943807 |
+built-in openssh default set.
|
|
|
943807 |
.Pp
|
|
|
943807 |
The supported ciphers are:
|
|
|
943807 |
.Pp
|
|
|
5dbb6f |
@@ -490,13 +491,6 @@ aes256-gcm@openssh.com
|
|
|
943807 |
chacha20-poly1305@openssh.com
|
|
|
943807 |
.El
|
|
|
943807 |
.Pp
|
|
|
943807 |
-The default is:
|
|
|
943807 |
-.Bd -literal -offset indent
|
|
|
943807 |
-chacha20-poly1305@openssh.com,
|
|
|
943807 |
-aes128-ctr,aes192-ctr,aes256-ctr,
|
|
|
943807 |
-aes128-gcm@openssh.com,aes256-gcm@openssh.com
|
|
|
943807 |
-.Ed
|
|
|
943807 |
-.Pp
|
|
|
943807 |
The list of available ciphers may also be obtained using
|
|
|
943807 |
.Qq ssh -Q cipher .
|
|
|
943807 |
.It Cm ClientAliveCountMax
|
|
|
5dbb6f |
@@ -685,21 +679,22 @@ For this to work
|
|
|
943807 |
.Cm GSSAPIKeyExchange
|
|
|
943807 |
needs to be enabled in the server and also used by the client.
|
|
|
943807 |
.It Cm GSSAPIKexAlgorithms
|
|
|
943807 |
+The default is handled system-wide by
|
|
|
943807 |
+.Xr crypto-policies 7 .
|
|
|
943807 |
+To see the defaults and how to modify this default, see manual page
|
|
|
943807 |
+.Xr update-crypto-policies 8 .
|
|
|
943807 |
+.Pp
|
|
|
943807 |
The list of key exchange algorithms that are accepted by GSSAPI
|
|
|
943807 |
key exchange. Possible values are
|
|
|
943807 |
.Bd -literal -offset 3n
|
|
|
943807 |
-gss-gex-sha1-,
|
|
|
943807 |
-gss-group1-sha1-,
|
|
|
943807 |
-gss-group14-sha1-,
|
|
|
943807 |
-gss-group14-sha256-,
|
|
|
943807 |
-gss-group16-sha512-,
|
|
|
943807 |
-gss-nistp256-sha256-,
|
|
|
943807 |
+gss-gex-sha1-
|
|
|
943807 |
+gss-group1-sha1-
|
|
|
943807 |
+gss-group14-sha1-
|
|
|
943807 |
+gss-group14-sha256-
|
|
|
943807 |
+gss-group16-sha512-
|
|
|
943807 |
+gss-nistp256-sha256-
|
|
|
943807 |
gss-curve25519-sha256-
|
|
|
943807 |
.Ed
|
|
|
943807 |
-.Pp
|
|
|
943807 |
-The default is
|
|
|
943807 |
-.Dq gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-,
|
|
|
943807 |
-gss-curve25519-sha256-,gss-group14-sha1-,gss-gex-sha1- .
|
|
|
943807 |
This option only applies to connections using GSSAPI.
|
|
|
943807 |
.It Cm HostbasedAcceptedAlgorithms
|
|
|
943807 |
Specifies the signature algorithms that will be accepted for hostbased
|
|
|
5dbb6f |
@@ -799,26 +794,13 @@ is specified, the location of the socket
|
|
|
943807 |
.Ev SSH_AUTH_SOCK
|
|
|
943807 |
environment variable.
|
|
|
943807 |
.It Cm HostKeyAlgorithms
|
|
|
943807 |
+The default is handled system-wide by
|
|
|
943807 |
+.Xr crypto-policies 7 .
|
|
|
943807 |
+To see the defaults and how to modify this default, see manual page
|
|
|
943807 |
+.Xr update-crypto-policies 8 .
|
|
|
943807 |
+.Pp
|
|
|
943807 |
Specifies the host key signature algorithms
|
|
|
943807 |
that the server offers.
|
|
|
943807 |
-The default for this option is:
|
|
|
943807 |
-.Bd -literal -offset 3n
|
|
|
943807 |
-ssh-ed25519-cert-v01@openssh.com,
|
|
|
943807 |
-ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
|
|
943807 |
-ecdsa-sha2-nistp384-cert-v01@openssh.com,
|
|
|
943807 |
-ecdsa-sha2-nistp521-cert-v01@openssh.com,
|
|
|
943807 |
-sk-ssh-ed25519-cert-v01@openssh.com,
|
|
|
943807 |
-sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
|
|
943807 |
-rsa-sha2-512-cert-v01@openssh.com,
|
|
|
943807 |
-rsa-sha2-256-cert-v01@openssh.com,
|
|
|
943807 |
-ssh-rsa-cert-v01@openssh.com,
|
|
|
943807 |
-ssh-ed25519,
|
|
|
943807 |
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
|
|
|
943807 |
-sk-ssh-ed25519@openssh.com,
|
|
|
943807 |
-sk-ecdsa-sha2-nistp256@openssh.com,
|
|
|
943807 |
-rsa-sha2-512,rsa-sha2-256,ssh-rsa
|
|
|
943807 |
-.Ed
|
|
|
943807 |
-.Pp
|
|
|
943807 |
The list of available signature algorithms may also be obtained using
|
|
|
943807 |
.Qq ssh -Q HostKeyAlgorithms .
|
|
|
943807 |
.It Cm IgnoreRhosts
|
|
|
5dbb6f |
@@ -965,20 +947,25 @@ Specifies whether to look at .k5login fi
|
|
|
943807 |
The default is
|
|
|
943807 |
.Cm yes .
|
|
|
943807 |
.It Cm KexAlgorithms
|
|
|
943807 |
+The default is handled system-wide by
|
|
|
943807 |
+.Xr crypto-policies 7 .
|
|
|
943807 |
+To see the defaults and how to modify this default, see manual page
|
|
|
943807 |
+.Xr update-crypto-policies 8 .
|
|
|
943807 |
+.Pp
|
|
|
943807 |
Specifies the available KEX (Key Exchange) algorithms.
|
|
|
943807 |
Multiple algorithms must be comma-separated.
|
|
|
943807 |
Alternately if the specified list begins with a
|
|
|
943807 |
.Sq +
|
|
|
943807 |
-character, then the specified methods will be appended to the default set
|
|
|
943807 |
-instead of replacing them.
|
|
|
943807 |
+character, then the specified methods will be appended to the built-in
|
|
|
943807 |
+openssh default set instead of replacing them.
|
|
|
943807 |
If the specified list begins with a
|
|
|
943807 |
.Sq -
|
|
|
943807 |
character, then the specified methods (including wildcards) will be removed
|
|
|
943807 |
-from the default set instead of replacing them.
|
|
|
943807 |
+from the built-in openssh default set instead of replacing them.
|
|
|
943807 |
If the specified list begins with a
|
|
|
943807 |
.Sq ^
|
|
|
943807 |
character, then the specified methods will be placed at the head of the
|
|
|
943807 |
-default set.
|
|
|
943807 |
+built-in openssh default set.
|
|
|
943807 |
The supported algorithms are:
|
|
|
943807 |
.Pp
|
|
|
943807 |
.Bl -item -compact -offset indent
|
|
|
5dbb6f |
@@ -1010,15 +997,6 @@ ecdh-sha2-nistp521
|
|
|
943807 |
sntrup761x25519-sha512@openssh.com
|
|
|
943807 |
.El
|
|
|
943807 |
.Pp
|
|
|
943807 |
-The default is:
|
|
|
943807 |
-.Bd -literal -offset indent
|
|
|
943807 |
-curve25519-sha256,curve25519-sha256@libssh.org,
|
|
|
943807 |
-ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
|
|
|
943807 |
-diffie-hellman-group-exchange-sha256,
|
|
|
943807 |
-diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,
|
|
|
943807 |
-diffie-hellman-group14-sha256
|
|
|
943807 |
-.Ed
|
|
|
943807 |
-.Pp
|
|
|
943807 |
The list of available key exchange algorithms may also be obtained using
|
|
|
943807 |
.Qq ssh -Q KexAlgorithms .
|
|
|
943807 |
.It Cm ListenAddress
|
|
|
5dbb6f |
@@ -1104,21 +1082,26 @@ function, and all code in the
|
|
|
943807 |
file.
|
|
|
943807 |
This option is intended for debugging and no overrides are enabled by default.
|
|
|
943807 |
.It Cm MACs
|
|
|
943807 |
+The default is handled system-wide by
|
|
|
943807 |
+.Xr crypto-policies 7 .
|
|
|
943807 |
+To see the defaults and how to modify this default, see manual page
|
|
|
943807 |
+.Xr update-crypto-policies 8 .
|
|
|
943807 |
+.Pp
|
|
|
943807 |
Specifies the available MAC (message authentication code) algorithms.
|
|
|
943807 |
The MAC algorithm is used for data integrity protection.
|
|
|
943807 |
Multiple algorithms must be comma-separated.
|
|
|
943807 |
If the specified list begins with a
|
|
|
943807 |
.Sq +
|
|
|
943807 |
-character, then the specified algorithms will be appended to the default set
|
|
|
943807 |
-instead of replacing them.
|
|
|
943807 |
+character, then the specified algorithms will be appended to the built-in
|
|
|
943807 |
+openssh default set instead of replacing them.
|
|
|
943807 |
If the specified list begins with a
|
|
|
943807 |
.Sq -
|
|
|
943807 |
character, then the specified algorithms (including wildcards) will be removed
|
|
|
943807 |
-from the default set instead of replacing them.
|
|
|
943807 |
+from the built-in openssh default set instead of replacing them.
|
|
|
943807 |
If the specified list begins with a
|
|
|
943807 |
.Sq ^
|
|
|
943807 |
character, then the specified algorithms will be placed at the head of the
|
|
|
943807 |
-default set.
|
|
|
943807 |
+built-in openssh default set.
|
|
|
943807 |
.Pp
|
|
|
943807 |
The algorithms that contain
|
|
|
943807 |
.Qq -etm
|
|
|
5dbb6f |
@@ -1161,15 +1144,6 @@ umac-64-etm@openssh.com
|
|
|
943807 |
umac-128-etm@openssh.com
|
|
|
943807 |
.El
|
|
|
943807 |
.Pp
|
|
|
943807 |
-The default is:
|
|
|
943807 |
-.Bd -literal -offset indent
|
|
|
943807 |
-umac-64-etm@openssh.com,umac-128-etm@openssh.com,
|
|
|
943807 |
-hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
|
|
|
943807 |
-hmac-sha1-etm@openssh.com,
|
|
|
943807 |
-umac-64@openssh.com,umac-128@openssh.com,
|
|
|
943807 |
-hmac-sha2-256,hmac-sha2-512,hmac-sha1
|
|
|
943807 |
-.Ed
|
|
|
943807 |
-.Pp
|
|
|
943807 |
The list of available MAC algorithms may also be obtained using
|
|
|
943807 |
.Qq ssh -Q mac .
|
|
|
943807 |
.It Cm Match
|
|
|
5dbb6f |
@@ -1548,37 +1522,25 @@ or equivalent.)
|
|
|
943807 |
The default is
|
|
|
943807 |
.Cm yes .
|
|
|
943807 |
.It Cm PubkeyAcceptedAlgorithms
|
|
|
943807 |
+The default is handled system-wide by
|
|
|
943807 |
+.Xr crypto-policies 7 .
|
|
|
943807 |
+To see the defaults and how to modify this default, see manual page
|
|
|
943807 |
+.Xr update-crypto-policies 8 .
|
|
|
943807 |
+.Pp
|
|
|
943807 |
Specifies the signature algorithms that will be accepted for public key
|
|
|
943807 |
authentication as a list of comma-separated patterns.
|
|
|
943807 |
Alternately if the specified list begins with a
|
|
|
943807 |
.Sq +
|
|
|
943807 |
-character, then the specified algorithms will be appended to the default set
|
|
|
943807 |
-instead of replacing them.
|
|
|
943807 |
+character, then the specified algorithms will be appended to the built-in
|
|
|
943807 |
+openssh default set instead of replacing them.
|
|
|
943807 |
If the specified list begins with a
|
|
|
943807 |
.Sq -
|
|
|
943807 |
character, then the specified algorithms (including wildcards) will be removed
|
|
|
943807 |
-from the default set instead of replacing them.
|
|
|
943807 |
+from the built-in openssh default set instead of replacing them.
|
|
|
943807 |
If the specified list begins with a
|
|
|
943807 |
.Sq ^
|
|
|
943807 |
character, then the specified algorithms will be placed at the head of the
|
|
|
943807 |
-default set.
|
|
|
943807 |
-The default for this option is:
|
|
|
943807 |
-.Bd -literal -offset 3n
|
|
|
943807 |
-ssh-ed25519-cert-v01@openssh.com,
|
|
|
943807 |
-ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
|
|
943807 |
-ecdsa-sha2-nistp384-cert-v01@openssh.com,
|
|
|
943807 |
-ecdsa-sha2-nistp521-cert-v01@openssh.com,
|
|
|
943807 |
-sk-ssh-ed25519-cert-v01@openssh.com,
|
|
|
943807 |
-sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
|
|
943807 |
-rsa-sha2-512-cert-v01@openssh.com,
|
|
|
943807 |
-rsa-sha2-256-cert-v01@openssh.com,
|
|
|
943807 |
-ssh-rsa-cert-v01@openssh.com,
|
|
|
943807 |
-ssh-ed25519,
|
|
|
943807 |
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
|
|
|
943807 |
-sk-ssh-ed25519@openssh.com,
|
|
|
943807 |
-sk-ecdsa-sha2-nistp256@openssh.com,
|
|
|
943807 |
-rsa-sha2-512,rsa-sha2-256,ssh-rsa
|
|
|
943807 |
-.Ed
|
|
|
943807 |
+built-in openssh default set.
|
|
|
943807 |
.Pp
|
|
|
943807 |
The list of available signature algorithms may also be obtained using
|
|
|
943807 |
.Qq ssh -Q PubkeyAcceptedAlgorithms .
|