Dmitry Belyavskiy f9e5de
diff -up openssh-8.7p1/ssh_config.5.crypto-policies openssh-8.7p1/ssh_config.5
Dmitry Belyavskiy f9e5de
--- openssh-8.7p1/ssh_config.5.crypto-policies	2021-08-30 13:29:00.174292872 +0200
Dmitry Belyavskiy f9e5de
+++ openssh-8.7p1/ssh_config.5	2021-08-30 13:31:32.009548808 +0200
Dmitry Belyavskiy f9e5de
@@ -373,17 +373,13 @@ or
Petr Šabata 81d24c
 .Qq *.c.example.com
Petr Šabata 81d24c
 domains.
Petr Šabata 81d24c
 .It Cm CASignatureAlgorithms
Petr Šabata 81d24c
+The default is handled system-wide by
Petr Šabata 81d24c
+.Xr crypto-policies 7 .
Petr Šabata 81d24c
+To see the defaults and how to modify this default, see manual page
Petr Šabata 81d24c
+.Xr update-crypto-policies 8 .
Petr Šabata 81d24c
+.Pp
Petr Šabata 81d24c
 Specifies which algorithms are allowed for signing of certificates
Petr Šabata 81d24c
 by certificate authorities (CAs).
Petr Šabata 81d24c
-The default is:
Petr Šabata 81d24c
-.Bd -literal -offset indent
Dmitry Belyavskiy f9e5de
-ssh-ed25519,ecdsa-sha2-nistp256,
Dmitry Belyavskiy f9e5de
-ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
Dmitry Belyavskiy f9e5de
-sk-ssh-ed25519@openssh.com,
Dmitry Belyavskiy f9e5de
-sk-ecdsa-sha2-nistp256@openssh.com,
Dmitry Belyavskiy 9dff9c
-rsa-sha2-512,rsa-sha2-256
Petr Šabata 81d24c
-.Ed
Petr Šabata 81d24c
-.Pp
Dmitry Belyavskiy f9e5de
 If the specified list begins with a
Dmitry Belyavskiy f9e5de
 .Sq +
Dmitry Belyavskiy f9e5de
 character, then the specified algorithms will be appended to the default set
Dmitry Belyavskiy f9e5de
@@ -445,20 +441,25 @@ If the option is set to
DistroBaker d029bb
 (the default),
Petr Šabata 81d24c
 the check will not be executed.
Petr Šabata 81d24c
 .It Cm Ciphers
Petr Šabata 81d24c
+The default is handled system-wide by
Petr Šabata 81d24c
+.Xr crypto-policies 7 .
Petr Šabata 81d24c
+To see the defaults and how to modify this default, see manual page
Petr Šabata 81d24c
+.Xr update-crypto-policies 8 .
Petr Šabata 81d24c
+.Pp
Petr Šabata 81d24c
 Specifies the ciphers allowed and their order of preference.
Petr Šabata 81d24c
 Multiple ciphers must be comma-separated.
Petr Šabata 81d24c
 If the specified list begins with a
Petr Šabata 81d24c
 .Sq +
Petr Šabata 81d24c
-character, then the specified ciphers will be appended to the default set
Petr Šabata 81d24c
-instead of replacing them.
Petr Šabata 81d24c
+character, then the specified ciphers will be appended to the built-in
Petr Šabata 81d24c
+openssh default set instead of replacing them.
Petr Šabata 81d24c
 If the specified list begins with a
Petr Šabata 81d24c
 .Sq -
Petr Šabata 81d24c
 character, then the specified ciphers (including wildcards) will be removed
Petr Šabata 81d24c
-from the default set instead of replacing them.
Petr Šabata 81d24c
+from the built-in openssh default set instead of replacing them.
Petr Šabata 81d24c
 If the specified list begins with a
Petr Šabata 81d24c
 .Sq ^
Petr Šabata 81d24c
 character, then the specified ciphers will be placed at the head of the
Petr Šabata 81d24c
-default set.
Petr Šabata 81d24c
+built-in openssh default set.
Petr Šabata 81d24c
 .Pp
Petr Šabata 81d24c
 The supported ciphers are:
Petr Šabata 81d24c
 .Bd -literal -offset indent
Dmitry Belyavskiy f9e5de
@@ -474,13 +475,6 @@ aes256-gcm@openssh.com
Petr Šabata 81d24c
 chacha20-poly1305@openssh.com
Petr Šabata 81d24c
 .Ed
Petr Šabata 81d24c
 .Pp
Petr Šabata 81d24c
-The default is:
Petr Šabata 81d24c
-.Bd -literal -offset indent
Petr Šabata 81d24c
-chacha20-poly1305@openssh.com,
Petr Šabata 81d24c
-aes128-ctr,aes192-ctr,aes256-ctr,
Petr Šabata 81d24c
-aes128-gcm@openssh.com,aes256-gcm@openssh.com
Petr Šabata 81d24c
-.Ed
Petr Šabata 81d24c
-.Pp
Petr Šabata 81d24c
 The list of available ciphers may also be obtained using
Petr Šabata 81d24c
 .Qq ssh -Q cipher .
Petr Šabata 81d24c
 .It Cm ClearAllForwardings
Dmitry Belyavskiy f9e5de
@@ -874,6 +868,11 @@ command line will be passed untouched to
Petr Šabata 81d24c
 The default is
Petr Šabata 81d24c
 .Dq no .
Petr Šabata 81d24c
 .It Cm GSSAPIKexAlgorithms
Petr Šabata 81d24c
+The default is handled system-wide by
Petr Šabata 81d24c
+.Xr crypto-policies 7 .
Petr Šabata 81d24c
+To see the defaults and how to modify this default, see manual page
Petr Šabata 81d24c
+.Xr update-crypto-policies 8 .
Petr Šabata 81d24c
+.Pp
Petr Šabata 81d24c
 The list of key exchange algorithms that are offered for GSSAPI
Petr Šabata 81d24c
 key exchange. Possible values are
Petr Šabata 81d24c
 .Bd -literal -offset 3n
Dmitry Belyavskiy f9e5de
@@ -886,10 +885,8 @@ gss-nistp256-sha256-,
Petr Šabata 81d24c
 gss-curve25519-sha256-
Petr Šabata 81d24c
 .Ed
Petr Šabata 81d24c
 .Pp
Petr Šabata 81d24c
-The default is
Petr Šabata 81d24c
-.Dq gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-,
Petr Šabata 81d24c
-gss-curve25519-sha256-,gss-group14-sha1-,gss-gex-sha1- .
Petr Šabata 81d24c
 This option only applies to connections using GSSAPI.
Petr Šabata 81d24c
+.Pp
Petr Šabata 81d24c
 .It Cm HashKnownHosts
Petr Šabata 81d24c
 Indicates that
Petr Šabata 81d24c
 .Xr ssh 1
Dmitry Belyavskiy f9e5de
@@ -1219,29 +1216,25 @@ it may be zero or more of:
Petr Šabata 81d24c
 and
Petr Šabata 81d24c
 .Cm pam .
Petr Šabata 81d24c
 .It Cm KexAlgorithms
Petr Šabata 81d24c
+The default is handled system-wide by
Petr Šabata 81d24c
+.Xr crypto-policies 7 .
Petr Šabata 81d24c
+To see the defaults and how to modify this default, see manual page
Petr Šabata 81d24c
+.Xr update-crypto-policies 8 .
Petr Šabata 81d24c
+.Pp
Petr Šabata 81d24c
 Specifies the available KEX (Key Exchange) algorithms.
Petr Šabata 81d24c
 Multiple algorithms must be comma-separated.
Petr Šabata 81d24c
 If the specified list begins with a
Petr Šabata 81d24c
 .Sq +
Petr Šabata 81d24c
-character, then the specified methods will be appended to the default set
Petr Šabata 81d24c
-instead of replacing them.
Petr Šabata 81d24c
+character, then the specified methods will be appended to the built-in
Petr Šabata 81d24c
+openssh default set instead of replacing them.
Petr Šabata 81d24c
 If the specified list begins with a
Petr Šabata 81d24c
 .Sq -
Petr Šabata 81d24c
 character, then the specified methods (including wildcards) will be removed
Petr Šabata 81d24c
-from the default set instead of replacing them.
Petr Šabata 81d24c
+from the built-in openssh default set instead of replacing them.
Petr Šabata 81d24c
 If the specified list begins with a
Petr Šabata 81d24c
 .Sq ^
Petr Šabata 81d24c
 character, then the specified methods will be placed at the head of the
Petr Šabata 81d24c
-default set.
Petr Šabata 81d24c
-The default is:
Petr Šabata 81d24c
-.Bd -literal -offset indent
Petr Šabata 81d24c
-curve25519-sha256,curve25519-sha256@libssh.org,
Petr Šabata 81d24c
-ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
Petr Šabata 81d24c
-diffie-hellman-group-exchange-sha256,
Petr Šabata 81d24c
-diffie-hellman-group16-sha512,
Petr Šabata 81d24c
-diffie-hellman-group18-sha512,
Petr Šabata 81d24c
-diffie-hellman-group14-sha256
Petr Šabata 81d24c
-.Ed
Petr Šabata 81d24c
+built-in openssh default set.
Petr Šabata 81d24c
 .Pp
Petr Šabata 81d24c
 The list of available key exchange algorithms may also be obtained using
Petr Šabata 81d24c
 .Qq ssh -Q kex .
Dmitry Belyavskiy f9e5de
@@ -1351,37 +1344,33 @@ function, and all code in the
DistroBaker d029bb
 file.
DistroBaker d029bb
 This option is intended for debugging and no overrides are enabled by default.
Petr Šabata 81d24c
 .It Cm MACs
Petr Šabata 81d24c
+The default is handled system-wide by
Petr Šabata 81d24c
+.Xr crypto-policies 7 .
Petr Šabata 81d24c
+To see the defaults and how to modify this default, see manual page
Petr Šabata 81d24c
+.Xr update-crypto-policies 8 .
Petr Šabata 81d24c
+.Pp
Petr Šabata 81d24c
 Specifies the MAC (message authentication code) algorithms
Petr Šabata 81d24c
 in order of preference.
Petr Šabata 81d24c
 The MAC algorithm is used for data integrity protection.
Petr Šabata 81d24c
 Multiple algorithms must be comma-separated.
Petr Šabata 81d24c
 If the specified list begins with a
Petr Šabata 81d24c
 .Sq +
Petr Šabata 81d24c
-character, then the specified algorithms will be appended to the default set
Petr Šabata 81d24c
-instead of replacing them.
Petr Šabata 81d24c
+character, then the specified algorithms will be appended to the built-in
Petr Šabata 81d24c
+openssh default set instead of replacing them.
Petr Šabata 81d24c
 If the specified list begins with a
Petr Šabata 81d24c
 .Sq -
Petr Šabata 81d24c
 character, then the specified algorithms (including wildcards) will be removed
Petr Šabata 81d24c
-from the default set instead of replacing them.
Petr Šabata 81d24c
+from the built-in openssh default set instead of replacing them.
Petr Šabata 81d24c
 If the specified list begins with a
Petr Šabata 81d24c
 .Sq ^
Petr Šabata 81d24c
 character, then the specified algorithms will be placed at the head of the
Petr Šabata 81d24c
-default set.
Petr Šabata 81d24c
+built-in openssh default set.
Petr Šabata 81d24c
 .Pp
Petr Šabata 81d24c
 The algorithms that contain
Petr Šabata 81d24c
 .Qq -etm
Petr Šabata 81d24c
 calculate the MAC after encryption (encrypt-then-mac).
Petr Šabata 81d24c
 These are considered safer and their use recommended.
Petr Šabata 81d24c
 .Pp
Petr Šabata 81d24c
-The default is:
Petr Šabata 81d24c
-.Bd -literal -offset indent
Petr Šabata 81d24c
-umac-64-etm@openssh.com,umac-128-etm@openssh.com,
Petr Šabata 81d24c
-hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
Petr Šabata 81d24c
-hmac-sha1-etm@openssh.com,
Petr Šabata 81d24c
-umac-64@openssh.com,umac-128@openssh.com,
Petr Šabata 81d24c
-hmac-sha2-256,hmac-sha2-512,hmac-sha1
Petr Šabata 81d24c
-.Ed
Petr Šabata 81d24c
-.Pp
Petr Šabata 81d24c
 The list of available MAC algorithms may also be obtained using
Petr Šabata 81d24c
 .Qq ssh -Q mac .
Petr Šabata 81d24c
 .It Cm NoHostAuthenticationForLocalhost
Dmitry Belyavskiy f9e5de
@@ -1553,37 +1542,25 @@ instead of continuing to execute and pas
Petr Šabata 81d24c
 The default is
Petr Šabata 81d24c
 .Cm no .
DistroBaker d029bb
 .It Cm PubkeyAcceptedAlgorithms
Petr Šabata 81d24c
+The default is handled system-wide by
Petr Šabata 81d24c
+.Xr crypto-policies 7 .
Petr Šabata 81d24c
+To see the defaults and how to modify this default, see manual page
Petr Šabata 81d24c
+.Xr update-crypto-policies 8 .
Petr Šabata 81d24c
+.Pp
DistroBaker d029bb
 Specifies the signature algorithms that will be used for public key
DistroBaker d029bb
 authentication as a comma-separated list of patterns.
Petr Šabata 81d24c
 If the specified list begins with a
Petr Šabata 81d24c
 .Sq +
DistroBaker d029bb
-character, then the algorithms after it will be appended to the default
Petr Šabata 81d24c
-instead of replacing it.
DistroBaker d029bb
+character, then the algorithms after it will be appended to the built-in
Petr Šabata 81d24c
+openssh default instead of replacing it.
Petr Šabata 81d24c
 If the specified list begins with a
Petr Šabata 81d24c
 .Sq -
DistroBaker d029bb
 character, then the specified algorithms (including wildcards) will be removed
Petr Šabata 81d24c
-from the default set instead of replacing them.
Petr Šabata 81d24c
+from the built-in openssh default set instead of replacing them.
Petr Šabata 81d24c
 If the specified list begins with a
Petr Šabata 81d24c
 .Sq ^
DistroBaker d029bb
 character, then the specified algorithms will be placed at the head of the
Petr Šabata 81d24c
-default set.
Petr Šabata 81d24c
-The default for this option is:
Petr Šabata 81d24c
-.Bd -literal -offset 3n
DistroBaker d029bb
-ssh-ed25519-cert-v01@openssh.com,
Petr Šabata 81d24c
-ecdsa-sha2-nistp256-cert-v01@openssh.com,
Petr Šabata 81d24c
-ecdsa-sha2-nistp384-cert-v01@openssh.com,
Petr Šabata 81d24c
-ecdsa-sha2-nistp521-cert-v01@openssh.com,
Petr Šabata 81d24c
-sk-ssh-ed25519-cert-v01@openssh.com,
DistroBaker d029bb
-sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
Petr Šabata 81d24c
-rsa-sha2-512-cert-v01@openssh.com,
Petr Šabata 81d24c
-rsa-sha2-256-cert-v01@openssh.com,
Petr Šabata 81d24c
-ssh-rsa-cert-v01@openssh.com,
DistroBaker d029bb
-ssh-ed25519,
Petr Šabata 81d24c
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
DistroBaker d029bb
-sk-ssh-ed25519@openssh.com,
Petr Šabata 81d24c
-sk-ecdsa-sha2-nistp256@openssh.com,
Petr Šabata 81d24c
-rsa-sha2-512,rsa-sha2-256,ssh-rsa
Petr Šabata 81d24c
-.Ed
Petr Šabata 81d24c
+built-in openssh default set.
Petr Šabata 81d24c
 .Pp
DistroBaker d029bb
 The list of available signature algorithms may also be obtained using
DistroBaker d029bb
 .Qq ssh -Q PubkeyAcceptedAlgorithms .
Dmitry Belyavskiy f9e5de
diff -up openssh-8.7p1/sshd_config.5.crypto-policies openssh-8.7p1/sshd_config.5
Dmitry Belyavskiy f9e5de
--- openssh-8.7p1/sshd_config.5.crypto-policies	2021-08-30 13:29:00.157292731 +0200
Dmitry Belyavskiy f9e5de
+++ openssh-8.7p1/sshd_config.5	2021-08-30 13:32:16.263918533 +0200
Dmitry Belyavskiy f9e5de
@@ -373,17 +373,13 @@ If the argument is
Petr Šabata 81d24c
 then no banner is displayed.
Petr Šabata 81d24c
 By default, no banner is displayed.
Petr Šabata 81d24c
 .It Cm CASignatureAlgorithms
Petr Šabata 81d24c
+The default is handled system-wide by
Petr Šabata 81d24c
+.Xr crypto-policies 7 .
Petr Šabata 81d24c
+To see the defaults and how to modify this default, see manual page
Petr Šabata 81d24c
+.Xr update-crypto-policies 8 .
Petr Šabata 81d24c
+.Pp
Petr Šabata 81d24c
 Specifies which algorithms are allowed for signing of certificates
Petr Šabata 81d24c
 by certificate authorities (CAs).
Petr Šabata 81d24c
-The default is:
Petr Šabata 81d24c
-.Bd -literal -offset indent
Dmitry Belyavskiy f9e5de
-ssh-ed25519,ecdsa-sha2-nistp256,
Dmitry Belyavskiy f9e5de
-ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
Dmitry Belyavskiy f9e5de
-sk-ssh-ed25519@openssh.com,
Dmitry Belyavskiy f9e5de
-sk-ecdsa-sha2-nistp256@openssh.com,
Dmitry Belyavskiy 9dff9c
-rsa-sha2-512,rsa-sha2-256
Petr Šabata 81d24c
-.Ed
Petr Šabata 81d24c
-.Pp
Dmitry Belyavskiy f9e5de
 If the specified list begins with a
Dmitry Belyavskiy f9e5de
 .Sq +
Dmitry Belyavskiy f9e5de
 character, then the specified algorithms will be appended to the default set
Dmitry Belyavskiy f9e5de
@@ -450,20 +446,25 @@ The default is
Petr Šabata 81d24c
 indicating not to
Petr Šabata 81d24c
 .Xr chroot 2 .
Petr Šabata 81d24c
 .It Cm Ciphers
Petr Šabata 81d24c
+The default is handled system-wide by
Petr Šabata 81d24c
+.Xr crypto-policies 7 .
Petr Šabata 81d24c
+To see the defaults and how to modify this default, see manual page
Petr Šabata 81d24c
+.Xr update-crypto-policies 8 .
Petr Šabata 81d24c
+.Pp
Petr Šabata 81d24c
 Specifies the ciphers allowed.
Petr Šabata 81d24c
 Multiple ciphers must be comma-separated.
Petr Šabata 81d24c
 If the specified list begins with a
Petr Šabata 81d24c
 .Sq +
Petr Šabata 81d24c
-character, then the specified ciphers will be appended to the default set
Petr Šabata 81d24c
-instead of replacing them.
Petr Šabata 81d24c
+character, then the specified ciphers will be appended to the built-in
Petr Šabata 81d24c
+openssh default set instead of replacing them.
Petr Šabata 81d24c
 If the specified list begins with a
Petr Šabata 81d24c
 .Sq -
Petr Šabata 81d24c
 character, then the specified ciphers (including wildcards) will be removed
Petr Šabata 81d24c
-from the default set instead of replacing them.
Petr Šabata 81d24c
+from the built-in openssh default set instead of replacing them.
Petr Šabata 81d24c
 If the specified list begins with a
Petr Šabata 81d24c
 .Sq ^
Petr Šabata 81d24c
 character, then the specified ciphers will be placed at the head of the
Petr Šabata 81d24c
-default set.
Petr Šabata 81d24c
+built-in openssh default set.
Petr Šabata 81d24c
 .Pp
Petr Šabata 81d24c
 The supported ciphers are:
Petr Šabata 81d24c
 .Pp
Dmitry Belyavskiy f9e5de
@@ -490,13 +491,6 @@ aes256-gcm@openssh.com
Petr Šabata 81d24c
 chacha20-poly1305@openssh.com
Petr Šabata 81d24c
 .El
Petr Šabata 81d24c
 .Pp
Petr Šabata 81d24c
-The default is:
Petr Šabata 81d24c
-.Bd -literal -offset indent
Petr Šabata 81d24c
-chacha20-poly1305@openssh.com,
Petr Šabata 81d24c
-aes128-ctr,aes192-ctr,aes256-ctr,
Petr Šabata 81d24c
-aes128-gcm@openssh.com,aes256-gcm@openssh.com
Petr Šabata 81d24c
-.Ed
Petr Šabata 81d24c
-.Pp
Petr Šabata 81d24c
 The list of available ciphers may also be obtained using
Petr Šabata 81d24c
 .Qq ssh -Q cipher .
Petr Šabata 81d24c
 .It Cm ClientAliveCountMax
Dmitry Belyavskiy f9e5de
@@ -685,21 +679,22 @@ For this to work
Petr Šabata 81d24c
 .Cm GSSAPIKeyExchange
Petr Šabata 81d24c
 needs to be enabled in the server and also used by the client.
Petr Šabata 81d24c
 .It Cm GSSAPIKexAlgorithms
Petr Šabata 81d24c
+The default is handled system-wide by
Petr Šabata 81d24c
+.Xr crypto-policies 7 .
Petr Šabata 81d24c
+To see the defaults and how to modify this default, see manual page
Petr Šabata 81d24c
+.Xr update-crypto-policies 8 .
Petr Šabata 81d24c
+.Pp
Petr Šabata 81d24c
 The list of key exchange algorithms that are accepted by GSSAPI
Petr Šabata 81d24c
 key exchange. Possible values are
Petr Šabata 81d24c
 .Bd -literal -offset 3n
Petr Šabata 81d24c
-gss-gex-sha1-,
Petr Šabata 81d24c
-gss-group1-sha1-,
Petr Šabata 81d24c
-gss-group14-sha1-,
Petr Šabata 81d24c
-gss-group14-sha256-,
Petr Šabata 81d24c
-gss-group16-sha512-,
Petr Šabata 81d24c
-gss-nistp256-sha256-,
Petr Šabata 81d24c
+gss-gex-sha1-
Petr Šabata 81d24c
+gss-group1-sha1-
Petr Šabata 81d24c
+gss-group14-sha1-
Petr Šabata 81d24c
+gss-group14-sha256-
Petr Šabata 81d24c
+gss-group16-sha512-
Petr Šabata 81d24c
+gss-nistp256-sha256-
Petr Šabata 81d24c
 gss-curve25519-sha256-
Petr Šabata 81d24c
 .Ed
Petr Šabata 81d24c
-.Pp
Petr Šabata 81d24c
-The default is
Petr Šabata 81d24c
-.Dq gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-,
Petr Šabata 81d24c
-gss-curve25519-sha256-,gss-group14-sha1-,gss-gex-sha1- .
Petr Šabata 81d24c
 This option only applies to connections using GSSAPI.
DistroBaker d029bb
 .It Cm HostbasedAcceptedAlgorithms
DistroBaker d029bb
 Specifies the signature algorithms that will be accepted for hostbased
Dmitry Belyavskiy f9e5de
@@ -799,26 +794,13 @@ is specified, the location of the socket
Petr Šabata 81d24c
 .Ev SSH_AUTH_SOCK
Petr Šabata 81d24c
 environment variable.
Petr Šabata 81d24c
 .It Cm HostKeyAlgorithms
Petr Šabata 81d24c
+The default is handled system-wide by
Petr Šabata 81d24c
+.Xr crypto-policies 7 .
Petr Šabata 81d24c
+To see the defaults and how to modify this default, see manual page
Petr Šabata 81d24c
+.Xr update-crypto-policies 8 .
Petr Šabata 81d24c
+.Pp
DistroBaker d029bb
 Specifies the host key signature algorithms
Petr Šabata 81d24c
 that the server offers.
Petr Šabata 81d24c
-The default for this option is:
Petr Šabata 81d24c
-.Bd -literal -offset 3n
DistroBaker d029bb
-ssh-ed25519-cert-v01@openssh.com,
Petr Šabata 81d24c
-ecdsa-sha2-nistp256-cert-v01@openssh.com,
Petr Šabata 81d24c
-ecdsa-sha2-nistp384-cert-v01@openssh.com,
Petr Šabata 81d24c
-ecdsa-sha2-nistp521-cert-v01@openssh.com,
Petr Šabata 81d24c
-sk-ssh-ed25519-cert-v01@openssh.com,
DistroBaker d029bb
-sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
Petr Šabata 81d24c
-rsa-sha2-512-cert-v01@openssh.com,
Petr Šabata 81d24c
-rsa-sha2-256-cert-v01@openssh.com,
Petr Šabata 81d24c
-ssh-rsa-cert-v01@openssh.com,
DistroBaker d029bb
-ssh-ed25519,
Petr Šabata 81d24c
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
DistroBaker d029bb
-sk-ssh-ed25519@openssh.com,
Petr Šabata 81d24c
-sk-ecdsa-sha2-nistp256@openssh.com,
Petr Šabata 81d24c
-rsa-sha2-512,rsa-sha2-256,ssh-rsa
Petr Šabata 81d24c
-.Ed
Petr Šabata 81d24c
-.Pp
DistroBaker d029bb
 The list of available signature algorithms may also be obtained using
Petr Šabata 81d24c
 .Qq ssh -Q HostKeyAlgorithms .
Petr Šabata 81d24c
 .It Cm IgnoreRhosts
Dmitry Belyavskiy f9e5de
@@ -965,20 +947,25 @@ Specifies whether to look at .k5login fi
Petr Šabata 81d24c
 The default is
Petr Šabata 81d24c
 .Cm yes .
Petr Šabata 81d24c
 .It Cm KexAlgorithms
Petr Šabata 81d24c
+The default is handled system-wide by
Petr Šabata 81d24c
+.Xr crypto-policies 7 .
Petr Šabata 81d24c
+To see the defaults and how to modify this default, see manual page
Petr Šabata 81d24c
+.Xr update-crypto-policies 8 .
Petr Šabata 81d24c
+.Pp
Petr Šabata 81d24c
 Specifies the available KEX (Key Exchange) algorithms.
Petr Šabata 81d24c
 Multiple algorithms must be comma-separated.
Petr Šabata 81d24c
 Alternately if the specified list begins with a
Petr Šabata 81d24c
 .Sq +
Petr Šabata 81d24c
-character, then the specified methods will be appended to the default set
Petr Šabata 81d24c
-instead of replacing them.
Petr Šabata 81d24c
+character, then the specified methods will be appended to the built-in
Petr Šabata 81d24c
+openssh default set instead of replacing them.
Petr Šabata 81d24c
 If the specified list begins with a
Petr Šabata 81d24c
 .Sq -
Petr Šabata 81d24c
 character, then the specified methods (including wildcards) will be removed
Petr Šabata 81d24c
-from the default set instead of replacing them.
Petr Šabata 81d24c
+from the built-in openssh default set instead of replacing them.
Petr Šabata 81d24c
 If the specified list begins with a
Petr Šabata 81d24c
 .Sq ^
Petr Šabata 81d24c
 character, then the specified methods will be placed at the head of the
Petr Šabata 81d24c
-default set.
Petr Šabata 81d24c
+built-in openssh default set.
Petr Šabata 81d24c
 The supported algorithms are:
Petr Šabata 81d24c
 .Pp
Petr Šabata 81d24c
 .Bl -item -compact -offset indent
Dmitry Belyavskiy f9e5de
@@ -1010,15 +997,6 @@ ecdh-sha2-nistp521
DistroBaker d029bb
 sntrup761x25519-sha512@openssh.com
Petr Šabata 81d24c
 .El
Petr Šabata 81d24c
 .Pp
Petr Šabata 81d24c
-The default is:
Petr Šabata 81d24c
-.Bd -literal -offset indent
Petr Šabata 81d24c
-curve25519-sha256,curve25519-sha256@libssh.org,
Petr Šabata 81d24c
-ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
Petr Šabata 81d24c
-diffie-hellman-group-exchange-sha256,
Petr Šabata 81d24c
-diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,
Petr Šabata 81d24c
-diffie-hellman-group14-sha256
Petr Šabata 81d24c
-.Ed
Petr Šabata 81d24c
-.Pp
Petr Šabata 81d24c
 The list of available key exchange algorithms may also be obtained using
Petr Šabata 81d24c
 .Qq ssh -Q KexAlgorithms .
Petr Šabata 81d24c
 .It Cm ListenAddress
Dmitry Belyavskiy f9e5de
@@ -1104,21 +1082,26 @@ function, and all code in the
DistroBaker d029bb
 file.
DistroBaker d029bb
 This option is intended for debugging and no overrides are enabled by default.
Petr Šabata 81d24c
 .It Cm MACs
Petr Šabata 81d24c
+The default is handled system-wide by
Petr Šabata 81d24c
+.Xr crypto-policies 7 .
Petr Šabata 81d24c
+To see the defaults and how to modify this default, see manual page
Petr Šabata 81d24c
+.Xr update-crypto-policies 8 .
Petr Šabata 81d24c
+.Pp
Petr Šabata 81d24c
 Specifies the available MAC (message authentication code) algorithms.
Petr Šabata 81d24c
 The MAC algorithm is used for data integrity protection.
Petr Šabata 81d24c
 Multiple algorithms must be comma-separated.
Petr Šabata 81d24c
 If the specified list begins with a
Petr Šabata 81d24c
 .Sq +
Petr Šabata 81d24c
-character, then the specified algorithms will be appended to the default set
Petr Šabata 81d24c
-instead of replacing them.
Petr Šabata 81d24c
+character, then the specified algorithms will be appended to the built-in
Petr Šabata 81d24c
+openssh default set instead of replacing them.
Petr Šabata 81d24c
 If the specified list begins with a
Petr Šabata 81d24c
 .Sq -
Petr Šabata 81d24c
 character, then the specified algorithms (including wildcards) will be removed
Petr Šabata 81d24c
-from the default set instead of replacing them.
Petr Šabata 81d24c
+from the built-in openssh default set instead of replacing them.
Petr Šabata 81d24c
 If the specified list begins with a
Petr Šabata 81d24c
 .Sq ^
Petr Šabata 81d24c
 character, then the specified algorithms will be placed at the head of the
Petr Šabata 81d24c
-default set.
Petr Šabata 81d24c
+built-in openssh default set.
Petr Šabata 81d24c
 .Pp
Petr Šabata 81d24c
 The algorithms that contain
Petr Šabata 81d24c
 .Qq -etm
Dmitry Belyavskiy f9e5de
@@ -1161,15 +1144,6 @@ umac-64-etm@openssh.com
Petr Šabata 81d24c
 umac-128-etm@openssh.com
Petr Šabata 81d24c
 .El
Petr Šabata 81d24c
 .Pp
Petr Šabata 81d24c
-The default is:
Petr Šabata 81d24c
-.Bd -literal -offset indent
Petr Šabata 81d24c
-umac-64-etm@openssh.com,umac-128-etm@openssh.com,
Petr Šabata 81d24c
-hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
Petr Šabata 81d24c
-hmac-sha1-etm@openssh.com,
Petr Šabata 81d24c
-umac-64@openssh.com,umac-128@openssh.com,
Petr Šabata 81d24c
-hmac-sha2-256,hmac-sha2-512,hmac-sha1
Petr Šabata 81d24c
-.Ed
Petr Šabata 81d24c
-.Pp
Petr Šabata 81d24c
 The list of available MAC algorithms may also be obtained using
Petr Šabata 81d24c
 .Qq ssh -Q mac .
Petr Šabata 81d24c
 .It Cm Match
Dmitry Belyavskiy f9e5de
@@ -1548,37 +1522,25 @@ or equivalent.)
Petr Šabata 81d24c
 The default is
Petr Šabata 81d24c
 .Cm yes .
DistroBaker d029bb
 .It Cm PubkeyAcceptedAlgorithms
Petr Šabata 81d24c
+The default is handled system-wide by
Petr Šabata 81d24c
+.Xr crypto-policies 7 .
Petr Šabata 81d24c
+To see the defaults and how to modify this default, see manual page
Petr Šabata 81d24c
+.Xr update-crypto-policies 8 .
Petr Šabata 81d24c
+.Pp
DistroBaker d029bb
 Specifies the signature algorithms that will be accepted for public key
DistroBaker d029bb
 authentication as a list of comma-separated patterns.
Petr Šabata 81d24c
 Alternately if the specified list begins with a
Petr Šabata 81d24c
 .Sq +
DistroBaker d029bb
-character, then the specified algorithms will be appended to the default set
Petr Šabata 81d24c
-instead of replacing them.
DistroBaker d029bb
+character, then the specified algorithms will be appended to the built-in
Petr Šabata 81d24c
+openssh default set instead of replacing them.
Petr Šabata 81d24c
 If the specified list begins with a
Petr Šabata 81d24c
 .Sq -
DistroBaker d029bb
 character, then the specified algorithms (including wildcards) will be removed
Petr Šabata 81d24c
-from the default set instead of replacing them.
Petr Šabata 81d24c
+from the built-in openssh default set instead of replacing them.
Petr Šabata 81d24c
 If the specified list begins with a
Petr Šabata 81d24c
 .Sq ^
DistroBaker d029bb
 character, then the specified algorithms will be placed at the head of the
Petr Šabata 81d24c
-default set.
Petr Šabata 81d24c
-The default for this option is:
Petr Šabata 81d24c
-.Bd -literal -offset 3n
DistroBaker d029bb
-ssh-ed25519-cert-v01@openssh.com,
Petr Šabata 81d24c
-ecdsa-sha2-nistp256-cert-v01@openssh.com,
Petr Šabata 81d24c
-ecdsa-sha2-nistp384-cert-v01@openssh.com,
Petr Šabata 81d24c
-ecdsa-sha2-nistp521-cert-v01@openssh.com,
Petr Šabata 81d24c
-sk-ssh-ed25519-cert-v01@openssh.com,
DistroBaker d029bb
-sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
Petr Šabata 81d24c
-rsa-sha2-512-cert-v01@openssh.com,
Petr Šabata 81d24c
-rsa-sha2-256-cert-v01@openssh.com,
Petr Šabata 81d24c
-ssh-rsa-cert-v01@openssh.com,
DistroBaker d029bb
-ssh-ed25519,
Petr Šabata 81d24c
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
DistroBaker d029bb
-sk-ssh-ed25519@openssh.com,
Petr Šabata 81d24c
-sk-ecdsa-sha2-nistp256@openssh.com,
Petr Šabata 81d24c
-rsa-sha2-512,rsa-sha2-256,ssh-rsa
Petr Šabata 81d24c
-.Ed
Petr Šabata 81d24c
+built-in openssh default set.
Petr Šabata 81d24c
 .Pp
DistroBaker d029bb
 The list of available signature algorithms may also be obtained using
DistroBaker d029bb
 .Qq ssh -Q PubkeyAcceptedAlgorithms .