forked from rpms/openssh
Clarify crypto policies documentation in manual pages
* All the options that are affected by crypto policies will mention that + and - work with built-in defaults and not the crypto-policies ones. * The line mentioning crypto policies will be the first one in the option description.
This commit is contained in:
parent
eb546ec1a7
commit
a848054c8a
@ -1,8 +1,15 @@
|
|||||||
diff -up openssh/ssh_config.5.crypto-policies openssh/ssh_config.5
|
diff -up openssh-8.2p1/ssh_config.5.crypto-policies openssh-8.2p1/ssh_config.5
|
||||||
--- openssh/ssh_config.5.crypto-policies 2020-02-07 15:05:55.665451715 +0100
|
--- openssh-8.2p1/ssh_config.5.crypto-policies 2020-03-26 14:40:44.546775605 +0100
|
||||||
+++ openssh/ssh_config.5 2020-02-07 15:07:11.632641922 +0100
|
+++ openssh-8.2p1/ssh_config.5 2020-03-26 14:52:20.700649727 +0100
|
||||||
@@ -361,15 +361,15 @@ domains.
|
@@ -359,17 +359,17 @@ or
|
||||||
|
.Qq *.c.example.com
|
||||||
|
domains.
|
||||||
.It Cm CASignatureAlgorithms
|
.It Cm CASignatureAlgorithms
|
||||||
|
+The default is handled system-wide by
|
||||||
|
+.Xr crypto-policies 7 .
|
||||||
|
+To see the defaults and how to modify this default, see manual page
|
||||||
|
+.Xr update-crypto-policies 8 .
|
||||||
|
+.Pp
|
||||||
Specifies which algorithms are allowed for signing of certificates
|
Specifies which algorithms are allowed for signing of certificates
|
||||||
by certificate authorities (CAs).
|
by certificate authorities (CAs).
|
||||||
-The default is:
|
-The default is:
|
||||||
@ -15,15 +22,39 @@ diff -up openssh/ssh_config.5.crypto-policies openssh/ssh_config.5
|
|||||||
will not accept host certificates signed using algorithms other than those
|
will not accept host certificates signed using algorithms other than those
|
||||||
specified.
|
specified.
|
||||||
+.Pp
|
+.Pp
|
||||||
|
.It Cm CertificateFile
|
||||||
|
Specifies a file from which the user's certificate is read.
|
||||||
|
A corresponding private key must be provided separately in order
|
||||||
|
@@ -424,20 +424,25 @@ If the option is set to
|
||||||
|
.Cm no ,
|
||||||
|
the check will not be executed.
|
||||||
|
.It Cm Ciphers
|
||||||
+The default is handled system-wide by
|
+The default is handled system-wide by
|
||||||
+.Xr crypto-policies 7 .
|
+.Xr crypto-policies 7 .
|
||||||
+To see the defaults and how to modify this default, see manual page
|
+To see the defaults and how to modify this default, see manual page
|
||||||
+.Xr update-crypto-policies 8 .
|
+.Xr update-crypto-policies 8 .
|
||||||
+.Pp
|
+.Pp
|
||||||
.It Cm CertificateFile
|
Specifies the ciphers allowed and their order of preference.
|
||||||
Specifies a file from which the user's certificate is read.
|
Multiple ciphers must be comma-separated.
|
||||||
A corresponding private key must be provided separately in order
|
If the specified list begins with a
|
||||||
@@ -453,12 +453,10 @@ aes256-gcm@openssh.com
|
.Sq +
|
||||||
|
-character, then the specified ciphers will be appended to the default set
|
||||||
|
+character, then the specified ciphers will be appended to the built-in default set
|
||||||
|
instead of replacing them.
|
||||||
|
If the specified list begins with a
|
||||||
|
.Sq -
|
||||||
|
character, then the specified ciphers (including wildcards) will be removed
|
||||||
|
-from the default set instead of replacing them.
|
||||||
|
+from the built-in default set instead of replacing them.
|
||||||
|
If the specified list begins with a
|
||||||
|
.Sq ^
|
||||||
|
character, then the specified ciphers will be placed at the head of the
|
||||||
|
-default set.
|
||||||
|
+built-in default set.
|
||||||
|
.Pp
|
||||||
|
The supported ciphers are:
|
||||||
|
.Bd -literal -offset indent
|
||||||
|
@@ -453,13 +458,6 @@ aes256-gcm@openssh.com
|
||||||
chacha20-poly1305@openssh.com
|
chacha20-poly1305@openssh.com
|
||||||
.Ed
|
.Ed
|
||||||
.Pp
|
.Pp
|
||||||
@ -33,31 +64,59 @@ diff -up openssh/ssh_config.5.crypto-policies openssh/ssh_config.5
|
|||||||
-aes128-ctr,aes192-ctr,aes256-ctr,
|
-aes128-ctr,aes192-ctr,aes256-ctr,
|
||||||
-aes128-gcm@openssh.com,aes256-gcm@openssh.com
|
-aes128-gcm@openssh.com,aes256-gcm@openssh.com
|
||||||
-.Ed
|
-.Ed
|
||||||
|
-.Pp
|
||||||
|
The list of available ciphers may also be obtained using
|
||||||
|
.Qq ssh -Q cipher .
|
||||||
|
.It Cm ClearAllForwardings
|
||||||
|
@@ -812,6 +810,11 @@ command line will be passed untouched to
|
||||||
|
The default is
|
||||||
|
.Dq no .
|
||||||
|
.It Cm GSSAPIKexAlgorithms
|
||||||
+The default is handled system-wide by
|
+The default is handled system-wide by
|
||||||
+.Xr crypto-policies 7 .
|
+.Xr crypto-policies 7 .
|
||||||
+To see the defaults and how to modify this default, see manual page
|
+To see the defaults and how to modify this default, see manual page
|
||||||
+.Xr update-crypto-policies 8 .
|
+.Xr update-crypto-policies 8 .
|
||||||
.Pp
|
+.Pp
|
||||||
The list of available ciphers may also be obtained using
|
The list of key exchange algorithms that are offered for GSSAPI
|
||||||
.Qq ssh -Q cipher .
|
key exchange. Possible values are
|
||||||
@@ -824,9 +822,10 @@ gss-nistp256-sha256-,
|
.Bd -literal -offset 3n
|
||||||
|
@@ -824,10 +827,8 @@ gss-nistp256-sha256-,
|
||||||
gss-curve25519-sha256-
|
gss-curve25519-sha256-
|
||||||
.Ed
|
.Ed
|
||||||
.Pp
|
.Pp
|
||||||
-The default is
|
-The default is
|
||||||
-.Dq gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-,
|
-.Dq gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-,
|
||||||
-gss-curve25519-sha256-,gss-group14-sha1-,gss-gex-sha1- .
|
-gss-curve25519-sha256-,gss-group14-sha1-,gss-gex-sha1- .
|
||||||
|
This option only applies to connections using GSSAPI.
|
||||||
|
+.Pp
|
||||||
|
.It Cm HashKnownHosts
|
||||||
|
Indicates that
|
||||||
|
.Xr ssh 1
|
||||||
|
@@ -1149,29 +1150,25 @@ it may be zero or more of:
|
||||||
|
and
|
||||||
|
.Cm pam .
|
||||||
|
.It Cm KexAlgorithms
|
||||||
+The default is handled system-wide by
|
+The default is handled system-wide by
|
||||||
+.Xr crypto-policies 7 .
|
+.Xr crypto-policies 7 .
|
||||||
+To see the defaults and how to modify this default, see manual page
|
+To see the defaults and how to modify this default, see manual page
|
||||||
+.Xr update-crypto-policies 8 .
|
+.Xr update-crypto-policies 8 .
|
||||||
This option only applies to connections using GSSAPI.
|
+.Pp
|
||||||
.It Cm HashKnownHosts
|
Specifies the available KEX (Key Exchange) algorithms.
|
||||||
Indicates that
|
Multiple algorithms must be comma-separated.
|
||||||
@@ -1162,15 +1162,10 @@ If the specified list begins with a
|
If the specified list begins with a
|
||||||
|
.Sq +
|
||||||
|
-character, then the specified methods will be appended to the default set
|
||||||
|
+character, then the specified methods will be appended to the built-in default set
|
||||||
|
instead of replacing them.
|
||||||
|
If the specified list begins with a
|
||||||
|
.Sq -
|
||||||
|
character, then the specified methods (including wildcards) will be removed
|
||||||
|
-from the default set instead of replacing them.
|
||||||
|
+from the built-in default set instead of replacing them.
|
||||||
|
If the specified list begins with a
|
||||||
.Sq ^
|
.Sq ^
|
||||||
character, then the specified methods will be placed at the head of the
|
character, then the specified methods will be placed at the head of the
|
||||||
default set.
|
-default set.
|
||||||
-The default is:
|
-The default is:
|
||||||
-.Bd -literal -offset indent
|
-.Bd -literal -offset indent
|
||||||
-curve25519-sha256,curve25519-sha256@libssh.org,
|
-curve25519-sha256,curve25519-sha256@libssh.org,
|
||||||
@ -67,14 +126,41 @@ diff -up openssh/ssh_config.5.crypto-policies openssh/ssh_config.5
|
|||||||
-diffie-hellman-group18-sha512,
|
-diffie-hellman-group18-sha512,
|
||||||
-diffie-hellman-group14-sha256
|
-diffie-hellman-group14-sha256
|
||||||
-.Ed
|
-.Ed
|
||||||
|
+built-in default set.
|
||||||
|
.Pp
|
||||||
|
The list of available key exchange algorithms may also be obtained using
|
||||||
|
.Qq ssh -Q kex .
|
||||||
|
@@ -1231,37 +1228,33 @@ The default is INFO.
|
||||||
|
DEBUG and DEBUG1 are equivalent.
|
||||||
|
DEBUG2 and DEBUG3 each specify higher levels of verbose output.
|
||||||
|
.It Cm MACs
|
||||||
+The default is handled system-wide by
|
+The default is handled system-wide by
|
||||||
+.Xr crypto-policies 7 .
|
+.Xr crypto-policies 7 .
|
||||||
+To see the defaults and how to modify this default, see manual page
|
+To see the defaults and how to modify this default, see manual page
|
||||||
+.Xr update-crypto-policies 8 .
|
+.Xr update-crypto-policies 8 .
|
||||||
|
+.Pp
|
||||||
|
Specifies the MAC (message authentication code) algorithms
|
||||||
|
in order of preference.
|
||||||
|
The MAC algorithm is used for data integrity protection.
|
||||||
|
Multiple algorithms must be comma-separated.
|
||||||
|
If the specified list begins with a
|
||||||
|
.Sq +
|
||||||
|
-character, then the specified algorithms will be appended to the default set
|
||||||
|
+character, then the specified algorithms will be appended to the built-in default set
|
||||||
|
instead of replacing them.
|
||||||
|
If the specified list begins with a
|
||||||
|
.Sq -
|
||||||
|
character, then the specified algorithms (including wildcards) will be removed
|
||||||
|
-from the default set instead of replacing them.
|
||||||
|
+from the built-in default set instead of replacing them.
|
||||||
|
If the specified list begins with a
|
||||||
|
.Sq ^
|
||||||
|
character, then the specified algorithms will be placed at the head of the
|
||||||
|
-default set.
|
||||||
|
+built-in default set.
|
||||||
.Pp
|
.Pp
|
||||||
The list of available key exchange algorithms may also be obtained using
|
The algorithms that contain
|
||||||
.Qq ssh -Q kex .
|
.Qq -etm
|
||||||
@@ -1252,14 +1247,10 @@ The algorithms that contain
|
|
||||||
calculate the MAC after encryption (encrypt-then-mac).
|
calculate the MAC after encryption (encrypt-then-mac).
|
||||||
These are considered safer and their use recommended.
|
These are considered safer and their use recommended.
|
||||||
.Pp
|
.Pp
|
||||||
@ -86,17 +172,35 @@ diff -up openssh/ssh_config.5.crypto-policies openssh/ssh_config.5
|
|||||||
-umac-64@openssh.com,umac-128@openssh.com,
|
-umac-64@openssh.com,umac-128@openssh.com,
|
||||||
-hmac-sha2-256,hmac-sha2-512,hmac-sha1
|
-hmac-sha2-256,hmac-sha2-512,hmac-sha1
|
||||||
-.Ed
|
-.Ed
|
||||||
|
-.Pp
|
||||||
|
The list of available MAC algorithms may also be obtained using
|
||||||
|
.Qq ssh -Q mac .
|
||||||
|
.It Cm NoHostAuthenticationForLocalhost
|
||||||
|
@@ -1394,36 +1387,25 @@ instead of continuing to execute and pas
|
||||||
|
The default is
|
||||||
|
.Cm no .
|
||||||
|
.It Cm PubkeyAcceptedKeyTypes
|
||||||
+The default is handled system-wide by
|
+The default is handled system-wide by
|
||||||
+.Xr crypto-policies 7 .
|
+.Xr crypto-policies 7 .
|
||||||
+To see the defaults and how to modify this default, see manual page
|
+To see the defaults and how to modify this default, see manual page
|
||||||
+.Xr update-crypto-policies 8 .
|
+.Xr update-crypto-policies 8 .
|
||||||
.Pp
|
+.Pp
|
||||||
The list of available MAC algorithms may also be obtained using
|
Specifies the key types that will be used for public key authentication
|
||||||
.Qq ssh -Q mac .
|
as a comma-separated list of patterns.
|
||||||
@@ -1407,22 +1398,10 @@ If the specified list begins with a
|
If the specified list begins with a
|
||||||
|
.Sq +
|
||||||
|
-character, then the key types after it will be appended to the default
|
||||||
|
+character, then the key types after it will be appended to the built-in default
|
||||||
|
instead of replacing it.
|
||||||
|
If the specified list begins with a
|
||||||
|
.Sq -
|
||||||
|
character, then the specified key types (including wildcards) will be removed
|
||||||
|
-from the default set instead of replacing them.
|
||||||
|
+from the built-in default set instead of replacing them.
|
||||||
|
If the specified list begins with a
|
||||||
.Sq ^
|
.Sq ^
|
||||||
character, then the specified key types will be placed at the head of the
|
character, then the specified key types will be placed at the head of the
|
||||||
default set.
|
-default set.
|
||||||
-The default for this option is:
|
-The default for this option is:
|
||||||
-.Bd -literal -offset 3n
|
-.Bd -literal -offset 3n
|
||||||
-ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
-ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
||||||
@ -113,18 +217,22 @@ diff -up openssh/ssh_config.5.crypto-policies openssh/ssh_config.5
|
|||||||
-ssh-ed25519,sk-ssh-ed25519@openssh.com,
|
-ssh-ed25519,sk-ssh-ed25519@openssh.com,
|
||||||
-rsa-sha2-512,rsa-sha2-256,ssh-rsa
|
-rsa-sha2-512,rsa-sha2-256,ssh-rsa
|
||||||
-.Ed
|
-.Ed
|
||||||
|
+built-in default set.
|
||||||
|
.Pp
|
||||||
|
The list of available key types may also be obtained using
|
||||||
|
.Qq ssh -Q PubkeyAcceptedKeyTypes .
|
||||||
|
diff -up openssh-8.2p1/sshd_config.5.crypto-policies openssh-8.2p1/sshd_config.5
|
||||||
|
--- openssh-8.2p1/sshd_config.5.crypto-policies 2020-03-26 14:40:44.530775355 +0100
|
||||||
|
+++ openssh-8.2p1/sshd_config.5 2020-03-26 14:48:56.732468099 +0100
|
||||||
|
@@ -375,16 +375,16 @@ If the argument is
|
||||||
|
then no banner is displayed.
|
||||||
|
By default, no banner is displayed.
|
||||||
|
.It Cm CASignatureAlgorithms
|
||||||
+The default is handled system-wide by
|
+The default is handled system-wide by
|
||||||
+.Xr crypto-policies 7 .
|
+.Xr crypto-policies 7 .
|
||||||
+To see the defaults and how to modify this default, see manual page
|
+To see the defaults and how to modify this default, see manual page
|
||||||
+.Xr update-crypto-policies 8 .
|
+.Xr update-crypto-policies 8 .
|
||||||
.Pp
|
+.Pp
|
||||||
The list of available key types may also be obtained using
|
|
||||||
.Qq ssh -Q PubkeyAcceptedKeyTypes .
|
|
||||||
diff -up openssh/sshd_config.5.crypto-policies openssh/sshd_config.5
|
|
||||||
--- openssh/sshd_config.5.crypto-policies 2020-02-07 15:05:55.639451308 +0100
|
|
||||||
+++ openssh/sshd_config.5 2020-02-07 15:05:55.672451825 +0100
|
|
||||||
@@ -377,14 +377,14 @@ By default, no banner is displayed.
|
|
||||||
.It Cm CASignatureAlgorithms
|
|
||||||
Specifies which algorithms are allowed for signing of certificates
|
Specifies which algorithms are allowed for signing of certificates
|
||||||
by certificate authorities (CAs).
|
by certificate authorities (CAs).
|
||||||
-The default is:
|
-The default is:
|
||||||
@ -136,15 +244,39 @@ diff -up openssh/sshd_config.5.crypto-policies openssh/sshd_config.5
|
|||||||
Certificates signed using other algorithms will not be accepted for
|
Certificates signed using other algorithms will not be accepted for
|
||||||
public key or host-based authentication.
|
public key or host-based authentication.
|
||||||
+.Pp
|
+.Pp
|
||||||
|
.It Cm ChallengeResponseAuthentication
|
||||||
|
Specifies whether challenge-response authentication is allowed (e.g. via
|
||||||
|
PAM or through authentication styles supported in
|
||||||
|
@@ -446,20 +446,25 @@ The default is
|
||||||
|
indicating not to
|
||||||
|
.Xr chroot 2 .
|
||||||
|
.It Cm Ciphers
|
||||||
+The default is handled system-wide by
|
+The default is handled system-wide by
|
||||||
+.Xr crypto-policies 7 .
|
+.Xr crypto-policies 7 .
|
||||||
+To see the defaults and how to modify this default, see manual page
|
+To see the defaults and how to modify this default, see manual page
|
||||||
+.Xr update-crypto-policies 8 .
|
+.Xr update-crypto-policies 8 .
|
||||||
+.Pp
|
+.Pp
|
||||||
.It Cm ChallengeResponseAuthentication
|
Specifies the ciphers allowed.
|
||||||
Specifies whether challenge-response authentication is allowed (e.g. via
|
Multiple ciphers must be comma-separated.
|
||||||
PAM or through authentication styles supported in
|
If the specified list begins with a
|
||||||
@@ -486,12 +486,10 @@ aes256-gcm@openssh.com
|
.Sq +
|
||||||
|
-character, then the specified ciphers will be appended to the default set
|
||||||
|
+character, then the specified ciphers will be appended to the built-in default set
|
||||||
|
instead of replacing them.
|
||||||
|
If the specified list begins with a
|
||||||
|
.Sq -
|
||||||
|
character, then the specified ciphers (including wildcards) will be removed
|
||||||
|
-from the default set instead of replacing them.
|
||||||
|
+from the built-in default set instead of replacing them.
|
||||||
|
If the specified list begins with a
|
||||||
|
.Sq ^
|
||||||
|
character, then the specified ciphers will be placed at the head of the
|
||||||
|
-default set.
|
||||||
|
+built-in default set.
|
||||||
|
.Pp
|
||||||
|
The supported ciphers are:
|
||||||
|
.Pp
|
||||||
|
@@ -486,13 +491,6 @@ aes256-gcm@openssh.com
|
||||||
chacha20-poly1305@openssh.com
|
chacha20-poly1305@openssh.com
|
||||||
.El
|
.El
|
||||||
.Pp
|
.Pp
|
||||||
@ -154,29 +286,54 @@ diff -up openssh/sshd_config.5.crypto-policies openssh/sshd_config.5
|
|||||||
-aes128-ctr,aes192-ctr,aes256-ctr,
|
-aes128-ctr,aes192-ctr,aes256-ctr,
|
||||||
-aes128-gcm@openssh.com,aes256-gcm@openssh.com
|
-aes128-gcm@openssh.com,aes256-gcm@openssh.com
|
||||||
-.Ed
|
-.Ed
|
||||||
|
-.Pp
|
||||||
|
The list of available ciphers may also be obtained using
|
||||||
|
.Qq ssh -Q cipher .
|
||||||
|
.It Cm ClientAliveCountMax
|
||||||
|
@@ -681,22 +679,24 @@ For this to work
|
||||||
|
.Cm GSSAPIKeyExchange
|
||||||
|
needs to be enabled in the server and also used by the client.
|
||||||
|
.It Cm GSSAPIKexAlgorithms
|
||||||
+The default is handled system-wide by
|
+The default is handled system-wide by
|
||||||
+.Xr crypto-policies 7 .
|
+.Xr crypto-policies 7 .
|
||||||
+To see the defaults and how to modify this default, see manual page
|
+To see the defaults and how to modify this default, see manual page
|
||||||
+.Xr update-crypto-policies 8 .
|
+.Xr update-crypto-policies 8 .
|
||||||
.Pp
|
+.Pp
|
||||||
The list of available ciphers may also be obtained using
|
The list of key exchange algorithms that are accepted by GSSAPI
|
||||||
.Qq ssh -Q cipher .
|
key exchange. Possible values are
|
||||||
@@ -693,9 +691,10 @@ gss-nistp256-sha256-,
|
.Bd -literal -offset 3n
|
||||||
|
-gss-gex-sha1-,
|
||||||
|
-gss-group1-sha1-,
|
||||||
|
-gss-group14-sha1-,
|
||||||
|
-gss-group14-sha256-,
|
||||||
|
-gss-group16-sha512-,
|
||||||
|
-gss-nistp256-sha256-,
|
||||||
|
+gss-gex-sha1-
|
||||||
|
+gss-group1-sha1-
|
||||||
|
+gss-group14-sha1-
|
||||||
|
+gss-group14-sha256-
|
||||||
|
+gss-group16-sha512-
|
||||||
|
+gss-nistp256-sha256-
|
||||||
gss-curve25519-sha256-
|
gss-curve25519-sha256-
|
||||||
.Ed
|
.Ed
|
||||||
.Pp
|
-.Pp
|
||||||
-The default is
|
-The default is
|
||||||
-.Dq gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-,
|
-.Dq gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-,
|
||||||
-gss-curve25519-sha256-,gss-group14-sha1-,gss-gex-sha1- .
|
-gss-curve25519-sha256-,gss-group14-sha1-,gss-gex-sha1- .
|
||||||
|
This option only applies to connections using GSSAPI.
|
||||||
|
+.Pp
|
||||||
|
.It Cm HostbasedAcceptedKeyTypes
|
||||||
|
Specifies the key types that will be accepted for hostbased authentication
|
||||||
|
as a list of comma-separated patterns.
|
||||||
|
@@ -793,25 +793,13 @@ is specified, the location of the socket
|
||||||
|
.Ev SSH_AUTH_SOCK
|
||||||
|
environment variable.
|
||||||
|
.It Cm HostKeyAlgorithms
|
||||||
+The default is handled system-wide by
|
+The default is handled system-wide by
|
||||||
+.Xr crypto-policies 7 .
|
+.Xr crypto-policies 7 .
|
||||||
+To see the defaults and how to modify this default, see manual page
|
+To see the defaults and how to modify this default, see manual page
|
||||||
+.Xr update-crypto-policies 8 .
|
+.Xr update-crypto-policies 8 .
|
||||||
This option only applies to connections using GSSAPI.
|
+.Pp
|
||||||
.It Cm HostbasedAcceptedKeyTypes
|
|
||||||
Specifies the key types that will be accepted for hostbased authentication
|
|
||||||
@@ -794,22 +794,10 @@ environment variable.
|
|
||||||
.It Cm HostKeyAlgorithms
|
|
||||||
Specifies the host key algorithms
|
Specifies the host key algorithms
|
||||||
that the server offers.
|
that the server offers.
|
||||||
-The default for this option is:
|
-The default for this option is:
|
||||||
@ -195,14 +352,40 @@ diff -up openssh/sshd_config.5.crypto-policies openssh/sshd_config.5
|
|||||||
-ssh-ed25519,sk-ssh-ed25519@openssh.com,
|
-ssh-ed25519,sk-ssh-ed25519@openssh.com,
|
||||||
-rsa-sha2-512,rsa-sha2-256,ssh-rsa
|
-rsa-sha2-512,rsa-sha2-256,ssh-rsa
|
||||||
-.Ed
|
-.Ed
|
||||||
|
-.Pp
|
||||||
|
The list of available key types may also be obtained using
|
||||||
|
.Qq ssh -Q HostKeyAlgorithms .
|
||||||
|
.It Cm IgnoreRhosts
|
||||||
|
@@ -943,20 +931,25 @@ Specifies whether to look at .k5login fi
|
||||||
|
The default is
|
||||||
|
.Cm yes .
|
||||||
|
.It Cm KexAlgorithms
|
||||||
+The default is handled system-wide by
|
+The default is handled system-wide by
|
||||||
+.Xr crypto-policies 7 .
|
+.Xr crypto-policies 7 .
|
||||||
+To see the defaults and how to modify this default, see manual page
|
+To see the defaults and how to modify this default, see manual page
|
||||||
+.Xr update-crypto-policies 8 .
|
+.Xr update-crypto-policies 8 .
|
||||||
|
+.Pp
|
||||||
|
Specifies the available KEX (Key Exchange) algorithms.
|
||||||
|
Multiple algorithms must be comma-separated.
|
||||||
|
Alternately if the specified list begins with a
|
||||||
|
.Sq +
|
||||||
|
-character, then the specified methods will be appended to the default set
|
||||||
|
+character, then the specified methods will be appended to the built-in default set
|
||||||
|
instead of replacing them.
|
||||||
|
If the specified list begins with a
|
||||||
|
.Sq -
|
||||||
|
character, then the specified methods (including wildcards) will be removed
|
||||||
|
-from the default set instead of replacing them.
|
||||||
|
+from the built-in default set instead of replacing them.
|
||||||
|
If the specified list begins with a
|
||||||
|
.Sq ^
|
||||||
|
character, then the specified methods will be placed at the head of the
|
||||||
|
-default set.
|
||||||
|
+built-in default set.
|
||||||
|
The supported algorithms are:
|
||||||
.Pp
|
.Pp
|
||||||
The list of available key types may also be obtained using
|
.Bl -item -compact -offset indent
|
||||||
.Qq ssh -Q HostKeyAlgorithms .
|
@@ -988,15 +981,6 @@ ecdh-sha2-nistp521
|
||||||
@@ -987,14 +975,10 @@ ecdh-sha2-nistp521
|
|
||||||
sntrup4591761x25519-sha512@tinyssh.org
|
sntrup4591761x25519-sha512@tinyssh.org
|
||||||
.El
|
.El
|
||||||
.Pp
|
.Pp
|
||||||
@ -214,14 +397,41 @@ diff -up openssh/sshd_config.5.crypto-policies openssh/sshd_config.5
|
|||||||
-diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,
|
-diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,
|
||||||
-diffie-hellman-group14-sha256
|
-diffie-hellman-group14-sha256
|
||||||
-.Ed
|
-.Ed
|
||||||
|
-.Pp
|
||||||
|
The list of available key exchange algorithms may also be obtained using
|
||||||
|
.Qq ssh -Q KexAlgorithms .
|
||||||
|
.It Cm ListenAddress
|
||||||
|
@@ -1065,21 +1049,26 @@ DEBUG and DEBUG1 are equivalent.
|
||||||
|
DEBUG2 and DEBUG3 each specify higher levels of debugging output.
|
||||||
|
Logging with a DEBUG level violates the privacy of users and is not recommended.
|
||||||
|
.It Cm MACs
|
||||||
+The default is handled system-wide by
|
+The default is handled system-wide by
|
||||||
+.Xr crypto-policies 7 .
|
+.Xr crypto-policies 7 .
|
||||||
+To see the defaults and how to modify this default, see manual page
|
+To see the defaults and how to modify this default, see manual page
|
||||||
+.Xr update-crypto-policies 8 .
|
+.Xr update-crypto-policies 8 .
|
||||||
|
+.Pp
|
||||||
|
Specifies the available MAC (message authentication code) algorithms.
|
||||||
|
The MAC algorithm is used for data integrity protection.
|
||||||
|
Multiple algorithms must be comma-separated.
|
||||||
|
If the specified list begins with a
|
||||||
|
.Sq +
|
||||||
|
-character, then the specified algorithms will be appended to the default set
|
||||||
|
+character, then the specified algorithms will be appended to the built-in default set
|
||||||
|
instead of replacing them.
|
||||||
|
If the specified list begins with a
|
||||||
|
.Sq -
|
||||||
|
character, then the specified algorithms (including wildcards) will be removed
|
||||||
|
-from the default set instead of replacing them.
|
||||||
|
+from the built-in default set instead of replacing them.
|
||||||
|
If the specified list begins with a
|
||||||
|
.Sq ^
|
||||||
|
character, then the specified algorithms will be placed at the head of the
|
||||||
|
-default set.
|
||||||
|
+built-in default set.
|
||||||
.Pp
|
.Pp
|
||||||
The list of available key exchange algorithms may also be obtained using
|
The algorithms that contain
|
||||||
.Qq ssh -Q KexAlgorithms .
|
.Qq -etm
|
||||||
@@ -1121,14 +1105,10 @@ umac-64-etm@openssh.com
|
@@ -1122,15 +1111,6 @@ umac-64-etm@openssh.com
|
||||||
umac-128-etm@openssh.com
|
umac-128-etm@openssh.com
|
||||||
.El
|
.El
|
||||||
.Pp
|
.Pp
|
||||||
@ -233,17 +443,35 @@ diff -up openssh/sshd_config.5.crypto-policies openssh/sshd_config.5
|
|||||||
-umac-64@openssh.com,umac-128@openssh.com,
|
-umac-64@openssh.com,umac-128@openssh.com,
|
||||||
-hmac-sha2-256,hmac-sha2-512,hmac-sha1
|
-hmac-sha2-256,hmac-sha2-512,hmac-sha1
|
||||||
-.Ed
|
-.Ed
|
||||||
|
-.Pp
|
||||||
|
The list of available MAC algorithms may also be obtained using
|
||||||
|
.Qq ssh -Q mac .
|
||||||
|
.It Cm Match
|
||||||
|
@@ -1480,36 +1460,25 @@ or equivalent.)
|
||||||
|
The default is
|
||||||
|
.Cm yes .
|
||||||
|
.It Cm PubkeyAcceptedKeyTypes
|
||||||
+The default is handled system-wide by
|
+The default is handled system-wide by
|
||||||
+.Xr crypto-policies 7 .
|
+.Xr crypto-policies 7 .
|
||||||
+To see the defaults and how to modify this default, see manual page
|
+To see the defaults and how to modify this default, see manual page
|
||||||
+.Xr update-crypto-policies 8 .
|
+.Xr update-crypto-policies 8 .
|
||||||
.Pp
|
+.Pp
|
||||||
The list of available MAC algorithms may also be obtained using
|
Specifies the key types that will be accepted for public key authentication
|
||||||
.Qq ssh -Q mac .
|
as a list of comma-separated patterns.
|
||||||
@@ -1492,22 +1472,10 @@ If the specified list begins with a
|
Alternately if the specified list begins with a
|
||||||
|
.Sq +
|
||||||
|
-character, then the specified key types will be appended to the default set
|
||||||
|
+character, then the specified key types will be appended to the built-in default set
|
||||||
|
instead of replacing them.
|
||||||
|
If the specified list begins with a
|
||||||
|
.Sq -
|
||||||
|
character, then the specified key types (including wildcards) will be removed
|
||||||
|
-from the default set instead of replacing them.
|
||||||
|
+from the built-in default set instead of replacing them.
|
||||||
|
If the specified list begins with a
|
||||||
.Sq ^
|
.Sq ^
|
||||||
character, then the specified key types will be placed at the head of the
|
character, then the specified key types will be placed at the head of the
|
||||||
default set.
|
-default set.
|
||||||
-The default for this option is:
|
-The default for this option is:
|
||||||
-.Bd -literal -offset 3n
|
-.Bd -literal -offset 3n
|
||||||
-ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
-ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
||||||
@ -260,10 +488,7 @@ diff -up openssh/sshd_config.5.crypto-policies openssh/sshd_config.5
|
|||||||
-ssh-ed25519,sk-ssh-ed25519@openssh.com,
|
-ssh-ed25519,sk-ssh-ed25519@openssh.com,
|
||||||
-rsa-sha2-512,rsa-sha2-256,ssh-rsa
|
-rsa-sha2-512,rsa-sha2-256,ssh-rsa
|
||||||
-.Ed
|
-.Ed
|
||||||
+The default is handled system-wide by
|
+built-in default set.
|
||||||
+.Xr crypto-policies 7 .
|
|
||||||
+To see the defaults and how to modify this default, see manual page
|
|
||||||
+.Xr update-crypto-policies 8 .
|
|
||||||
.Pp
|
.Pp
|
||||||
The list of available key types may also be obtained using
|
The list of available key types may also be obtained using
|
||||||
.Qq ssh -Q PubkeyAcceptedKeyTypes .
|
.Qq ssh -Q PubkeyAcceptedKeyTypes .
|
||||||
|
Loading…
Reference in New Issue
Block a user