upstream: make ssh -Q CASignatureAlgorithms only list signature

algorithms that are valid for CA signing. Previous behaviour was to list all
signing algorithms, including certificate algorithms (OpenSSH certificates do
not support CA chains). part of bz3577; ok dtucker@

OpenBSD-Commit-ID: 99c2b072dbac0f44fd1f2269e3ff6c1b5d7d3e59
This commit is contained in:
djm@openbsd.org 2023-06-21 05:08:32 +00:00 committed by Damien Miller
parent a69062f169
commit 4e73cd0f4a
No known key found for this signature in database
2 changed files with 8 additions and 4 deletions

6
ssh.1
View File

@ -33,8 +33,8 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" $OpenBSD: ssh.1,v 1.433 2022/11/28 01:37:36 djm Exp $
.Dd $Mdocdate: November 28 2022 $
.\" $OpenBSD: ssh.1,v 1.434 2023/06/21 05:08:32 djm Exp $
.Dd $Mdocdate: June 21 2023 $
.Dt SSH 1
.Os
.Sh NAME
@ -614,6 +614,8 @@ flag),
(key exchange algorithms),
.Ar key
(key types),
.Ar key-ca-sign
(valid CA signature algorithms for certificates),
.Ar key-cert
(certificate key types),
.Ar key-plain

6
ssh.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: ssh.c,v 1.588 2023/04/26 01:36:03 djm Exp $ */
/* $OpenBSD: ssh.c,v 1.589 2023/06/21 05:08:32 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -793,8 +793,10 @@ main(int ac, char **av)
cp = sshkey_alg_list(1, 0, 0, '\n');
else if (strcmp(optarg, "key-plain") == 0)
cp = sshkey_alg_list(0, 1, 0, '\n');
else if (strcmp(optarg, "key-ca-sign") == 0 ||
strcasecmp(optarg, "CASignatureAlgorithms") == 0)
cp = sshkey_alg_list(0, 1, 1, '\n');
else if (strcmp(optarg, "key-sig") == 0 ||
strcasecmp(optarg, "CASignatureAlgorithms") == 0 ||
strcasecmp(optarg, "PubkeyAcceptedKeyTypes") == 0 || /* deprecated name */
strcasecmp(optarg, "PubkeyAcceptedAlgorithms") == 0 ||
strcasecmp(optarg, "HostKeyAlgorithms") == 0 ||