path: root/myproposal.h
Commit log (each entry: date, author, files changed, lines -removed/+added, then the commit message):
* 2024-10-25  djm@openbsd.org  (1 file, -2/+2)
  upstream: promote mlkem768x25519-sha256 to be the default key exchange; ok markus@
  OpenBSD-Commit-ID: fc673065e6505bb06b2e2b9362f78ccb4200a828
* 2024-10-14  djm@openbsd.org  (1 file, -4/+4)
  upstream: Turn off finite field (a.k.a modp) Diffie-Hellman key exchange in sshd by default. Specifically, this removes the diffie-hellman-group* and diffie-hellman-group-exchange-* methods. The client is unchanged and continues to support these methods by default.
  Finite field Diffie Hellman is slow and computationally expensive for the same security level as Elliptic Curve DH or PQ key agreement while offering no redeeming advantages. ECDH has been specified for the SSH protocol for 15 years and some form of ECDH has been the default key exchange in OpenSSH for the last 14 years. ok markus@
  OpenBSD-Commit-ID: 4e238ad480a33312667cc10ae0eb6393abaec8da
* 2024-09-09  djm@openbsd.org  (1 file, -1/+2)
  upstream: pull post-quantum ML-KEM/x25519 key exchange out from compile-time flag now that an IANA codepoint has been assigned for the algorithm. Add mlkem768x25519-sha256 in 2nd KexAlgorithms preference slot. ok markus@
  OpenBSD-Commit-ID: 9f50a0fae7d7ae8b27fcca11f8dc6f979207451a
* 2024-08-23  djm@openbsd.org  (1 file, -1/+2)
  upstream: sntrup761x25519-sha512 now has an IANA codepoint assigned, so we can make the algorithm available without the @openssh.com suffix too. ok markus@ deraadt@
  OpenBSD-Commit-ID: eeed8fcde688143a737729d3d56d20ab4353770f
* 2022-03-30  djm@openbsd.org  (1 file, -2/+2)
  upstream: select post-quantum KEX sntrup761x25519-sha512@openssh.com as the default; ok markus@
  OpenBSD-Commit-ID: f02d99cbfce22dffec2e2ab1b60905fbddf48fb9
* 2021-11-10  djm@openbsd.org  (1 file, -1/+2)
  upstream: add the sntrup761x25519-sha512@openssh.com hybrid ECDH/x25519 + Streamlined NTRU Prime post-quantum KEX to the default KEXAlgorithms list (after the ECDH methods but before the prime-group DH ones). ok markus@
  OpenBSD-Commit-ID: 22b77e27a04e497a10e22f138107579652854210
* 2021-08-30  djm@openbsd.org  (1 file, -4/+2)
  upstream: After years of forewarning, disable the RSA/SHA-1 signature algorithm by default. It is feasible to create colliding SHA1 hashes, so we need to deprecate its use. RSA/SHA-256/512 remains available and will be transparently selected instead of RSA/SHA1 for most SSH servers released in the last five+ years. There is no need to regenerate RSA keys.
  The use of RSA/SHA1 can be re-enabled by adding "ssh-rsa" to the PubkeyAcceptedAlgorithms directives on the client and server. ok dtucker deraadt
  OpenBSD-Commit-ID: 189bcc4789c7254e09e23734bdd5def8354ff1d5
* 2020-10-03  djm@openbsd.org  (1 file, -7/+7)
  upstream: prefer ed25519 signature algorithm variants to ECDSA; ok markus@
  OpenBSD-Commit-ID: 82187926fca96d35a5b5afbc091afa84e0966e5b
* 2020-01-25  djm@openbsd.org  (1 file, -3/+2)
  upstream: remove ssh-rsa (SHA1) from the list of allowed CA signature algorithms; ok markus
  OpenBSD-Commit-ID: da3481fca8c81e6951f319a86b7be67502237f57
* 2020-01-23  dtucker@openbsd.org  (1 file, -115/+23)
  upstream: Remove unsupported algorithms from list of defaults at run time and remove ifdef and distinct settings for OPENSSL=no case. This will make things much simpler for -portable where the exact set of algos depends on the configuration of both OpenSSH and the libcrypto it's linked against (if any). ok djm@
  OpenBSD-Commit-ID: e0116d0183dcafc7a9c40ba5fe9127805c5dfdd2
* 2020-01-22  tedu@openbsd.org  (1 file, -3/+2)
  upstream: remove diffie-hellman-group14-sha1 from default kex to see what happens. general mostly ok
  OpenBSD-Commit-ID: 216b7b8462d2ef5f4531f26cb2cb839b2153dad9
* 2019-12-20  djm@openbsd.org  (1 file, -1/+1)
  upstream: sort sk-* methods behind their plain key methods cousins for now
  OpenBSD-Commit-ID: c97e22c2b28c0d12ee389b8b4ef5f2ada7908828
* 2019-12-16  djm@openbsd.org  (1 file, -29/+11)
  upstream: allow security keys to act as host keys as well as user keys. Previously we didn't do this because we didn't want to expose the attack surface presented by USB and FIDO protocol handling, but now that this is insulated behind ssh-sk-helper there is less risk. ok markus@
  OpenBSD-Commit-ID: 77b068dd133b8d87e0f010987bd5131e640ee64c
* 2019-12-11  djm@openbsd.org  (1 file, -2/+4)
  upstream: add security key types to list of keys allowed to act as CAs; spotted by Ron Frederick
  OpenBSD-Commit-ID: 9bb0dfff927b4f7aa70679f983f84c69d45656c3
* 2019-11-18  Damien Miller  (1 file, -6/+2)
  remove all EC algs from proposals, not just sk ones
  ok dtucker@
* 2019-11-18  Damien Miller  (1 file, -13/+19)
  filter PUBKEY_DEFAULT_PK_ALG for ECC algorithms
  Remove ECC algorithms from the PUBKEY_DEFAULT_PK_ALG list when compiling without ECC support in libcrypto.
* 2019-11-12  markus@openbsd.org  (1 file, -1/+3)
  upstream: enable ed25519 support; ok djm
  OpenBSD-Commit-ID: 1a399c5b3ef15bd8efb916110cf5a9e0b554ab7e
* 2019-11-01  djm@openbsd.org  (1 file, -5/+1)
  upstream: remove duplicate PUBKEY_DEFAULT_PK_ALG on !WITH_OPENSSL path
  OpenBSD-Commit-ID: 95a7cafad2a4665d57cabacc28031fabc0bea9fc
* 2019-10-31  djm@openbsd.org  (1 file, -1/+24)
  upstream: Separate myproposal.h userauth pubkey types
  U2F/FIDO keys are not supported for host authentication, so we need a separate list for user keys. feedback & ok markus@
  OpenBSD-Commit-ID: 7fe2e6ab85f9f2338866e5af8ca2d312abbf0429
* 2019-10-28  Darren Tucker  (1 file, -0/+2)
  Wrap OpenSSL bits in WITH_OPENSSL.
* 2019-05-17  Darren Tucker  (1 file, -1/+1)
  Use the correct macro for SSH_ALLOWED_CA_SIGALGS.
* 2019-05-17  Darren Tucker  (1 file, -3/+1)
  Conditionalize ECDH methods in CA algos.
  When building against an OpenSSL configured without ECC, don't include those algos in CASignatureAlgorithms. ok djm@
* 2019-02-24  djm@openbsd.org  (1 file, -10/+5)
  upstream: openssh-7.9 accidentally reused the server's algorithm lists in the client for KEX, ciphers and MACs. The ciphers and MACs were identical between the client and server, but the error accidentally disabled the diffie-hellman-group-exchange-sha1 KEX method. This fixes the client code to use the correct method list, but because nobody complained, it also disables the diffie-hellman-group-exchange-sha1 KEX method. Reported by nuxi AT vault24.org via bz#2697; ok dtucker
  OpenBSD-Commit-ID: e30c33a23c10fd536fefa120e86af1842e33fd57
* 2018-09-12  djm@openbsd.org  (1 file, -1/+13)
  upstream: add SSH_ALLOWED_CA_SIGALGS - the default list of signature algorithms that are allowed for CA signatures. Notably excludes ssh-dsa. ok markus@
  OpenBSD-Commit-ID: 1628e4181dc8ab71909378eafe5d06159a22deb4
* 2018-07-03  djm@openbsd.org  (1 file, -1/+3)
  upstream: Improve strictness and control over RSA-SHA2 signature
  In ssh, when an agent fails to return a RSA-SHA2 signature when requested and falls back to RSA-SHA1 instead, retry the signature to ensure that the public key algorithm sent in the SSH_MSG_USERAUTH matches the one in the signature itself.
  In sshd, strictly enforce that the public key algorithm sent in the SSH_MSG_USERAUTH message matches what appears in the signature.
  Make the sshd_config PubkeyAcceptedKeyTypes and HostbasedAcceptedKeyTypes options control accepted signature algorithms (previously they selected supported key types). This allows these options to ban RSA-SHA1 in favour of RSA-SHA2.
  Add new signature algorithms "rsa-sha2-256-cert-v01@openssh.com" and "rsa-sha2-512-cert-v01@openssh.com" to force use of RSA-SHA2 signatures with certificate keys.
  feedback and ok markus@
  OpenBSD-Commit-ID: c6e9f6d45eed8962ad502d315d7eaef32c419dde
* 2017-05-08  djm@openbsd.org  (1 file, -3/+2)
  upstream commit
  Don't offer CBC ciphers by default in the client. ok markus@
  Upstream-ID: 94c9ce8d0d1a085052e11c7f3307950fdc0901ef
* 2016-09-28  djm@openbsd.org  (1 file, -2/+2)
  upstream commit
  Remove support for pre-authentication compression. Doing compression early in the protocol probably seemed reasonable in the 1990s, but today it's clearly a bad idea in terms of both cryptography (cf. multiple compression oracle attacks in TLS) and attack surface.
  Moreover, to support it across privilege-separation zlib needed the assistance of a complex shared-memory manager that made the required attack surface considerably larger.
  Prompted by Guido Vranken pointing out a compiler-elided security check in the shared memory manager found by Stack (http://css.csail.mit.edu/stack/); ok deraadt@ markus@
  NB. pre-auth authentication has been disabled by default in sshd for >10 years.
  Upstream-ID: 32af9771788d45a0779693b41d06ec199d849caf
* 2016-09-23  djm@openbsd.org  (1 file, -2/+5)
  upstream commit
  support plain curve25519-sha256 KEX algorithm now that it is approaching standardisation (same algorithm is currently supported as curve25519-sha256@libssh.org)
  Upstream-ID: 5e2b6db2e72667048cf426da43c0ee3fc777baa2
* 2016-09-12  djm@openbsd.org  (1 file, -2/+2)
  upstream commit
  remove 3des-cbc from the client's default proposal; 64-bit block ciphers are not safe in 2016 and we don't want to wait until attacks like sweet32 are extended to SSH. As 3des-cbc was the only mandatory cipher in the SSH RFCs, this may cause problems connecting to older devices using the defaults, but it's highly likely that such devices already need explicit configuration for KEX and hostkeys anyway. ok deraadt, markus, dtucker
  Upstream-ID: a505dfe65c6733af0f751b64cbc4bb7e0761bc2f
* 2016-05-02  djm@openbsd.org  (1 file, -4/+11)
  upstream commit
  add support for additional fixed DH groups from draft-ietf-curdle-ssh-kex-sha2-03:
    diffie-hellman-group14-sha256 (2K group)
    diffie-hellman-group16-sha512 (4K group)
    diffie-hellman-group18-sha512 (8K group)
  based on patch from Mark D. Baushke and Darren Tucker ok markus@
  Upstream-ID: ac00406ada4f0dfec41585ca0839f039545bc46f
* 2016-02-09  djm@openbsd.org  (1 file, -15/+4)
  upstream commit
  turn off more old crypto in the client: hmac-md5, ripemd, truncated HMACs, RC4, blowfish. ok markus@ dtucker@
  Upstream-ID: 96aa11c2c082be45267a690c12f1d2aae6acd46e
* 2015-12-07  markus@openbsd.org  (1 file, -2/+2)
  upstream commit
  prefer rsa-sha2-512 over -256 for hostkeys, too; noticed by naddy@
  Upstream-ID: 685f55f7ec566a8caca587750672723a0faf3ffe
* 2015-12-07  markus@openbsd.org  (1 file, -2/+4)
  upstream commit
  implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
  Upstream-ID: cf82ce532b2733e5c4b34bb7b7c94835632db309
* 2015-07-15  markus@openbsd.org  (1 file, -4/+2)
  upstream commit
  Turn off DSA by default; add HostKeyAlgorithms to the server and PubkeyAcceptedKeyTypes to the client side, so it still can be tested or turned back on; feedback and ok djm@
  Upstream-ID: 8450a9e6d83f80c9bfed864ff061dfc9323cec21
* 2015-07-15  djm@openbsd.org  (1 file, -3/+2)
  upstream commit
  turn off 1024 bit diffie-hellman-group1-sha1 key exchange method (already off in server, this turns it off in the client by default too) ok dtucker@
  Upstream-ID: f59b88f449210ab7acf7d9d88f20f1daee97a4fa
* 2015-07-15  djm@openbsd.org  (1 file, -3/+1)
  upstream commit
  delete support for legacy v00 certificates; "sure" markus@ dtucker@
  Upstream-ID: b5b9bb5f9202d09e88f912989d74928601b6636f
* 2015-05-29  Damien Miller  (1 file, -2/+2)
  fix merge botch that left ",," in KEX algs
* 2015-05-28  dtucker@openbsd.org  (1 file, -5/+8)
  upstream commit
  Reorder client proposal to prefer diffie-hellman-group-exchange-sha1 over diffie-hellman-group14-sha1. ok djm@
  Upstream-ID: 552c08d47347c3ee1a9a57d88441ab50abe17058
* 2015-04-29  jsg@openbsd.org  (1 file, -2/+2)
  upstream commit
  Add back a backslash removed in rev 1.42 so KEX_SERVER_ENCRYPT will include aes again. ok deraadt@
* 2015-03-27  djm@openbsd.org  (1 file, -7/+7)
  upstream commit
  promote chacha20-poly1305@openssh.com to be the default cipher; ok markus
* 2014-08-19  Damien Miller  (1 file, -1/+1)
  - (djm) [myproposal.h] Make curve25519 KEX dependent on HAVE_EVP_SHA256 instead of OPENSSL_HAS_ECC.
* 2014-07-17  Damien Miller  (1 file, -8/+8)
  - tedu@cvs.openbsd.org 2014/07/11 13:54:34
    [myproposal.h]
    by popular demand, add back hmac-sha1 to server proposal for better compat with many clients still in use. ok deraadt
* 2014-06-10  Darren Tucker  (1 file, -2/+7)
  - (dtucker) [myproposal.h] Don't include curve25519-sha256@libssh.org in the proposal if the version of OpenSSL we're using doesn't support ECC.
* 2014-05-15  Damien Miller  (1 file, -1/+5)
  - naddy@cvs.openbsd.org 2014/04/30 19:07:48
    [mac.c myproposal.h umac.c]
    UMAC can use our local fallback implementation of AES when OpenSSL isn't available. Glue code straight from Ted Krovetz's original umac.c. ok markus@
* 2014-05-15  Damien Miller  (1 file, -1/+26)
  - markus@cvs.openbsd.org 2014/04/29 18:01:49
    [auth.c authfd.c authfile.c bufaux.c cipher.c cipher.h hostfile.c]
    [kex.c key.c mac.c monitor.c monitor_wrap.c myproposal.h packet.c]
    [roaming_client.c ssh-agent.c ssh-keygen.c ssh-keyscan.c ssh-keysign.c]
    [ssh-pkcs11.h ssh.c sshconnect.c sshconnect2.c sshd.c]
    make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
* 2014-04-20  Damien Miller  (1 file, -27/+42)
  Three commits in one (since they touch the same heavily-diverged file repeatedly):
  - markus@cvs.openbsd.org 2014/03/25 09:40:03
    [myproposal.h]
    trim default proposals. This commit removes the weaker pre-SHA2 hashes, the broken ciphers (arcfour), and the broken modes (CBC) from the default configuration (the patch only changes the default, all the modes are still available for the config files). ok djm@, reminded by tedu@ & naddy@ and discussed with many
  - deraadt@cvs.openbsd.org 2014/03/26 17:16:26
    [myproposal.h]
    The current sharing of myproposal[] between both client and server code makes the previous diff highly unpalatable. We want to go in that direction for the server, but not for the client. Sigh. Brought up by naddy.
  - markus@cvs.openbsd.org 2014/03/27 23:01:27
    [myproposal.h ssh-keyscan.c sshconnect2.c sshd.c]
    disable weak proposals in sshd, but keep them in ssh; ok djm@
* 2013-12-07  Damien Miller  (1 file, -1/+3)
  - markus@cvs.openbsd.org 2013/12/06 13:39:49
    [authfd.c authfile.c key.c key.h myproposal.h pathnames.h readconf.c]
    [servconf.c ssh-agent.c ssh-keygen.c ssh-keyscan.1 ssh-keyscan.c]
    [ssh-keysign.c ssh.c ssh_config.5 sshd.8 sshd.c verify.c ssh-ed25519.c]
    [sc25519.h sc25519.c hash.c ge25519_base.data ge25519.h ge25519.c]
    [fe25519.h fe25519.c ed25519.c crypto_api.h blocks.c]
    support ed25519 keys (hostkeys and user identities) using the public domain ed25519 reference code from SUPERCOP, see http://ed25519.cr.yp.to/software.html
    feedback, help & ok djm@
* 2013-11-21  Damien Miller  (1 file, -1/+2)
  - djm@cvs.openbsd.org 2013/11/21 00:45:44
    [Makefile.in PROTOCOL PROTOCOL.chacha20poly1305 authfile.c chacha.c]
    [chacha.h cipher-chachapoly.c cipher-chachapoly.h cipher.c cipher.h]
    [dh.c myproposal.h packet.c poly1305.c poly1305.h servconf.c ssh.1]
    [ssh.c ssh_config.5 sshd_config.5]
    Add a new protocol 2 transport cipher "chacha20-poly1305@openssh.com" that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC to build an authenticated encryption mode.
    Inspired by and similar to Adam Langley's proposal for TLS: http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03 but differs in layout used for the MAC calculation and the use of a second ChaCha20 instance to separately encrypt packet lengths. Details are in the PROTOCOL.chacha20poly1305 file.
    Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC
    ok markus@ naddy@
* 2013-11-09  Darren Tucker  (1 file, -0/+12)
  - (dtucker) [configure.ac kex.c key.c myproposal.h] Test for the presence of NID_X9_62_prime256v1, NID_secp384r1 and NID_secp521r1 and test that the latter actually works before using it. Fedora (at least) has NID_secp521r1 that doesn't work (see https://bugzilla.redhat.com/show_bug.cgi?id=1021897).
* 2013-11-08  Darren Tucker  (1 file, -1/+4)
  - (dtucker) [myproposal.h] Conditionally enable CURVE25519_SHA256.