Bug#991130: Manpage: CASignatureAlgorithms mentions a wrong default

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#991130: Manpage: CASignatureAlgorithms mentions a wrong default
From: "Heiko Schlittermann (HS12-RIPE)" <hs@schlittermann.de>
Date: Thu, 15 Jul 2021 08:35:29 +0200
Message-id: <[🔎] 162633092969.30102.16425826185126039114.reportbug@x1.schlittermann.de>
Reply-to: "Heiko Schlittermann (HS12-RIPE)" <hs@schlittermann.de>, 991130@bugs.debian.org

Package: openssh-server
Version: 1:7.9p1-10+deb10u2
Severity: normal

Dear Maintainer,

on a current unreleased Debian bullseye (openssh-server 1:8.4p1-5)
the sshd_config(5) mentions the CASignatureAlgorithms 
with a wrong default: 

|    CASignatureAlgorithms
|            Specifies which algorithms are allowed for signing of certifi-
|            cates by certificate authorities (CAs).  The default is:
|
|                  ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
|                  ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
| 
|            Certificates signed using other algorithms will not be accepted
|            for public key or host-based authentication.


The ssh-rsa algorithm is not in the default set of algorithms, as it
seems (tested with the above server version, after setting the
CASignatureAlgorithms options to the (mistakenly documented default),
SSH certificates with RSA signatures worked again.

This should be clearly stated in this section.

Reply to:

Prev by Date: Re: Bug#990882: openssh-server: With ipv6 ssh-client fail as well as scp getting expecting SSH2_MSG_KEX_ECDH_REPLY
Next by Date: Bug#990882: openssh-server: With ipv6 ssh-client fail as well as scp getting expecting SSH2_MSG_KEX_ECDH_REPLY
Previous by thread: Bug#990882: openssh-server: With ipv6 ssh-client fail as well as scp getting expecting SSH2_MSG_KEX_ECDH_REPLY
Next by thread: Processed: bullseye-ignore
Index(es):
- Date
- Thread