upstream: add CASignatureAlgorithms option for the client, allowing

it to specify which signature algorithms may be used by CAs when signing
certificates. Useful if you want to ban RSA/SHA1; ok markus@

OpenBSD-Commit-ID: 9159e5e9f67504829bf53ff222057307a6e3230f

1 files changed, 14 insertions, 2 deletions

diff --git a/ssh_config.5 b/ssh_config.5
index f499396a3..a9b44cc44 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh_config.5,v 1.281 2018/07/23 19:02:49 kn Exp $
-.Dd $Mdocdate: July 23 2018 $
+.\" $OpenBSD: ssh_config.5,v 1.282 2018/09/20 03:30:44 djm Exp $
+.Dd $Mdocdate: September 20 2018 $
 .Dt SSH_CONFIG 5
 .Os
 .Sh NAME
@@ -261,6 +261,18 @@ Only useful on systems with more than one address.
 .It Cm BindInterface
 Use the address of the specified interface on the local machine as the
 source address of the connection.
+.It Cm CASignatureAlgorithms
+Specifies which algorithms are allowed for signing of certificates
+by certificate authorities (CAs).
+The default is:
+.Bd -literal -offset indent
+ecdsa-sha2-nistp256.ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
+ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
+.Ed
+.Pp
+.Xr ssh 1
+will not accept host certificates signed using algorithms other than those
+specified.
 .It Cm CanonicalDomains
 When
 .Cm CanonicalizeHostname