[Bug 1871465] [NEW] ssh_config(5) contains outdated information

iBug 1871465 at bugs.launchpad.net
Tue Apr 7 18:08:57 UTC 2020


Public bug reported:

The release of OpenSSH 8.2 has removed `ssh-rsa` from the default list
of CACertificateAlgorithms. However the latest `openssh-client` still
ships the man page for ssh_config(5) that contains the following
description:

     CASignatureAlgorithms
             Specifies which algorithms are allowed for signing of certificates 
             by certificate authorities (CAs).  The default is:

                   ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
                   ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa

             ssh(1) will not accept host certificates signed using algorithms 
             other than those specified.

As far as I am concerned, `ssh-rsa` should be dropped from the list so
as to match the behavior of ssh(1).

** Affects: openssh (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: manpage

** Description changed:

  The release of OpenSSH 8.2 has removed `ssh-rsa` from the default list
  of CACertificateAlgorithms. However the latest `openssh-client` still
  ships the man page for ssh_config(5) that contains the following
  description:
  
-      CASignatureAlgorithms
-              Specifies which algorithms are allowed for signing of certificates by certificate authorities (CAs).  The default is:
+      CASignatureAlgorithms
+              Specifies which algorithms are allowed for signing of certificates 
+              by certificate authorities (CAs).  The default is:
  
-                    ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
-                    ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
+                    ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
+                    ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
  
-              ssh(1) will not accept host certificates signed using
- algorithms other than those specified.
+              ssh(1) will not accept host certificates signed using algorithms 
+              other than those specified.
  
  As far as I am concerned, `ssh-rsa` should be dropped from the list so
  as to match the behavior of ssh(1).
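
Review bot: the unchanged context lines at the top of this description change still call the option `CACertificateAlgorithms`, while the man page excerpt they introduce is headed `CASignatureAlgorithms`. The edit only re-wraps the quoted excerpt, so the mismatch carries over. The first sentence should use `CASignatureAlgorithms` so that the report names the same option it quotes.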

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1871465
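
One way to check which behaviour a given client actually has, rather than relying on the man page: an added example, not part of the bug report or of OpenSSH. It assumes `ssh -G` prints a lowercase `casignaturealgorithms` line; the function names and the `--audit` switch are hypothetical.

```shell
#!/bin/sh
# Added example: compare the documented CASignatureAlgorithms default with
# the list the installed client reports.

# Print the casignaturealgorithms value from `ssh -G`-style text on stdin
# (one "keyword value" pair per line; assumed output format).
ca_sig_algs() {
    awk '$1 == "casignaturealgorithms" { print $2; exit }'
}

# Succeed if the comma-separated list $1 contains $2 as a whole element.
# Whole-element matching keeps rsa-sha2-256 or ssh-rsa-cert-v01@openssh.com
# from being mistaken for ssh-rsa.
list_has() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Classify a list: ssh-rsa-allowed, ssh-rsa-rejected, or unknown when empty.
classify() {
    if [ -z "$1" ]; then echo unknown
    elif list_has "$1" ssh-rsa; then echo ssh-rsa-allowed
    else echo ssh-rsa-rejected
    fi
}

# The default as documented in the man page text quoted in the report.
DOCUMENTED='ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa'

# Report documented vs. effective setting for one host alias.
# `ssh -G` only evaluates the configuration; it does not connect.
audit_host() {
    effective=$(ssh -G "${1:-localhost}" 2>/dev/null | ca_sig_algs)
    echo "documented: $(classify "$DOCUMENTED")"
    echo "effective:  $(classify "$effective")"
}

# Hypothetical switch so the file can be sourced without running ssh.
if [ "${1:-}" = "--audit" ]; then
    audit_host "${2:-localhost}"
fi
```

A result of `documented: ssh-rsa-allowed` next to `effective: ssh-rsa-rejected` is the mismatch this report describes.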
