hostkey: prefer ED25519 over ECDSA in hostkey algorithm negotiation (#1783)

Reorders the hostkey_methods array to prioritize ED25519 host keys over ECDSA curves, aligning libssh2 with OpenSSH's default behavior. As noted in issue #1782, industry usage has shifted to prefer ED25519 Previous order: ECDSA (nistp256/384/521 + certificates) **ED25519 (ssh-ed25519 + certificates)** RSA (SHA2-512, SHA2-256, SHA1) DSA New order: **ED25519 (ssh-ed25519 + certificates)** ECDSA (nistp256/384/521 + certificates) RSA (SHA2-512, SHA2-256, SHA1) DSA Testing: Existing test suites should pass without modification References: OpenSSH HostKeyAlgorithms default order: - https://man.openbsd.org/sshd_config#HostKeyAlgorithms - https://man.openbsd.org/ssh_config#HostKeyAlgorithms Fixes #1782 Signed-off-by: Hemant Jadhav <hemant.jadhav@emerson.com>
2026-01-27 00:18:12 +03:00 · 2026-01-14 14:10:46 -06:00
parent 882bd26488
commit 0cb8351494
1 changed files with 4 additions and 4 deletions
--- a/src/hostkey.c
+++ b/src/hostkey.c
@@ -1337,6 +1337,10 @@ static const LIBSSH2_HOSTKEY_METHOD hostkey_method_ssh_ed25519_cert = {
 #endif /* LIBSSH2_ED25519 */

 static const LIBSSH2_HOSTKEY_METHOD *hostkey_methods[] = {
+#if LIBSSH2_ED25519
+    &hostkey_method_ssh_ed25519,
+    &hostkey_method_ssh_ed25519_cert,
+#endif
 #if LIBSSH2_ECDSA
    &hostkey_method_ecdsa_ssh_nistp256,
    &hostkey_method_ecdsa_ssh_nistp384,
@@ -1345,10 +1349,6 @@ static const LIBSSH2_HOSTKEY_METHOD *hostkey_methods[] = {
    &hostkey_method_ecdsa_ssh_nistp384_cert,
    &hostkey_method_ecdsa_ssh_nistp521_cert,
 #endif
-#if LIBSSH2_ED25519
-    &hostkey_method_ssh_ed25519,
-    &hostkey_method_ssh_ed25519_cert,
-#endif
 #if LIBSSH2_RSA
 #if LIBSSH2_RSA_SHA2
    &hostkey_method_ssh_rsa_sha2_512,