From 8a2e92fa055a3463aa7fefd11c3fa03672ef17ed Mon Sep 17 00:00:00 2001
From: Thomas Maurice
Date: Wed, 12 Aug 2020 13:26:43 +0100
Subject: [PATCH] ssh backend: Change the default signature algorithm to rsa-sha2-256
---
 builtin/logical/ssh/path_sign.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/builtin/logical/ssh/path_sign.go b/builtin/logical/ssh/path_sign.go
index 0fd1373a82b3..f4caf4bb14c8 100644
--- a/builtin/logical/ssh/path_sign.go
+++ b/builtin/logical/ssh/path_sign.go
@@ -531,7 +531,7 @@ func (b *creationBundle) sign() (retCert *ssh.Certificate, retErr error) {
 algo := b.Role.AlgorithmSigner
 if algo == "" {
- algo = ssh.SigAlgoRSA
+ algo = ssh.SigAlgoRSASHA2256
 }
 sig, err := sshAlgorithmSigner.SignWithAlgorithm(rand.Reader, certificateBytes, algo)
 if err != nil {
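Review bot: The new fallback `algo = ssh.SigAlgoRSASHA2256` silently changes the signature algorithm for every existing role whose `AlgorithmSigner` is empty, and nothing at the assignment records why or what it affects. A comment above it would help, for example `// Default to rsa-sha2-256: ssh-rsa signs with SHA-1, which recent OpenSSH releases no longer accept by default for certificate signatures.` The upgrade notes should also say that hosts too old to verify rsa-sha2-256 signatures need the role's `AlgorithmSigner` set to `ssh-rsa` explicitly. Separately, the default is RSA-specific and is applied without looking at the signer's key type. Whether a non-RSA CA key can reach this path is not visible here, because sign() starts and ends outside the hunk.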