upstream: Replace the term "security key" with "(FIDO)

authenticator". The polysemous use of "key" was too confusing. Input from markus@. ok jmc@ OpenBSD-Commit-ID: 12eea973a44c8232af89f86e4269d71ae900ca8f
author: naddy@openbsd.org <naddy@openbsd.org> 2019-12-21 20:22:34 +0000
committer: Damien Miller <djm@mindrot.org> 2019-12-30 14:31:40 +1100
commit: 141df487ba699cfd1ec3dcd98186e7c956e99024 (patch)
tree: d759e3195bf74db1bf1673c563dd24450fcc4c50
parent: fbd9729d4eadf2f7097b6017156387ac64302453 (diff)
8 files changed, 52 insertions, 58 deletions
diff --git a/ssh-add.1 b/ssh-add.1
index 1832ae66d..45af7357a 100644
--- a/ssh-add.1
+++ b/ssh-add.1
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: ssh-add.1,v 1.76 2019/11/30 07:07:59 jmc Exp $
+.\"     $OpenBSD: ssh-add.1,v 1.77 2019/12/21 20:22:34 naddy Exp $
 .\"
 .\" Author: Tatu Ylonen <ylo@cs.hut.fi>
 .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -35,7 +35,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: November 30 2019 $
+.Dd $Mdocdate: December 21 2019 $
 .Dt SSH-ADD 1
 .Os
 .Sh NAME
@@ -135,8 +135,8 @@ Lists fingerprints of all identities currently represented by the agent.
 .It Fl q
 Be quiet after a successful operation.
 .It Fl S Ar provider
-Specifies a path to a security key provider library that will be used when
+Specifies a path to a library that will be used when adding
-adding any security key-hosted keys, overriding the default of using the
+FIDO authenticator-hosted keys, overriding the default of using the
 internal USB HID support.
 .It Fl s Ar pkcs11
 Add keys provided by the PKCS#11 shared library
@@ -197,23 +197,18 @@ Identifies the path of a
 .Ux Ns -domain
 socket used to communicate with the agent.
 .It Ev SSH_SK_PROVIDER
-Specifies the path to a security key provider library used to interact with
+Specifies the path to a library used to interact with FIDO authenticators.
-hardware security keys.
 .El
 .Sh FILES
-.Bl -tag -width Ds
+.Bl -tag -width Ds -compact
 .It Pa ~/.ssh/id_dsa
-Contains the DSA authentication identity of the user.
 .It Pa ~/.ssh/id_ecdsa
-Contains the ECDSA authentication identity of the user.
 .It Pa ~/.ssh/id_ecdsa_sk
-Contains the security key-hosted ECDSA authentication identity of the user.
 .It Pa ~/.ssh/id_ed25519
-Contains the Ed25519 authentication identity of the user.
 .It Pa ~/.ssh/id_ed25519_sk
-Contains the security key-hosted Ed25519 authentication identity of the user.
 .It Pa ~/.ssh/id_rsa
-Contains the RSA authentication identity of the user.
+Contains the DSA, ECDSA, authenticator-hosted ECDSA, Ed25519,
+authenticator-hosted Ed25519 or RSA authentication identity of the user.
 .El
 .Pp
 Identity files should not be readable by anyone but the user.
diff --git a/ssh-agent.1 b/ssh-agent.1
index a3f63467c..fff0db6bc 100644
--- a/ssh-agent.1
+++ b/ssh-agent.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ssh-agent.1,v 1.69 2019/11/30 07:07:59 jmc Exp $
+.\" $OpenBSD: ssh-agent.1,v 1.70 2019/12/21 20:22:34 naddy Exp $
 .\"
 .\" Author: Tatu Ylonen <ylo@cs.hut.fi>
 .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: November 30 2019 $
+.Dd $Mdocdate: December 21 2019 $
 .Dt SSH-AGENT 1
 .Os
 .Sh NAME
@@ -98,8 +98,8 @@ Kill the current agent (given by the
 .Ev SSH_AGENT_PID
 environment variable).
 .It Fl P Ar provider_whitelist
-Specify a pattern-list of acceptable paths for PKCS#11 and security key shared
+Specify a pattern-list of acceptable paths for PKCS#11 and FIDO authenticator
-libraries that may be used with the
+shared libraries that may be used with the
 .Fl S
 or
 .Fl s
diff --git a/ssh-keygen.1 b/ssh-keygen.1
index 1b77bdf6d..e48597388 100644
--- a/ssh-keygen.1
+++ b/ssh-keygen.1
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: ssh-keygen.1,v 1.179 2019/11/30 07:07:59 jmc Exp $
+.\"     $OpenBSD: ssh-keygen.1,v 1.180 2019/12/21 20:22:34 naddy Exp $
 .\"
 .\" Author: Tatu Ylonen <ylo@cs.hut.fi>
 .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -35,7 +35,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: November 30 2019 $
+.Dd $Mdocdate: December 21 2019 $
 .Dt SSH-KEYGEN 1
 .Os
 .Sh NAME
@@ -537,7 +537,7 @@ Allows X11 forwarding.
 .It Ic no-touch-required
 Do not require signatures made using this key require demonstration
 of user presence (e.g. by having the user touch the key).
-This option only makes sense for the Security Key algorithms
+This option only makes sense for the FIDO authenticator algorithms
 .Cm ecdsa-sk
 and
 .Cm ed25519-sk .
@@ -673,11 +673,11 @@ The maximum is 3.
 .It Fl W Ar generator
 Specify desired generator when testing candidate moduli for DH-GEX.
 .It Fl w Ar provider
-Specifies a path to a security key provider library that will be used when
+Specifies a path to a library that will be used when creating
-creating any security key-hosted keys, overriding the default of the
+FIDO authenticator-hosted keys, overriding the default of using
-internal support for USB HID keys.
+the internal USB HID support.
 .It Fl x Ar flags
-Specifies the security key flags to use when enrolling a security key-hosted
+Specifies the authenticator flags to use when enrolling an authenticator-hosted
 key.
 Flags may be specified by name or directly as a hexadecimal value.
 Only one named flag is supported at present:
@@ -1053,8 +1053,7 @@ user2@example.com namespaces="file" ssh-ed25519 AAA41...
 .Sh ENVIRONMENT
 .Bl -tag -width Ds
 .It Ev SSH_SK_PROVIDER
-Specifies the path to a security key provider library used to interact with
+Specifies the path to a library used to interact with FIDO authenticators.
-hardware security keys.
 .El
 .Sh FILES
 .Bl -tag -width Ds -compact
@@ -1064,8 +1063,8 @@ hardware security keys.
 .It Pa ~/.ssh/id_ed25519
 .It Pa ~/.ssh/id_ed25519_sk
 .It Pa ~/.ssh/id_rsa
-Contains the DSA, ECDSA, security key-hosted ECDSA, Ed25519,
+Contains the DSA, ECDSA, authenticator-hosted ECDSA, Ed25519,
-security key-hosted Ed25519 or RSA authentication identity of the user.
+authenticator-hosted Ed25519 or RSA authentication identity of the user.
 This file should not be readable by anyone but the user.
 It is possible to
 specify a passphrase when generating the key; that passphrase will be
@@ -1082,8 +1081,8 @@ will read this file when a login attempt is made.
 .It Pa ~/.ssh/id_ed25519.pub
 .It Pa ~/.ssh/id_ed25519_sk.pub
 .It Pa ~/.ssh/id_rsa.pub
-Contains the DSA, ECDSA, security key-hosted ECDSA, Ed25519,
+Contains the DSA, ECDSA, authenticator-hosted ECDSA, Ed25519,
-security key-hosted Ed25519 or RSA public key for authentication.
+authenticator-hosted Ed25519 or RSA public key for authentication.
 The contents of this file should be added to
 .Pa ~/.ssh/authorized_keys
 on all machines
diff --git a/ssh-sk-helper.8 b/ssh-sk-helper.8
index 9a518fba9..3c53da1ec 100644
--- a/ssh-sk-helper.8
+++ b/ssh-sk-helper.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ssh-sk-helper.8,v 1.2 2019/11/30 07:07:59 jmc Exp $
+.\" $OpenBSD: ssh-sk-helper.8,v 1.3 2019/12/21 20:22:34 naddy Exp $
 .\"
 .\" Copyright (c) 2010 Markus Friedl.  All rights reserved.
 .\"
@@ -14,12 +14,12 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: November 30 2019 $
+.Dd $Mdocdate: December 21 2019 $
 .Dt SSH-SK-HELPER 8
 .Os
 .Sh NAME
 .Nm ssh-sk-helper
-.Nd OpenSSH helper for security key support
+.Nd OpenSSH helper for FIDO authenticator support
 .Sh SYNOPSIS
 .Nm
 .Op Fl v
@@ -27,7 +27,7 @@
 .Nm
 is used by
 .Xr ssh-agent 1
-to access keys provided by a security key.
+to access keys provided by a FIDO authenticator.
 .Pp
 .Nm
 is not intended to be invoked by the user, but from
diff --git a/ssh.1 b/ssh.1
index 8b4b79e19..971337520 100644
--- a/ssh.1
+++ b/ssh.1
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh.1,v 1.408 2019/11/30 07:07:59 jmc Exp $
+.\" $OpenBSD: ssh.1,v 1.409 2019/12/21 20:22:34 naddy Exp $
-.Dd $Mdocdate: November 30 2019 $
+.Dd $Mdocdate: December 21 2019 $
 .Dt SSH 1
 .Os
 .Sh NAME
@@ -903,11 +903,11 @@ This stores the private key in
 .Pa ~/.ssh/id_ecdsa
 (ECDSA),
 .Pa ~/.ssh/id_ecdsa_sk
-(security key-hosted ECDSA),
+(authenticator-hosted ECDSA),
 .Pa ~/.ssh/id_ed25519
 (Ed25519),
 .Pa ~/.ssh/id_ed25519_sk
-(security key-hosted Ed25519),
+(authenticator-hosted Ed25519),
 or
 .Pa ~/.ssh/id_rsa
 (RSA)
@@ -917,11 +917,11 @@ and stores the public key in
 .Pa ~/.ssh/id_ecdsa.pub
 (ECDSA),
 .Pa ~/.ssh/id_ecdsa_sk.pub
-(security key-hosted ECDSA),
+(authenticator-hosted ECDSA),
 .Pa ~/.ssh/id_ed25519.pub
 (Ed25519),
 .Pa ~/.ssh/id_ed25519_sk.pub
-(security key-hosted Ed25519),
+(authenticator-hosted Ed25519),
 or
 .Pa ~/.ssh/id_rsa.pub
 (RSA)
diff --git a/ssh_config.5 b/ssh_config.5
index 186e07617..d3d45b53a 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -33,7 +33,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh_config.5,v 1.312 2019/12/21 02:19:13 djm Exp $
+.\" $OpenBSD: ssh_config.5,v 1.313 2019/12/21 20:22:34 naddy Exp $
 .Dd $Mdocdate: December 21 2019 $
 .Dt SSH_CONFIG 5
 .Os
@@ -936,8 +936,8 @@ or the tokens described in the
 .Sx TOKENS
 section.
 .It Cm IdentityFile
-Specifies a file from which the user's DSA, ECDSA, security key-hosted ECDSA,
+Specifies a file from which the user's DSA, ECDSA, authenticator-hosted ECDSA,
-Ed25519 or RSA authentication identity is read.
+Ed25519, authenticator-hosted Ed25519 or RSA authentication identity is read.
 The default is
 .Pa ~/.ssh/id_dsa ,
 .Pa ~/.ssh/id_ecdsa ,
@@ -1462,9 +1462,9 @@ an OpenSSH Key Revocation List (KRL) as generated by
 For more information on KRLs, see the KEY REVOCATION LISTS section in
 .Xr ssh-keygen 1 .
 .It Cm SecurityKeyProvider
-Specifies a path to a security key provider library that will be used when
+Specifies a path to a library that will be used when loading any
-loading any security key-hosted keys, overriding the default of using
+FIDO authenticator-hosted keys, overriding the default of using
-the built-in support for USB HID keys.
+the built-in USB HID support.
 .Pp
 If the specified value begins with a
 .Sq $
diff --git a/sshd.8 b/sshd.8
index dc11a0d00..b7042cb5e 100644
--- a/sshd.8
+++ b/sshd.8
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd.8,v 1.310 2019/12/19 03:50:01 dtucker Exp $
+.\" $OpenBSD: sshd.8,v 1.311 2019/12/21 20:22:34 naddy Exp $
-.Dd $Mdocdate: December 19 2019 $
+.Dd $Mdocdate: December 21 2019 $
 .Dt SSHD 8
 .Os
 .Sh NAME
@@ -627,7 +627,7 @@ option.
 .It Cm no-touch-required
 Do not require demonstration of user presence
 for signatures made using this key.
-This option only makes sense for the Security Key algorithms
+This option only makes sense for the FIDO authenticator algorithms
 .Cm ecdsa-sk
 and
 .Cm ed25519-sk .
diff --git a/sshd_config.5 b/sshd_config.5
index 222193170..76ec69baf 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.296 2019/12/19 15:09:30 naddy Exp $
+.\" $OpenBSD: sshd_config.5,v 1.297 2019/12/21 20:22:34 naddy Exp $
-.Dd $Mdocdate: December 19 2019 $
+.Dd $Mdocdate: December 21 2019 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@@ -1462,20 +1462,20 @@ and
 .Pp
 The
 .Cm touch-required
-option causes public key authentication using a security key algorithm
+option causes public key authentication using a FIDO authenticator algorithm
 (i.e.\&
 .Cm ecdsa-sk
 or
 .Cm ed25519-sk )
 to always require the signature to attest that a physically present user
-explicitly confirmed the authentication (usually by touching the security key).
+explicitly confirmed the authentication (usually by touching the authenticator).
 By default,
 .Xr sshd 8
-requires key touch unless overridden with an authorized_keys option.
+requires user presence unless overridden with an authorized_keys option.
 The
 .Cm touch-required
 flag disables this override.
-This option has no effect for other, non-security key, public key types.
+This option has no effect for other, non-authenticator public key types.
 .It Cm PubkeyAuthentication
 Specifies whether public key authentication is allowed.
 The default is
@@ -1527,9 +1527,9 @@ If the routing domain is set to
 .Cm \&%D ,
 then the domain in which the incoming connection was received will be applied.
 .It Cm SecurityKeyProvider
-Specifies a path to a security key provider library that will be used when
+Specifies a path to a library that will be used when loading
-loading any security key-hosted keys, overriding the default of using
+FIDO authenticator-hosted keys, overriding the default of using
-the built-in support for USB HID keys.
+the built-in USB HID support.
 .It Cm SetEnv
 Specifies one or more environment variables to set in child sessions started
 by
author	naddy@openbsd.org <naddy@openbsd.org>	2019-12-21 20:22:34 +0000
committer	Damien Miller <djm@mindrot.org>	2019-12-30 14:31:40 +1100
commit	141df487ba699cfd1ec3dcd98186e7c956e99024 (patch)
tree	d759e3195bf74db1bf1673c563dd24450fcc4c50
parent	fbd9729d4eadf2f7097b6017156387ac64302453 (diff)

diff --git a/ssh-add.1 b/ssh-add.1 index 1832ae66d..45af7357a 100644 --- a/ssh-add.1 +++ b/ssh-add.1
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: ssh-add.1,v 1.76 2019/11/30 07:07:59 jmc Exp $	1	.\" $OpenBSD: ssh-add.1,v 1.77 2019/12/21 20:22:34 naddy Exp $
2	.\"	2	.\"
3	.\" Author: Tatu Ylonen <ylo@cs.hut.fi>	3	.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
4	.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland	4	.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -35,7 +35,7 @@
35	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	35	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
36	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	36	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
37	.\"	37	.\"
38	.Dd $Mdocdate: November 30 2019 $	38	.Dd $Mdocdate: December 21 2019 $
39	.Dt SSH-ADD 1	39	.Dt SSH-ADD 1
40	.Os	40	.Os
41	.Sh NAME	41	.Sh NAME
@@ -135,8 +135,8 @@ Lists fingerprints of all identities currently represented by the agent.
135	.It Fl q	135	.It Fl q
136	Be quiet after a successful operation.	136	Be quiet after a successful operation.
137	.It Fl S Ar provider	137	.It Fl S Ar provider
138	Specifies a path to a security key provider library that will be used when	138	Specifies a path to a library that will be used when adding
139	adding any security key-hosted keys, overriding the default of using the	139	FIDO authenticator-hosted keys, overriding the default of using the
140	internal USB HID support.	140	internal USB HID support.
141	.It Fl s Ar pkcs11	141	.It Fl s Ar pkcs11
142	Add keys provided by the PKCS#11 shared library	142	Add keys provided by the PKCS#11 shared library
@@ -197,23 +197,18 @@ Identifies the path of a
197	.Ux Ns -domain	197	.Ux Ns -domain
198	socket used to communicate with the agent.	198	socket used to communicate with the agent.
199	.It Ev SSH_SK_PROVIDER	199	.It Ev SSH_SK_PROVIDER
200	Specifies the path to a security key provider library used to interact with	200	Specifies the path to a library used to interact with FIDO authenticators.
201	hardware security keys.
202	.El	201	.El
203	.Sh FILES	202	.Sh FILES
204	.Bl -tag -width Ds	203	.Bl -tag -width Ds -compact
205	.It Pa ~/.ssh/id_dsa	204	.It Pa ~/.ssh/id_dsa
206	Contains the DSA authentication identity of the user.
207	.It Pa ~/.ssh/id_ecdsa	205	.It Pa ~/.ssh/id_ecdsa
208	Contains the ECDSA authentication identity of the user.
209	.It Pa ~/.ssh/id_ecdsa_sk	206	.It Pa ~/.ssh/id_ecdsa_sk
210	Contains the security key-hosted ECDSA authentication identity of the user.
211	.It Pa ~/.ssh/id_ed25519	207	.It Pa ~/.ssh/id_ed25519
212	Contains the Ed25519 authentication identity of the user.
213	.It Pa ~/.ssh/id_ed25519_sk	208	.It Pa ~/.ssh/id_ed25519_sk
214	Contains the security key-hosted Ed25519 authentication identity of the user.
215	.It Pa ~/.ssh/id_rsa	209	.It Pa ~/.ssh/id_rsa
216	Contains the RSA authentication identity of the user.	210	Contains the DSA, ECDSA, authenticator-hosted ECDSA, Ed25519,
		211	authenticator-hosted Ed25519 or RSA authentication identity of the user.
217	.El	212	.El
218	.Pp	213	.Pp
219	Identity files should not be readable by anyone but the user.	214	Identity files should not be readable by anyone but the user.


diff --git a/ssh-agent.1 b/ssh-agent.1 index a3f63467c..fff0db6bc 100644 --- a/ssh-agent.1 +++ b/ssh-agent.1
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: ssh-agent.1,v 1.69 2019/11/30 07:07:59 jmc Exp $	1	.\" $OpenBSD: ssh-agent.1,v 1.70 2019/12/21 20:22:34 naddy Exp $
2	.\"	2	.\"
3	.\" Author: Tatu Ylonen <ylo@cs.hut.fi>	3	.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
4	.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland	4	.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -34,7 +34,7 @@
34	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	34	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	35	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36	.\"	36	.\"
37	.Dd $Mdocdate: November 30 2019 $	37	.Dd $Mdocdate: December 21 2019 $
38	.Dt SSH-AGENT 1	38	.Dt SSH-AGENT 1
39	.Os	39	.Os
40	.Sh NAME	40	.Sh NAME
@@ -98,8 +98,8 @@ Kill the current agent (given by the
98	.Ev SSH_AGENT_PID	98	.Ev SSH_AGENT_PID
99	environment variable).	99	environment variable).
100	.It Fl P Ar provider_whitelist	100	.It Fl P Ar provider_whitelist
101	Specify a pattern-list of acceptable paths for PKCS#11 and security key shared	101	Specify a pattern-list of acceptable paths for PKCS#11 and FIDO authenticator
102	libraries that may be used with the	102	shared libraries that may be used with the
103	.Fl S	103	.Fl S
104	or	104	or
105	.Fl s	105	.Fl s


diff --git a/ssh-keygen.1 b/ssh-keygen.1 index 1b77bdf6d..e48597388 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: ssh-keygen.1,v 1.179 2019/11/30 07:07:59 jmc Exp $	1	.\" $OpenBSD: ssh-keygen.1,v 1.180 2019/12/21 20:22:34 naddy Exp $
2	.\"	2	.\"
3	.\" Author: Tatu Ylonen <ylo@cs.hut.fi>	3	.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
4	.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland	4	.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -35,7 +35,7 @@
35	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	35	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
36	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	36	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
37	.\"	37	.\"
38	.Dd $Mdocdate: November 30 2019 $	38	.Dd $Mdocdate: December 21 2019 $
39	.Dt SSH-KEYGEN 1	39	.Dt SSH-KEYGEN 1
40	.Os	40	.Os
41	.Sh NAME	41	.Sh NAME
@@ -537,7 +537,7 @@ Allows X11 forwarding.
537	.It Ic no-touch-required	537	.It Ic no-touch-required
538	Do not require signatures made using this key require demonstration	538	Do not require signatures made using this key require demonstration
539	of user presence (e.g. by having the user touch the key).	539	of user presence (e.g. by having the user touch the key).
540	This option only makes sense for the Security Key algorithms	540	This option only makes sense for the FIDO authenticator algorithms
541	.Cm ecdsa-sk	541	.Cm ecdsa-sk
542	and	542	and
543	.Cm ed25519-sk .	543	.Cm ed25519-sk .
@@ -673,11 +673,11 @@ The maximum is 3.
673	.It Fl W Ar generator	673	.It Fl W Ar generator
674	Specify desired generator when testing candidate moduli for DH-GEX.	674	Specify desired generator when testing candidate moduli for DH-GEX.
675	.It Fl w Ar provider	675	.It Fl w Ar provider
676	Specifies a path to a security key provider library that will be used when	676	Specifies a path to a library that will be used when creating
677	creating any security key-hosted keys, overriding the default of the	677	FIDO authenticator-hosted keys, overriding the default of using
678	internal support for USB HID keys.	678	the internal USB HID support.
679	.It Fl x Ar flags	679	.It Fl x Ar flags
680	Specifies the security key flags to use when enrolling a security key-hosted	680	Specifies the authenticator flags to use when enrolling an authenticator-hosted
681	key.	681	key.
682	Flags may be specified by name or directly as a hexadecimal value.	682	Flags may be specified by name or directly as a hexadecimal value.
683	Only one named flag is supported at present:	683	Only one named flag is supported at present:
@@ -1053,8 +1053,7 @@ user2@example.com namespaces="file" ssh-ed25519 AAA41...
1053	.Sh ENVIRONMENT	1053	.Sh ENVIRONMENT
1054	.Bl -tag -width Ds	1054	.Bl -tag -width Ds
1055	.It Ev SSH_SK_PROVIDER	1055	.It Ev SSH_SK_PROVIDER
1056	Specifies the path to a security key provider library used to interact with	1056	Specifies the path to a library used to interact with FIDO authenticators.
1057	hardware security keys.
1058	.El	1057	.El
1059	.Sh FILES	1058	.Sh FILES
1060	.Bl -tag -width Ds -compact	1059	.Bl -tag -width Ds -compact
@@ -1064,8 +1063,8 @@ hardware security keys.
1064	.It Pa ~/.ssh/id_ed25519	1063	.It Pa ~/.ssh/id_ed25519
1065	.It Pa ~/.ssh/id_ed25519_sk	1064	.It Pa ~/.ssh/id_ed25519_sk
1066	.It Pa ~/.ssh/id_rsa	1065	.It Pa ~/.ssh/id_rsa
1067	Contains the DSA, ECDSA, security key-hosted ECDSA, Ed25519,	1066	Contains the DSA, ECDSA, authenticator-hosted ECDSA, Ed25519,
1068	security key-hosted Ed25519 or RSA authentication identity of the user.	1067	authenticator-hosted Ed25519 or RSA authentication identity of the user.
1069	This file should not be readable by anyone but the user.	1068	This file should not be readable by anyone but the user.
1070	It is possible to	1069	It is possible to
1071	specify a passphrase when generating the key; that passphrase will be	1070	specify a passphrase when generating the key; that passphrase will be
@@ -1082,8 +1081,8 @@ will read this file when a login attempt is made.
1082	.It Pa ~/.ssh/id_ed25519.pub	1081	.It Pa ~/.ssh/id_ed25519.pub
1083	.It Pa ~/.ssh/id_ed25519_sk.pub	1082	.It Pa ~/.ssh/id_ed25519_sk.pub
1084	.It Pa ~/.ssh/id_rsa.pub	1083	.It Pa ~/.ssh/id_rsa.pub
1085	Contains the DSA, ECDSA, security key-hosted ECDSA, Ed25519,	1084	Contains the DSA, ECDSA, authenticator-hosted ECDSA, Ed25519,
1086	security key-hosted Ed25519 or RSA public key for authentication.	1085	authenticator-hosted Ed25519 or RSA public key for authentication.
1087	The contents of this file should be added to	1086	The contents of this file should be added to
1088	.Pa ~/.ssh/authorized_keys	1087	.Pa ~/.ssh/authorized_keys
1089	on all machines	1088	on all machines


diff --git a/ssh-sk-helper.8 b/ssh-sk-helper.8 index 9a518fba9..3c53da1ec 100644 --- a/ssh-sk-helper.8 +++ b/ssh-sk-helper.8
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: ssh-sk-helper.8,v 1.2 2019/11/30 07:07:59 jmc Exp $	1	.\" $OpenBSD: ssh-sk-helper.8,v 1.3 2019/12/21 20:22:34 naddy Exp $
2	.\"	2	.\"
3	.\" Copyright (c) 2010 Markus Friedl. All rights reserved.	3	.\" Copyright (c) 2010 Markus Friedl. All rights reserved.
4	.\"	4	.\"
@@ -14,12 +14,12 @@
14	.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF	14	.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15	.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.	15	.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16	.\"	16	.\"
17	.Dd $Mdocdate: November 30 2019 $	17	.Dd $Mdocdate: December 21 2019 $
18	.Dt SSH-SK-HELPER 8	18	.Dt SSH-SK-HELPER 8
19	.Os	19	.Os
20	.Sh NAME	20	.Sh NAME
21	.Nm ssh-sk-helper	21	.Nm ssh-sk-helper
22	.Nd OpenSSH helper for security key support	22	.Nd OpenSSH helper for FIDO authenticator support
23	.Sh SYNOPSIS	23	.Sh SYNOPSIS
24	.Nm	24	.Nm
25	.Op Fl v	25	.Op Fl v
@@ -27,7 +27,7 @@
27	.Nm	27	.Nm
28	is used by	28	is used by
29	.Xr ssh-agent 1	29	.Xr ssh-agent 1
30	to access keys provided by a security key.	30	to access keys provided by a FIDO authenticator.
31	.Pp	31	.Pp
32	.Nm	32	.Nm
33	is not intended to be invoked by the user, but from	33	is not intended to be invoked by the user, but from


diff --git a/ssh.1 b/ssh.1 index 8b4b79e19..971337520 100644 --- a/ssh.1 +++ b/ssh.1
@@ -33,8 +33,8 @@
33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35	.\"	35	.\"
36	.\" $OpenBSD: ssh.1,v 1.408 2019/11/30 07:07:59 jmc Exp $	36	.\" $OpenBSD: ssh.1,v 1.409 2019/12/21 20:22:34 naddy Exp $
37	.Dd $Mdocdate: November 30 2019 $	37	.Dd $Mdocdate: December 21 2019 $
38	.Dt SSH 1	38	.Dt SSH 1
39	.Os	39	.Os
40	.Sh NAME	40	.Sh NAME
@@ -903,11 +903,11 @@ This stores the private key in
903	.Pa ~/.ssh/id_ecdsa	903	.Pa ~/.ssh/id_ecdsa
904	(ECDSA),	904	(ECDSA),
905	.Pa ~/.ssh/id_ecdsa_sk	905	.Pa ~/.ssh/id_ecdsa_sk
906	(security key-hosted ECDSA),	906	(authenticator-hosted ECDSA),
907	.Pa ~/.ssh/id_ed25519	907	.Pa ~/.ssh/id_ed25519
908	(Ed25519),	908	(Ed25519),
909	.Pa ~/.ssh/id_ed25519_sk	909	.Pa ~/.ssh/id_ed25519_sk
910	(security key-hosted Ed25519),	910	(authenticator-hosted Ed25519),
911	or	911	or
912	.Pa ~/.ssh/id_rsa	912	.Pa ~/.ssh/id_rsa
913	(RSA)	913	(RSA)
@@ -917,11 +917,11 @@ and stores the public key in
917	.Pa ~/.ssh/id_ecdsa.pub	917	.Pa ~/.ssh/id_ecdsa.pub
918	(ECDSA),	918	(ECDSA),
919	.Pa ~/.ssh/id_ecdsa_sk.pub	919	.Pa ~/.ssh/id_ecdsa_sk.pub
920	(security key-hosted ECDSA),	920	(authenticator-hosted ECDSA),
921	.Pa ~/.ssh/id_ed25519.pub	921	.Pa ~/.ssh/id_ed25519.pub
922	(Ed25519),	922	(Ed25519),
923	.Pa ~/.ssh/id_ed25519_sk.pub	923	.Pa ~/.ssh/id_ed25519_sk.pub
924	(security key-hosted Ed25519),	924	(authenticator-hosted Ed25519),
925	or	925	or
926	.Pa ~/.ssh/id_rsa.pub	926	.Pa ~/.ssh/id_rsa.pub
927	(RSA)	927	(RSA)


diff --git a/ssh_config.5 b/ssh_config.5 index 186e07617..d3d45b53a 100644 --- a/ssh_config.5 +++ b/ssh_config.5
@@ -33,7 +33,7 @@
33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35	.\"	35	.\"
36	.\" $OpenBSD: ssh_config.5,v 1.312 2019/12/21 02:19:13 djm Exp $	36	.\" $OpenBSD: ssh_config.5,v 1.313 2019/12/21 20:22:34 naddy Exp $
37	.Dd $Mdocdate: December 21 2019 $	37	.Dd $Mdocdate: December 21 2019 $
38	.Dt SSH_CONFIG 5	38	.Dt SSH_CONFIG 5
39	.Os	39	.Os
@@ -936,8 +936,8 @@ or the tokens described in the
936	.Sx TOKENS	936	.Sx TOKENS
937	section.	937	section.
938	.It Cm IdentityFile	938	.It Cm IdentityFile
939	Specifies a file from which the user's DSA, ECDSA, security key-hosted ECDSA,	939	Specifies a file from which the user's DSA, ECDSA, authenticator-hosted ECDSA,
940	Ed25519 or RSA authentication identity is read.	940	Ed25519, authenticator-hosted Ed25519 or RSA authentication identity is read.
941	The default is	941	The default is
942	.Pa ~/.ssh/id_dsa ,	942	.Pa ~/.ssh/id_dsa ,
943	.Pa ~/.ssh/id_ecdsa ,	943	.Pa ~/.ssh/id_ecdsa ,
@@ -1462,9 +1462,9 @@ an OpenSSH Key Revocation List (KRL) as generated by
1462	For more information on KRLs, see the KEY REVOCATION LISTS section in	1462	For more information on KRLs, see the KEY REVOCATION LISTS section in
1463	.Xr ssh-keygen 1 .	1463	.Xr ssh-keygen 1 .
1464	.It Cm SecurityKeyProvider	1464	.It Cm SecurityKeyProvider
1465	Specifies a path to a security key provider library that will be used when	1465	Specifies a path to a library that will be used when loading any
1466	loading any security key-hosted keys, overriding the default of using	1466	FIDO authenticator-hosted keys, overriding the default of using
1467	the built-in support for USB HID keys.	1467	the built-in USB HID support.
1468	.Pp	1468	.Pp
1469	If the specified value begins with a	1469	If the specified value begins with a
1470	.Sq $	1470	.Sq $


diff --git a/sshd.8 b/sshd.8 index dc11a0d00..b7042cb5e 100644 --- a/sshd.8 +++ b/sshd.8
@@ -33,8 +33,8 @@
33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35	.\"	35	.\"
36	.\" $OpenBSD: sshd.8,v 1.310 2019/12/19 03:50:01 dtucker Exp $	36	.\" $OpenBSD: sshd.8,v 1.311 2019/12/21 20:22:34 naddy Exp $
37	.Dd $Mdocdate: December 19 2019 $	37	.Dd $Mdocdate: December 21 2019 $
38	.Dt SSHD 8	38	.Dt SSHD 8
39	.Os	39	.Os
40	.Sh NAME	40	.Sh NAME
@@ -627,7 +627,7 @@ option.
627	.It Cm no-touch-required	627	.It Cm no-touch-required
628	Do not require demonstration of user presence	628	Do not require demonstration of user presence
629	for signatures made using this key.	629	for signatures made using this key.
630	This option only makes sense for the Security Key algorithms	630	This option only makes sense for the FIDO authenticator algorithms
631	.Cm ecdsa-sk	631	.Cm ecdsa-sk
632	and	632	and
633	.Cm ed25519-sk .	633	.Cm ed25519-sk .


diff --git a/sshd_config.5 b/sshd_config.5 index 222193170..76ec69baf 100644 --- a/sshd_config.5 +++ b/sshd_config.5
@@ -33,8 +33,8 @@
33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35	.\"	35	.\"
36	.\" $OpenBSD: sshd_config.5,v 1.296 2019/12/19 15:09:30 naddy Exp $	36	.\" $OpenBSD: sshd_config.5,v 1.297 2019/12/21 20:22:34 naddy Exp $
37	.Dd $Mdocdate: December 19 2019 $	37	.Dd $Mdocdate: December 21 2019 $
38	.Dt SSHD_CONFIG 5	38	.Dt SSHD_CONFIG 5
39	.Os	39	.Os
40	.Sh NAME	40	.Sh NAME
@@ -1462,20 +1462,20 @@ and
1462	.Pp	1462	.Pp
1463	The	1463	The
1464	.Cm touch-required	1464	.Cm touch-required
1465	option causes public key authentication using a security key algorithm	1465	option causes public key authentication using a FIDO authenticator algorithm
1466	(i.e.\&	1466	(i.e.\&
1467	.Cm ecdsa-sk	1467	.Cm ecdsa-sk
1468	or	1468	or
1469	.Cm ed25519-sk )	1469	.Cm ed25519-sk )
1470	to always require the signature to attest that a physically present user	1470	to always require the signature to attest that a physically present user
1471	explicitly confirmed the authentication (usually by touching the security key).	1471	explicitly confirmed the authentication (usually by touching the authenticator).
1472	By default,	1472	By default,
1473	.Xr sshd 8	1473	.Xr sshd 8
1474	requires key touch unless overridden with an authorized_keys option.	1474	requires user presence unless overridden with an authorized_keys option.
1475	The	1475	The
1476	.Cm touch-required	1476	.Cm touch-required
1477	flag disables this override.	1477	flag disables this override.
1478	This option has no effect for other, non-security key, public key types.	1478	This option has no effect for other, non-authenticator public key types.
1479	.It Cm PubkeyAuthentication	1479	.It Cm PubkeyAuthentication
1480	Specifies whether public key authentication is allowed.	1480	Specifies whether public key authentication is allowed.
1481	The default is	1481	The default is
@@ -1527,9 +1527,9 @@ If the routing domain is set to
1527	.Cm \&%D ,	1527	.Cm \&%D ,
1528	then the domain in which the incoming connection was received will be applied.	1528	then the domain in which the incoming connection was received will be applied.
1529	.It Cm SecurityKeyProvider	1529	.It Cm SecurityKeyProvider
1530	Specifies a path to a security key provider library that will be used when	1530	Specifies a path to a library that will be used when loading
1531	loading any security key-hosted keys, overriding the default of using	1531	FIDO authenticator-hosted keys, overriding the default of using
1532	the built-in support for USB HID keys.	1532	the built-in USB HID support.
1533	.It Cm SetEnv	1533	.It Cm SetEnv
1534	Specifies one or more environment variables to set in child sessions started	1534	Specifies one or more environment variables to set in child sessions started
1535	by	1535	by