diff options
| author | djm@openbsd.org <djm@openbsd.org> | 2018-08-08 01:16:01 +0000 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2018-08-08 11:18:05 +1000 |
| commit | ed7bd5d93fe14c7bd90febd29b858ea985d14d45 (patch) | |
| tree | d33efae6fa03d1242f851b3d2f21b808809cde37 | |
| parent | 967226a1bdde59ea137e8f0df871854ff7b91366 (diff) | |
upstream: Use new private key format by default. This format is
suported by OpenSSH >= 6.5 (released January 2014), so it should be supported
by most OpenSSH versions in active use.
It is possible to convert new-format private keys to the older
format using "ssh-keygen -f /path/key -pm PEM".
ok deraadt dtucker
OpenBSD-Commit-ID: e3bd4f2509a2103bfa2f710733426af3ad6d8ab8
| -rw-r--r-- | ssh-keygen.1 | 24 | ||||
| -rw-r--r-- | ssh-keygen.c | 7 |
2 files changed, 12 insertions, 19 deletions
diff --git a/ssh-keygen.1 b/ssh-keygen.1 index 3525d7d17..dd6e7e5a8 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1 | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | .\" $OpenBSD: ssh-keygen.1,v 1.147 2018/03/12 00:52:01 djm Exp $ | 1 | .\" $OpenBSD: ssh-keygen.1,v 1.148 2018/08/08 01:16:01 djm Exp $ |
| 2 | .\" | 2 | .\" |
| 3 | .\" Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | .\" Author: Tatu Ylonen <ylo@cs.hut.fi> |
| 4 | .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
| @@ -35,7 +35,7 @@ | |||
| 35 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 35 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
| 36 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 36 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
| 37 | .\" | 37 | .\" |
| 38 | .Dd $Mdocdate: March 12 2018 $ | 38 | .Dd $Mdocdate: August 8 2018 $ |
| 39 | .Dt SSH-KEYGEN 1 | 39 | .Dt SSH-KEYGEN 1 |
| 40 | .Os | 40 | .Os |
| 41 | .Sh NAME | 41 | .Sh NAME |
| @@ -233,10 +233,8 @@ This is used by | |||
| 233 | .Pa /etc/rc | 233 | .Pa /etc/rc |
| 234 | to generate new host keys. | 234 | to generate new host keys. |
| 235 | .It Fl a Ar rounds | 235 | .It Fl a Ar rounds |
| 236 | When saving a new-format private key (i.e. an ed25519 key or when the | 236 | When saving a private key this option specifies the number of KDF |
| 237 | .Fl o | 237 | (key derivation function) rounds used. |
| 238 | flag is set), this option specifies the number of KDF (key derivation function) | ||
| 239 | rounds used. | ||
| 240 | Higher numbers result in slower passphrase verification and increased | 238 | Higher numbers result in slower passphrase verification and increased |
| 241 | resistance to brute-force password cracking (should the keys be stolen). | 239 | resistance to brute-force password cracking (should the keys be stolen). |
| 242 | .Pp | 240 | .Pp |
| @@ -264,8 +262,6 @@ flag will be ignored. | |||
| 264 | Provides a new comment. | 262 | Provides a new comment. |
| 265 | .It Fl c | 263 | .It Fl c |
| 266 | Requests changing the comment in the private and public key files. | 264 | Requests changing the comment in the private and public key files. |
| 267 | This operation is only supported for keys stored in the | ||
| 268 | newer OpenSSH format. | ||
| 269 | The program will prompt for the file containing the private keys, for | 265 | The program will prompt for the file containing the private keys, for |
| 270 | the passphrase if the key has one, and for the new comment. | 266 | the passphrase if the key has one, and for the new comment. |
| 271 | .It Fl D Ar pkcs11 | 267 | .It Fl D Ar pkcs11 |
| @@ -410,6 +406,10 @@ or | |||
| 410 | (PEM public key). | 406 | (PEM public key). |
| 411 | The default conversion format is | 407 | The default conversion format is |
| 412 | .Dq RFC4716 . | 408 | .Dq RFC4716 . |
| 409 | Setting a format of | ||
| 410 | .Dq PEM | ||
| 411 | when generating or updating a supported private key type will cause the | ||
| 412 | key to be stored in the legacy PEM private key format. | ||
| 413 | .It Fl N Ar new_passphrase | 413 | .It Fl N Ar new_passphrase |
| 414 | Provides the new passphrase. | 414 | Provides the new passphrase. |
| 415 | .It Fl n Ar principals | 415 | .It Fl n Ar principals |
| @@ -504,14 +504,6 @@ The | |||
| 504 | is a comma-separated list of one or more address/netmask pairs in CIDR | 504 | is a comma-separated list of one or more address/netmask pairs in CIDR |
| 505 | format. | 505 | format. |
| 506 | .El | 506 | .El |
| 507 | .It Fl o | ||
| 508 | Causes | ||
| 509 | .Nm | ||
| 510 | to save private keys using the new OpenSSH format rather than | ||
| 511 | the more compatible PEM format. | ||
| 512 | The new format has increased resistance to brute-force password cracking | ||
| 513 | but is not supported by versions of OpenSSH prior to 6.5. | ||
| 514 | Ed25519 keys always use the new private key format. | ||
| 515 | .It Fl P Ar passphrase | 507 | .It Fl P Ar passphrase |
| 516 | Provides the (old) passphrase. | 508 | Provides the (old) passphrase. |
| 517 | .It Fl p | 509 | .It Fl p |
diff --git a/ssh-keygen.c b/ssh-keygen.c index 3c9677057..22860ad90 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssh-keygen.c,v 1.318 2018/07/09 21:59:10 markus Exp $ */ | 1 | /* $OpenBSD: ssh-keygen.c,v 1.319 2018/08/08 01:16:01 djm Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
| 4 | * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
| @@ -179,7 +179,7 @@ char *key_type_name = NULL; | |||
| 179 | char *pkcs11provider = NULL; | 179 | char *pkcs11provider = NULL; |
| 180 | 180 | ||
| 181 | /* Use new OpenSSH private key format when writing SSH2 keys instead of PEM */ | 181 | /* Use new OpenSSH private key format when writing SSH2 keys instead of PEM */ |
| 182 | int use_new_format = 0; | 182 | int use_new_format = 1; |
| 183 | 183 | ||
| 184 | /* Cipher for new-format private keys */ | 184 | /* Cipher for new-format private keys */ |
| 185 | char *new_format_cipher = NULL; | 185 | char *new_format_cipher = NULL; |
| @@ -2434,6 +2434,7 @@ main(int argc, char **argv) | |||
| 2434 | } | 2434 | } |
| 2435 | if (strcasecmp(optarg, "PEM") == 0) { | 2435 | if (strcasecmp(optarg, "PEM") == 0) { |
| 2436 | convert_format = FMT_PEM; | 2436 | convert_format = FMT_PEM; |
| 2437 | use_new_format = 0; | ||
| 2437 | break; | 2438 | break; |
| 2438 | } | 2439 | } |
| 2439 | fatal("Unsupported conversion format \"%s\"", optarg); | 2440 | fatal("Unsupported conversion format \"%s\"", optarg); |
| @@ -2441,7 +2442,7 @@ main(int argc, char **argv) | |||
| 2441 | cert_principals = optarg; | 2442 | cert_principals = optarg; |
| 2442 | break; | 2443 | break; |
| 2443 | case 'o': | 2444 | case 'o': |
| 2444 | use_new_format = 1; | 2445 | /* no-op; new format is already the default */ |
| 2445 | break; | 2446 | break; |
| 2446 | case 'p': | 2447 | case 'p': |
| 2447 | change_passphrase = 1; | 2448 | change_passphrase = 1; |