- OpenBSD CVS Sync

- djm@cvs.openbsd.org 2010/02/26 20:29:54 [PROTOCOL PROTOCOL.agent PROTOCOL.certkeys addrmatch.c auth-options.c] [auth-options.h auth.h auth2-pubkey.c authfd.c dns.c dns.h hostfile.c] [hostfile.h kex.h kexdhs.c kexgexs.c key.c key.h match.h monitor.c] [myproposal.h servconf.c servconf.h ssh-add.c ssh-agent.c ssh-dss.c] [ssh-keygen.1 ssh-keygen.c ssh-rsa.c ssh.1 ssh.c ssh2.h sshconnect.c] [sshconnect2.c sshd.8 sshd.c sshd_config.5] Add support for certificate key types for users and hosts. OpenSSH certificate key types are not X.509 certificates, but a much simpler format that encodes a public key, identity information and some validity constraints and signs it with a CA key. CA keys are regular SSH keys. This certificate style avoids the attack surface of X.509 certificates and is very easy to deploy. Certified host keys allow automatic acceptance of new host keys when a CA certificate is marked as sh/known_hosts. see VERIFYING HOST KEYS in ssh(1) for details. Certified user keys allow authentication of users when the signing CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS FILE FORMAT" in sshd(8) for details. Certificates are minted using ssh-keygen(1), documentation is in the "CERTIFICATES" section of that manpage. Documentation on the format of certificates is in the file PROTOCOL.certkeys feedback and ok markus@
author: Damien Miller <djm@mindrot.org> 2010-02-27 07:55:05 +1100
committer: Damien Miller <djm@mindrot.org> 2010-02-27 07:55:05 +1100
commit: 0a80ca190a39943029719facf7edb990def7ae62 (patch)
tree: e423e30d8412de67170b8240ba919df10ed8e391 /ChangeLog
parent: d27d85d5320bb946d4bb734dcf45a8d20bad6020 (diff)
1 files changed, 33 insertions, 0 deletions
diff --git a/ChangeLog b/ChangeLog
index 10c074c26..fec38e028 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,36 @@
+20100226
+ - OpenBSD CVS Sync
+   - djm@cvs.openbsd.org 2010/02/26 20:29:54
+     [PROTOCOL PROTOCOL.agent PROTOCOL.certkeys addrmatch.c auth-options.c]
+     [auth-options.h auth.h auth2-pubkey.c authfd.c dns.c dns.h hostfile.c]
+     [hostfile.h kex.h kexdhs.c kexgexs.c key.c key.h match.h monitor.c]
+     [myproposal.h servconf.c servconf.h ssh-add.c ssh-agent.c ssh-dss.c]
+     [ssh-keygen.1 ssh-keygen.c ssh-rsa.c ssh.1 ssh.c ssh2.h sshconnect.c]
+     [sshconnect2.c sshd.8 sshd.c sshd_config.5]
+     Add support for certificate key types for users and hosts.
+     
+     OpenSSH certificate key types are not X.509 certificates, but a much
+     simpler format that encodes a public key, identity information and
+     some validity constraints and signs it with a CA key. CA keys are
+     regular SSH keys. This certificate style avoids the attack surface
+     of X.509 certificates and is very easy to deploy.
+     
+     Certified host keys allow automatic acceptance of new host keys
+     when a CA certificate is marked as trusted in ~/.ssh/known_hosts.
+     see VERIFYING HOST KEYS in ssh(1) for details.
+     
+     Certified user keys allow authentication of users when the signing
+     CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS
+     FILE FORMAT" in sshd(8) for details.
+     
+     Certificates are minted using ssh-keygen(1), documentation is in
+     the "CERTIFICATES" section of that manpage.
+     
+     Documentation on the format of certificates is in the file
+     PROTOCOL.certkeys
+     
+     feedback and ok markus@
 20100224
 - (djm) [pkcs11.h ssh-pkcs11-client.c ssh-pkcs11-helper.c ssh-pkcs11.c]
   [ssh-pkcs11.h] Add $OpenBSD$ RCS idents so we can sync portable
author	Damien Miller <djm@mindrot.org>	2010-02-27 07:55:05 +1100
committer	Damien Miller <djm@mindrot.org>	2010-02-27 07:55:05 +1100
commit	0a80ca190a39943029719facf7edb990def7ae62 (patch)
tree	e423e30d8412de67170b8240ba919df10ed8e391 /ChangeLog
parent	d27d85d5320bb946d4bb734dcf45a8d20bad6020 (diff)

diff --git a/ChangeLog b/ChangeLog index 10c074c26..fec38e028 100644 --- a/ChangeLog +++ b/ChangeLog
@@ -1,3 +1,36 @@
		1	20100226
		2	- OpenBSD CVS Sync
		3	- djm@cvs.openbsd.org 2010/02/26 20:29:54
		4	[PROTOCOL PROTOCOL.agent PROTOCOL.certkeys addrmatch.c auth-options.c]
		5	[auth-options.h auth.h auth2-pubkey.c authfd.c dns.c dns.h hostfile.c]
		6	[hostfile.h kex.h kexdhs.c kexgexs.c key.c key.h match.h monitor.c]
		7	[myproposal.h servconf.c servconf.h ssh-add.c ssh-agent.c ssh-dss.c]
		8	[ssh-keygen.1 ssh-keygen.c ssh-rsa.c ssh.1 ssh.c ssh2.h sshconnect.c]
		9	[sshconnect2.c sshd.8 sshd.c sshd_config.5]
		10	Add support for certificate key types for users and hosts.
		11
		12	OpenSSH certificate key types are not X.509 certificates, but a much
		13	simpler format that encodes a public key, identity information and
		14	some validity constraints and signs it with a CA key. CA keys are
		15	regular SSH keys. This certificate style avoids the attack surface
		16	of X.509 certificates and is very easy to deploy.
		17
		18	Certified host keys allow automatic acceptance of new host keys
		19	when a CA certificate is marked as trusted in ~/.ssh/known_hosts.
		20	see VERIFYING HOST KEYS in ssh(1) for details.
		21
		22	Certified user keys allow authentication of users when the signing
		23	CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS
		24	FILE FORMAT" in sshd(8) for details.
		25
		26	Certificates are minted using ssh-keygen(1), documentation is in
		27	the "CERTIFICATES" section of that manpage.
		28
		29	Documentation on the format of certificates is in the file
		30	PROTOCOL.certkeys
		31
		32	feedback and ok markus@
		33
1	20100224	34	20100224
2	- (djm) [pkcs11.h ssh-pkcs11-client.c ssh-pkcs11-helper.c ssh-pkcs11.c]	35	- (djm) [pkcs11.h ssh-pkcs11-client.c ssh-pkcs11-helper.c ssh-pkcs11.c]
3	[ssh-pkcs11.h] Add $OpenBSD$ RCS idents so we can sync portable	36	[ssh-pkcs11.h] Add $OpenBSD$ RCS idents so we can sync portable