diff options
| author | Colin Watson <cjwatson@debian.org> | 2010-03-31 10:46:28 +0100 |
|---|---|---|
| committer | Colin Watson <cjwatson@debian.org> | 2010-03-31 10:46:28 +0100 |
| commit | efd3d4522636ae029488c2e9730b60c88e257d2e (patch) | |
| tree | 31e02ac3f16090ce8c53448677356b2b7f423683 /key.h | |
| parent | bbec4db36d464ea1d464a707625125f9fd5c7b5e (diff) | |
| parent | d1a87e462e1db89f19cd960588d0c6b287cb5ccc (diff) | |
* New upstream release (LP: #535029).
- After a transition period of about 10 years, this release disables SSH
protocol 1 by default. Clients and servers that need to use the
legacy protocol must explicitly enable it in ssh_config / sshd_config
or on the command-line.
- Remove the libsectok/OpenSC-based smartcard code and add support for
PKCS#11 tokens. This support is enabled by default in the Debian
packaging, since it now doesn't involve additional library
dependencies (closes: #231472, LP: #16918).
- Add support for certificate authentication of users and hosts using a
new, minimal OpenSSH certificate format (closes: #482806).
- Added a 'netcat mode' to ssh(1): "ssh -W host:port ...".
- Add the ability to revoke keys in sshd(8) and ssh(1). (For the Debian
package, this overlaps with the key blacklisting facility added in
openssh 1:4.7p1-9, but with different file formats and slightly
different scopes; for the moment, I've roughly merged the two.)
- Various multiplexing improvements, including support for requesting
port-forwardings via the multiplex protocol (closes: #360151).
- Allow setting an explicit umask on the sftp-server(8) commandline to
override whatever default the user has (closes: #496843).
- Many sftp client improvements, including tab-completion, more options,
and recursive transfer support for get/put (LP: #33378). The old
mget/mput commands never worked properly and have been removed
(closes: #270399, #428082).
- Do not prompt for a passphrase if we fail to open a keyfile, and log
the reason why the open failed to debug (closes: #431538).
- Prevent sftp from crashing when given a "-" without a command. Also,
allow whitespace to follow a "-" (closes: #531561).
Diffstat (limited to 'key.h')
| -rw-r--r-- | key.h | 32 |
1 files changed, 29 insertions, 3 deletions
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: key.h,v 1.27 2008/06/11 21:01:35 grunk Exp $ */ | 1 | /* $OpenBSD: key.h,v 1.28 2010/02/26 20:29:54 djm Exp $ */ |
| 2 | 2 | ||
| 3 | /* | 3 | /* |
| 4 | * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. | 4 | * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. |
| @@ -26,6 +26,7 @@ | |||
| 26 | #ifndef KEY_H | 26 | #ifndef KEY_H |
| 27 | #define KEY_H | 27 | #define KEY_H |
| 28 | 28 | ||
| 29 | #include "buffer.h" | ||
| 29 | #include <openssl/rsa.h> | 30 | #include <openssl/rsa.h> |
| 30 | #include <openssl/dsa.h> | 31 | #include <openssl/dsa.h> |
| 31 | 32 | ||
| @@ -34,6 +35,8 @@ enum types { | |||
| 34 | KEY_RSA1, | 35 | KEY_RSA1, |
| 35 | KEY_RSA, | 36 | KEY_RSA, |
| 36 | KEY_DSA, | 37 | KEY_DSA, |
| 38 | KEY_RSA_CERT, | ||
| 39 | KEY_DSA_CERT, | ||
| 37 | KEY_NULL, | 40 | KEY_NULL, |
| 38 | KEY_UNSPEC | 41 | KEY_UNSPEC |
| 39 | }; | 42 | }; |
| @@ -50,20 +53,35 @@ enum fp_rep { | |||
| 50 | /* key is stored in external hardware */ | 53 | /* key is stored in external hardware */ |
| 51 | #define KEY_FLAG_EXT 0x0001 | 54 | #define KEY_FLAG_EXT 0x0001 |
| 52 | 55 | ||
| 56 | #define CERT_MAX_PRINCIPALS 256 | ||
| 57 | struct KeyCert { | ||
| 58 | Buffer certblob; /* Kept around for use on wire */ | ||
| 59 | u_int type; /* SSH2_CERT_TYPE_USER or SSH2_CERT_TYPE_HOST */ | ||
| 60 | char *key_id; | ||
| 61 | u_int nprincipals; | ||
| 62 | char **principals; | ||
| 63 | u_int64_t valid_after, valid_before; | ||
| 64 | Buffer constraints; | ||
| 65 | Key *signature_key; | ||
| 66 | }; | ||
| 67 | |||
| 53 | struct Key { | 68 | struct Key { |
| 54 | int type; | 69 | int type; |
| 55 | int flags; | 70 | int flags; |
| 56 | RSA *rsa; | 71 | RSA *rsa; |
| 57 | DSA *dsa; | 72 | DSA *dsa; |
| 73 | struct KeyCert *cert; | ||
| 58 | }; | 74 | }; |
| 59 | 75 | ||
| 60 | Key *key_new(int); | 76 | Key *key_new(int); |
| 77 | void key_add_private(Key *); | ||
| 61 | Key *key_new_private(int); | 78 | Key *key_new_private(int); |
| 62 | void key_free(Key *); | 79 | void key_free(Key *); |
| 63 | Key *key_demote(const Key *); | 80 | Key *key_demote(const Key *); |
| 81 | int key_equal_public(const Key *, const Key *); | ||
| 64 | int key_equal(const Key *, const Key *); | 82 | int key_equal(const Key *, const Key *); |
| 65 | char *key_fingerprint(const Key *, enum fp_type, enum fp_rep); | 83 | char *key_fingerprint(Key *, enum fp_type, enum fp_rep); |
| 66 | u_char *key_fingerprint_raw(const Key *, enum fp_type, u_int *); | 84 | u_char *key_fingerprint_raw(Key *, enum fp_type, u_int *); |
| 67 | const char *key_type(const Key *); | 85 | const char *key_type(const Key *); |
| 68 | int key_write(const Key *, FILE *); | 86 | int key_write(const Key *, FILE *); |
| 69 | int key_read(Key *, char **); | 87 | int key_read(Key *, char **); |
| @@ -72,6 +90,14 @@ u_int key_size(const Key *); | |||
| 72 | Key *key_generate(int, u_int); | 90 | Key *key_generate(int, u_int); |
| 73 | Key *key_from_private(const Key *); | 91 | Key *key_from_private(const Key *); |
| 74 | int key_type_from_name(char *); | 92 | int key_type_from_name(char *); |
| 93 | int key_is_cert(const Key *); | ||
| 94 | int key_type_plain(int); | ||
| 95 | int key_to_certified(Key *); | ||
| 96 | int key_drop_cert(Key *); | ||
| 97 | int key_certify(Key *, Key *); | ||
| 98 | void key_cert_copy(const Key *, struct Key *); | ||
| 99 | int key_cert_check_authority(const Key *, int, int, const char *, | ||
| 100 | const char **); | ||
| 75 | 101 | ||
| 76 | Key *key_from_blob(const u_char *, u_int); | 102 | Key *key_from_blob(const u_char *, u_int); |
| 77 | int key_to_blob(const Key *, u_char **, u_int *); | 103 | int key_to_blob(const Key *, u_char **, u_int *); |