* New upstream release (http://www.openssh.org/txt/release-5.9).

- Introduce sandboxing of the pre-auth privsep child using an optional sshd_config(5) "UsePrivilegeSeparation=sandbox" mode that enables mandatory restrictions on the syscalls the privsep child can perform. - Add new SHA256-based HMAC transport integrity modes from http://www.ietf.org/id/draft-dbider-sha2-mac-for-ssh-02.txt. - The pre-authentication sshd(8) privilege separation slave process now logs via a socket shared with the master process, avoiding the need to maintain /dev/log inside the chroot (closes: #75043, #429243, #599240). - ssh(1) now warns when a server refuses X11 forwarding (closes: #504757). - sshd_config(5)'s AuthorizedKeysFile now accepts multiple paths, separated by whitespace (closes: #76312). The authorized_keys2 fallback is deprecated but documented (closes: #560156). - ssh(1) and sshd(8): set IPv6 traffic class from IPQoS, as well as IPv4 ToS/DSCP (closes: #498297). - ssh-add(1) now accepts keys piped from standard input. E.g. "ssh-add - < /path/to/key" (closes: #229124). - Clean up lost-passphrase text in ssh-keygen(1) (closes: #444691). - Say "required" rather than "recommended" in unprotected-private-key warning (LP: #663455).
author: Colin Watson <cjwatson@debian.org> 2011-09-06 14:56:29 +0100
committer: Colin Watson <cjwatson@debian.org> 2011-09-06 14:56:29 +0100
commit: 978e62d6f14c60747bddef2cc72d66a9c8b83b54 (patch)
tree: 89400a44e42d84937deba7864e4964d6c7734da5 /ssh-keygen.1
parent: 87c685b8c6a49814fd782288097b3093f975aa72 (diff)
parent: 3a7e89697ca363de0f64e0d5704c57219294e41c (diff)
1 files changed, 19 insertions, 8 deletions
diff --git a/ssh-keygen.1 b/ssh-keygen.1
index d0c00ebb0..7c8b1f202 100644
--- a/ssh-keygen.1
+++ b/ssh-keygen.1
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: ssh-keygen.1,v 1.101 2010/10/28 18:33:28 jmc Exp $
+.\"     $OpenBSD: ssh-keygen.1,v 1.106 2011/04/13 04:09:37 djm Exp $
 .\"
 .\" Author: Tatu Ylonen <ylo@cs.hut.fi>
 .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -35,7 +35,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: October 28 2010 $
+.Dd $Mdocdate: April 13 2011 $
 .Dt SSH-KEYGEN 1
 .Os
 .Sh NAME
@@ -117,6 +117,8 @@
 .Nm ssh-keygen
 .Fl L
 .Op Fl f Ar input_keyfile
+.Nm ssh-keygen
+.Fl A
 .Ek
 .Sh DESCRIPTION
 .Nm
@@ -171,9 +173,8 @@ The passphrase can be changed later by using the
 option.
 .Pp
 There is no way to recover a lost passphrase.
-If the passphrase is
+If the passphrase is lost or forgotten, a new key must be generated
-lost or forgotten, a new key must be generated and copied to the
+and the corresponding public key copied to other machines.
-corresponding public key to other machines.
 .Pp
 For RSA1 keys,
 there is also a comment field in the key file that is only for
@@ -190,6 +191,11 @@ should be placed to be activated.
 .Pp
 The options are as follows:
 .Bl -tag -width Ds
+.It Fl A
+For each of the key types (rsa1, rsa, dsa and ecdsa) for which host keys
+do not exist, generate the host keys with the default key file path,
+an empty passphrase, default bits for the key type, and default comment.
+This is used by system administration scripts to generate new host keys.
 .It Fl a Ar trials
 Specifies the number of primality tests to perform when screening DH-GEX
 candidates using the
@@ -202,6 +208,12 @@ Specifies the number of bits in the key to create.
 For RSA keys, the minimum size is 768 bits and the default is 2048 bits.
 Generally, 2048 bits is considered sufficient.
 DSA keys must be exactly 1024 bits as specified by FIPS 186-2.
+For ECDSA keys, the
+.Fl b
+flag determines they key length by selecting from one of three elliptic
+curve sizes: 256, 384 or 521 bits.
+Attempting to use bit lengths other than these three values for ECDSA keys
+will fail.
 .It Fl C Ar comment
 Provides a new comment.
 .It Fl c
@@ -391,7 +403,6 @@ new passphrase.
 .It Fl q
 Silence
 .Nm ssh-keygen .
-Used by system administration scripts when creating a new key.
 .It Fl R Ar hostname
 Removes all keys belonging to
 .Ar hostname
@@ -520,7 +531,7 @@ option.
 Valid generator values are 2, 3, and 5.
 .Pp
 Screened DH groups may be installed in
-.Pa /etc/moduli .
+.Pa /etc/ssh/moduli .
 It is important that this file contains moduli of a range of bit lengths and
 that both ends of a connection share common moduli.
 .Sh CERTIFICATES
@@ -646,7 +657,7 @@ on all machines
 where the user wishes to log in using public key authentication.
 There is no need to keep the contents of this file secret.
 .Pp
-.It Pa /etc/moduli
+.It Pa /etc/ssh/moduli
 Contains Diffie-Hellman groups used for DH-GEX.
 The file format is described in
 .Xr moduli 5 .
author	Colin Watson <cjwatson@debian.org>	2011-09-06 14:56:29 +0100
committer	Colin Watson <cjwatson@debian.org>	2011-09-06 14:56:29 +0100
commit	978e62d6f14c60747bddef2cc72d66a9c8b83b54 (patch)
tree	89400a44e42d84937deba7864e4964d6c7734da5 /ssh-keygen.1
parent	87c685b8c6a49814fd782288097b3093f975aa72 (diff)
parent	3a7e89697ca363de0f64e0d5704c57219294e41c (diff)

diff --git a/ssh-keygen.1 b/ssh-keygen.1 index d0c00ebb0..7c8b1f202 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: ssh-keygen.1,v 1.101 2010/10/28 18:33:28 jmc Exp $	1	.\" $OpenBSD: ssh-keygen.1,v 1.106 2011/04/13 04:09:37 djm Exp $
2	.\"	2	.\"
3	.\" Author: Tatu Ylonen <ylo@cs.hut.fi>	3	.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
4	.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland	4	.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -35,7 +35,7 @@
35	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	35	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
36	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	36	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
37	.\"	37	.\"
38	.Dd $Mdocdate: October 28 2010 $	38	.Dd $Mdocdate: April 13 2011 $
39	.Dt SSH-KEYGEN 1	39	.Dt SSH-KEYGEN 1
40	.Os	40	.Os
41	.Sh NAME	41	.Sh NAME
@@ -117,6 +117,8 @@
117	.Nm ssh-keygen	117	.Nm ssh-keygen
118	.Fl L	118	.Fl L
119	.Op Fl f Ar input_keyfile	119	.Op Fl f Ar input_keyfile
		120	.Nm ssh-keygen
		121	.Fl A
120	.Ek	122	.Ek
121	.Sh DESCRIPTION	123	.Sh DESCRIPTION
122	.Nm	124	.Nm
@@ -171,9 +173,8 @@ The passphrase can be changed later by using the
171	option.	173	option.
172	.Pp	174	.Pp
173	There is no way to recover a lost passphrase.	175	There is no way to recover a lost passphrase.
174	If the passphrase is	176	If the passphrase is lost or forgotten, a new key must be generated
175	lost or forgotten, a new key must be generated and copied to the	177	and the corresponding public key copied to other machines.
176	corresponding public key to other machines.
177	.Pp	178	.Pp
178	For RSA1 keys,	179	For RSA1 keys,
179	there is also a comment field in the key file that is only for	180	there is also a comment field in the key file that is only for
@@ -190,6 +191,11 @@ should be placed to be activated.
190	.Pp	191	.Pp
191	The options are as follows:	192	The options are as follows:
192	.Bl -tag -width Ds	193	.Bl -tag -width Ds
		194	.It Fl A
		195	For each of the key types (rsa1, rsa, dsa and ecdsa) for which host keys
		196	do not exist, generate the host keys with the default key file path,
		197	an empty passphrase, default bits for the key type, and default comment.
		198	This is used by system administration scripts to generate new host keys.
193	.It Fl a Ar trials	199	.It Fl a Ar trials
194	Specifies the number of primality tests to perform when screening DH-GEX	200	Specifies the number of primality tests to perform when screening DH-GEX
195	candidates using the	201	candidates using the
@@ -202,6 +208,12 @@ Specifies the number of bits in the key to create.
202	For RSA keys, the minimum size is 768 bits and the default is 2048 bits.	208	For RSA keys, the minimum size is 768 bits and the default is 2048 bits.
203	Generally, 2048 bits is considered sufficient.	209	Generally, 2048 bits is considered sufficient.
204	DSA keys must be exactly 1024 bits as specified by FIPS 186-2.	210	DSA keys must be exactly 1024 bits as specified by FIPS 186-2.
		211	For ECDSA keys, the
		212	.Fl b
		213	flag determines they key length by selecting from one of three elliptic
		214	curve sizes: 256, 384 or 521 bits.
		215	Attempting to use bit lengths other than these three values for ECDSA keys
		216	will fail.
205	.It Fl C Ar comment	217	.It Fl C Ar comment
206	Provides a new comment.	218	Provides a new comment.
207	.It Fl c	219	.It Fl c
@@ -391,7 +403,6 @@ new passphrase.
391	.It Fl q	403	.It Fl q
392	Silence	404	Silence
393	.Nm ssh-keygen .	405	.Nm ssh-keygen .
394	Used by system administration scripts when creating a new key.
395	.It Fl R Ar hostname	406	.It Fl R Ar hostname
396	Removes all keys belonging to	407	Removes all keys belonging to
397	.Ar hostname	408	.Ar hostname
@@ -520,7 +531,7 @@ option.
520	Valid generator values are 2, 3, and 5.	531	Valid generator values are 2, 3, and 5.
521	.Pp	532	.Pp
522	Screened DH groups may be installed in	533	Screened DH groups may be installed in
523	.Pa /etc/moduli .	534	.Pa /etc/ssh/moduli .
524	It is important that this file contains moduli of a range of bit lengths and	535	It is important that this file contains moduli of a range of bit lengths and
525	that both ends of a connection share common moduli.	536	that both ends of a connection share common moduli.
526	.Sh CERTIFICATES	537	.Sh CERTIFICATES
@@ -646,7 +657,7 @@ on all machines
646	where the user wishes to log in using public key authentication.	657	where the user wishes to log in using public key authentication.
647	There is no need to keep the contents of this file secret.	658	There is no need to keep the contents of this file secret.
648	.Pp	659	.Pp
649	.It Pa /etc/moduli	660	.It Pa /etc/ssh/moduli
650	Contains Diffie-Hellman groups used for DH-GEX.	661	Contains Diffie-Hellman groups used for DH-GEX.
651	The file format is described in	662	The file format is described in
652	.Xr moduli 5 .	663	.Xr moduli 5 .