- djm@cvs.openbsd.org 2010/04/16 01:47:26

[PROTOCOL.certkeys auth-options.c auth-options.h auth-rsa.c] [auth2-pubkey.c authfd.c key.c key.h myproposal.h ssh-add.c] [ssh-agent.c ssh-dss.c ssh-keygen.1 ssh-keygen.c ssh-rsa.c] [sshconnect.c sshconnect2.c sshd.c] revised certificate format ssh-{dss,rsa}-cert-v01@openssh.com with the following changes: move the nonce field to the beginning of the certificate where it can better protect against chosen-prefix attacks on the signature hash Rename "constraints" field to "critical options" Add a new non-critical "extensions" field Add a serial number The older format is still support for authentication and cert generation (use "ssh-keygen -t v00 -s ca_key ..." to generate a v00 certificate) ok markus@
author: Damien Miller <djm@mindrot.org> 2010-04-16 15:56:21 +1000
committer: Damien Miller <djm@mindrot.org> 2010-04-16 15:56:21 +1000
commit: 4e270b05dd9d850fb9e2e0ac43f33cb4090d3ebc (patch)
tree: 4fc84942b5966e9f38f18a1257ac43ddbed336be /ssh-keygen.1
parent: 031c9100dfe3ee65a29084ebbd61965a76b3ad26 (diff)
1 files changed, 16 insertions, 11 deletions
diff --git a/ssh-keygen.1 b/ssh-keygen.1
index 3e03a9bd0..aacd4d3dc 100644
--- a/ssh-keygen.1
+++ b/ssh-keygen.1
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: ssh-keygen.1,v 1.92 2010/03/13 23:38:13 jmc Exp $
+.\"     $OpenBSD: ssh-keygen.1,v 1.93 2010/04/16 01:47:26 djm Exp $
 .\"
 .\"  -*- nroff -*-
 .\"
@@ -37,7 +37,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 13 2010 $
+.Dd $Mdocdate: April 16 2010 $
 .Dt SSH-KEYGEN 1
 .Os
 .Sh NAME
@@ -110,8 +110,9 @@
 .Fl I Ar certificate_identity
 .Op Fl h
 .Op Fl n Ar principals
-.Op Fl O Ar constraint
+.Op Fl O Ar option
 .Op Fl V Ar validity_interval
+.Op Fl z Ar serial_number
 .Ar
 .Nm ssh-keygen
 .Fl L
@@ -299,13 +300,13 @@ Multiple principals may be specified, separated by commas.
 Please see the
 .Sx CERTIFICATES
 section for details.
-.It Fl O Ar constraint
+.It Fl O Ar option
-Specify a certificate constraint when signing a key.
+Specify a certificate option when signing a key.
 This option may be specified multiple times.
 Please see the
 .Sx CERTIFICATES
 section for details.
-The constraints that are valid for user certificates are:
+The options that are valid for user certificates are:
 .Bl -tag -width Ds
 .It Ic clear
 Clear all enabled permissions.
@@ -355,7 +356,7 @@ is a comma-separated list of one or more address/netmask pairs in CIDR
 format.
 .El
 .Pp
-At present, no constraints are valid for host keys.
+At present, no options are valid for host keys.
 .It Fl P Ar passphrase
 Provides the (old) passphrase.
 .It Fl p
@@ -441,6 +442,10 @@ Specify desired generator when testing candidate moduli for DH-GEX.
 .It Fl y
 This option will read a private
 OpenSSH format file and print an OpenSSH public key to stdout.
+.It Fl z Ar serial_number
+Specifies a serial number to be embedded in the certificate to distinguish
+this certificate from others from the same CA.
+The default serial number is zero.
 .El
 .Sh MODULI GENERATION
 .Nm
@@ -501,7 +506,7 @@ that both ends of a connection share common moduli.
 supports signing of keys to produce certificates that may be used for
 user or host authentication.
 Certificates consist of a public key, some identity information, zero or
-more principal (user or host) names and an optional set of constraints that
+more principal (user or host) names and an optional set of options that
 are signed by a Certification Authority (CA) key.
 Clients or servers may then trust only the CA key and verify its signature
 on a certificate rather than trusting many user/host keys.
@@ -541,11 +546,11 @@ To generate a certificate for a specified set of principals:
 .Dl "$ ssh-keygen -s ca_key -I key_id -h -n host.domain user_key.pub"
 .Pp
 Additional limitations on the validity and use of user certificates may
-be specified through certificate constraints.
+be specified through certificate options..
-A constrained certificate may disable features of the SSH session, may be
+A certificate option may disable features of the SSH session, may be
 valid only when presented from particular source addresses or may
 force the use of a specific command.
-For a list of valid certificate constraints, see the documentation for the
+For a list of valid certificate options, see the documentation for the
 .Fl O
 option above.
 .Pp
author	Damien Miller <djm@mindrot.org>	2010-04-16 15:56:21 +1000
committer	Damien Miller <djm@mindrot.org>	2010-04-16 15:56:21 +1000
commit	4e270b05dd9d850fb9e2e0ac43f33cb4090d3ebc (patch)
tree	4fc84942b5966e9f38f18a1257ac43ddbed336be /ssh-keygen.1
parent	031c9100dfe3ee65a29084ebbd61965a76b3ad26 (diff)

diff --git a/ssh-keygen.1 b/ssh-keygen.1 index 3e03a9bd0..aacd4d3dc 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: ssh-keygen.1,v 1.92 2010/03/13 23:38:13 jmc Exp $	1	.\" $OpenBSD: ssh-keygen.1,v 1.93 2010/04/16 01:47:26 djm Exp $
2	.\"	2	.\"
3	.\" -- nroff --	3	.\" -- nroff --
4	.\"	4	.\"
@@ -37,7 +37,7 @@
37	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	37	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
38	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	38	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
39	.\"	39	.\"
40	.Dd $Mdocdate: March 13 2010 $	40	.Dd $Mdocdate: April 16 2010 $
41	.Dt SSH-KEYGEN 1	41	.Dt SSH-KEYGEN 1
42	.Os	42	.Os
43	.Sh NAME	43	.Sh NAME
@@ -110,8 +110,9 @@
110	.Fl I Ar certificate_identity	110	.Fl I Ar certificate_identity
111	.Op Fl h	111	.Op Fl h
112	.Op Fl n Ar principals	112	.Op Fl n Ar principals
113	.Op Fl O Ar constraint	113	.Op Fl O Ar option
114	.Op Fl V Ar validity_interval	114	.Op Fl V Ar validity_interval
		115	.Op Fl z Ar serial_number
115	.Ar	116	.Ar
116	.Nm ssh-keygen	117	.Nm ssh-keygen
117	.Fl L	118	.Fl L
@@ -299,13 +300,13 @@ Multiple principals may be specified, separated by commas.
299	Please see the	300	Please see the
300	.Sx CERTIFICATES	301	.Sx CERTIFICATES
301	section for details.	302	section for details.
302	.It Fl O Ar constraint	303	.It Fl O Ar option
303	Specify a certificate constraint when signing a key.	304	Specify a certificate option when signing a key.
304	This option may be specified multiple times.	305	This option may be specified multiple times.
305	Please see the	306	Please see the
306	.Sx CERTIFICATES	307	.Sx CERTIFICATES
307	section for details.	308	section for details.
308	The constraints that are valid for user certificates are:	309	The options that are valid for user certificates are:
309	.Bl -tag -width Ds	310	.Bl -tag -width Ds
310	.It Ic clear	311	.It Ic clear
311	Clear all enabled permissions.	312	Clear all enabled permissions.
@@ -355,7 +356,7 @@ is a comma-separated list of one or more address/netmask pairs in CIDR
355	format.	356	format.
356	.El	357	.El
357	.Pp	358	.Pp
358	At present, no constraints are valid for host keys.	359	At present, no options are valid for host keys.
359	.It Fl P Ar passphrase	360	.It Fl P Ar passphrase
360	Provides the (old) passphrase.	361	Provides the (old) passphrase.
361	.It Fl p	362	.It Fl p
@@ -441,6 +442,10 @@ Specify desired generator when testing candidate moduli for DH-GEX.
441	.It Fl y	442	.It Fl y
442	This option will read a private	443	This option will read a private
443	OpenSSH format file and print an OpenSSH public key to stdout.	444	OpenSSH format file and print an OpenSSH public key to stdout.
		445	.It Fl z Ar serial_number
		446	Specifies a serial number to be embedded in the certificate to distinguish
		447	this certificate from others from the same CA.
		448	The default serial number is zero.
444	.El	449	.El
445	.Sh MODULI GENERATION	450	.Sh MODULI GENERATION
446	.Nm	451	.Nm
@@ -501,7 +506,7 @@ that both ends of a connection share common moduli.
501	supports signing of keys to produce certificates that may be used for	506	supports signing of keys to produce certificates that may be used for
502	user or host authentication.	507	user or host authentication.
503	Certificates consist of a public key, some identity information, zero or	508	Certificates consist of a public key, some identity information, zero or
504	more principal (user or host) names and an optional set of constraints that	509	more principal (user or host) names and an optional set of options that
505	are signed by a Certification Authority (CA) key.	510	are signed by a Certification Authority (CA) key.
506	Clients or servers may then trust only the CA key and verify its signature	511	Clients or servers may then trust only the CA key and verify its signature
507	on a certificate rather than trusting many user/host keys.	512	on a certificate rather than trusting many user/host keys.
@@ -541,11 +546,11 @@ To generate a certificate for a specified set of principals:
541	.Dl "$ ssh-keygen -s ca_key -I key_id -h -n host.domain user_key.pub"	546	.Dl "$ ssh-keygen -s ca_key -I key_id -h -n host.domain user_key.pub"
542	.Pp	547	.Pp
543	Additional limitations on the validity and use of user certificates may	548	Additional limitations on the validity and use of user certificates may
544	be specified through certificate constraints.	549	be specified through certificate options..
545	A constrained certificate may disable features of the SSH session, may be	550	A certificate option may disable features of the SSH session, may be
546	valid only when presented from particular source addresses or may	551	valid only when presented from particular source addresses or may
547	force the use of a specific command.	552	force the use of a specific command.
548	For a list of valid certificate constraints, see the documentation for the	553	For a list of valid certificate options, see the documentation for the
549	.Fl O	554	.Fl O
550	option above.	555	option above.
551	.Pp	556	.Pp