upstream: Use new private key format by default. This format is

suported by OpenSSH >= 6.5 (released January 2014), so it should be supported by most OpenSSH versions in active use. It is possible to convert new-format private keys to the older format using "ssh-keygen -f /path/key -pm PEM". ok deraadt dtucker OpenBSD-Commit-ID: e3bd4f2509a2103bfa2f710733426af3ad6d8ab8
author: djm@openbsd.org <djm@openbsd.org> 2018-08-08 01:16:01 +0000
committer: Damien Miller <djm@mindrot.org> 2018-08-08 11:18:05 +1000
commit: ed7bd5d93fe14c7bd90febd29b858ea985d14d45 (patch)
tree: d33efae6fa03d1242f851b3d2f21b808809cde37 /ssh-keygen.1
parent: 967226a1bdde59ea137e8f0df871854ff7b91366 (diff)
1 files changed, 8 insertions, 16 deletions
diff --git a/ssh-keygen.1 b/ssh-keygen.1
index 3525d7d17..dd6e7e5a8 100644
--- a/ssh-keygen.1
+++ b/ssh-keygen.1
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: ssh-keygen.1,v 1.147 2018/03/12 00:52:01 djm Exp $
+.\"     $OpenBSD: ssh-keygen.1,v 1.148 2018/08/08 01:16:01 djm Exp $
 .\"
 .\" Author: Tatu Ylonen <ylo@cs.hut.fi>
 .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -35,7 +35,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 12 2018 $
+.Dd $Mdocdate: August 8 2018 $
 .Dt SSH-KEYGEN 1
 .Os
 .Sh NAME
@@ -233,10 +233,8 @@ This is used by
 .Pa /etc/rc
 to generate new host keys.
 .It Fl a Ar rounds
-When saving a new-format private key (i.e. an ed25519 key or when the
+When saving a private key this option specifies the number of KDF
-.Fl o
+(key derivation function) rounds used.
-flag is set), this option specifies the number of KDF (key derivation function)
-rounds used.
 Higher numbers result in slower passphrase verification and increased
 resistance to brute-force password cracking (should the keys be stolen).
 .Pp
@@ -264,8 +262,6 @@ flag will be ignored.
 Provides a new comment.
 .It Fl c
 Requests changing the comment in the private and public key files.
-This operation is only supported for keys stored in the
-newer OpenSSH format.
 The program will prompt for the file containing the private keys, for
 the passphrase if the key has one, and for the new comment.
 .It Fl D Ar pkcs11
@@ -410,6 +406,10 @@ or
 (PEM public key).
 The default conversion format is
 .Dq RFC4716 .
+Setting a format of
+.Dq PEM
+when generating or updating a supported private key type will cause the
+key to be stored in the legacy PEM private key format.
 .It Fl N Ar new_passphrase
 Provides the new passphrase.
 .It Fl n Ar principals
@@ -504,14 +504,6 @@ The
 is a comma-separated list of one or more address/netmask pairs in CIDR
 format.
 .El
-.It Fl o
-Causes
-.Nm
-to save private keys using the new OpenSSH format rather than
-the more compatible PEM format.
-The new format has increased resistance to brute-force password cracking
-but is not supported by versions of OpenSSH prior to 6.5.
-Ed25519 keys always use the new private key format.
 .It Fl P Ar passphrase
 Provides the (old) passphrase.
 .It Fl p
author	djm@openbsd.org <djm@openbsd.org>	2018-08-08 01:16:01 +0000
committer	Damien Miller <djm@mindrot.org>	2018-08-08 11:18:05 +1000
commit	ed7bd5d93fe14c7bd90febd29b858ea985d14d45 (patch)
tree	d33efae6fa03d1242f851b3d2f21b808809cde37 /ssh-keygen.1
parent	967226a1bdde59ea137e8f0df871854ff7b91366 (diff)

diff --git a/ssh-keygen.1 b/ssh-keygen.1 index 3525d7d17..dd6e7e5a8 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: ssh-keygen.1,v 1.147 2018/03/12 00:52:01 djm Exp $	1	.\" $OpenBSD: ssh-keygen.1,v 1.148 2018/08/08 01:16:01 djm Exp $
2	.\"	2	.\"
3	.\" Author: Tatu Ylonen <ylo@cs.hut.fi>	3	.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
4	.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland	4	.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -35,7 +35,7 @@
35	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	35	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
36	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	36	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
37	.\"	37	.\"
38	.Dd $Mdocdate: March 12 2018 $	38	.Dd $Mdocdate: August 8 2018 $
39	.Dt SSH-KEYGEN 1	39	.Dt SSH-KEYGEN 1
40	.Os	40	.Os
41	.Sh NAME	41	.Sh NAME
@@ -233,10 +233,8 @@ This is used by
233	.Pa /etc/rc	233	.Pa /etc/rc
234	to generate new host keys.	234	to generate new host keys.
235	.It Fl a Ar rounds	235	.It Fl a Ar rounds
236	When saving a new-format private key (i.e. an ed25519 key or when the	236	When saving a private key this option specifies the number of KDF
237	.Fl o	237	(key derivation function) rounds used.
238	flag is set), this option specifies the number of KDF (key derivation function)
239	rounds used.
240	Higher numbers result in slower passphrase verification and increased	238	Higher numbers result in slower passphrase verification and increased
241	resistance to brute-force password cracking (should the keys be stolen).	239	resistance to brute-force password cracking (should the keys be stolen).
242	.Pp	240	.Pp
@@ -264,8 +262,6 @@ flag will be ignored.
264	Provides a new comment.	262	Provides a new comment.
265	.It Fl c	263	.It Fl c
266	Requests changing the comment in the private and public key files.	264	Requests changing the comment in the private and public key files.
267	This operation is only supported for keys stored in the
268	newer OpenSSH format.
269	The program will prompt for the file containing the private keys, for	265	The program will prompt for the file containing the private keys, for
270	the passphrase if the key has one, and for the new comment.	266	the passphrase if the key has one, and for the new comment.
271	.It Fl D Ar pkcs11	267	.It Fl D Ar pkcs11
@@ -410,6 +406,10 @@ or
410	(PEM public key).	406	(PEM public key).
411	The default conversion format is	407	The default conversion format is
412	.Dq RFC4716 .	408	.Dq RFC4716 .
		409	Setting a format of
		410	.Dq PEM
		411	when generating or updating a supported private key type will cause the
		412	key to be stored in the legacy PEM private key format.
413	.It Fl N Ar new_passphrase	413	.It Fl N Ar new_passphrase
414	Provides the new passphrase.	414	Provides the new passphrase.
415	.It Fl n Ar principals	415	.It Fl n Ar principals
@@ -504,14 +504,6 @@ The
504	is a comma-separated list of one or more address/netmask pairs in CIDR	504	is a comma-separated list of one or more address/netmask pairs in CIDR
505	format.	505	format.
506	.El	506	.El
507	.It Fl o
508	Causes
509	.Nm
510	to save private keys using the new OpenSSH format rather than
511	the more compatible PEM format.
512	The new format has increased resistance to brute-force password cracking
513	but is not supported by versions of OpenSSH prior to 6.5.
514	Ed25519 keys always use the new private key format.
515	.It Fl P Ar passphrase	507	.It Fl P Ar passphrase
516	Provides the (old) passphrase.	508	Provides the (old) passphrase.
517	.It Fl p	509	.It Fl p