upstream: Use new private key format by default. This format is

suported by OpenSSH >= 6.5 (released January 2014), so it should be supported
by most OpenSSH versions in active use.

It is possible to convert new-format private keys to the older
format using "ssh-keygen -f /path/key -pm PEM".

ok deraadt dtucker

OpenBSD-Commit-ID: e3bd4f2509a2103bfa2f710733426af3ad6d8ab8

1 files changed, 4 insertions, 3 deletions

diff --git a/ssh-keygen.c b/ssh-keygen.c
index 3c9677057..22860ad90 100644
--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-keygen.c,v 1.318 2018/07/09 21:59:10 markus Exp $ */
+/* $OpenBSD: ssh-keygen.c,v 1.319 2018/08/08 01:16:01 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -179,7 +179,7 @@ char *key_type_name = NULL;
 char *pkcs11provider = NULL;
 
 /* Use new OpenSSH private key format when writing SSH2 keys instead of PEM */
-int use_new_format = 0;
+int use_new_format = 1;
 
 /* Cipher for new-format private keys */
 char *new_format_cipher = NULL;
@@ -2434,6 +2434,7 @@ main(int argc, char **argv)
                         }
                         if (strcasecmp(optarg, "PEM") == 0) {
                                 convert_format = FMT_PEM;
+                                use_new_format = 0;
                                 break;
                         }
                         fatal("Unsupported conversion format \"%s\"", optarg);
@@ -2441,7 +2442,7 @@ main(int argc, char **argv)
                         cert_principals = optarg;
                         break;
                 case 'o':
-                        use_new_format = 1;
+                        /* no-op; new format is already the default */
                         break;
                 case 'p':
                         change_passphrase = 1;