summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--Makefile.in6
-rw-r--r--ssh-add.19
-rw-r--r--ssh-keygen.136
-rw-r--r--ssh-keygen.c5
-rw-r--r--ssh-sk-helper.866
-rw-r--r--ssh.117
-rw-r--r--ssh_config.531
-rw-r--r--sshd.837
-rw-r--r--sshd_config.515
9 files changed, 179 insertions, 43 deletions
diff --git a/Makefile.in b/Makefile.in
index a569bb95a..fddc82576 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -124,8 +124,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o \
124 sandbox-seccomp-filter.o sandbox-capsicum.o sandbox-pledge.o \ 124 sandbox-seccomp-filter.o sandbox-capsicum.o sandbox-pledge.o \
125 sandbox-solaris.o uidswap.o 125 sandbox-solaris.o uidswap.o
126 126
127MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out 127MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out ssh-sk-helper.8.out sshd_config.5.out ssh_config.5.out
128MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5 128MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 ssh-sk-helper.8 sshd_config.5 ssh_config.5
129MANTYPE = @MANTYPE@ 129MANTYPE = @MANTYPE@
130 130
131CONFIGFILES=sshd_config.out ssh_config.out moduli.out 131CONFIGFILES=sshd_config.out ssh_config.out moduli.out
@@ -372,6 +372,7 @@ install-files:
372 $(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8 372 $(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
373 $(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8 373 $(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
374 $(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8 374 $(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
375 $(INSTALL) -m 644 ssh-sk-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-sk-helper.8
375 376
376install-sysconf: 377install-sysconf:
377 $(MKDIR_P) $(DESTDIR)$(sysconfdir) 378 $(MKDIR_P) $(DESTDIR)$(sysconfdir)
@@ -444,6 +445,7 @@ uninstall:
444 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8 445 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
445 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8 446 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
446 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8 447 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
448 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-sk-helper.8
447 449
448regress-prep: 450regress-prep:
449 $(MKDIR_P) `pwd`/regress/unittests/test_helper 451 $(MKDIR_P) `pwd`/regress/unittests/test_helper
diff --git a/ssh-add.1 b/ssh-add.1
index 9b90257b4..73b91d945 100644
--- a/ssh-add.1
+++ b/ssh-add.1
@@ -1,4 +1,4 @@
1.\" $OpenBSD: ssh-add.1,v 1.71 2019/11/01 00:52:35 jmc Exp $ 1.\" $OpenBSD: ssh-add.1,v 1.72 2019/11/07 08:38:38 naddy Exp $
2.\" 2.\"
3.\" Author: Tatu Ylonen <ylo@cs.hut.fi> 3.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
4.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -35,7 +35,7 @@
35.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 35.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
36.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 36.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
37.\" 37.\"
38.Dd $Mdocdate: November 1 2019 $ 38.Dd $Mdocdate: November 7 2019 $
39.Dt SSH-ADD 1 39.Dt SSH-ADD 1
40.Os 40.Os
41.Sh NAME 41.Sh NAME
@@ -63,6 +63,7 @@ When run without arguments, it adds the files
63.Pa ~/.ssh/id_rsa , 63.Pa ~/.ssh/id_rsa ,
64.Pa ~/.ssh/id_dsa , 64.Pa ~/.ssh/id_dsa ,
65.Pa ~/.ssh/id_ecdsa , 65.Pa ~/.ssh/id_ecdsa ,
66.Pa ~/.ssh/id_ecdsa_sk ,
66and 67and
67.Pa ~/.ssh/id_ed25519 . 68.Pa ~/.ssh/id_ed25519 .
68After loading a private key, 69After loading a private key,
@@ -135,7 +136,7 @@ Be quiet after a successful operation.
135.It Fl S Ar provider 136.It Fl S Ar provider
136Specifies a path to a security key provider library that will be used when 137Specifies a path to a security key provider library that will be used when
137adding any security key-hosted keys, overriding the default of using the 138adding any security key-hosted keys, overriding the default of using the
138.Ev "SSH_SK_PROVIDER" 139.Ev SSH_SK_PROVIDER
139environment variable to specify a provider. 140environment variable to specify a provider.
140.It Fl s Ar pkcs11 141.It Fl s Ar pkcs11
141Add keys provided by the PKCS#11 shared library 142Add keys provided by the PKCS#11 shared library
@@ -205,6 +206,8 @@ hardware security keys.
205Contains the DSA authentication identity of the user. 206Contains the DSA authentication identity of the user.
206.It Pa ~/.ssh/id_ecdsa 207.It Pa ~/.ssh/id_ecdsa
207Contains the ECDSA authentication identity of the user. 208Contains the ECDSA authentication identity of the user.
209.It Pa ~/.ssh/id_ecdsa_sk
210Contains the security key-hosted ECDSA authentication identity of the user.
208.It Pa ~/.ssh/id_ed25519 211.It Pa ~/.ssh/id_ed25519
209Contains the Ed25519 authentication identity of the user. 212Contains the Ed25519 authentication identity of the user.
210.It Pa ~/.ssh/id_rsa 213.It Pa ~/.ssh/id_rsa
diff --git a/ssh-keygen.1 b/ssh-keygen.1
index dca566ca2..bdb5015d1 100644
--- a/ssh-keygen.1
+++ b/ssh-keygen.1
@@ -1,4 +1,4 @@
1.\" $OpenBSD: ssh-keygen.1,v 1.172 2019/10/22 08:50:35 jmc Exp $ 1.\" $OpenBSD: ssh-keygen.1,v 1.173 2019/11/07 08:38:38 naddy Exp $
2.\" 2.\"
3.\" Author: Tatu Ylonen <ylo@cs.hut.fi> 3.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
4.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -35,7 +35,7 @@
35.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 35.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
36.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 36.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
37.\" 37.\"
38.Dd $Mdocdate: October 22 2019 $ 38.Dd $Mdocdate: November 7 2019 $
39.Dt SSH-KEYGEN 1 39.Dt SSH-KEYGEN 1
40.Os 40.Os
41.Sh NAME 41.Sh NAME
@@ -48,8 +48,10 @@
48.Op Fl C Ar comment 48.Op Fl C Ar comment
49.Op Fl f Ar output_keyfile 49.Op Fl f Ar output_keyfile
50.Op Fl m Ar format 50.Op Fl m Ar format
51.Op Fl t Cm dsa | ecdsa | ecdsa-sk | ed25519 | rsa
51.Op Fl N Ar new_passphrase 52.Op Fl N Ar new_passphrase
52.Op Fl t Cm dsa | ecdsa | ed25519 | rsa 53.Op Fl w Ar provider
54.Op Fl x Ar flags
53.Nm ssh-keygen 55.Nm ssh-keygen
54.Fl p 56.Fl p
55.Op Fl f Ar keyfile 57.Op Fl f Ar keyfile
@@ -188,6 +190,7 @@ with public key authentication runs this once to create the authentication
188key in 190key in
189.Pa ~/.ssh/id_dsa , 191.Pa ~/.ssh/id_dsa ,
190.Pa ~/.ssh/id_ecdsa , 192.Pa ~/.ssh/id_ecdsa ,
193.Pa ~/.ssh/id_ecdsa_sk ,
191.Pa ~/.ssh/id_ed25519 194.Pa ~/.ssh/id_ed25519
192or 195or
193.Pa ~/.ssh/id_rsa . 196.Pa ~/.ssh/id_rsa .
@@ -248,7 +251,7 @@ should be placed to be activated.
248The options are as follows: 251The options are as follows:
249.Bl -tag -width Ds 252.Bl -tag -width Ds
250.It Fl A 253.It Fl A
251For each of the key types (rsa, dsa, ecdsa and ed25519) 254For each of the key types (rsa, dsa, ecdsa, ecdsa-sk and ed25519)
252for which host keys 255for which host keys
253do not exist, generate the host keys with the default key file path, 256do not exist, generate the host keys with the default key file path,
254an empty passphrase, default bits for the key type, and default comment. 257an empty passphrase, default bits for the key type, and default comment.
@@ -282,7 +285,7 @@ flag determines the key length by selecting from one of three elliptic
282curve sizes: 256, 384 or 521 bits. 285curve sizes: 256, 384 or 521 bits.
283Attempting to use bit lengths other than these three values for ECDSA keys 286Attempting to use bit lengths other than these three values for ECDSA keys
284will fail. 287will fail.
285Ed25519 keys have a fixed length and the 288ECDSA-SK and Ed25519 keys have a fixed length and the
286.Fl b 289.Fl b
287flag will be ignored. 290flag will be ignored.
288.It Fl C Ar comment 291.It Fl C Ar comment
@@ -583,11 +586,12 @@ section for details.
583Test DH group exchange candidate primes (generated using the 586Test DH group exchange candidate primes (generated using the
584.Fl G 587.Fl G
585option) for safety. 588option) for safety.
586.It Fl t Cm dsa | ecdsa | ed25519 | rsa 589.It Fl t Cm dsa | ecdsa | ecdsa-sk | ed25519 | rsa
587Specifies the type of key to create. 590Specifies the type of key to create.
588The possible values are 591The possible values are
589.Dq dsa , 592.Dq dsa ,
590.Dq ecdsa , 593.Dq ecdsa ,
594.Dq ecdsa-sk ,
591.Dq ed25519 , 595.Dq ed25519 ,
592or 596or
593.Dq rsa . 597.Dq rsa .
@@ -658,6 +662,14 @@ options increase the verbosity.
658The maximum is 3. 662The maximum is 3.
659.It Fl W Ar generator 663.It Fl W Ar generator
660Specify desired generator when testing candidate moduli for DH-GEX. 664Specify desired generator when testing candidate moduli for DH-GEX.
665.It Fl w Ar provider
666Specifies a path to a security key provider library that will be used when
667creating any security key-hosted keys, overriding the default of using the
668.Ev SSH_SK_PROVIDER
669environment variable to specify a provider.
670.It Fl x Ar flags
671Specifies the security key flags to use when enrolling a security key-hosted
672key.
661.It Fl y 673.It Fl y
662This option will read a private 674This option will read a private
663OpenSSH format file and print an OpenSSH public key to stdout. 675OpenSSH format file and print an OpenSSH public key to stdout.
@@ -1020,13 +1032,20 @@ user1@example.com,user2@example.com ssh-rsa AAAAX1...
1020# A key that is accepted only for file signing. 1032# A key that is accepted only for file signing.
1021user2@example.com namespaces="file" ssh-ed25519 AAA41... 1033user2@example.com namespaces="file" ssh-ed25519 AAA41...
1022.Ed 1034.Ed
1035.Sh ENVIRONMENT
1036.Bl -tag -width Ds
1037.It Ev SSH_SK_PROVIDER
1038Specifies the path to a security key provider library used to interact with
1039hardware security keys.
1040.El
1023.Sh FILES 1041.Sh FILES
1024.Bl -tag -width Ds -compact 1042.Bl -tag -width Ds -compact
1025.It Pa ~/.ssh/id_dsa 1043.It Pa ~/.ssh/id_dsa
1026.It Pa ~/.ssh/id_ecdsa 1044.It Pa ~/.ssh/id_ecdsa
1045.It Pa ~/.ssh/id_ecdsa_sk
1027.It Pa ~/.ssh/id_ed25519 1046.It Pa ~/.ssh/id_ed25519
1028.It Pa ~/.ssh/id_rsa 1047.It Pa ~/.ssh/id_rsa
1029Contains the DSA, ECDSA, Ed25519 or RSA 1048Contains the DSA, ECDSA, security key-hosted ECDSA, Ed25519 or RSA
1030authentication identity of the user. 1049authentication identity of the user.
1031This file should not be readable by anyone but the user. 1050This file should not be readable by anyone but the user.
1032It is possible to 1051It is possible to
@@ -1040,9 +1059,10 @@ will read this file when a login attempt is made.
1040.Pp 1059.Pp
1041.It Pa ~/.ssh/id_dsa.pub 1060.It Pa ~/.ssh/id_dsa.pub
1042.It Pa ~/.ssh/id_ecdsa.pub 1061.It Pa ~/.ssh/id_ecdsa.pub
1062.It Pa ~/.ssh/id_ecdsa_sk.pub
1043.It Pa ~/.ssh/id_ed25519.pub 1063.It Pa ~/.ssh/id_ed25519.pub
1044.It Pa ~/.ssh/id_rsa.pub 1064.It Pa ~/.ssh/id_rsa.pub
1045Contains the DSA, ECDSA, Ed25519 or RSA 1065Contains the DSA, ECDSA, security key-hosted ECDSA, Ed25519 or RSA
1046public key for authentication. 1066public key for authentication.
1047The contents of this file should be added to 1067The contents of this file should be added to
1048.Pa ~/.ssh/authorized_keys 1068.Pa ~/.ssh/authorized_keys
diff --git a/ssh-keygen.c b/ssh-keygen.c
index 1d2a93f66..b51173aa3 100644
--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssh-keygen.c,v 1.359 2019/10/31 21:28:27 djm Exp $ */ 1/* $OpenBSD: ssh-keygen.c,v 1.360 2019/11/07 08:38:38 naddy Exp $ */
2/* 2/*
3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -2725,7 +2725,8 @@ usage(void)
2725{ 2725{
2726 fprintf(stderr, 2726 fprintf(stderr,
2727 "usage: ssh-keygen [-q] [-b bits] [-C comment] [-f output_keyfile] [-m format]\n" 2727 "usage: ssh-keygen [-q] [-b bits] [-C comment] [-f output_keyfile] [-m format]\n"
2728 " [-N new_passphrase] [-t dsa | ecdsa | ed25519 | rsa]\n" 2728 " [-t dsa | ecdsa | ecdsa-sk | ed25519 | rsa]\n"
2729 " [-N new_passphrase] [-w provider] [-x flags]\n"
2729 " ssh-keygen -p [-f keyfile] [-m format] [-N new_passphrase]\n" 2730 " ssh-keygen -p [-f keyfile] [-m format] [-N new_passphrase]\n"
2730 " [-P old_passphrase]\n" 2731 " [-P old_passphrase]\n"
2731 " ssh-keygen -i [-f input_keyfile] [-m key_format]\n" 2732 " ssh-keygen -i [-f input_keyfile] [-m key_format]\n"
diff --git a/ssh-sk-helper.8 b/ssh-sk-helper.8
new file mode 100644
index 000000000..9248badc9
--- /dev/null
+++ b/ssh-sk-helper.8
@@ -0,0 +1,66 @@
1.\" $OpenBSD: ssh-sk-helper.8,v 1.1 2019/11/07 08:38:38 naddy Exp $
2.\"
3.\" Copyright (c) 2010 Markus Friedl. All rights reserved.
4.\"
5.\" Permission to use, copy, modify, and distribute this software for any
6.\" purpose with or without fee is hereby granted, provided that the above
7.\" copyright notice and this permission notice appear in all copies.
8.\"
9.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16.\"
17.Dd $Mdocdate: November 7 2019 $
18.Dt SSH-SK-HELPER 8
19.Os
20.Sh NAME
21.Nm ssh-sk-helper
22.Nd ssh-agent helper program for security key support
23.Sh SYNOPSIS
24.Nm
25.Op Fl v
26.Sh DESCRIPTION
27.Nm
28is used by
29.Xr ssh-agent 1
30to access keys provided by a security key.
31.Pp
32.Nm
33is not intended to be invoked by the user, but from
34.Xr ssh-agent 1 .
35.Pp
36A single option is supported:
37.Bl -tag -width Ds
38.It Fl v
39Verbose mode.
40Causes
41.Nm
42to print debugging messages about its progress.
43This is helpful in debugging problems.
44Multiple
45.Fl v
46options increase the verbosity.
47The maximum is 3.
48.Pp
49Note that
50.Xr ssh-agent 1
51will automatically pass the
52.Fl v
53flag to
54.Nm
55when it has itself been placed in debug mode.
56.El
57.Sh SEE ALSO
58.Xr ssh 1 ,
59.Xr ssh-add 1 ,
60.Xr ssh-agent 1
61.Sh HISTORY
62.Nm
63first appeared in
64.Ox 6.7 .
65.Sh AUTHORS
66.An Damien Miller Aq Mt djm@openbsd.org
diff --git a/ssh.1 b/ssh.1
index 424d6c3e8..e2666fa56 100644
--- a/ssh.1
+++ b/ssh.1
@@ -33,8 +33,8 @@
33.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 33.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 34.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35.\" 35.\"
36.\" $OpenBSD: ssh.1,v 1.403 2019/06/12 11:31:50 jmc Exp $ 36.\" $OpenBSD: ssh.1,v 1.404 2019/11/07 08:38:38 naddy Exp $
37.Dd $Mdocdate: June 12 2019 $ 37.Dd $Mdocdate: November 7 2019 $
38.Dt SSH 1 38.Dt SSH 1
39.Os 39.Os
40.Sh NAME 40.Sh NAME
@@ -279,6 +279,7 @@ public key authentication is read.
279The default is 279The default is
280.Pa ~/.ssh/id_dsa , 280.Pa ~/.ssh/id_dsa ,
281.Pa ~/.ssh/id_ecdsa , 281.Pa ~/.ssh/id_ecdsa ,
282.Pa ~/.ssh/id_ecdsa_sk ,
282.Pa ~/.ssh/id_ed25519 283.Pa ~/.ssh/id_ed25519
283and 284and
284.Pa ~/.ssh/id_rsa . 285.Pa ~/.ssh/id_rsa .
@@ -896,6 +897,8 @@ This stores the private key in
896(DSA), 897(DSA),
897.Pa ~/.ssh/id_ecdsa 898.Pa ~/.ssh/id_ecdsa
898(ECDSA), 899(ECDSA),
900.Pa ~/.ssh/id_ecdsa_sk
901(security key-hosted ECDSA),
899.Pa ~/.ssh/id_ed25519 902.Pa ~/.ssh/id_ed25519
900(Ed25519), 903(Ed25519),
901or 904or
@@ -906,6 +909,8 @@ and stores the public key in
906(DSA), 909(DSA),
907.Pa ~/.ssh/id_ecdsa.pub 910.Pa ~/.ssh/id_ecdsa.pub
908(ECDSA), 911(ECDSA),
912.Pa ~/.ssh/id_ecdsa_sk.pub
913(security key-hosted ECDSA),
909.Pa ~/.ssh/id_ed25519.pub 914.Pa ~/.ssh/id_ed25519.pub
910(Ed25519), 915(Ed25519),
911or 916or
@@ -1324,6 +1329,12 @@ More permanent VPNs are better provided by tools such as
1324and 1329and
1325.Xr isakmpd 8 . 1330.Xr isakmpd 8 .
1326.Sh ENVIRONMENT 1331.Sh ENVIRONMENT
1332.Bl -tag -width "SSH_ORIGINAL_COMMAND"
1333.It Ev SSH_SK_PROVIDER
1334Specifies the path to a security key provider library used to interact with
1335hardware security keys.
1336.Pp
1337.El
1327.Nm 1338.Nm
1328will normally set the following environment variables: 1339will normally set the following environment variables:
1329.Bl -tag -width "SSH_ORIGINAL_COMMAND" 1340.Bl -tag -width "SSH_ORIGINAL_COMMAND"
@@ -1484,6 +1495,7 @@ above.
1484.Pp 1495.Pp
1485.It Pa ~/.ssh/id_dsa 1496.It Pa ~/.ssh/id_dsa
1486.It Pa ~/.ssh/id_ecdsa 1497.It Pa ~/.ssh/id_ecdsa
1498.It Pa ~/.ssh/id_ecdsa_sk
1487.It Pa ~/.ssh/id_ed25519 1499.It Pa ~/.ssh/id_ed25519
1488.It Pa ~/.ssh/id_rsa 1500.It Pa ~/.ssh/id_rsa
1489Contains the private key for authentication. 1501Contains the private key for authentication.
@@ -1498,6 +1510,7 @@ sensitive part of this file using AES-128.
1498.Pp 1510.Pp
1499.It Pa ~/.ssh/id_dsa.pub 1511.It Pa ~/.ssh/id_dsa.pub
1500.It Pa ~/.ssh/id_ecdsa.pub 1512.It Pa ~/.ssh/id_ecdsa.pub
1513.It Pa ~/.ssh/id_ecdsa_sk.pub
1501.It Pa ~/.ssh/id_ed25519.pub 1514.It Pa ~/.ssh/id_ed25519.pub
1502.It Pa ~/.ssh/id_rsa.pub 1515.It Pa ~/.ssh/id_rsa.pub
1503Contains the public key for authentication. 1516Contains the public key for authentication.
diff --git a/ssh_config.5 b/ssh_config.5
index 02a87892d..ad016470c 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -33,8 +33,8 @@
33.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 33.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 34.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35.\" 35.\"
36.\" $OpenBSD: ssh_config.5,v 1.304 2019/09/13 04:52:34 djm Exp $ 36.\" $OpenBSD: ssh_config.5,v 1.305 2019/11/07 08:38:38 naddy Exp $
37.Dd $Mdocdate: September 13 2019 $ 37.Dd $Mdocdate: November 7 2019 $
38.Dt SSH_CONFIG 5 38.Dt SSH_CONFIG 5
39.Os 39.Os
40.Sh NAME 40.Sh NAME
@@ -381,7 +381,9 @@ flag to
381via 381via
382.Xr ssh-agent 1 , 382.Xr ssh-agent 1 ,
383or via a 383or via a
384.Cm PKCS11Provider . 384.Cm PKCS11Provider
385or
386.Cm SecurityKeyProvider .
385.Pp 387.Pp
386Arguments to 388Arguments to
387.Cm CertificateFile 389.Cm CertificateFile
@@ -808,7 +810,8 @@ ecdsa-sha2-nistp256-cert-v01@openssh.com,
808ecdsa-sha2-nistp384-cert-v01@openssh.com, 810ecdsa-sha2-nistp384-cert-v01@openssh.com,
809ecdsa-sha2-nistp521-cert-v01@openssh.com, 811ecdsa-sha2-nistp521-cert-v01@openssh.com,
810ssh-ed25519-cert-v01@openssh.com, 812ssh-ed25519-cert-v01@openssh.com,
811rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com, 813rsa-sha2-512-cert-v01@openssh.com,
814rsa-sha2-256-cert-v01@openssh.com,
812ssh-rsa-cert-v01@openssh.com, 815ssh-rsa-cert-v01@openssh.com,
813ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, 816ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
814ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa 817ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
@@ -840,7 +843,8 @@ ecdsa-sha2-nistp256-cert-v01@openssh.com,
840ecdsa-sha2-nistp384-cert-v01@openssh.com, 843ecdsa-sha2-nistp384-cert-v01@openssh.com,
841ecdsa-sha2-nistp521-cert-v01@openssh.com, 844ecdsa-sha2-nistp521-cert-v01@openssh.com,
842ssh-ed25519-cert-v01@openssh.com, 845ssh-ed25519-cert-v01@openssh.com,
843rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com, 846rsa-sha2-512-cert-v01@openssh.com,
847rsa-sha2-256-cert-v01@openssh.com,
844ssh-rsa-cert-v01@openssh.com, 848ssh-rsa-cert-v01@openssh.com,
845ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, 849ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
846ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa 850ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
@@ -883,6 +887,8 @@ even if
883.Xr ssh-agent 1 887.Xr ssh-agent 1
884or a 888or a
885.Cm PKCS11Provider 889.Cm PKCS11Provider
890or
891.Cm SecurityKeyProvider
886offers more identities. 892offers more identities.
887The argument to this keyword must be 893The argument to this keyword must be
888.Cm yes 894.Cm yes
@@ -919,11 +925,12 @@ or the tokens described in the
919.Sx TOKENS 925.Sx TOKENS
920section. 926section.
921.It Cm IdentityFile 927.It Cm IdentityFile
922Specifies a file from which the user's DSA, ECDSA, Ed25519 or RSA authentication 928Specifies a file from which the user's DSA, ECDSA, security key-hosted ECDSA,
923identity is read. 929Ed25519 or RSA authentication identity is read.
924The default is 930The default is
925.Pa ~/.ssh/id_dsa , 931.Pa ~/.ssh/id_dsa ,
926.Pa ~/.ssh/id_ecdsa , 932.Pa ~/.ssh/id_ecdsa ,
933.Pa ~/.ssh/id_ecdsa_sk ,
927.Pa ~/.ssh/id_ed25519 934.Pa ~/.ssh/id_ed25519
928and 935and
929.Pa ~/.ssh/id_rsa . 936.Pa ~/.ssh/id_rsa .
@@ -1315,12 +1322,15 @@ character, then the specified key types will be placed at the head of the
1315default set. 1322default set.
1316The default for this option is: 1323The default for this option is:
1317.Bd -literal -offset 3n 1324.Bd -literal -offset 3n
1325sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
1318ecdsa-sha2-nistp256-cert-v01@openssh.com, 1326ecdsa-sha2-nistp256-cert-v01@openssh.com,
1319ecdsa-sha2-nistp384-cert-v01@openssh.com, 1327ecdsa-sha2-nistp384-cert-v01@openssh.com,
1320ecdsa-sha2-nistp521-cert-v01@openssh.com, 1328ecdsa-sha2-nistp521-cert-v01@openssh.com,
1321ssh-ed25519-cert-v01@openssh.com, 1329ssh-ed25519-cert-v01@openssh.com,
1322rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com, 1330rsa-sha2-512-cert-v01@openssh.com,
1331rsa-sha2-256-cert-v01@openssh.com,
1323ssh-rsa-cert-v01@openssh.com, 1332ssh-rsa-cert-v01@openssh.com,
1333sk-ecdsa-sha2-nistp256@openssh.com,
1324ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, 1334ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
1325ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa 1335ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
1326.Ed 1336.Ed
@@ -1437,6 +1447,11 @@ an OpenSSH Key Revocation List (KRL) as generated by
1437.Xr ssh-keygen 1 . 1447.Xr ssh-keygen 1 .
1438For more information on KRLs, see the KEY REVOCATION LISTS section in 1448For more information on KRLs, see the KEY REVOCATION LISTS section in
1439.Xr ssh-keygen 1 . 1449.Xr ssh-keygen 1 .
1450.It Cm SecurityKeyProvider
1451Specifies a path to a security key provider library that will be used when
1452loading any security key-hosted keys, overriding the default of using the
1453.Ev SSH_SK_PROVIDER
1454environment variable to specify a provider.
1440.It Cm SendEnv 1455.It Cm SendEnv
1441Specifies what variables from the local 1456Specifies what variables from the local
1442.Xr environ 7 1457.Xr environ 7
diff --git a/sshd.8 b/sshd.8
index fb133c14b..14d5a2dac 100644
--- a/sshd.8
+++ b/sshd.8
@@ -33,8 +33,8 @@
33.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 33.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 34.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35.\" 35.\"
36.\" $OpenBSD: sshd.8,v 1.304 2018/07/22 12:16:59 dtucker Exp $ 36.\" $OpenBSD: sshd.8,v 1.305 2019/11/07 08:38:38 naddy Exp $
37.Dd $Mdocdate: July 22 2018 $ 37.Dd $Mdocdate: November 7 2019 $
38.Dt SSHD 8 38.Dt SSHD 8
39.Os 39.Os
40.Sh NAME 40.Sh NAME
@@ -429,24 +429,35 @@ comments).
429Public keys consist of the following space-separated fields: 429Public keys consist of the following space-separated fields:
430options, keytype, base64-encoded key, comment. 430options, keytype, base64-encoded key, comment.
431The options field is optional. 431The options field is optional.
432The keytype is 432The supported key types are:
433.Dq ecdsa-sha2-nistp256 , 433.Pp
434.Dq ecdsa-sha2-nistp384 , 434.Bl -item -compact -offset indent
435.Dq ecdsa-sha2-nistp521 , 435.It
436.Dq ssh-ed25519 , 436sk-ecdsa-sha2-nistp256@openssh.com
437.Dq ssh-dss 437.It
438or 438ecdsa-sha2-nistp256
439.Dq ssh-rsa ; 439.It
440the comment field is not used for anything (but may be convenient for the 440ecdsa-sha2-nistp384
441.It
442ecdsa-sha2-nistp521
443.It
444ssh-ed25519
445.It
446ssh-dss
447.It
448ssh-rsa
449.El
450.Pp
451The comment field is not used for anything (but may be convenient for the
441user to identify the key). 452user to identify the key).
442.Pp 453.Pp
443Note that lines in this file can be several hundred bytes long 454Note that lines in this file can be several hundred bytes long
444(because of the size of the public key encoding) up to a limit of 455(because of the size of the public key encoding) up to a limit of
4458 kilobytes, which permits DSA keys up to 8 kilobits and RSA 4568 kilobytes, which permits RSA keys up to 16 kilobits.
446keys up to 16 kilobits.
447You don't want to type them in; instead, copy the 457You don't want to type them in; instead, copy the
448.Pa id_dsa.pub , 458.Pa id_dsa.pub ,
449.Pa id_ecdsa.pub , 459.Pa id_ecdsa.pub ,
460.Pa id_ecdsa_sk.pub ,
450.Pa id_ed25519.pub , 461.Pa id_ed25519.pub ,
451or the 462or the
452.Pa id_rsa.pub 463.Pa id_rsa.pub
diff --git a/sshd_config.5 b/sshd_config.5
index 9486f2a1c..f4caa162d 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,8 +33,8 @@
33.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 33.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 34.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35.\" 35.\"
36.\" $OpenBSD: sshd_config.5,v 1.290 2019/09/06 14:45:34 naddy Exp $ 36.\" $OpenBSD: sshd_config.5,v 1.291 2019/11/07 08:38:38 naddy Exp $
37.Dd $Mdocdate: September 6 2019 $ 37.Dd $Mdocdate: November 7 2019 $
38.Dt SSHD_CONFIG 5 38.Dt SSHD_CONFIG 5
39.Os 39.Os
40.Sh NAME 40.Sh NAME
@@ -690,7 +690,8 @@ ecdsa-sha2-nistp256-cert-v01@openssh.com,
690ecdsa-sha2-nistp384-cert-v01@openssh.com, 690ecdsa-sha2-nistp384-cert-v01@openssh.com,
691ecdsa-sha2-nistp521-cert-v01@openssh.com, 691ecdsa-sha2-nistp521-cert-v01@openssh.com,
692ssh-ed25519-cert-v01@openssh.com, 692ssh-ed25519-cert-v01@openssh.com,
693rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com, 693rsa-sha2-512-cert-v01@openssh.com,
694rsa-sha2-256-cert-v01@openssh.com,
694ssh-rsa-cert-v01@openssh.com, 695ssh-rsa-cert-v01@openssh.com,
695ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, 696ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
696ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa 697ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
@@ -768,7 +769,8 @@ ecdsa-sha2-nistp256-cert-v01@openssh.com,
768ecdsa-sha2-nistp384-cert-v01@openssh.com, 769ecdsa-sha2-nistp384-cert-v01@openssh.com,
769ecdsa-sha2-nistp521-cert-v01@openssh.com, 770ecdsa-sha2-nistp521-cert-v01@openssh.com,
770ssh-ed25519-cert-v01@openssh.com, 771ssh-ed25519-cert-v01@openssh.com,
771rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com, 772rsa-sha2-512-cert-v01@openssh.com,
773rsa-sha2-256-cert-v01@openssh.com,
772ssh-rsa-cert-v01@openssh.com, 774ssh-rsa-cert-v01@openssh.com,
773ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, 775ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
774ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa 776ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
@@ -1425,12 +1427,15 @@ character, then the specified key types will be placed at the head of the
1425default set. 1427default set.
1426The default for this option is: 1428The default for this option is:
1427.Bd -literal -offset 3n 1429.Bd -literal -offset 3n
1430sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
1428ecdsa-sha2-nistp256-cert-v01@openssh.com, 1431ecdsa-sha2-nistp256-cert-v01@openssh.com,
1429ecdsa-sha2-nistp384-cert-v01@openssh.com, 1432ecdsa-sha2-nistp384-cert-v01@openssh.com,
1430ecdsa-sha2-nistp521-cert-v01@openssh.com, 1433ecdsa-sha2-nistp521-cert-v01@openssh.com,
1431ssh-ed25519-cert-v01@openssh.com, 1434ssh-ed25519-cert-v01@openssh.com,
1432rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com, 1435rsa-sha2-512-cert-v01@openssh.com,
1436rsa-sha2-256-cert-v01@openssh.com,
1433ssh-rsa-cert-v01@openssh.com, 1437ssh-rsa-cert-v01@openssh.com,
1438sk-ecdsa-sha2-nistp256@openssh.com,
1434ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, 1439ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
1435ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa 1440ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
1436.Ed 1441.Ed