Diffstat (limited to 'PROTOCOL.certkeys')
-rw-r--r-- | PROTOCOL.certkeys | 22 |
1 files changed, 17 insertions, 5 deletions
diff --git a/PROTOCOL.certkeys b/PROTOCOL.certkeys index 64cb18700..11363fdc3 100644 --- a/PROTOCOL.certkeys +++ b/PROTOCOL.certkeys | |||
@@ -25,6 +25,10 @@ raw user keys. The ssh client will support automatic verification of | |||
25 | acceptance of certified host keys, by adding a similar ability to | 25 | acceptance of certified host keys, by adding a similar ability to |
26 | specify CA keys in ~/.ssh/known_hosts. | 26 | specify CA keys in ~/.ssh/known_hosts. |
27 | 27 | ||
28 | All certificate types include certification information along with the | ||
29 | public key that is used to sign challenges. In OpenSSH, ssh-keygen | ||
30 | performs the CA signing operation. | ||
31 | |||
28 | Certified keys are represented using new key types: | 32 | Certified keys are represented using new key types: |
29 | 33 | ||
30 | ssh-rsa-cert-v01@openssh.com | 34 | ssh-rsa-cert-v01@openssh.com |
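Review bot: the wording "the public key that is used to sign challenges" in the new paragraph at lines 28-29 is misleading, since signing is done with the private half of the key pair and the public key is what the certificate carries for verification; consider "the public key whose corresponding private key is used to sign challenges". Moving this description above the type list (it was previously below it, see the removed lines in the next hunk) is an improvement, as it now applies to all certificate types before the list is extended.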
@@ -33,9 +37,17 @@ Certified keys are represented using new key types: | |||
33 | ecdsa-sha2-nistp384-cert-v01@openssh.com | 37 | ecdsa-sha2-nistp384-cert-v01@openssh.com |
34 | ecdsa-sha2-nistp521-cert-v01@openssh.com | 38 | ecdsa-sha2-nistp521-cert-v01@openssh.com |
35 | 39 | ||
36 | These include certification information along with the public key | 40 | Two additional types exist for RSA certificates to force use of |
37 | that is used to sign challenges. ssh-keygen performs the CA signing | 41 | SHA-2 signatures (SHA-256 and SHA-512 respectively): |
38 | operation. | 42 | |
43 | rsa-sha2-256-cert-v01@openssh.com | ||
44 | rsa-sha2-512-cert-v01@openssh.com | ||
45 | |||
46 | These RSA/SHA-2 types should not appear in keys at rest or transmitted | ||
47 | on their wire, but do appear in a SSH_MSG_KEXINIT's host-key algorithms | ||
48 | field or in the "public key algorithm name" field of a "publickey" | ||
49 | SSH_USERAUTH_REQUEST to indicate that the signature will use the | ||
50 | specified algorithm. | ||
39 | 51 | ||
40 | Protocol extensions | 52 | Protocol extensions |
41 | ------------------- | 53 | ------------------- |
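Review bot: two typos in the added text at lines 46-47: "transmitted on their wire" should read "transmitted on the wire", and "a SSH_MSG_KEXINIT's" should read "an SSH_MSG_KEXINIT's". The paragraph also states where the rsa-sha2-256-cert-v01@openssh.com and rsa-sha2-512-cert-v01@openssh.com names do and do not appear, but it would help implementers to say explicitly which type name the certificate blob itself carries when one of these algorithm names is negotiated, so that an implementation knows what to reject if it encounters the SHA-2 name inside a stored or transmitted key.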
@@ -174,7 +186,7 @@ certificate. Each represents a time in seconds since 1970-01-01 | |||
174 | 186 | ||
175 | valid after <= current time < valid before | 187 | valid after <= current time < valid before |
176 | 188 | ||
177 | criticial options is a set of zero or more key options encoded as | 189 | critical options is a set of zero or more key options encoded as |
178 | below. All such options are "critical" in the sense that an implementation | 190 | below. All such options are "critical" in the sense that an implementation |
179 | must refuse to authorise a key that has an unrecognised option. | 191 | must refuse to authorise a key that has an unrecognised option. |
180 | 192 | ||
@@ -291,4 +303,4 @@ permit-user-rc empty Flag indicating that execution of | |||
291 | of this script will not be permitted if | 303 | of this script will not be permitted if |
292 | this option is not present. | 304 | this option is not present. |
293 | 305 | ||
294 | $OpenBSD: PROTOCOL.certkeys,v 1.13 2017/11/03 02:32:19 djm Exp $ | 306 | $OpenBSD: PROTOCOL.certkeys,v 1.15 2018/07/03 11:39:54 djm Exp $ |
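Review bot: the $OpenBSD$ id at line 306 jumps from revision 1.13 to 1.15, so this sync folds at least two upstream revisions into one change; the commit message should reference both OpenBSD revisions (1.14 and 1.15) so the provenance of the typo fix in the earlier hunk and the new RSA/SHA-2 certificate types can be traced separately.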