Age | Commit message (Collapse) | Author |
|
test?
OpenBSD-Regress-ID: 3b953df5a7e14081ff6cf495d4e8d40e153cbc3a
|
|
and PIN prompting in the dummy middleware that we use for the tests. Should
fix breakage spotted by dtucker@
OpenBSD-Regress-ID: 379cf9eabfea57aaf7f3f59dafde59889566c484
|
|
line option change to ssh-keygen(1).
OpenBSD-Regress-ID: 744a72755004377e9669b662c13c6aa9ead8a0c3
|
|
"ssh-keygen -K". This will save public/private keys into the current
directory.
This is handy if you move a token between hosts.
feedback & ok markus@
OpenBSD-Commit-ID: d57c1f9802f7850f00a117a1d36682a6c6d10da6
|
|
markus@
OpenBSD-Commit-ID: 5d6f96a966d10d7fa689ff9aa9e1d6767ad5a076
|
|
-compact;
OpenBSD-Commit-ID: 6492c72280482c6d072be46236b365cb359fc280
|
|
|
|
|
|
|
|
FIDO/U2F-specific key flags. Instead these flags may be specified via -O.
ok markus@
OpenBSD-Commit-ID: f23ebde2a8a7e1bf860a51055a711cffb8c328c1
|
|
ok markus@
OpenBSD-Commit-ID: 52622363c103a3c4d3d546050480ffe978a32186
|
|
Define some well-known error codes in the SK API and pass
them back via ssh-sk-helper.
Use the new "wrong PIN" error code to retry PIN prompting during
ssh-keygen of resident keys.
feedback and ok markus@
OpenBSD-Commit-ID: 9663c6a2bb7a0bc8deaccc6c30d9a2983b481620
|
|
OpenBSD-Commit-ID: 4ccd8ddabb8df4f995107dd3b7ea58220e93cb81
|
|
Allow passing a PIN via the SK API (API major crank) and let the
ssh-sk-helper API follow.
Also enhance the ssh-sk-helper API to support passing back an error
code instead of a complete reply. Will be used to signal "wrong PIN",
etc.
feedback and ok markus@
OpenBSD-Commit-ID: a1bd6b0a2421646919a0c139b8183ad76d28fb71
|
|
"ssh-add -O" will load resident keys from a FIDO2 token and add them
to a ssh-agent.
feedback and ok markus@
OpenBSD-Commit-ID: 608104ae957a7d65cb84e0a3a26c8f60e0df3290
|
|
feedback and ok markus@
OpenBSD-Commit-ID: b273c23769ea182c55c4a7b8f9cbd9181722011a
|
|
Adds a sk_load_resident_keys() function to the security key
API that accepts a security key provider and a PIN and returns
a list of keys.
Implement support for this in the usbhid middleware.
feedback and ok markus@
OpenBSD-Commit-ID: 67e984e4e87f4999ce447a6178c4249a9174eff0
|
|
We'll reuse this for extracting resident keys from a device.
feedback and ok markus@
OpenBSD-Commit-ID: 9bc1efd9c6897eac4df0983746cf6578c1542273
|
|
"ssh-keygen -t ecdsa-sk|ed25519-sk -x resident" will generate a
device-resident key.
feedback and ok markus@
OpenBSD-Commit-ID: 8e1b3c56a4b11d85047bd6c6c705b7eef4d58431
|
|
Move all moduli generation options to live under the -O flag.
Frees up seven single-letter flags.
NB. this change break existing ssh-keygen commandline syntax for moduli-
related operations. Very few people use these fortunately.
feedback and ok markus@
OpenBSD-Commit-ID: d498f3eaf28128484826a4fcb343612764927935
|
|
Move list of available certificate options in ssh-keygen.1 to the
CERTIFICATES section.
Collect options specified by -O but delay parsing/validation of
certificate options until we're sure that we're acting as a CA.
ok markus@
OpenBSD-Commit-ID: 33e6bcc29cfca43606f6fa09bd84b955ee3a4106
|
|
done in synopsis;
OpenBSD-Commit-ID: 86d033c5764404057616690d7be992e445b42274
|
|
OpenBSD-Commit-ID: 24c2e6a3aeab6e050a0271ffc73fdff91c10dcaa
|
|
authenticator".
The polysemous use of "key" was too confusing. Input from markus@.
ok jmc@
OpenBSD-Commit-ID: 12eea973a44c8232af89f86e4269d71ae900ca8f
|
|
OpenBSD-Regress-ID: 24f693f78290b2c17725dab2c614dffe4a88c8da
|
|
OpenBSD-Regress-ID: 9fb45326106669a27e4bf150575c321806e275b1
|
|
specified by $SSH_AUTH_SOCK, by extending the existing ForwardAgent option to
accepting an explicit path or the name of an environment variable in addition
to yes/no.
Patch by Eric Chiang, manpage by me; ok markus@
OpenBSD-Commit-ID: 98f2ed80bf34ea54d8b2ddd19ac14ebbf40e9265
|
|
path sentence. ok markus@
OpenBSD-Commit-ID: 67d7971ca1a020acd6c151426c54bd29d784bd6b
|
|
ones. Move oSecurityProvider to match the order in the OpCodes enum. Patch
from openbsd@academicsolutions.ch, ok djm@
OpenBSD-Commit-ID: 061e4505861ec1e02ba3a63e3d1b3be3cad458ec
|
|
Patch from openbsd@academicsolutions.ch, ok djm@
OpenBSD-Commit-ID: 395c202228872ce8d9044cc08552ac969f51e01b
|
|
comment. Patch from openbsd@academicsolutions.ch, ok djm@
OpenBSD-Commit-ID: 35862beb0927b1cb0af476ec23cc07f6e3006101
|
|
keys.
Update the list of default host key algorithms in ssh_config.5 and
sshd_config.5. Copy the description of the SecurityKeyProvider
option to sshd_config.5.
ok jmc@
OpenBSD-Commit-ID: edadf3566ab5e94582df4377fee3b8b702c7eca0
|
|
correct term. Add "MAC" since we use that acronym in other man pages. ok
naddy@
OpenBSD-Commit-ID: c35529e511788586725fb63bda3459e10738c5f5
|
|
how SSH works ok markus@ jmc@
OpenBSD-Commit-ID: 8e34973f232ab48c4d4f5d07df48d501708b9160
|
|
the safer xstrdup which fatals on allocation failures.
ok markus@
OpenBSD-Commit-ID: 8b608d387120630753cbcb8110e0b019c0c9a0d0
|
|
for now
OpenBSD-Commit-ID: c97e22c2b28c0d12ee389b8b4ef5f2ada7908828
|
|
|
|
|
|
|
|
OpenBSD-Regress-ID: 40481999a5928d635ab2e5b029e8239c112005ea
|
|
in sshd, so don't double the tests' work by trying both off/on
OpenBSD-Regress-ID: d366665466dbd09e9b707305da884be3e7619c68
|
|
spurious warnings from the cfgparse regress test
OpenBSD-Commit-ID: ba49ea7a5c92b8a16cb9c2e975dbb163853afc54
|
|
SecurityKeyProvider=internal - unbreaks cfgparse regress test
OpenBSD-Commit-ID: d2ddcf525c0dc3c8339522360c10b3c70f1fd641
|
|
OpenBSD-Commit-ID: 1fe822a7f714df19a7e7184e3a3bbfbf546811d3
|
|
keys.
Previously we didn't do this because we didn't want to expose
the attack surface presented by USB and FIDO protocol handling,
but now that this is insulated behind ssh-sk-helper there is
less risk.
ok markus@
OpenBSD-Commit-ID: 77b068dd133b8d87e0f010987bd5131e640ee64c
|
|
Needed on Linux ARM. bz#3100, patch from jjelen@redhat.com.
|
|
Fixes build when linking against OpenSSLs built with no-ec.
|
|
The ssh-sk-helper client API gives us a nice place to disable
security key support when it is wasn't enabled at compile time,
so we don't need to check everywere.
Also, verification of security key signatures can remain enabled
all the time - it has no additional dependencies. So sshd can
accept security key pubkeys in authorized_keys, etc regardless of
the host's support for dlopen, etc.
|
|
|
|
|