openssh.git -

Age	Commit message (Collapse)	Author
2020-05-01	upstream: when signing a challenge using a FIDO toke, perform the	djm@openbsd.org
	hashing in the middleware layer rather than in ssh code. This allows middlewares that call APIs that perform the hashing implicitly (including Microsoft's AFAIK). ok markus@ OpenBSD-Commit-ID: c9fc8630aba26c75d5016884932f08a5a237f37d
2020-02-21	upstream: Fix some typos and an incorrect word in docs. Patch from	dtucker@openbsd.org
	itoama at live.jp via github PR#172. OpenBSD-Commit-ID: 166ee8f93a7201fef431b9001725ab8b269d5874
2020-01-29	upstream: changes to support FIDO attestation	djm@openbsd.org
	Allow writing to disk the attestation certificate that is generated by the FIDO token at key enrollment time. These certificates may be used by an out-of-band workflow to prove that a particular key is held in trustworthy hardware. Allow passing in a challenge that will be sent to the card during key enrollment. These are needed to build an attestation workflow that resists replay attacks. ok markus@ OpenBSD-Commit-ID: 457dc3c3d689ba39eed328f0817ed9b91a5f78f6
2020-01-26	upstream: improve the error message for u2f enrollment errors by	djm@openbsd.org
	making ssh-keygen be solely responsible for printing the error message and convertint some more common error responses from the middleware to a useful ssherr.h status code. more detail remains visible via -v of course. also remove indepedent copy of sk-api.h declarations in sk-usbhid.c and just include it. feedback & ok markus@ OpenBSD-Commit-ID: a4a8ffa870d9a3e0cfd76544bcdeef5c9fb1f1bb
2020-01-06	upstream: Extends the SK API to accept a set of key/value options	djm@openbsd.org
	for all operations. These are intended to future-proof the API a little by making it easier to specify additional fields for without having to change the API version for each. At present, only two options are defined: one to explicitly specify the device for an operation (rather than accepting the middleware's autoselection) and another to specify the FIDO2 username that may be used when generating a resident key. These new options may be invoked at key generation time via ssh-keygen -O This also implements a suggestion from Markus to avoid "int" in favour of uint32_t for the algorithm argument in the API, to make implementation of ssh-sk-client/helper a little easier. feedback, fixes and ok markus@ OpenBSD-Commit-ID: 973ce11704609022ab36abbdeb6bc23c8001eabc
2019-12-30	upstream: document SK API changes in PROTOCOL.u2f	djm@openbsd.org
	ok markus@ OpenBSD-Commit-ID: 52622363c103a3c4d3d546050480ffe978a32186
2019-12-30	upstream: basic support for generating FIDO2 resident keys	djm@openbsd.org
	"ssh-keygen -t ecdsa-sk\|ed25519-sk -x resident" will generate a device-resident key. feedback and ok markus@ OpenBSD-Commit-ID: 8e1b3c56a4b11d85047bd6c6c705b7eef4d58431
2019-12-21	upstream: SSH U2F keys can now be used as host keys. Fix a garden	naddy@openbsd.org
	path sentence. ok markus@ OpenBSD-Commit-ID: 67d7971ca1a020acd6c151426c54bd29d784bd6b
2019-12-14	upstream: add a note about the 'extensions' field in the signed	djm@openbsd.org
	object OpenBSD-Commit-ID: 67c01e0565b258e0818c1ccfe1f1aeaf9a0d4c7b
2019-12-11	upstream: some more corrections for documentation problems spotted	djm@openbsd.org
	by Ron Frederick document certifiate private key format correct flags type for sk-ssh-ed25519@openssh.com keys OpenBSD-Commit-ID: fc4e9a1ed7f9f7f9dd83e2e2c59327912e933e74
2019-12-11	upstream: loading security keys into ssh-agent used the extension	djm@openbsd.org
	constraint "sk-provider@openssh.com", not "sk@openssh.com"; spotted by Ron Frederick OpenBSD-Commit-ID: dbfba09edbe023abadd5f59c1492df9073b0e51d
2019-12-11	upstream: chop some unnecessary and confusing verbiage from the	djm@openbsd.org
	security key protocol description; feedback from Ron Frederick OpenBSD-Commit-ID: 048c9483027fbf9c995e5a51b3ac502989085a42
2019-11-28	upstream: tweak wording	djm@openbsd.org
	OpenBSD-Commit-ID: bd002ca1599b71331faca735ff5f6de29e32222e
2019-11-20	upstream: adjust on-wire signature encoding for ecdsa-sk keys to	djm@openbsd.org
	better match ec25519-sk keys. Discussed with markus@ and Sebastian Kinne NB. if you are depending on security keys (already?) then make sure you update both your clients and servers. OpenBSD-Commit-ID: 53d88d8211f0dd02a7954d3af72017b1a79c0679
2019-11-18	upstream: document ed25519-sk pubkey, private key and certificate	djm@openbsd.org
	formats OpenBSD-Commit-ID: 795a7c1c80315412e701bef90e31e376ea2f3c88
2019-11-18	upstream: correct order or ecdsa-sk private key fields	djm@openbsd.org
	OpenBSD-Commit-ID: 4d4a0c13226a79f0080ce6cbe74f73b03ed8092e
2019-11-18	upstream: correct description of fields in pub/private keys (was	djm@openbsd.org
	missing curve name); spotted by Sebastian Kinne OpenBSD-Commit-ID: 2a11340dc7ed16200342d384fb45ecd4fcce26e7
2019-11-13	upstream: remove extra layer for ed25519 signature; ok djm@	markus@openbsd.org
	OpenBSD-Commit-ID: 7672d9d0278b4bf656a12d3aab0c0bfe92a8ae47
2019-11-13	upstream: update sk-api to version 2 for ed25519 support; ok djm	markus@openbsd.org
	OpenBSD-Commit-ID: 77aa4d5b6ab17987d8a600907b49573940a0044a
2019-11-02	upstream: fix miscellaneous text problems; ok djm@	naddy@openbsd.org
	OpenBSD-Commit-ID: 0cbf411a14d8fa0b269b69cbb1b4fc0ca699fe9f
2019-11-01	upstream: Protocol documentation for U2F/FIDO keys in OpenSSH	djm@openbsd.org
	OpenBSD-Commit-ID: 8f3247317c2909870593aeb306dff848bc427915