openssh.git -

Age	Commit message (Collapse)	Author
2020-09-09	upstream: when writing an attestation blob for a FIDO key, record all	djm@openbsd.org
	the data needed to verify the attestation. Previously we were missing the "authenticator data" that is included in the signature. spotted by Ian Haken feedback Pedro Martelletto and Ian Haken; ok markus@ OpenBSD-Commit-ID: 8439896e63792b2db99c6065dd9a45eabbdb7e0a
2020-08-31	upstream: Add RCS IDs to the few files that are missing them; from	djm@openbsd.org
	Pedro Martelletto OpenBSD-Commit-ID: 39aa37a43d0c75ec87f1659f573d3b5867e4a3b3
2020-06-22	upstream: Add support for FIDO webauthn (verification only).	djm@openbsd.org
	webauthn is a standard for using FIDO keys in web browsers. webauthn signatures are a slightly different format to plain FIDO signatures - this support allows verification of these. Feedback and ok markus@ OpenBSD-Commit-ID: ab7e3a9fb5782d99d574f408614d833379e564ad
2020-05-27	upstream: fix non-ASCII quote that snuck in; spotted by Gabriel	djm@openbsd.org
	Kihlman OpenBSD-Commit-ID: 04bcde311de2325d9e45730c744c8de079b49800
2020-05-27	upstream: clarify role of FIDO tokens in multi-factor	djm@openbsd.org
	authentictation; mostly from Pedro Martelletto OpenBSD-Commit-ID: fbe05685a1f99c74b1baca7130c5a03c2df7c0ac
2020-05-01	upstream: when signing a challenge using a FIDO toke, perform the	djm@openbsd.org
	hashing in the middleware layer rather than in ssh code. This allows middlewares that call APIs that perform the hashing implicitly (including Microsoft's AFAIK). ok markus@ OpenBSD-Commit-ID: c9fc8630aba26c75d5016884932f08a5a237f37d
2020-02-21	upstream: Fix some typos and an incorrect word in docs. Patch from	dtucker@openbsd.org
	itoama at live.jp via github PR#172. OpenBSD-Commit-ID: 166ee8f93a7201fef431b9001725ab8b269d5874
2020-01-29	upstream: changes to support FIDO attestation	djm@openbsd.org
	Allow writing to disk the attestation certificate that is generated by the FIDO token at key enrollment time. These certificates may be used by an out-of-band workflow to prove that a particular key is held in trustworthy hardware. Allow passing in a challenge that will be sent to the card during key enrollment. These are needed to build an attestation workflow that resists replay attacks. ok markus@ OpenBSD-Commit-ID: 457dc3c3d689ba39eed328f0817ed9b91a5f78f6
2020-01-26	upstream: improve the error message for u2f enrollment errors by	djm@openbsd.org
	making ssh-keygen be solely responsible for printing the error message and convertint some more common error responses from the middleware to a useful ssherr.h status code. more detail remains visible via -v of course. also remove indepedent copy of sk-api.h declarations in sk-usbhid.c and just include it. feedback & ok markus@ OpenBSD-Commit-ID: a4a8ffa870d9a3e0cfd76544bcdeef5c9fb1f1bb
2020-01-06	upstream: Extends the SK API to accept a set of key/value options	djm@openbsd.org
	for all operations. These are intended to future-proof the API a little by making it easier to specify additional fields for without having to change the API version for each. At present, only two options are defined: one to explicitly specify the device for an operation (rather than accepting the middleware's autoselection) and another to specify the FIDO2 username that may be used when generating a resident key. These new options may be invoked at key generation time via ssh-keygen -O This also implements a suggestion from Markus to avoid "int" in favour of uint32_t for the algorithm argument in the API, to make implementation of ssh-sk-client/helper a little easier. feedback, fixes and ok markus@ OpenBSD-Commit-ID: 973ce11704609022ab36abbdeb6bc23c8001eabc
2019-12-30	upstream: document SK API changes in PROTOCOL.u2f	djm@openbsd.org
	ok markus@ OpenBSD-Commit-ID: 52622363c103a3c4d3d546050480ffe978a32186
2019-12-30	upstream: basic support for generating FIDO2 resident keys	djm@openbsd.org
	"ssh-keygen -t ecdsa-sk\|ed25519-sk -x resident" will generate a device-resident key. feedback and ok markus@ OpenBSD-Commit-ID: 8e1b3c56a4b11d85047bd6c6c705b7eef4d58431
2019-12-21	upstream: SSH U2F keys can now be used as host keys. Fix a garden	naddy@openbsd.org
	path sentence. ok markus@ OpenBSD-Commit-ID: 67d7971ca1a020acd6c151426c54bd29d784bd6b
2019-12-14	upstream: add a note about the 'extensions' field in the signed	djm@openbsd.org
	object OpenBSD-Commit-ID: 67c01e0565b258e0818c1ccfe1f1aeaf9a0d4c7b
2019-12-11	upstream: some more corrections for documentation problems spotted	djm@openbsd.org
	by Ron Frederick document certifiate private key format correct flags type for sk-ssh-ed25519@openssh.com keys OpenBSD-Commit-ID: fc4e9a1ed7f9f7f9dd83e2e2c59327912e933e74
2019-12-11	upstream: loading security keys into ssh-agent used the extension	djm@openbsd.org
	constraint "sk-provider@openssh.com", not "sk@openssh.com"; spotted by Ron Frederick OpenBSD-Commit-ID: dbfba09edbe023abadd5f59c1492df9073b0e51d
2019-12-11	upstream: chop some unnecessary and confusing verbiage from the	djm@openbsd.org
	security key protocol description; feedback from Ron Frederick OpenBSD-Commit-ID: 048c9483027fbf9c995e5a51b3ac502989085a42
2019-11-28	upstream: tweak wording	djm@openbsd.org
	OpenBSD-Commit-ID: bd002ca1599b71331faca735ff5f6de29e32222e
2019-11-20	upstream: adjust on-wire signature encoding for ecdsa-sk keys to	djm@openbsd.org
	better match ec25519-sk keys. Discussed with markus@ and Sebastian Kinne NB. if you are depending on security keys (already?) then make sure you update both your clients and servers. OpenBSD-Commit-ID: 53d88d8211f0dd02a7954d3af72017b1a79c0679
2019-11-18	upstream: document ed25519-sk pubkey, private key and certificate	djm@openbsd.org
	formats OpenBSD-Commit-ID: 795a7c1c80315412e701bef90e31e376ea2f3c88
2019-11-18	upstream: correct order or ecdsa-sk private key fields	djm@openbsd.org
	OpenBSD-Commit-ID: 4d4a0c13226a79f0080ce6cbe74f73b03ed8092e
2019-11-18	upstream: correct description of fields in pub/private keys (was	djm@openbsd.org
	missing curve name); spotted by Sebastian Kinne OpenBSD-Commit-ID: 2a11340dc7ed16200342d384fb45ecd4fcce26e7
2019-11-13	upstream: remove extra layer for ed25519 signature; ok djm@	markus@openbsd.org
	OpenBSD-Commit-ID: 7672d9d0278b4bf656a12d3aab0c0bfe92a8ae47
2019-11-13	upstream: update sk-api to version 2 for ed25519 support; ok djm	markus@openbsd.org
	OpenBSD-Commit-ID: 77aa4d5b6ab17987d8a600907b49573940a0044a
2019-11-02	upstream: fix miscellaneous text problems; ok djm@	naddy@openbsd.org
	OpenBSD-Commit-ID: 0cbf411a14d8fa0b269b69cbb1b4fc0ca699fe9f
2019-11-01	upstream: Protocol documentation for U2F/FIDO keys in OpenSSH	djm@openbsd.org
	OpenBSD-Commit-ID: 8f3247317c2909870593aeb306dff848bc427915