summaryrefslogtreecommitdiff
path: root/PROTOCOL
AgeCommit message (Collapse)Author
2010-02-27 - OpenBSD CVS SyncDamien Miller
- djm@cvs.openbsd.org 2010/02/26 20:29:54 [PROTOCOL PROTOCOL.agent PROTOCOL.certkeys addrmatch.c auth-options.c] [auth-options.h auth.h auth2-pubkey.c authfd.c dns.c dns.h hostfile.c] [hostfile.h kex.h kexdhs.c kexgexs.c key.c key.h match.h monitor.c] [myproposal.h servconf.c servconf.h ssh-add.c ssh-agent.c ssh-dss.c] [ssh-keygen.1 ssh-keygen.c ssh-rsa.c ssh.1 ssh.c ssh2.h sshconnect.c] [sshconnect2.c sshd.8 sshd.c sshd_config.5] Add support for certificate key types for users and hosts. OpenSSH certificate key types are not X.509 certificates, but a much simpler format that encodes a public key, identity information and some validity constraints and signs it with a CA key. CA keys are regular SSH keys. This certificate style avoids the attack surface of X.509 certificates and is very easy to deploy. Certified host keys allow automatic acceptance of new host keys when a CA certificate is marked as sh/known_hosts. see VERIFYING HOST KEYS in ssh(1) for details. Certified user keys allow authentication of users when the signing CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS FILE FORMAT" in sshd(8) for details. Certificates are minted using ssh-keygen(1), documentation is in the "CERTIFICATES" section of that manpage. Documentation on the format of certificates is in the file PROTOCOL.certkeys feedback and ok markus@
2010-01-09 - djm@cvs.openbsd.org 2010/01/09 00:57:10Darren Tucker
[PROTOCOL] tweak language
2010-01-08 - djm@cvs.openbsd.org 2009/12/20 23:20:40Darren Tucker
[PROTOCOL] fix an incorrect magic number and typo in PROTOCOL; bz#1688 report and fix from ueno AT unixuser.org
2009-02-14 - djm@cvs.openbsd.org 2009/02/14 06:35:49Damien Miller
[PROTOCOL] mention that eow and no-more-sessions extensions are sent only to OpenSSH peers
2008-07-05 - djm@cvs.openbsd.org 2008/07/05 05:16:01Damien Miller
[PROTOCOL] grammar
2008-07-02 - djm@cvs.openbsd.org 2008/06/30 12:18:34Darren Tucker
[PROTOCOL] clarify that eow@openssh.com is only sent on session channels
2008-06-30 - djm@cvs.openbsd.org 2008/06/28 14:08:30Damien Miller
[PROTOCOL PROTOCOL.agent] document the protocol used by ssh-agent; "looks ok" markus@
2008-06-30 - djm@cvs.openbsd.org 2008/06/28 07:25:07Damien Miller
[PROTOCOL] spelling fixes
2008-06-13 - djm@cvs.openbsd.org 2008/06/12 05:15:41Darren Tucker
[PROTOCOL] document tun@openssh.com forwarding method
2008-06-11 - djm@cvs.openbsd.org 2008/06/10 22:15:23Darren Tucker
[PROTOCOL ssh.c serverloop.c] Add a no-more-sessions@openssh.com global request extension that the client sends when it knows that it will never request another session (i.e. when session multiplexing is disabled). This allows a server to disallow further session requests and terminate the session. Why would a non-multiplexing client ever issue additional session requests? It could have been attacked with something like SSH'jack: http://www.storm.net.nz/projects/7 feedback & ok markus
2008-06-09 - dtucker@cvs.openbsd.org 2008/06/09 13:38:46Darren Tucker
[PROTOCOL] Use a $OpenBSD tag so our scripts will sync changes.
2008-06-09 - dtucker@cvs.openbsd.org 2008/06/08 20:15:29Darren Tucker
[PROTOCOL] Have the sftp client store the statvfs replies in wire format, which prevents problems when the server's native sizes exceed the client's. Also extends the sizes of the remaining 32bit wire format to 64bit, they're specified as unsigned long in the standard.
2008-06-09 - djm@cvs.openbsd.org 2008/06/07 21:52:46Darren Tucker
[PROTOCOL] statvfs member fsid needs to be wider, increase it to 64 bits and crank extension revision number to 2; prodded and ok dtucker@
2008-05-19 - djm@cvs.openbsd.org 2008/05/16 08:30:42Damien Miller
[PROTOCOL] document our protocol extensions and deviations; ok markus@ - djm@cvs.openbsd.org 2008/05/17 01:31:56 [PROTOCOL] grammar and correctness fixes from stevesk@