Age | Commit message (Collapse) | Author |
|
that a signature came from a trusted signer. To discourage accidental or
unintentional use, this is invoked by the deliberately ugly option name
"check-novalidate"
from Sebastian Kinne
OpenBSD-Commit-ID: cea42c36ab7d6b70890e2d8635c1b5b943adcc0b
|
|
OpenBSD-Commit-ID: e891dd6c7996114cb32f0924cb7898ab55efde6e
|
|
OpenBSD-Commit-ID: 0abd728aef6b5b35f6db43176aa83b7e3bf3ce27
|
|
Markus
ok markus/me
OpenBSD-Commit-ID: ea4f46ad5a16b27af96e08c4877423918c4253e9
|
|
for OpenSSH
This adds a simple manual signature scheme to OpenSSH.
Signatures can be made and verified using ssh-keygen -Y sign|verify
Signatures embed the key used to make them. At verification time, this
is matched via principal name against an authorized_keys-like list
of allowed signers.
Mostly by Sebastian Kinne w/ some tweaks by me
ok markus@
OpenBSD-Commit-ID: 2ab568e7114c933346616392579d72be65a4b8fb
|
|
hosts (i.e. "ssh-keygen -vF host") to print the matching host's random- art
signature too. bz#3003 "amusing, pretty" deraadt@
OpenBSD-Commit-ID: 686221a5447d6507f40a2ffba5393984d889891f
|
|
private keys, enabled via "ssh-keygen -m PKCS8" on operations that save
private keys to disk.
The OpenSSH native key format remains the default, but PKCS8 is a
superior format to PEM if interoperability with non-OpenSSH software
is required, as it may use a less terrible KDF (IIRC PEM uses a single
round of MD5 as a KDF).
adapted from patch by Jakub Jelen via bz3013; ok markus
OpenBSD-Commit-ID: 027824e3bc0b1c243dc5188504526d73a55accb1
|
|
OpenBSD-Commit-ID: 42f39f22f53cfcb913bce401ae0f1bb93e08dd6c
|
|
using the rsa-sha2-512 signature algorithm. Certificates signed by RSA keys
will therefore be incompatible with OpenSSH < 7.2 unless the default is
overridden.
Document the ability of the ssh-keygen -t flag to override the
signature algorithm when signing certificates, and the new default.
ok deraadt@
OpenBSD-Commit-ID: 400c9c15013978204c2cb80f294b03ae4cfc8b95
|
|
sebastiaanlokhorst at gmail.com via bz#2997.
OpenBSD-Commit-ID: bdd62ff5d4d649d2147904e91bf7cefa82fe11e1
|
|
kn@
OpenBSD-Commit-ID: 1a9bec64d530aed5f434a960e7515a3e80cbc826
|
|
signed in a single commandline.
OpenBSD-Commit-ID: 39881087641efb8cd83c7ec13b9c98280633f45b
|
|
support it
Be more explicit in the description of -m about where it may be used
Prompted by Jakub Jelen in bz2904
OpenBSD-Commit-ID: 3b398ac5e05d8a6356710d0ff114536c9d71046c
|
|
private
OpenBSD-Commit-ID: 7de7ff6d274d82febf9feb641e2415ffd6a30bfb
|
|
and give some hints on how keys may be converted or written in the old
format.
OpenBSD-Commit-ID: 9c90a9f92eddc249e07fad1204d0e15c8aa13823
|
|
OpenBSD-Commit-ID: e26c8bf2f2a808f3c47960e1e490d2990167ec39
|
|
authorized_keys) and -R (remove host from authorized_keys) options may accept
either a bare hostname or a [hostname]:port combo. bz#2935
OpenBSD-Commit-ID: 5535cf4ce78375968b0d2cd7aa316fa3eb176780
|
|
OpenBSD-Commit-ID: dd724e1c52c9d6084f4cd260ec7e1b2b138261c6
|
|
to create KRLs using SHA256/base64 key fingerprints; ok markus@
OpenBSD-Commit-ID: a0590fd34e7f1141f2873ab3acc57442560e6a94
|
|
suported by OpenSSH >= 6.5 (released January 2014), so it should be supported
by most OpenSSH versions in active use.
It is possible to convert new-format private keys to the older
format using "ssh-keygen -f /path/key -pm PEM".
ok deraadt dtucker
OpenBSD-Commit-ID: e3bd4f2509a2103bfa2f710733426af3ad6d8ab8
|
|
simple way of giving a key an expiry date. ok markus@
OpenBSD-Commit-ID: 1793b4dd5184fa87f42ed33c7b0f4f02bc877947
|
|
certificate options are case-sensitive; fix case on one
that had it wrong.
move a badly-place sentence to a less bad place
OpenBSD-Commit-ID: 231e516bba860699a1eece6d48532d825f5f747b
|
|
allow certificate validity intervals that specify only a
start or stop time (we already support specifying both or neither)
OpenBSD-Commit-ID: 9be486545603c003030bdb5c467d1318b46b4e42
|
|
slightly rework previous, to avoid an article issue;
Upstream-ID: 15a315f0460ddd3d4e2ade1f16d6c640a8c41b30
|
|
When generating all hostkeys (ssh-keygen -A), clobber
existing keys if they exist but are zero length. zero-length keys could
previously be made if ssh-keygen failed part way through generating them, so
avoid that case too. bz#2561 reported by Krzysztof Cieplucha; ok dtucker@
Upstream-ID: f662201c28ab8e1f086b5d43c59cddab5ade4044
|
|
Allow ssh-keygen to use a key held in ssh-agent as a CA when
signing certificates. bz#2377 ok markus
Upstream-ID: fb42e920b592edcbb5b50465739a867c09329c8f
|
|
remove superfluous protocol 2 mentions; ok jmc@
Upstream-ID: 0aaf7567c9f2e50fac5906b6a500a39c33c4664d
|
|
more protocol 1 stuff to go; ok djm
Upstream-ID: 307a30441d2edda480fd1661d998d36665671e47
|
|
rsa1 is no longer valid;
Upstream-ID: 9953d09ed9841c44b7dcf7019fa874783a709d89
|
|
more -O shuffle; ok djm
Upstream-ID: c239991a3a025cdbb030b73e990188dd9bfbeceb
|
|
tidy up -O somewhat; ok djm
Upstream-ID: 804405f716bf7ef15c1f36ab48581ca16aeb4d52
|
|
remove KEY_RSA1
ok markus@
Upstream-ID: 7408517b077c892a86b581e19f82a163069bf133
|
|
tweak previous;
Upstream-ID: a3abc6857455299aa42a046d232b7984568bceb9
|
|
allow ssh-keygen to include arbitrary string or flag
certificate extensions and critical options. ok markus@ dtucker@
Upstream-ID: 2cf28dd6c5489eb9fc136e0b667ac3ea10241646
|
|
keys stored in openssh format can have comments too; diff
from yonas yanfa, tweaked a bit;
ok djm
Upstream-ID: 03d48536da6e51510d73ade6fcd44ace731ceb27
|
|
correct article;
Upstream-ID: 1fbd5b7ab16d2d9834ec79c3cedd4738fa42a168
|
|
make nethack^wrandomart fingerprint flag more readily
searchable pointed out by Matt Johnston
Upstream-ID: cb40d0235dc153c478c1aad3bc60b195422a54fb
|
|
since these pages now clearly tell folks to avoid v1,
normalise the docs from a v2 perspective (i.e. stop pointing out which bits
are v2 only);
ok/tweaks djm ok markus
Upstream-ID: eb474f8c36fb6a532dc05c282f7965e38dcfa129
|
|
support multiple certificates (one per line) and
reading from standard input (using "-f -") for "ssh-keygen -L"; ok dtucker@
Upstream-ID: ecbadeeef3926e5be6281689b7250a32a80e88db
|
|
"commandline" -> "command line", since there are so few
examples of the former in the pages, so many of the latter, and in some of
these pages we had multiple spellings;
prompted by tj
Upstream-ID: 78459d59bff74223f8139d9001ccd56fc4310659
|
|
In the certificates section, be consistent about using
"host_key" and "user_key" for the respective key types. ok sthen@ deraadt@
Upstream-ID: 9e037ea3b15577b238604c5533e082a3947f13cb
|
|
refuse to generate or accept RSA keys smaller than 1024
bits; feedback and ok dtucker@
Upstream-ID: 7ea3d31271366ba264f06e34a3539bf1ac30f0ba
|
|
add -v (show ASCII art) to -l's synopsis; ok djm@
|
|
Add FingerprintHash option to control algorithm used for
key fingerprints. Default changes from MD5 to SHA256 and format from hex to
base64.
Feedback and ok naddy@ markus@
|
|
improve capitalization for the Ed25519 public-key
signature system.
ok djm@
|
|
[ssh-keygen.1]
the text for the -K option was inserted in the wrong place in -r1.108;
fix From: Matthew Clarke
|
|
[ssh-agent.c ssh-keygen.1 ssh-keygen.c]
Improve usage() and documentation towards the standard form.
In particular, this line saves a lot of man page reading time.
usage: ssh-keygen [-q] [-b bits] [-t dsa | ecdsa | ed25519 | rsa | rsa1]
[-N new_passphrase] [-C comment] [-f output_keyfile]
ok schwarze jmc
|
|
[ssh-keygen.1 ssh-keygen.c]
tweak synopsis: calling ssh-keygen without any arguments is fine; ok jmc@
while here, fix ordering in usage(); requested by jmc@
|
|
[ssh-keygen.1]
small typo
|
|
[ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh-keysign.8 ssh.1]
[ssh_config.5 sshd.8 sshd_config.5]
add missing mentions of ed25519; ok djm@
|