Age | Commit message (Collapse) | Author |
|
[ssh-keygen.1]
tweak previous;
|
|
[auth.c key.c key.h ssh-keygen.1 ssh-keygen.c sshd_config.5]
[krl.c krl.h PROTOCOL.krl]
add support for Key Revocation Lists (KRLs). These are a compact way to
represent lists of revoked keys and certificates, taking as little as
a single bit of incremental cost to revoke a certificate by serial number.
KRLs are loaded via the existing RevokedKeys sshd_config option.
feedback and ok markus@
|
|
[ssh-keygen.1]
a little more info on certificate validity;
requested by Ross L Richardson, and provided by djm
|
|
[moduli.c ssh-keygen.1 ssh-keygen.c]
Add options to specify starting line number and number of lines to process
when screening moduli candidates. This allows processing of different
parts of a candidate moduli file in parallel. man page help jmc@, ok djm@
|
|
[moduli.c ssh-keygen.1 ssh-keygen.c]
Add optional checkpoints for moduli screening. feedback & ok deraadt
|
|
[ssh-keygen.1]
typo (they vs the) found by Lawrence Teo
|
|
[ssh-keygen.1]
mention valid -b sizes for ECDSA keys; bz#1862
|
|
[ssh-keygen.1]
improve wording; bz#1861
|
|
[ssh-keygen.1]
zap trailing whitespace;
|
|
[ssh-keygen.1]
-q not used in /etc/rc now so remove statement.
|
|
[ssh-keygen.1 ssh-keygen.c]
Add -A option. For each of the key types (rsa1, rsa, dsa and ecdsa)
for which host keys do not exist, generate the host keys with the
default key file path, an empty passphrase, default bits for the key
type, and default comment. This will be used by /etc/rc to generate
new host keys. Idea from deraadt.
ok deraadt
|
|
[scp.1 ssh-add.1 ssh-keygen.1 ssh.1 ssh_config.5 sshd.8 sshd_config.5]
knock out some "-*- nroff -*-" lines;
|
|
[ssh-keygen.1]
* mention ECDSA in more places
* less repetition in FILES section
* SSHv1 keys are still encrypted with 3DES
help and ok jmc@
|
|
[PROTOCOL PROTOCOL.agent PROTOCOL.certkeys auth2-jpake.c authfd.c]
[authfile.c buffer.h dns.c kex.c kex.h key.c key.h monitor.c]
[monitor_wrap.c myproposal.h packet.c packet.h pathnames.h readconf.c]
[ssh-add.1 ssh-add.c ssh-agent.1 ssh-agent.c ssh-keygen.1 ssh-keygen.c]
[ssh-keyscan.1 ssh-keyscan.c ssh-keysign.8 ssh.1 ssh.c ssh2.h]
[ssh_config.5 sshconnect.c sshconnect2.c sshd.8 sshd.c sshd_config.5]
[uuencode.c uuencode.h bufec.c kexecdh.c kexecdhc.c kexecdhs.c ssh-ecdsa.c]
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and
host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer
better performance than plain DH and DSA at the same equivalent symmetric
key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the
three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and
ECDSA. Point compression (optional in RFC5656 is NOT implemented).
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be
subject to change.
feedback and ok markus@
|
|
[ssh-keygen.1 ssh-keygen.c]
Support CA keys in PKCS#11 tokens; feedback and ok markus@
|
|
[ssh-keygen.1]
repair incorrect block nesting, which screwed up indentation;
problem reported and fix OK by jmc@
|
|
[ssh-keygen.1]
tweak previous;
|
|
[ssh-keygen.1 ssh-keygen.c]
allow import (-i) and export (-e) of PEM and PKCS#8 encoded keys;
bz#1749; ok markus@
|
|
[ssh-keygen.1 ssh-keygen.c]
tweak previous; ok djm
|
|
[PROTOCOL.certkeys auth-options.c auth-options.h auth-rsa.c]
[auth2-pubkey.c authfd.c key.c key.h myproposal.h ssh-add.c]
[ssh-agent.c ssh-dss.c ssh-keygen.1 ssh-keygen.c ssh-rsa.c]
[sshconnect.c sshconnect2.c sshd.c]
revised certificate format ssh-{dss,rsa}-cert-v01@openssh.com with the
following changes:
move the nonce field to the beginning of the certificate where it can
better protect against chosen-prefix attacks on the signature hash
Rename "constraints" field to "critical options"
Add a new non-critical "extensions" field
Add a serial number
The older format is still support for authentication and cert generation
(use "ssh-keygen -t v00 -s ca_key ..." to generate a v00 certificate)
ok markus@
|
|
[ssh-keygen.1]
fix a formatting error (args need quoted); noted by stevesk
|
|
[ssh-keygen.1]
Certificates are named *-cert.pub, not *_cert.pub; committing a diff
from stevesk@ ok me
|
|
[ssh-keygen.1]
typos; from Ross Richardson
closes prs 6334 and 6335
|
|
[ssh-keygen.1]
sort the list of constraints (to -O); ok djm
|
|
[ssh-keygen.1]
document permit-agent-forwarding certificate constraint; patch from
stevesk@
|
|
[ssh-keygen.1]
fix Bk/Ek;
|
|
[ssh-keygen.1 ssh-keygen.c]
Add a -L flag to print the contents of a certificate; ok markus@
|
|
[ssh-keygen.1 ssh.1 sshd.8]
tweak previous;
|
|
- djm@cvs.openbsd.org 2010/02/26 20:29:54
[PROTOCOL PROTOCOL.agent PROTOCOL.certkeys addrmatch.c auth-options.c]
[auth-options.h auth.h auth2-pubkey.c authfd.c dns.c dns.h hostfile.c]
[hostfile.h kex.h kexdhs.c kexgexs.c key.c key.h match.h monitor.c]
[myproposal.h servconf.c servconf.h ssh-add.c ssh-agent.c ssh-dss.c]
[ssh-keygen.1 ssh-keygen.c ssh-rsa.c ssh.1 ssh.c ssh2.h sshconnect.c]
[sshconnect2.c sshd.8 sshd.c sshd_config.5]
Add support for certificate key types for users and hosts.
OpenSSH certificate key types are not X.509 certificates, but a much
simpler format that encodes a public key, identity information and
some validity constraints and signs it with a CA key. CA keys are
regular SSH keys. This certificate style avoids the attack surface
of X.509 certificates and is very easy to deploy.
Certified host keys allow automatic acceptance of new host keys
when a CA certificate is marked as sh/known_hosts.
see VERIFYING HOST KEYS in ssh(1) for details.
Certified user keys allow authentication of users when the signing
CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS
FILE FORMAT" in sshd(8) for details.
Certificates are minted using ssh-keygen(1), documentation is in
the "CERTIFICATES" section of that manpage.
Documentation on the format of certificates is in the file
PROTOCOL.certkeys
feedback and ok markus@
|
|
[ssh-add.1 ssh-keygen.1 ssh.1 ssh_config.5]
pkcs#11 is no longer optional; improve wording; ok jmc@
|
|
[ssh-add.1 ssh-keygen.1 ssh.1 ssh.c]
tweak previous; ok markus
|
|
[pathnames.h readconf.c readconf.h scp.1 sftp.1 ssh-add.1 ssh-add.c]
[ssh-agent.c ssh-keygen.1 ssh-keygen.c ssh.1 ssh.c ssh_config.5]
replace our obsolete smartcard code with PKCS#11.
ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-11/v2-20/pkcs-11v2-20.pdf
ssh(1) and ssh-keygen(1) use dlopen(3) directly to talk to a PKCS#11
provider (shared library) while ssh-agent(1) delegates PKCS#11 to
a forked a ssh-pkcs11-helper process.
PKCS#11 is currently a compile time option.
feedback and ok djm@; inspired by patches from Alon Bar-Lev
`
|
|
[ssh-keygen.1]
ssh-keygen now uses AES-128 for private keys
|
|
[ssh-keygen.1]
Add "ssh-keygen -F -l" to synopsis (displays fingerprint from
known_hosts). ok djm@
|
|
[ssh_config.5 ssh-keygen.1]
tweak the ascii art text; ok grunk
|
|
[ssh-keygen.c ssh-keygen.1]
ssh-keygen would write fingerprints to STDOUT, and random art to STDERR,
that is not how it was envisioned.
Also correct manpage saying that -v is needed along with -l for it to work.
spotted by naddy@
|
|
[ssh_config.5 key.h readconf.c readconf.h ssh-keygen.1 ssh-keygen.c key.c
sshconnect.c]
Introduce SSH Fingerprint ASCII Visualization, a technique inspired by the
graphical hash visualization schemes known as "random art", and by
Dan Kaminsky's musings on the subject during a BlackOp talk at the
23C3 in Berlin.
Scientific publication (original paper):
"Hash Visualization: a New Technique to improve Real-World Security",
Perrig A. and Song D., 1999, International Workshop on Cryptographic
Techniques and E-Commerce (CrypTEC '99)
http://sparrow.ece.cmu.edu/~adrian/projects/validation/validation.pdf
The algorithm used here is a worm crawling over a discrete plane,
leaving a trace (augmenting the field) everywhere it goes.
Movement is taken from dgst_raw 2bit-wise. Bumping into walls
makes the respective movement vector be ignored for this turn,
thus switching to the other color of the chessboard.
Graphs are not unambiguous for now, because circles in graphs can be
walked in either direction.
discussions with several people,
help, corrections and ok markus@ djm@
|
|
[scp.1 ssh_config.5 sftp-server.8 ssh-agent.1 sshd_config.5 sftp.1
ssh-keygen.1 ssh-keyscan.1 ssh-add.1 sshd.8 ssh.1 ssh-keysign.8]
convert to new .Dd format;
(We will need to teach mdoc2man.awk to understand this too.)
|
|
[ssh-keygen.1 ssh-keygen.c]
more secsh -> rfc 4716 updates;
spotted by wiz@netbsd
ok markus
|
|
[ssh-keygen.1 ssh.1]
add rfc 4716 (public key format); ok jmc
|
|
Enforce DSA key length of exactly 1024 bits to comply with FIPS-186-2,
increase minumum RSA key size to 768 bits and update man page to reflect
these. Patch originally bz#1119 (senthilkumar_sen at hotpop.com),
ok djm@, grudging ok deraadt@.
|
|
[ssh-keygen.1]
grammar;
|
|
[ssh-keygen.1 ssh-keygen.c]
generate a protocol 2 RSA key by default
|
|
[ssh-keygen.1 ssh-keygen.c sshd.8]
increase default rsa/dsa key length from 1024 to 2048 bits;
ok markus@ deraadt@
|
|
[ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh.1 ssh_config.5 sshd.8]
[sshd_config.5] OpenSSH doesn't ever look at the $HOME environment
variable, so don't say that we do (bz #623); ok deraadt@
|
|
[ssh-keygen.1]
Correct description of -H (bz #997); ok markus@, punctuation jmc@
|
|
[ssh-keygen.1]
sort options (no attempt made at synopsis clean up though);
spelling (occurance -> occurrence);
use prompt before examples;
grammar;
|
|
[ssh-keygen.1]
whitespace;
|
|
[ssh-keygen.1 ssh-keygen.c ssh_config.5]
add tools for managing known_hosts files with hashed hostnames, including
hashing existing files and deleting hosts by name; ok markus@ deraadt@
|
|
[ssh-keygen.1]
kill whitespace at eol;
|