openssh.git -

Age	Commit message (Collapse)	Author
2020-10-18	Adjust various OpenBSD-specific references in manual pages	Colin Watson
	No single bug reference for this patch, but history includes: http://bugs.debian.org/154434 (login.conf(5)) http://bugs.debian.org/513417 (/etc/rc) http://bugs.debian.org/530692 (ssl(8)) https://bugs.launchpad.net/bugs/456660 (ssl(8)) Forwarded: not-needed Last-Update: 2017-10-04 Patch-Name: openbsd-docs.patch
2020-09-09	upstream: when writing an attestation blob for a FIDO key, record all	djm@openbsd.org
	the data needed to verify the attestation. Previously we were missing the "authenticator data" that is included in the signature. spotted by Ian Haken feedback Pedro Martelletto and Ian Haken; ok markus@ OpenBSD-Commit-ID: 8439896e63792b2db99c6065dd9a45eabbdb7e0a
2020-08-27	upstream: tweak previous;	jmc@openbsd.org
	OpenBSD-Commit-ID: 92714b6531e244e4da401b2defaa376374e24be7
2020-08-27	upstream: Request PIN ahead of time for certain FIDO actions	djm@openbsd.org
	When we know that a particular action will require a PIN, such as downloading resident keys or generating a verify-required key, request the PIN before attempting it. joint work with Pedro Martelletto; ok markus@ OpenBSD-Commit-ID: 863182d38ef075bad1f7d20ca485752a05edb727
2020-08-27	upstream: support for user-verified FIDO keys	djm@openbsd.org
	FIDO2 supports a notion of "user verification" where the user is required to demonstrate their identity to the token before particular operations (e.g. signing). Typically this is done by authenticating themselves using a PIN that has been set on the token. This adds support for generating and using user verified keys where the verification happens via PIN (other options might be added in the future, but none are in common use now). Practically, this adds another key generation option "verify-required" that yields a key that requires a PIN before each authentication. feedback markus@ and Pedro Martelletto; ok markus@ OpenBSD-Commit-ID: 57fd461e4366f87c47502c5614ec08573e6d6a15
2020-07-17	upstream: - Add [-a rounds] in ssh-keygen man page and usage() -	solene@openbsd.org
	Reorder parameters list in the first usage() case - Sentence rewording ok dtucker@ jmc@ noticed usage() missed -a flag too OpenBSD-Commit-ID: f06b9afe91cc96f260b929a56e9930caecbde246
2020-07-15	upstream: Add default for number of rounds (-a). ok djm@	dtucker@openbsd.org
	OpenBSD-Commit-ID: cb7e9aa04ace01a98e63e4bd77f34a42ab169b15
2020-04-03	upstream: give ssh-keygen the ability to dump the contents of a	djm@openbsd.org
	binary key revocation list: ssh-keygen -lQf /path bz#3132; ok dtucker OpenBSD-Commit-ID: b76afc4e3b74ab735dbde4e5f0cfa1f02356033b
2020-02-24	upstream: Fix typo. Patch from itoama at live.jp via github PR#173.	dtucker@openbsd.org
	OpenBSD-Commit-ID: 5cdaafab38bbdea0d07e24777d00bfe6f972568a
2020-02-07	upstream: sync the description of the $SSH_SK_PROVIDER environment	djm@openbsd.org
	variable with that of the SecurityKeyProvider ssh/sshd_config(5) directive, as the latter was more descriptive. OpenBSD-Commit-ID: 0488f09530524a7e53afca6b6e1780598022552f
2020-02-04	upstream: require FIDO application strings to start with "ssh:"; ok	djm@openbsd.org
	markus@ OpenBSD-Commit-ID: 94e9c1c066d42b76f035a3d58250a32b14000afb
2020-02-04	upstream: use better markup for challenge and write-attestation, and	jmc@openbsd.org
	rejig the challenge text a little; ok djm OpenBSD-Commit-ID: 9f351e6da9edfdc907d5c3fdaf2e9ff3ab0a7a6f
2020-02-02	upstream: shuffle the challenge keyword to keep the -O list sorted;	jmc@openbsd.org
	OpenBSD-Commit-ID: 08efad608b790949a9a048d65578fae9ed5845fe
2020-01-29	upstream: changes to support FIDO attestation	djm@openbsd.org
	Allow writing to disk the attestation certificate that is generated by the FIDO token at key enrollment time. These certificates may be used by an out-of-band workflow to prove that a particular key is held in trustworthy hardware. Allow passing in a challenge that will be sent to the card during key enrollment. These are needed to build an attestation workflow that resists replay attacks. ok markus@ OpenBSD-Commit-ID: 457dc3c3d689ba39eed328f0817ed9b91a5f78f6
2020-01-25	upstream: ssh-keygen -Y find-principals fixes based on feedback	djm@openbsd.org
	from Markus: use "principals" instead of principal, as allowed_signers lines may list multiple. When the signing key is a certificate, emit only principals that match the certificate principal list. NB. the command -Y name changes: "find-principal" => "find-principals" ok markus@ OpenBSD-Commit-ID: ab575946ff9a55624cd4e811bfd338bf3b1d0faf
2020-01-23	upstream: new sentence, new line;	jmc@openbsd.org
	OpenBSD-Commit-ID: b6c3f2f36ec77e99198619b38a9f146655281925
2020-01-23	upstream: add a new signature operations "find-principal" to look	djm@openbsd.org
	up the principal associated with a signature from an allowed-signers file. Work by Sebastian Kinne; ok dtucker@ OpenBSD-Commit-ID: 6f782cc7e18e38fcfafa62af53246a1dcfe74e5d
2020-01-21	upstream: one more replacement "(security) key" -> "(FIDO)	naddy@openbsd.org
	authenticator" OpenBSD-Commit-ID: 031bca03c1d1f878ab929facd561911f1bc68dfd
2020-01-21	upstream: undo merge error and replace the term "security key"	naddy@openbsd.org
	again OpenBSD-Commit-ID: 341749062c089cc360a7877e9ee3a887aecde395
2020-01-21	upstream: sync ssh-keygen.1 and ssh-keygen's usage() with each	naddy@openbsd.org
	other and reality ok markus@ OpenBSD-Commit-ID: cdf64454f2c3604c25977c944e5b6262a3bcce92
2020-01-09	upstream: put the fido options in a list, and tidy up the text a	jmc@openbsd.org
	little; ok djm OpenBSD-Commit-ID: 491ce15ae52a88b7a6a2b3b6708a14b4aacdeebb
2020-01-06	upstream: Extends the SK API to accept a set of key/value options	djm@openbsd.org
	for all operations. These are intended to future-proof the API a little by making it easier to specify additional fields for without having to change the API version for each. At present, only two options are defined: one to explicitly specify the device for an operation (rather than accepting the middleware's autoselection) and another to specify the FIDO2 username that may be used when generating a resident key. These new options may be invoked at key generation time via ssh-keygen -O This also implements a suggestion from Markus to avoid "int" in favour of uint32_t for the algorithm argument in the API, to make implementation of ssh-sk-client/helper a little easier. feedback, fixes and ok markus@ OpenBSD-Commit-ID: 973ce11704609022ab36abbdeb6bc23c8001eabc
2020-01-04	upstream: the download resident keys option is -K (upper) not -k	jmc@openbsd.org
	(lower); ok djm OpenBSD-Commit-ID: 71dc28a3e1fa7c553844abc508845bcf5766e091
2020-01-03	upstream: ability to download FIDO2 resident keys from a token via	djm@openbsd.org
	"ssh-keygen -K". This will save public/private keys into the current directory. This is handy if you move a token between hosts. feedback & ok markus@ OpenBSD-Commit-ID: d57c1f9802f7850f00a117a1d36682a6c6d10da6
2020-01-03	upstream: simplify the list for moduli options - no need for	jmc@openbsd.org
	-compact; OpenBSD-Commit-ID: 6492c72280482c6d072be46236b365cb359fc280
2019-12-30	upstream: Remove the -x option currently used for	djm@openbsd.org
	FIDO/U2F-specific key flags. Instead these flags may be specified via -O. ok markus@ OpenBSD-Commit-ID: f23ebde2a8a7e1bf860a51055a711cffb8c328c1
2019-12-30	upstream: remove single-letter flags for moduli options	djm@openbsd.org
	Move all moduli generation options to live under the -O flag. Frees up seven single-letter flags. NB. this change break existing ssh-keygen commandline syntax for moduli- related operations. Very few people use these fortunately. feedback and ok markus@ OpenBSD-Commit-ID: d498f3eaf28128484826a4fcb343612764927935
2019-12-30	upstream: prepare for use of ssh-keygen -O flag beyond certs	djm@openbsd.org
	Move list of available certificate options in ssh-keygen.1 to the CERTIFICATES section. Collect options specified by -O but delay parsing/validation of certificate options until we're sure that we're acting as a CA. ok markus@ OpenBSD-Commit-ID: 33e6bcc29cfca43606f6fa09bd84b955ee3a4106
2019-12-30	upstream: sort -Y internally in the options list, as is already	jmc@openbsd.org
	done in synopsis; OpenBSD-Commit-ID: 86d033c5764404057616690d7be992e445b42274
2019-12-30	upstream: in the options list, sort -Y and -y;	jmc@openbsd.org
	OpenBSD-Commit-ID: 24c2e6a3aeab6e050a0271ffc73fdff91c10dcaa
2019-12-30	upstream: Replace the term "security key" with "(FIDO)	naddy@openbsd.org
	authenticator". The polysemous use of "key" was too confusing. Input from markus@. ok jmc@ OpenBSD-Commit-ID: 12eea973a44c8232af89f86e4269d71ae900ca8f
2019-12-11	upstream: tweak the Nd lines for a bit of consistency; ok markus	jmc@openbsd.org
	OpenBSD-Commit-ID: 876651bdde06bc1e72dd4bd7ad599f42a6ce5a16
2019-11-25	upstream: allow "ssh-keygen -x no-touch-required" when generating a	djm@openbsd.org
	security key keypair to request one that does not require a touch for each authentication attempt. The default remains to require touch. feedback deraadt; ok markus@ OpenBSD-Commit-ID: 887e7084b2e89c0c62d1598ac378aad8e434bcbd
2019-11-25	upstream: add a "no-touch-required" option for authorized_keys and	djm@openbsd.org
	a similar extension for certificates. This option disables the default requirement that security key signatures attest that the user touched their key to authorize them. feedback deraadt, ok markus OpenBSD-Commit-ID: f1fb56151ba68d55d554d0f6d3d4dba0cf1a452e
2019-11-20	upstream: more missing mentions of ed25519-sk; ok djm@	naddy@openbsd.org
	OpenBSD-Commit-ID: f242e53366f61697dffd53af881bc5daf78230ff
2019-11-18	upstream: mention ed25519-sk in places where it is accepted;	djm@openbsd.org
	prompted by jmc@ OpenBSD-Commit-ID: 076d386739ebe7336c2137e583bc7a5c9538a442
2019-11-15	upstream: directly support U2F/FIDO2 security keys in OpenSSH by	djm@openbsd.org
	linking against the (previously external) USB HID middleware. The dlopen() capability still exists for alternate middlewares, e.g. for Bluetooth, NFC and test/debugging. OpenBSD-Commit-ID: 14446cf170ac0351f0d4792ba0bca53024930069
2019-11-08	upstream: Fill in missing man page bits for U2F security key support:	naddy@openbsd.org
	Mention the new key types, the ~/.ssh/id_ecdsa_sk file, ssh's SecurityKeyProvider keyword, the SSH_SK_PROVIDER environment variable, and ssh-keygen's new -w and -x options. Copy the ssh-sk-helper man page from ssh-pkcs11-helper with minimal substitutions. ok djm@ OpenBSD-Commit-ID: ef2e8f83d0c0ce11ad9b8c28945747e5ca337ac4
2019-10-29	upstream: fixes from lucas;	jmc@openbsd.org
	OpenBSD-Commit-ID: 4c4bfd2806c5bbc753788ffe19c5ee13aaf418b2
2019-10-04	upstream: use a more common options order in SYNOPSIS and sync	jmc@openbsd.org
	usage(); while here, no need for Bk/Ek; ok dtucker OpenBSD-Commit-ID: 38715c3f10b166f599a2283eb7bc14860211bb90
2019-10-01	upstream: group and sort single letter options; ok deraadt	jmc@openbsd.org
	OpenBSD-Commit-ID: e1480e760a2b582f79696cdcff70098e23fc603f
2019-10-01	upstream: fix the DH-GEX text in -a; because this required a comma,	jmc@openbsd.org
	i added a comma to the first part, for balance... OpenBSD-Commit-ID: 2c3464e9e82a41e8cdfe8f0a16d94266e43dbb58
2019-10-01	upstream: new sentence, new line;	jmc@openbsd.org
	OpenBSD-Commit-ID: c35ca5ec07be460e95e7406af12eee04a77b6698
2019-09-16	upstream: Allow testing signature syntax and validity without verifying	djm@openbsd.org
	that a signature came from a trusted signer. To discourage accidental or unintentional use, this is invoked by the deliberately ugly option name "check-novalidate" from Sebastian Kinne OpenBSD-Commit-ID: cea42c36ab7d6b70890e2d8635c1b5b943adcc0b
2019-09-05	upstream: macro fix; ok djm	jmc@openbsd.org
	OpenBSD-Commit-ID: e891dd6c7996114cb32f0924cb7898ab55efde6e
2019-09-05	upstream: tweak previous;	jmc@openbsd.org
	OpenBSD-Commit-ID: 0abd728aef6b5b35f6db43176aa83b7e3bf3ce27
2019-09-03	upstream: sshsig tweaks and improvements from and suggested by	djm@openbsd.org
	Markus ok markus/me OpenBSD-Commit-ID: ea4f46ad5a16b27af96e08c4877423918c4253e9
2019-09-03	upstream: sshsig: lightweight signature and verification ability	djm@openbsd.org
	for OpenSSH This adds a simple manual signature scheme to OpenSSH. Signatures can be made and verified using ssh-keygen -Y sign\|verify Signatures embed the key used to make them. At verification time, this is matched via principal name against an authorized_keys-like list of allowed signers. Mostly by Sebastian Kinne w/ some tweaks by me ok markus@ OpenBSD-Commit-ID: 2ab568e7114c933346616392579d72be65a4b8fb
2019-07-19	upstream: Accept the verbose flag when searching for host keys in known	djm@openbsd.org
	hosts (i.e. "ssh-keygen -vF host") to print the matching host's random- art signature too. bz#3003 "amusing, pretty" deraadt@ OpenBSD-Commit-ID: 686221a5447d6507f40a2ffba5393984d889891f
2019-07-15	upstream: support PKCS8 as an optional format for storage of	djm@openbsd.org
	private keys, enabled via "ssh-keygen -m PKCS8" on operations that save private keys to disk. The OpenSSH native key format remains the default, but PKCS8 is a superior format to PEM if interoperability with non-OpenSSH software is required, as it may use a less terrible KDF (IIRC PEM uses a single round of MD5 as a KDF). adapted from patch by Jakub Jelen via bz3013; ok markus OpenBSD-Commit-ID: 027824e3bc0b1c243dc5188504526d73a55accb1