Age | Commit message (Collapse) | Author |
|
Allow writing to disk the attestation certificate that is generated by
the FIDO token at key enrollment time. These certificates may be used
by an out-of-band workflow to prove that a particular key is held in
trustworthy hardware.
Allow passing in a challenge that will be sent to the card during
key enrollment. These are needed to build an attestation workflow
that resists replay attacks.
ok markus@
OpenBSD-Commit-ID: 457dc3c3d689ba39eed328f0817ed9b91a5f78f6
|
|
from Markus:
use "principals" instead of principal, as allowed_signers lines may list
multiple.
When the signing key is a certificate, emit only principals that match
the certificate principal list.
NB. the command -Y name changes: "find-principal" => "find-principals"
ok markus@
OpenBSD-Commit-ID: ab575946ff9a55624cd4e811bfd338bf3b1d0faf
|
|
OpenBSD-Commit-ID: b6c3f2f36ec77e99198619b38a9f146655281925
|
|
up the principal associated with a signature from an allowed-signers file.
Work by Sebastian Kinne; ok dtucker@
OpenBSD-Commit-ID: 6f782cc7e18e38fcfafa62af53246a1dcfe74e5d
|
|
authenticator"
OpenBSD-Commit-ID: 031bca03c1d1f878ab929facd561911f1bc68dfd
|
|
again
OpenBSD-Commit-ID: 341749062c089cc360a7877e9ee3a887aecde395
|
|
other and reality ok markus@
OpenBSD-Commit-ID: cdf64454f2c3604c25977c944e5b6262a3bcce92
|
|
little; ok djm
OpenBSD-Commit-ID: 491ce15ae52a88b7a6a2b3b6708a14b4aacdeebb
|
|
for all operations. These are intended to future-proof the API a little by
making it easier to specify additional fields for without having to change
the API version for each.
At present, only two options are defined: one to explicitly specify
the device for an operation (rather than accepting the middleware's
autoselection) and another to specify the FIDO2 username that may
be used when generating a resident key. These new options may be
invoked at key generation time via ssh-keygen -O
This also implements a suggestion from Markus to avoid "int" in favour
of uint32_t for the algorithm argument in the API, to make implementation
of ssh-sk-client/helper a little easier.
feedback, fixes and ok markus@
OpenBSD-Commit-ID: 973ce11704609022ab36abbdeb6bc23c8001eabc
|
|
(lower); ok djm
OpenBSD-Commit-ID: 71dc28a3e1fa7c553844abc508845bcf5766e091
|
|
"ssh-keygen -K". This will save public/private keys into the current
directory.
This is handy if you move a token between hosts.
feedback & ok markus@
OpenBSD-Commit-ID: d57c1f9802f7850f00a117a1d36682a6c6d10da6
|
|
-compact;
OpenBSD-Commit-ID: 6492c72280482c6d072be46236b365cb359fc280
|
|
FIDO/U2F-specific key flags. Instead these flags may be specified via -O.
ok markus@
OpenBSD-Commit-ID: f23ebde2a8a7e1bf860a51055a711cffb8c328c1
|
|
Move all moduli generation options to live under the -O flag.
Frees up seven single-letter flags.
NB. this change break existing ssh-keygen commandline syntax for moduli-
related operations. Very few people use these fortunately.
feedback and ok markus@
OpenBSD-Commit-ID: d498f3eaf28128484826a4fcb343612764927935
|
|
Move list of available certificate options in ssh-keygen.1 to the
CERTIFICATES section.
Collect options specified by -O but delay parsing/validation of
certificate options until we're sure that we're acting as a CA.
ok markus@
OpenBSD-Commit-ID: 33e6bcc29cfca43606f6fa09bd84b955ee3a4106
|
|
done in synopsis;
OpenBSD-Commit-ID: 86d033c5764404057616690d7be992e445b42274
|
|
OpenBSD-Commit-ID: 24c2e6a3aeab6e050a0271ffc73fdff91c10dcaa
|
|
authenticator".
The polysemous use of "key" was too confusing. Input from markus@.
ok jmc@
OpenBSD-Commit-ID: 12eea973a44c8232af89f86e4269d71ae900ca8f
|
|
OpenBSD-Commit-ID: 876651bdde06bc1e72dd4bd7ad599f42a6ce5a16
|
|
security key keypair to request one that does not require a touch for each
authentication attempt. The default remains to require touch.
feedback deraadt; ok markus@
OpenBSD-Commit-ID: 887e7084b2e89c0c62d1598ac378aad8e434bcbd
|
|
a similar extension for certificates. This option disables the default
requirement that security key signatures attest that the user touched their
key to authorize them.
feedback deraadt, ok markus
OpenBSD-Commit-ID: f1fb56151ba68d55d554d0f6d3d4dba0cf1a452e
|
|
OpenBSD-Commit-ID: f242e53366f61697dffd53af881bc5daf78230ff
|
|
prompted by jmc@
OpenBSD-Commit-ID: 076d386739ebe7336c2137e583bc7a5c9538a442
|
|
linking against the (previously external) USB HID middleware. The dlopen()
capability still exists for alternate middlewares, e.g. for Bluetooth, NFC
and test/debugging.
OpenBSD-Commit-ID: 14446cf170ac0351f0d4792ba0bca53024930069
|
|
Mention the new key types, the ~/.ssh/id_ecdsa_sk file, ssh's
SecurityKeyProvider keyword, the SSH_SK_PROVIDER environment variable,
and ssh-keygen's new -w and -x options.
Copy the ssh-sk-helper man page from ssh-pkcs11-helper with minimal
substitutions.
ok djm@
OpenBSD-Commit-ID: ef2e8f83d0c0ce11ad9b8c28945747e5ca337ac4
|
|
OpenBSD-Commit-ID: 4c4bfd2806c5bbc753788ffe19c5ee13aaf418b2
|
|
usage(); while here, no need for Bk/Ek;
ok dtucker
OpenBSD-Commit-ID: 38715c3f10b166f599a2283eb7bc14860211bb90
|
|
OpenBSD-Commit-ID: e1480e760a2b582f79696cdcff70098e23fc603f
|
|
i added a comma to the first part, for balance...
OpenBSD-Commit-ID: 2c3464e9e82a41e8cdfe8f0a16d94266e43dbb58
|
|
OpenBSD-Commit-ID: c35ca5ec07be460e95e7406af12eee04a77b6698
|
|
that a signature came from a trusted signer. To discourage accidental or
unintentional use, this is invoked by the deliberately ugly option name
"check-novalidate"
from Sebastian Kinne
OpenBSD-Commit-ID: cea42c36ab7d6b70890e2d8635c1b5b943adcc0b
|
|
OpenBSD-Commit-ID: e891dd6c7996114cb32f0924cb7898ab55efde6e
|
|
OpenBSD-Commit-ID: 0abd728aef6b5b35f6db43176aa83b7e3bf3ce27
|
|
Markus
ok markus/me
OpenBSD-Commit-ID: ea4f46ad5a16b27af96e08c4877423918c4253e9
|
|
for OpenSSH
This adds a simple manual signature scheme to OpenSSH.
Signatures can be made and verified using ssh-keygen -Y sign|verify
Signatures embed the key used to make them. At verification time, this
is matched via principal name against an authorized_keys-like list
of allowed signers.
Mostly by Sebastian Kinne w/ some tweaks by me
ok markus@
OpenBSD-Commit-ID: 2ab568e7114c933346616392579d72be65a4b8fb
|
|
hosts (i.e. "ssh-keygen -vF host") to print the matching host's random- art
signature too. bz#3003 "amusing, pretty" deraadt@
OpenBSD-Commit-ID: 686221a5447d6507f40a2ffba5393984d889891f
|
|
private keys, enabled via "ssh-keygen -m PKCS8" on operations that save
private keys to disk.
The OpenSSH native key format remains the default, but PKCS8 is a
superior format to PEM if interoperability with non-OpenSSH software
is required, as it may use a less terrible KDF (IIRC PEM uses a single
round of MD5 as a KDF).
adapted from patch by Jakub Jelen via bz3013; ok markus
OpenBSD-Commit-ID: 027824e3bc0b1c243dc5188504526d73a55accb1
|
|
OpenBSD-Commit-ID: 42f39f22f53cfcb913bce401ae0f1bb93e08dd6c
|
|
using the rsa-sha2-512 signature algorithm. Certificates signed by RSA keys
will therefore be incompatible with OpenSSH < 7.2 unless the default is
overridden.
Document the ability of the ssh-keygen -t flag to override the
signature algorithm when signing certificates, and the new default.
ok deraadt@
OpenBSD-Commit-ID: 400c9c15013978204c2cb80f294b03ae4cfc8b95
|
|
sebastiaanlokhorst at gmail.com via bz#2997.
OpenBSD-Commit-ID: bdd62ff5d4d649d2147904e91bf7cefa82fe11e1
|
|
kn@
OpenBSD-Commit-ID: 1a9bec64d530aed5f434a960e7515a3e80cbc826
|
|
signed in a single commandline.
OpenBSD-Commit-ID: 39881087641efb8cd83c7ec13b9c98280633f45b
|
|
support it
Be more explicit in the description of -m about where it may be used
Prompted by Jakub Jelen in bz2904
OpenBSD-Commit-ID: 3b398ac5e05d8a6356710d0ff114536c9d71046c
|
|
private
OpenBSD-Commit-ID: 7de7ff6d274d82febf9feb641e2415ffd6a30bfb
|
|
and give some hints on how keys may be converted or written in the old
format.
OpenBSD-Commit-ID: 9c90a9f92eddc249e07fad1204d0e15c8aa13823
|
|
OpenBSD-Commit-ID: e26c8bf2f2a808f3c47960e1e490d2990167ec39
|
|
authorized_keys) and -R (remove host from authorized_keys) options may accept
either a bare hostname or a [hostname]:port combo. bz#2935
OpenBSD-Commit-ID: 5535cf4ce78375968b0d2cd7aa316fa3eb176780
|
|
OpenBSD-Commit-ID: dd724e1c52c9d6084f4cd260ec7e1b2b138261c6
|
|
to create KRLs using SHA256/base64 key fingerprints; ok markus@
OpenBSD-Commit-ID: a0590fd34e7f1141f2873ab3acc57442560e6a94
|
|
suported by OpenSSH >= 6.5 (released January 2014), so it should be supported
by most OpenSSH versions in active use.
It is possible to convert new-format private keys to the older
format using "ssh-keygen -f /path/key -pm PEM".
ok deraadt dtucker
OpenBSD-Commit-ID: e3bd4f2509a2103bfa2f710733426af3ad6d8ab8
|