path: root/ssh-keygen.1
Age | Commit message | Author
2010-04-18 | - jmc@cvs.openbsd.org 2010/04/16 06:47:04 | Damien Miller
[ssh-keygen.1 ssh-keygen.c] tweak previous; ok djm
2010-04-16 | - djm@cvs.openbsd.org 2010/04/16 01:47:26 | Damien Miller
[PROTOCOL.certkeys auth-options.c auth-options.h auth-rsa.c] [auth2-pubkey.c authfd.c key.c key.h myproposal.h ssh-add.c] [ssh-agent.c ssh-dss.c ssh-keygen.1 ssh-keygen.c ssh-rsa.c] [sshconnect.c sshconnect2.c sshd.c]
revised certificate format ssh-{dss,rsa}-cert-v01@openssh.com with the following changes:
- move the nonce field to the beginning of the certificate where it can better protect against chosen-prefix attacks on the signature hash
- Rename "constraints" field to "critical options"
- Add a new non-critical "extensions" field
- Add a serial number
The older format is still supported for authentication and cert generation (use "ssh-keygen -t v00 -s ca_key ..." to generate a v00 certificate)
ok markus@
2010-03-22 | - jmc@cvs.openbsd.org 2010/03/13 23:38:13 | Damien Miller
[ssh-keygen.1] fix a formatting error (args need quoted); noted by stevesk
2010-03-22 | - djm@cvs.openbsd.org 2010/03/13 21:45:46 | Damien Miller
[ssh-keygen.1] Certificates are named *-cert.pub, not *_cert.pub; committing a diff from stevesk@ ok me
2010-03-22 | - jmc@cvs.openbsd.org 2010/03/10 07:40:35 | Damien Miller
[ssh-keygen.1] typos; from Ross Richardson closes prs 6334 and 6335
2010-03-22 | - jmc@cvs.openbsd.org 2010/03/08 09:41:27 | Damien Miller
[ssh-keygen.1] sort the list of constraints (to -O); ok djm
2010-03-08 | - djm@cvs.openbsd.org 2010/03/08 00:28:55 | Damien Miller
[ssh-keygen.1] document permit-agent-forwarding certificate constraint; patch from stevesk@
2010-03-05 | - jmc@cvs.openbsd.org 2010/03/04 22:52:40 | Damien Miller
[ssh-keygen.1] fix Bk/Ek;
2010-03-05 | - djm@cvs.openbsd.org 2010/03/04 20:35:08 | Damien Miller
[ssh-keygen.1 ssh-keygen.c] Add a -L flag to print the contents of a certificate; ok markus@
2010-03-03 | - jmc@cvs.openbsd.org 2010/02/26 22:09:28 | Damien Miller
[ssh-keygen.1 ssh.1 sshd.8] tweak previous;
2010-02-27 | - OpenBSD CVS Sync | Damien Miller
- djm@cvs.openbsd.org 2010/02/26 20:29:54
[PROTOCOL PROTOCOL.agent PROTOCOL.certkeys addrmatch.c auth-options.c] [auth-options.h auth.h auth2-pubkey.c authfd.c dns.c dns.h hostfile.c] [hostfile.h kex.h kexdhs.c kexgexs.c key.c key.h match.h monitor.c] [myproposal.h servconf.c servconf.h ssh-add.c ssh-agent.c ssh-dss.c] [ssh-keygen.1 ssh-keygen.c ssh-rsa.c ssh.1 ssh.c ssh2.h sshconnect.c] [sshconnect2.c sshd.8 sshd.c sshd_config.5]
Add support for certificate key types for users and hosts.
OpenSSH certificate key types are not X.509 certificates, but a much simpler format that encodes a public key, identity information and some validity constraints and signs it with a CA key. CA keys are regular SSH keys. This certificate style avoids the attack surface of X.509 certificates and is very easy to deploy.
Certified host keys allow automatic acceptance of new host keys when a CA certificate is marked as sh/known_hosts. see VERIFYING HOST KEYS in ssh(1) for details.
Certified user keys allow authentication of users when the signing CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS FILE FORMAT" in sshd(8) for details.
Certificates are minted using ssh-keygen(1), documentation is in the "CERTIFICATES" section of that manpage.
Documentation on the format of certificates is in the file PROTOCOL.certkeys
feedback and ok markus@
2010-02-12 | - markus@cvs.openbsd.org 2010/02/10 23:20:38 | Damien Miller
[ssh-add.1 ssh-keygen.1 ssh.1 ssh_config.5] pkcs#11 is no longer optional; improve wording; ok jmc@
2010-02-12 | - jmc@cvs.openbsd.org 2010/02/08 22:03:05 | Damien Miller
[ssh-add.1 ssh-keygen.1 ssh.1 ssh.c] tweak previous; ok markus
2010-02-12 | - markus@cvs.openbsd.org 2010/02/08 10:50:20 | Damien Miller
[pathnames.h readconf.c readconf.h scp.1 sftp.1 ssh-add.1 ssh-add.c] [ssh-agent.c ssh-keygen.1 ssh-keygen.c ssh.1 ssh.c ssh_config.5]
replace our obsolete smartcard code with PKCS#11.
ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-11/v2-20/pkcs-11v2-20.pdf
ssh(1) and ssh-keygen(1) use dlopen(3) directly to talk to a PKCS#11 provider (shared library) while ssh-agent(1) delegates PKCS#11 to a forked ssh-pkcs11-helper process.
PKCS#11 is currently a compile time option.
feedback and ok djm@; inspired by patches from Alon Bar-Lev
2009-10-24 | - dtucker@cvs.openbsd.org 2009/10/24 00:48:34 | Darren Tucker
[ssh-keygen.1] ssh-keygen now uses AES-128 for private keys
2008-11-03 | - sthen@cvs.openbsd.org 2008/07/24 23:55:30 | Damien Miller
[ssh-keygen.1] Add "ssh-keygen -F -l" to synopsis (displays fingerprint from known_hosts). ok djm@
2008-06-13 | - jmc@cvs.openbsd.org 2008/06/12 19:10:09 | Darren Tucker
[ssh_config.5 ssh-keygen.1] tweak the ascii art text; ok grunk
2008-06-13 | - grunk@cvs.openbsd.org 2008/06/11 22:20:46 | Darren Tucker
[ssh-keygen.c ssh-keygen.1] ssh-keygen would write fingerprints to STDOUT, and random art to STDERR, that is not how it was envisioned. Also correct manpage saying that -v is needed along with -l for it to work. spotted by naddy@
2008-06-13 | - grunk@cvs.openbsd.org 2008/06/11 21:01:35 | Darren Tucker
[ssh_config.5 key.h readconf.c readconf.h ssh-keygen.1 ssh-keygen.c key.c sshconnect.c]
Introduce SSH Fingerprint ASCII Visualization, a technique inspired by the graphical hash visualization schemes known as "random art", and by Dan Kaminsky's musings on the subject during a BlackOp talk at the 23C3 in Berlin.
Scientific publication (original paper): "Hash Visualization: a New Technique to improve Real-World Security", Perrig A. and Song D., 1999, International Workshop on Cryptographic Techniques and E-Commerce (CrypTEC '99) http://sparrow.ece.cmu.edu/~adrian/projects/validation/validation.pdf
The algorithm used here is a worm crawling over a discrete plane, leaving a trace (augmenting the field) everywhere it goes. Movement is taken from dgst_raw 2bit-wise. Bumping into walls makes the respective movement vector be ignored for this turn, thus switching to the other color of the chessboard.
Graphs are not unambiguous for now, because circles in graphs can be walked in either direction.
discussions with several people, help, corrections and ok markus@ djm@
2007-06-05 | - jmc@cvs.openbsd.org 2007/05/31 19:20:16 | Darren Tucker
[scp.1 ssh_config.5 sftp-server.8 ssh-agent.1 sshd_config.5 sftp.1 ssh-keygen.1 ssh-keyscan.1 ssh-add.1 sshd.8 ssh.1 ssh-keysign.8] convert to new .Dd format; (We will need to teach mdoc2man.awk to understand this too.)
2007-02-19 | - jmc@cvs.openbsd.org 2007/01/12 20:20:41 | Darren Tucker
[ssh-keygen.1 ssh-keygen.c] more secsh -> rfc 4716 updates; spotted by wiz@netbsd ok markus
2007-01-05 | - markus@cvs.openbsd.org 2006/12/11 21:25:46 | Damien Miller
[ssh-keygen.1 ssh.1] add rfc 4716 (public key format); ok jmc
2005-11-28 | [ssh-keygen.1 ssh-keygen.c] | Darren Tucker
Enforce DSA key length of exactly 1024 bits to comply with FIPS-186-2, increase minimum RSA key size to 768 bits and update man page to reflect these. Patch originally bz#1119 (senthilkumar_sen at hotpop.com), ok djm@, grudging ok deraadt@.
2005-11-05 | - jmc@cvs.openbsd.org 2005/10/31 19:55:25 | Damien Miller
[ssh-keygen.1] grammar;
2005-11-05 | - djm@cvs.openbsd.org 2005/10/31 11:12:49 | Damien Miller
[ssh-keygen.1 ssh-keygen.c] generate a protocol 2 RSA key by default
2005-06-16 | - djm@cvs.openbsd.org 2005/06/08 03:50:00 | Damien Miller
[ssh-keygen.1 ssh-keygen.c sshd.8] increase default rsa/dsa key length from 1024 to 2048 bits; ok markus@ deraadt@
2005-05-26 | - djm@cvs.openbsd.org 2005/04/21 06:17:50 | Damien Miller
[ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh.1 ssh_config.5 sshd.8] [sshd_config.5] OpenSSH doesn't ever look at the $HOME environment variable, so don't say that we do (bz #623); ok deraadt@
2005-03-14 | - dtucker@cvs.openbsd.org 2005/03/14 10:09:03 | Darren Tucker
[ssh-keygen.1] Correct description of -H (bz #997); ok markus@, punctuation jmc@
2005-03-02 | - jmc@cvs.openbsd.org 2005/03/01 18:15:56 | Damien Miller
[ssh-keygen.1] sort options (no attempt made at synopsis clean up though); spelling (occurance -> occurrence); use prompt before examples; grammar;
2005-03-02 | - jmc@cvs.openbsd.org 2005/03/01 15:05:00 | Damien Miller
[ssh-keygen.1] whitespace;
2005-03-01 | - djm@cvs.openbsd.org 2005/03/01 10:42:49 | Damien Miller
[ssh-keygen.1 ssh-keygen.c ssh_config.5] add tools for managing known_hosts files with hashed hostnames, including hashing existing files and deleting hosts by name; ok markus@ deraadt@
2004-08-13 | - jmc@cvs.openbsd.org 2004/08/13 00:01:43 | Darren Tucker
[ssh-keygen.1] kill whitespace at eol;
2004-08-13 | - jakob@cvs.openbsd.org 2004/08/12 21:41:13 | Darren Tucker
[ssh-keygen.1 ssh.1] improve SSHFP documentation; ok deraadt@
2003-12-31 | - djm@cvs.openbsd.org 2003/12/22 09:16:58 | Darren Tucker
[moduli.c ssh-keygen.1 ssh-keygen.c] tidy up moduli generation debugging, add -v (verbose/debug) option to ssh-keygen; ok markus@
2003-08-02 | - djm@cvs.openbsd.org 2003/07/28 09:49:56 | Darren Tucker
[ssh-keygen.1 ssh-keygen.c] Support for generating Diffie-Hellman groups (/etc/moduli) from ssh-keygen. Based on code from Phil Karn, William Allen Simpson and Niels Provos. ok markus@, thanks jmc@
2003-06-11 | - jmc@cvs.openbsd.org 2003/06/10 09:12:11 | Damien Miller
[scp.1 sftp-server.8 ssh.1 ssh-add.1 ssh-agent.1 ssh_config.5] [sshd.8 sshd_config.5 ssh-keygen.1 ssh-keyscan.1 ssh-keysign.8]
- section reorder
- COMPATIBILITY merge
- macro cleanup
- kill whitespace at EOL
- new sentence, new line
ssh pages ok markus@
2003-05-23 | - jmc@cvs.openbsd.org 2003/05/20 12:09:31 | Damien Miller
[ssh.1 ssh_config.5 sshd.8 sshd_config.5 ssh-keygen.1] new sentence, new line
2003-05-15 | - jakob@cvs.openbsd.org 2003/05/14 18:16:20 | Damien Miller
[key.c key.h readconf.c readconf.h ssh_config.5 sshconnect.c] [dns.c dns.h README.dns ssh-keygen.1 ssh-keygen.c] add experimental support for verifying host keys using DNS as described in draft-ietf-secsh-dns-xx.txt. more information in README.dns. ok markus@ and henning@
2003-04-01 | - (djm) OpenBSD CVS Sync | Damien Miller
- jmc@cvs.openbsd.org 2003/03/28 10:11:43
[scp.1 sftp.1 ssh.1 ssh-add.1 ssh-agent.1 ssh_config.5 sshd_config.5] [ssh-keygen.1 ssh-keyscan.1 ssh-keysign.8]
- killed whitespace
- new sentence new line
- .Bk for arguments
ok markus@
2002-12-23 | - stevesk@cvs.openbsd.org 2002/11/26 02:35:30 | Ben Lindstrom
[ssh-keygen.1] remove outdated statement; ok markus@ deraadt@
2002-06-21 | - deraadt@cvs.openbsd.org 2002/06/19 00:27:55 | Ben Lindstrom
[auth-bsdauth.c auth-skey.c auth1.c auth2-chall.c auth2-none.c authfd.c authfd.h monitor_wrap.c msg.c nchan.c radix.c readconf.c scp.c sftp.1 ssh-add.1 ssh-add.c ssh-agent.1 ssh-agent.c ssh-keygen.1 ssh-keygen.c ssh-keysign.c ssh.1 sshconnect.c sshconnect.h sshconnect2.c ttymodes.c xmalloc.h] KNF done automatically while reading....
2002-02-19 | - stevesk@cvs.openbsd.org 2002/02/16 14:53:37 | Damien Miller
[ssh-keygen.1] -t required now for key generation
2002-01-22 | - djm@cvs.openbsd.org 2001/12/21 08:52:22 | Damien Miller
[ssh-keygen.1 ssh-keygen.c] Remove default (rsa1) key type; ok markus@
2001-12-06 | - stevesk@cvs.openbsd.org 2001/11/21 18:49:14 | Ben Lindstrom
[ssh-keygen.1] more on passphrase construction; ok markus@
2001-11-12 | - markus@cvs.openbsd.org 2001/10/25 21:14:32 | Damien Miller
[ssh-keygen.1 ssh-keygen.c] better docu for fingerprinting, ok deraadt@
2001-09-12 | - deraadt@cvs.openbsd.org 2001/09/05 06:23:07 | Ben Lindstrom
[scp.1 sftp.1 ssh.1 ssh-agent.1 sshd.8 ssh-keygen.1 ssh-keyscan.1] avoid first person in manual pages
2001-08-06 | - jakob@cvs.openbsd.org 2001/08/02 15:07:23 | Ben Lindstrom
[ssh-keygen.1] document smartcard upload/download. ok markus@
2001-08-06 | - aaron@cvs.openbsd.org 2001/07/23 14:14:18 | Ben Lindstrom
[ssh-keygen.1] Fix typo.
2001-07-04 | - markus@cvs.openbsd.org 2001/06/25 17:18:27 | Ben Lindstrom
[ssh-keygen.1] sshd(8) will never read the private keys, but ssh(1) does; hugh@mimosa.com
2001-06-25 | - deraadt@cvs.openbsd.org 2001/06/23 05:57:09 | Ben Lindstrom
[sftp.1 sftp-server.8 ssh-keygen.1] ok, tmac is now fixed