summaryrefslogtreecommitdiff
path: root/ssh-keygen.1
AgeCommit message (Collapse)Author
2019-11-25upstream: allow "ssh-keygen -x no-touch-required" when generating adjm@openbsd.org
security key keypair to request one that does not require a touch for each authentication attempt. The default remains to require touch. feedback deraadt; ok markus@ OpenBSD-Commit-ID: 887e7084b2e89c0c62d1598ac378aad8e434bcbd
2019-11-25upstream: add a "no-touch-required" option for authorized_keys anddjm@openbsd.org
a similar extension for certificates. This option disables the default requirement that security key signatures attest that the user touched their key to authorize them. feedback deraadt, ok markus OpenBSD-Commit-ID: f1fb56151ba68d55d554d0f6d3d4dba0cf1a452e
2019-11-20upstream: more missing mentions of ed25519-sk; ok djm@naddy@openbsd.org
OpenBSD-Commit-ID: f242e53366f61697dffd53af881bc5daf78230ff
2019-11-18upstream: mention ed25519-sk in places where it is accepted;djm@openbsd.org
prompted by jmc@ OpenBSD-Commit-ID: 076d386739ebe7336c2137e583bc7a5c9538a442
2019-11-15upstream: directly support U2F/FIDO2 security keys in OpenSSH bydjm@openbsd.org
linking against the (previously external) USB HID middleware. The dlopen() capability still exists for alternate middlewares, e.g. for Bluetooth, NFC and test/debugging. OpenBSD-Commit-ID: 14446cf170ac0351f0d4792ba0bca53024930069
2019-11-08upstream: Fill in missing man page bits for U2F security key support:naddy@openbsd.org
Mention the new key types, the ~/.ssh/id_ecdsa_sk file, ssh's SecurityKeyProvider keyword, the SSH_SK_PROVIDER environment variable, and ssh-keygen's new -w and -x options. Copy the ssh-sk-helper man page from ssh-pkcs11-helper with minimal substitutions. ok djm@ OpenBSD-Commit-ID: ef2e8f83d0c0ce11ad9b8c28945747e5ca337ac4
2019-10-29upstream: fixes from lucas;jmc@openbsd.org
OpenBSD-Commit-ID: 4c4bfd2806c5bbc753788ffe19c5ee13aaf418b2
2019-10-04upstream: use a more common options order in SYNOPSIS and syncjmc@openbsd.org
usage(); while here, no need for Bk/Ek; ok dtucker OpenBSD-Commit-ID: 38715c3f10b166f599a2283eb7bc14860211bb90
2019-10-01upstream: group and sort single letter options; ok deraadtjmc@openbsd.org
OpenBSD-Commit-ID: e1480e760a2b582f79696cdcff70098e23fc603f
2019-10-01upstream: fix the DH-GEX text in -a; because this required a comma,jmc@openbsd.org
i added a comma to the first part, for balance... OpenBSD-Commit-ID: 2c3464e9e82a41e8cdfe8f0a16d94266e43dbb58
2019-10-01upstream: new sentence, new line;jmc@openbsd.org
OpenBSD-Commit-ID: c35ca5ec07be460e95e7406af12eee04a77b6698
2019-09-16upstream: Allow testing signature syntax and validity without verifyingdjm@openbsd.org
that a signature came from a trusted signer. To discourage accidental or unintentional use, this is invoked by the deliberately ugly option name "check-novalidate" from Sebastian Kinne OpenBSD-Commit-ID: cea42c36ab7d6b70890e2d8635c1b5b943adcc0b
2019-09-05upstream: macro fix; ok djmjmc@openbsd.org
OpenBSD-Commit-ID: e891dd6c7996114cb32f0924cb7898ab55efde6e
2019-09-05upstream: tweak previous;jmc@openbsd.org
OpenBSD-Commit-ID: 0abd728aef6b5b35f6db43176aa83b7e3bf3ce27
2019-09-03upstream: sshsig tweaks and improvements from and suggested bydjm@openbsd.org
Markus ok markus/me OpenBSD-Commit-ID: ea4f46ad5a16b27af96e08c4877423918c4253e9
2019-09-03upstream: sshsig: lightweight signature and verification abilitydjm@openbsd.org
for OpenSSH This adds a simple manual signature scheme to OpenSSH. Signatures can be made and verified using ssh-keygen -Y sign|verify Signatures embed the key used to make them. At verification time, this is matched via principal name against an authorized_keys-like list of allowed signers. Mostly by Sebastian Kinne w/ some tweaks by me ok markus@ OpenBSD-Commit-ID: 2ab568e7114c933346616392579d72be65a4b8fb
2019-07-19upstream: Accept the verbose flag when searching for host keys in knowndjm@openbsd.org
hosts (i.e. "ssh-keygen -vF host") to print the matching host's random- art signature too. bz#3003 "amusing, pretty" deraadt@ OpenBSD-Commit-ID: 686221a5447d6507f40a2ffba5393984d889891f
2019-07-15upstream: support PKCS8 as an optional format for storage ofdjm@openbsd.org
private keys, enabled via "ssh-keygen -m PKCS8" on operations that save private keys to disk. The OpenSSH native key format remains the default, but PKCS8 is a superior format to PEM if interoperability with non-OpenSSH software is required, as it may use a less terrible KDF (IIRC PEM uses a single round of MD5 as a KDF). adapted from patch by Jakub Jelen via bz3013; ok markus OpenBSD-Commit-ID: 027824e3bc0b1c243dc5188504526d73a55accb1
2019-05-21upstream: tweak previous;jmc@openbsd.org
OpenBSD-Commit-ID: 42f39f22f53cfcb913bce401ae0f1bb93e08dd6c
2019-05-20upstream: When signing certificates with an RSA key, default todjm@openbsd.org
using the rsa-sha2-512 signature algorithm. Certificates signed by RSA keys will therefore be incompatible with OpenSSH < 7.2 unless the default is overridden. Document the ability of the ssh-keygen -t flag to override the signature algorithm when signing certificates, and the new default. ok deraadt@ OpenBSD-Commit-ID: 400c9c15013978204c2cb80f294b03ae4cfc8b95
2019-05-08upstream: Document new default RSA key size. Fromdtucker@openbsd.org
sebastiaanlokhorst at gmail.com via bz#2997. OpenBSD-Commit-ID: bdd62ff5d4d649d2147904e91bf7cefa82fe11e1
2019-03-08upstream: PKCS#11 support is no longer limited to RSA; ok benno@naddy@openbsd.org
kn@ OpenBSD-Commit-ID: 1a9bec64d530aed5f434a960e7515a3e80cbc826
2019-01-23upstream: allow auto-incrementing certificate serial number for certsdjm@openbsd.org
signed in a single commandline. OpenBSD-Commit-ID: 39881087641efb8cd83c7ec13b9c98280633f45b
2019-01-22upstream: Include -m in the synopsis for a few more commands thatdjm@openbsd.org
support it Be more explicit in the description of -m about where it may be used Prompted by Jakub Jelen in bz2904 OpenBSD-Commit-ID: 3b398ac5e05d8a6356710d0ff114536c9d71046c
2019-01-22upstream: clarify: ssh-keygen -e only writes public keys, neverdjm@openbsd.org
private OpenBSD-Commit-ID: 7de7ff6d274d82febf9feb641e2415ffd6a30bfb
2019-01-22upstream: mention the new vs. old key formats in the introductiondjm@openbsd.org
and give some hints on how keys may be converted or written in the old format. OpenBSD-Commit-ID: 9c90a9f92eddc249e07fad1204d0e15c8aa13823
2018-12-27upstream: fix option letter pasto in previousdjm@openbsd.org
OpenBSD-Commit-ID: e26c8bf2f2a808f3c47960e1e490d2990167ec39
2018-12-27upstream: mention that the ssh-keygen -F (find host indjm@openbsd.org
authorized_keys) and -R (remove host from authorized_keys) options may accept either a bare hostname or a [hostname]:port combo. bz#2935 OpenBSD-Commit-ID: 5535cf4ce78375968b0d2cd7aa316fa3eb176780
2018-09-12upstream: fix edit mistake; spotted by jmc@djm@openbsd.org
OpenBSD-Commit-ID: dd724e1c52c9d6084f4cd260ec7e1b2b138261c6
2018-09-12upstream: allow key revocation by SHA256 hash and allow ssh-keygendjm@openbsd.org
to create KRLs using SHA256/base64 key fingerprints; ok markus@ OpenBSD-Commit-ID: a0590fd34e7f1141f2873ab3acc57442560e6a94
2018-08-08upstream: Use new private key format by default. This format isdjm@openbsd.org
suported by OpenSSH >= 6.5 (released January 2014), so it should be supported by most OpenSSH versions in active use. It is possible to convert new-format private keys to the older format using "ssh-keygen -f /path/key -pm PEM". ok deraadt dtucker OpenBSD-Commit-ID: e3bd4f2509a2103bfa2f710733426af3ad6d8ab8
2018-03-14upstream: add valid-before="[time]" authorized_keys option. Adjm@openbsd.org
simple way of giving a key an expiry date. ok markus@ OpenBSD-Commit-ID: 1793b4dd5184fa87f42ed33c7b0f4f02bc877947
2018-02-07upstream commitdjm@openbsd.org
certificate options are case-sensitive; fix case on one that had it wrong. move a badly-place sentence to a less bad place OpenBSD-Commit-ID: 231e516bba860699a1eece6d48532d825f5f747b
2017-11-03upstream commitdjm@openbsd.org@openbsd.org
allow certificate validity intervals that specify only a start or stop time (we already support specifying both or neither) OpenBSD-Commit-ID: 9be486545603c003030bdb5c467d1318b46b4e42
2017-07-21upstream commitjmc@openbsd.org
slightly rework previous, to avoid an article issue; Upstream-ID: 15a315f0460ddd3d4e2ade1f16d6c640a8c41b30
2017-07-21upstream commitdjm@openbsd.org
When generating all hostkeys (ssh-keygen -A), clobber existing keys if they exist but are zero length. zero-length keys could previously be made if ssh-keygen failed part way through generating them, so avoid that case too. bz#2561 reported by Krzysztof Cieplucha; ok dtucker@ Upstream-ID: f662201c28ab8e1f086b5d43c59cddab5ade4044
2017-06-28upstream commitdjm@openbsd.org
Allow ssh-keygen to use a key held in ssh-agent as a CA when signing certificates. bz#2377 ok markus Upstream-ID: fb42e920b592edcbb5b50465739a867c09329c8f
2017-05-08upstream commitnaddy@openbsd.org
remove superfluous protocol 2 mentions; ok jmc@ Upstream-ID: 0aaf7567c9f2e50fac5906b6a500a39c33c4664d
2017-05-08upstream commitjmc@openbsd.org
more protocol 1 stuff to go; ok djm Upstream-ID: 307a30441d2edda480fd1661d998d36665671e47
2017-05-08upstream commitjmc@openbsd.org
rsa1 is no longer valid; Upstream-ID: 9953d09ed9841c44b7dcf7019fa874783a709d89
2017-05-08upstream commitjmc@openbsd.org
more -O shuffle; ok djm Upstream-ID: c239991a3a025cdbb030b73e990188dd9bfbeceb
2017-05-08upstream commitjmc@openbsd.org
tidy up -O somewhat; ok djm Upstream-ID: 804405f716bf7ef15c1f36ab48581ca16aeb4d52
2017-05-01upstream commitdjm@openbsd.org
remove KEY_RSA1 ok markus@ Upstream-ID: 7408517b077c892a86b581e19f82a163069bf133
2017-05-01upstream commitjmc@openbsd.org
tweak previous; Upstream-ID: a3abc6857455299aa42a046d232b7984568bceb9
2017-05-01upstream commitdjm@openbsd.org
allow ssh-keygen to include arbitrary string or flag certificate extensions and critical options. ok markus@ dtucker@ Upstream-ID: 2cf28dd6c5489eb9fc136e0b667ac3ea10241646
2016-06-24upstream commitjmc@openbsd.org
keys stored in openssh format can have comments too; diff from yonas yanfa, tweaked a bit; ok djm Upstream-ID: 03d48536da6e51510d73ade6fcd44ace731ceb27
2016-05-05upstream commitjmc@openbsd.org
correct article; Upstream-ID: 1fbd5b7ab16d2d9834ec79c3cedd4738fa42a168
2016-05-04upstream commitdjm@openbsd.org
make nethack^wrandomart fingerprint flag more readily searchable pointed out by Matt Johnston Upstream-ID: cb40d0235dc153c478c1aad3bc60b195422a54fb
2016-02-18upstream commitjmc@openbsd.org
since these pages now clearly tell folks to avoid v1, normalise the docs from a v2 perspective (i.e. stop pointing out which bits are v2 only); ok/tweaks djm ok markus Upstream-ID: eb474f8c36fb6a532dc05c282f7965e38dcfa129
2015-11-16upstream commitdjm@openbsd.org
support multiple certificates (one per line) and reading from standard input (using "-f -") for "ssh-keygen -L"; ok dtucker@ Upstream-ID: ecbadeeef3926e5be6281689b7250a32a80e88db