summaryrefslogtreecommitdiff
path: root/ssh-keygen.c
AgeCommit message (Collapse)Author
2012-06-20 - djm@cvs.openbsd.org 2012/05/23 03:28:28Damien Miller
[dns.c dns.h key.c key.h ssh-keygen.c] add support for RFC6594 SSHFP DNS records for ECDSA key types. patch from bugzilla-m67 AT nulld.me in bz#1978; ok + tweak markus@
2012-04-22 - djm@cvs.openbsd.org 2012/02/29 11:21:26Damien Miller
[ssh-keygen.c] allow conversion of RSA1 keys to public PEM and PKCS8; "nice" markus@
2012-02-06 - (djm) [ssh-keygen.c] Don't fail in do_gen_all_hostkeys on platformsDamien Miller
that don't support ECC. Patch from Phil Oleson
2011-10-18 - jmc@cvs.openbsd.org 2011/10/16 15:02:41Damien Miller
[ssh-keygen.c] put -K in the right place (usage());
2011-10-18 - dtucker@cvs.openbsd.org 2011/10/16 11:02:46Damien Miller
[moduli.c ssh-keygen.1 ssh-keygen.c] Add optional checkpoints for moduli screening. feedback & ok deraadt
2011-09-04 - (dtucker) [ssh-keygen.c ssh-pkcs11.c] Bug #1929: add null implementationsDarren Tucker
ofsh-pkcs11.cpkcs_init and pkcs_terminate for building without dlopen support.
2011-05-05 - djm@cvs.openbsd.org 2011/05/04 21:15:29Damien Miller
[authfile.c authfile.h ssh-add.c] allow "ssh-add - < key"; feedback and ok markus@
2011-05-05 - djm@cvs.openbsd.org 2011/04/12 04:23:50Damien Miller
[ssh-keygen.c] fix -Wshadow
2011-05-05 - stevesk@cvs.openbsd.org 2011/03/24 22:14:54Damien Miller
[ssh-keygen.c] use strcasecmp() for "clear" cert permission option also; ok djm
2011-05-05 - stevesk@cvs.openbsd.org 2011/03/23 16:50:04Damien Miller
[ssh-keygen.c] remove -d, documentation removed >10 years ago; ok markus
2011-05-05 - stevesk@cvs.openbsd.org 2011/03/23 15:16:22Damien Miller
[ssh-keygen.1 ssh-keygen.c] Add -A option. For each of the key types (rsa1, rsa, dsa and ecdsa) for which host keys do not exist, generate the host keys with the default key file path, an empty passphrase, default bits for the key type, and default comment. This will be used by /etc/rc to generate new host keys. Idea from deraadt. ok deraadt
2011-05-05 - (djm) [Makefile.in WARNING.RNG aclocal.m4 buildpkg.sh.in configure.ac]Damien Miller
[entropy.c ssh-add.c ssh-agent.c ssh-keygen.c ssh-keyscan.c] [ssh-keysign.c ssh-pkcs11-helper.c ssh-rand-helper.8 ssh-rand-helper.c] [ssh.c ssh_prng_cmds.in sshd.c contrib/aix/buildbff.sh] [regress/README.regress] Remove ssh-rand-helper and all its tentacles. PRNGd seeding has been rolled into entropy.c directly. Thanks to tim@ for testing on affected platforms.
2011-01-11 - djm@cvs.openbsd.org 2011/01/11 06:13:10Damien Miller
[clientloop.c ssh-keygen.c sshd.c] some unsigned long long casts that make things a bit easier for portable without resorting to dropping PRIu64 formats everywhere
2010-11-11 - (djm) [servconf.c ssh-add.c ssh-keygen.c] don't look for ECDSA keys onDamien Miller
platforms that don't support ECC. Fixes some spurious warnings reported by tim@
2010-11-05 - djm@cvs.openbsd.org 2010/10/28 11:22:09Damien Miller
[authfile.c key.c key.h ssh-keygen.c] fix a possible NULL deref on loading a corrupt ECDH key store ECDH group information in private keys files as "named groups" rather than as a set of explicit group parameters (by setting the OPENSSL_EC_NAMED_CURVE flag). This makes for shorter key files and retrieves the group's OpenSSL NID that we need for various things.
2010-09-10 - (djm) [authfd.c authfile.c bufec.c buffer.h configure.ac kex.h kexecdh.c]Damien Miller
[kexecdhc.c kexecdhs.c key.c key.h myproposal.h packet.c readconf.c] [ssh-agent.c ssh-ecdsa.c ssh-keygen.c ssh.c] Disable ECDH and ECDSA on platforms that don't have the requisite OpenSSL support. ok dtucker@
2010-09-10 - naddy@cvs.openbsd.org 2010/09/02 17:21:50Damien Miller
[ssh-keygen.c] Switch ECDSA default key size to 256 bits, which according to RFC5656 should still be better than our current RSA-2048 default. ok djm@, markus@
2010-09-10 - markus@cvs.openbsd.org 2010/09/02 16:07:25Damien Miller
[ssh-keygen.c] permit -b 256, 384 or 521 as key size for ECDSA; ok djm@
2010-09-10 - djm@cvs.openbsd.org 2010/08/31 12:33:38Damien Miller
[ssh-add.c ssh-agent.c ssh-keygen.c ssh-keysign.c ssh.c sshd.c] reintroduce commit from tedu@, which I pulled out for release engineering: OpenSSL_add_all_algorithms is the name of the function we have a man page for, so use that. ok djm
2010-08-31 - djm@cvs.openbsd.org 2010/08/31 11:54:45Damien Miller
[PROTOCOL PROTOCOL.agent PROTOCOL.certkeys auth2-jpake.c authfd.c] [authfile.c buffer.h dns.c kex.c kex.h key.c key.h monitor.c] [monitor_wrap.c myproposal.h packet.c packet.h pathnames.h readconf.c] [ssh-add.1 ssh-add.c ssh-agent.1 ssh-agent.c ssh-keygen.1 ssh-keygen.c] [ssh-keyscan.1 ssh-keyscan.c ssh-keysign.8 ssh.1 ssh.c ssh2.h] [ssh_config.5 sshconnect.c sshconnect2.c sshd.8 sshd.c sshd_config.5] [uuencode.c uuencode.h bufec.c kexecdh.c kexecdhc.c kexecdhs.c ssh-ecdsa.c] Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys. Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656 is NOT implemented). Certificate host and user keys using the new ECDSA key types are supported. Note that this code has not been tested for interoperability and may be subject to change. feedback and ok markus@
2010-08-31 - djm@cvs.openbsd.org 2010/08/16 04:06:06Damien Miller
[ssh-add.c ssh-agent.c ssh-keygen.c ssh-keysign.c ssh.c sshd.c] backout previous temporarily; discussed with deraadt@
2010-08-31 - tedu@cvs.openbsd.org 2010/08/12 23:34:39Damien Miller
[ssh-add.c ssh-agent.c ssh-keygen.c ssh-keysign.c ssh.c sshd.c] OpenSSL_add_all_algorithms is the name of the function we have a man page for, so use that. ok djm
2010-08-05 - djm@cvs.openbsd.org 2010/08/04 06:07:11Damien Miller
[ssh-keygen.1 ssh-keygen.c] Support CA keys in PKCS#11 tokens; feedback and ok markus@
2010-08-05 - djm@cvs.openbsd.org 2010/08/04 05:40:39Damien Miller
[PROTOCOL.certkeys ssh-keygen.c] tighten the rules for certificate encoding by requiring that options appear in lexical order and make our ssh-keygen comply. ok markus@
2010-08-03 - OpenBSD CVS SyncDamien Miller
- djm@cvs.openbsd.org 2010/07/16 04:45:30 [ssh-keygen.c] avoid bogus compiler warning
2010-07-02 - jmc@cvs.openbsd.org 2010/06/30 07:26:03Damien Miller
[ssh-keygen.c] sort usage();
2010-07-02 - djm@cvs.openbsd.org 2010/06/29 23:15:30Damien Miller
[ssh-keygen.1 ssh-keygen.c] allow import (-i) and export (-e) of PEM and PKCS#8 encoded keys; bz#1749; ok markus@
2010-06-26 - djm@cvs.openbsd.org 2010/06/23 02:59:02Damien Miller
[ssh-keygen.c] fix printing of extensions in v01 certificates that I broke in r1.190
2010-06-26 - djm@cvs.openbsd.org 2010/06/22 04:32:06Damien Miller
[ssh-keygen.c] standardise error messages when attempting to open private key files to include "progname: filename: error reason" bz#1783; ok dtucker@
2010-05-21 - djm@cvs.openbsd.org 2010/05/20 23:46:02Damien Miller
[PROTOCOL.certkeys auth-options.c ssh-keygen.c] Move the permit-* options to the non-critical "extensions" field for v01 certificates. The logic is that if another implementation fails to implement them then the connection just loses features rather than fails outright. ok markus@
2010-05-10 - djm@cvs.openbsd.org 2010/04/23 22:48:31Damien Miller
[ssh-keygen.c] refuse to generate keys longer than OPENSSL_[RD]SA_MAX_MODULUS_BITS, since we would refuse to use them anyway. bz#1516; ok dtucker@
2010-05-10 - OpenBSD CVS SyncDamien Miller
- djm@cvs.openbsd.org 2010/04/23 01:47:41 [ssh-keygen.c] bz#1740: display a more helpful error message when $HOME is inaccessible while trying to create .ssh directory. Based on patch from jchadima AT redhat.com; ok dtucker@
2010-04-18 - jmc@cvs.openbsd.org 2010/04/16 06:47:04Damien Miller
[ssh-keygen.1 ssh-keygen.c] tweak previous; ok djm
2010-04-16 - djm@cvs.openbsd.org 2010/04/16 01:47:26Damien Miller
[PROTOCOL.certkeys auth-options.c auth-options.h auth-rsa.c] [auth2-pubkey.c authfd.c key.c key.h myproposal.h ssh-add.c] [ssh-agent.c ssh-dss.c ssh-keygen.1 ssh-keygen.c ssh-rsa.c] [sshconnect.c sshconnect2.c sshd.c] revised certificate format ssh-{dss,rsa}-cert-v01@openssh.com with the following changes: move the nonce field to the beginning of the certificate where it can better protect against chosen-prefix attacks on the signature hash Rename "constraints" field to "critical options" Add a new non-critical "extensions" field Add a serial number The older format is still support for authentication and cert generation (use "ssh-keygen -t v00 -s ca_key ..." to generate a v00 certificate) ok markus@
2010-03-22 - stevesk@cvs.openbsd.org 2010/03/15 19:40:02Damien Miller
[key.c key.h ssh-keygen.c] also print certificate type (user or host) for ssh-keygen -L ok djm kettenis
2010-03-08 - djm@cvs.openbsd.org 2010/03/07 22:16:01Damien Miller
[ssh-keygen.c] make internal strptime string match strftime format; suggested by vinschen AT redhat.com and markus@
2010-03-05 - djm@cvs.openbsd.org 2010/03/04 23:27:25Damien Miller
[auth-options.c ssh-keygen.c] "force-command" is not spelled "forced-command"; spotted by imorgan AT nas.nasa.gov
2010-03-05 - djm@cvs.openbsd.org 2010/03/04 20:35:08Damien Miller
[ssh-keygen.1 ssh-keygen.c] Add a -L flag to print the contents of a certificate; ok markus@
2010-03-04 - djm@cvs.openbsd.org 2010/03/04 10:36:03Damien Miller
[auth-rh-rsa.c auth-rsa.c auth.c auth.h auth2-hostbased.c auth2-pubkey.c] [authfile.c authfile.h hostfile.c hostfile.h servconf.c servconf.h] [ssh-keygen.c ssh.1 sshconnect.c sshd_config.5] Add a TrustedUserCAKeys option to sshd_config to specify CA keys that are trusted to authenticate users (in addition than doing it per-user in authorized_keys). Add a RevokedKeys option to sshd_config and a @revoked marker to known_hosts to allow keys to me revoked and banned for user or host authentication. feedback and ok markus@
2010-03-04 - (djm) [ssh-keygen.c] Use correct local variable, instead ofDamien Miller
maybe-undefined global "optarg"
2010-03-03 - djm@cvs.openbsd.org 2010/03/02 23:20:57Damien Miller
[ssh-keygen.c] POSIX strptime is stricter than OpenBSD's so do a little dance to appease it.
2010-02-27 - OpenBSD CVS SyncDamien Miller
- djm@cvs.openbsd.org 2010/02/26 20:29:54 [PROTOCOL PROTOCOL.agent PROTOCOL.certkeys addrmatch.c auth-options.c] [auth-options.h auth.h auth2-pubkey.c authfd.c dns.c dns.h hostfile.c] [hostfile.h kex.h kexdhs.c kexgexs.c key.c key.h match.h monitor.c] [myproposal.h servconf.c servconf.h ssh-add.c ssh-agent.c ssh-dss.c] [ssh-keygen.1 ssh-keygen.c ssh-rsa.c ssh.1 ssh.c ssh2.h sshconnect.c] [sshconnect2.c sshd.8 sshd.c sshd_config.5] Add support for certificate key types for users and hosts. OpenSSH certificate key types are not X.509 certificates, but a much simpler format that encodes a public key, identity information and some validity constraints and signs it with a CA key. CA keys are regular SSH keys. This certificate style avoids the attack surface of X.509 certificates and is very easy to deploy. Certified host keys allow automatic acceptance of new host keys when a CA certificate is marked as sh/known_hosts. see VERIFYING HOST KEYS in ssh(1) for details. Certified user keys allow authentication of users when the signing CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS FILE FORMAT" in sshd(8) for details. Certificates are minted using ssh-keygen(1), documentation is in the "CERTIFICATES" section of that manpage. Documentation on the format of certificates is in the file PROTOCOL.certkeys feedback and ok markus@
2010-02-12 - djm@cvs.openbsd.org 2010/02/09 00:50:59Damien Miller
[ssh-keygen.c] fix -Wall
2010-02-12 - markus@cvs.openbsd.org 2010/02/08 10:50:20Damien Miller
[pathnames.h readconf.c readconf.h scp.1 sftp.1 ssh-add.1 ssh-add.c] [ssh-agent.c ssh-keygen.1 ssh-keygen.c ssh.1 ssh.c ssh_config.5] replace our obsolete smartcard code with PKCS#11. ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-11/v2-20/pkcs-11v2-20.pdf ssh(1) and ssh-keygen(1) use dlopen(3) directly to talk to a PKCS#11 provider (shared library) while ssh-agent(1) delegates PKCS#11 to a forked a ssh-pkcs11-helper process. PKCS#11 is currently a compile time option. feedback and ok djm@; inspired by patches from Alon Bar-Lev `
2010-01-12 - djm@cvs.openbsd.org 2010/01/11 10:51:07Darren Tucker
[ssh-keygen.c] when converting keys, truncate key comments at 72 chars as per RFC4716; bz#1630 reported by tj AT castaglia.org; ok markus@
2009-10-07 - djm@cvs.openbsd.org 2009/08/27 17:33:49Darren Tucker
[ssh-keygen.c] force use of correct hash function for random-art signature display as it was inheriting the wrong one when bubblebabble signatures were activated; bz#1611 report and patch from fwojcik+openssh AT besh.com; ok markus@
2009-06-22 - dtucker@cvs.openbsd.org 2009/06/22 05:39:28Darren Tucker
[monitor_wrap.c monitor_mm.c ssh-keygen.c auth2.c gss-genr.c sftp-client.c] alphabetize includes; reduces diff vs portable and style(9). ok stevesk djm (Id sync only; these were already in order in -portable)
2009-02-22 - (djm) OpenBSD CVS SyncDamien Miller
- tobias@cvs.openbsd.org 2009/02/21 19:32:04 [misc.c sftp-server-main.c ssh-keygen.c] Added missing newlines in error messages. ok dtucker
2008-11-11 - stevesk@cvs.openbsd.org 2008/11/07 00:42:12Darren Tucker
[ssh-keygen.c] spelling/typo in comment
2008-07-14 - sthen@cvs.openbsd.org 2008/07/13 21:22:52Damien Miller
[ssh-keygen.c] Change "ssh-keygen -F [host] -l" to not display random art unless -v is also specified, making it consistent with the manual and other uses of -l. ok grunk@