summaryrefslogtreecommitdiff
path: root/ssh-keygen.c
AgeCommit message (Collapse)Author
2015-01-15upstream commitdjm@openbsd.org
sync ssh-keysign, ssh-keygen and some dependencies to the new buffer/key API; mostly mechanical, ok markus@
2015-01-15more --without-opensslDamien Miller
fix some regressions caused by upstream merges enable KRLs now that they no longer require BIGNUMs
2015-01-15support --without-openssl at configure timeDamien Miller
Disables and removes dependency on OpenSSL. Many features don't work and the set of crypto options is greatly restricted. This will only work on system with native arc4random or /dev/urandom. Considered highly experimental for now.
2014-12-22upstream commitdjm@openbsd.org
Add FingerprintHash option to control algorithm used for key fingerprints. Default changes from MD5 to SHA256 and format from hex to base64. Feedback and ok naddy@ markus@
2014-10-13upstream commitdoug@openbsd.org
Free resources on error in mkstemp and fdopen ok djm@
2014-07-03 - djm@cvs.openbsd.org 2014/07/03 03:47:27Damien Miller
[ssh-keygen.c] When hashing or removing hosts using ssh-keygen, don't choke on @revoked markers and don't remove @cert-authority markers; bz#2241, reported by mlindgren AT runelind.net
2014-07-03 - djm@cvs.openbsd.org 2014/07/03 03:34:09Damien Miller
[gss-serv.c session.c ssh-keygen.c] standardise on NI_MAXHOST for gethostname() string lengths; about 1/2 the cases were using it already. Fixes bz#2239 en passant
2014-07-02 - djm@cvs.openbsd.org 2014/06/24 01:13:21Damien Miller
[Makefile.in auth-bsdauth.c auth-chall.c auth-options.c auth-rsa.c [auth2-none.c auth2-pubkey.c authfile.c authfile.h cipher-3des1.c [cipher-chachapoly.c cipher-chachapoly.h cipher.c cipher.h [digest-libc.c digest-openssl.c digest.h dns.c entropy.c hmac.h [hostfile.c key.c key.h krl.c monitor.c packet.c rsa.c rsa.h [ssh-add.c ssh-agent.c ssh-dss.c ssh-ecdsa.c ssh-ed25519.c [ssh-keygen.c ssh-pkcs11-client.c ssh-pkcs11-helper.c ssh-pkcs11.c [ssh-rsa.c sshbuf-misc.c sshbuf.h sshconnect.c sshconnect1.c [sshconnect2.c sshd.c sshkey.c sshkey.h [openbsd-compat/openssl-compat.c openbsd-compat/openssl-compat.h] New key API: refactor key-related functions to be more library-like, existing API is offered as a set of wrappers. with and ok markus@ Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew Dempsky and Ron Bowes for a detailed review a few months ago. NB. This commit also removes portable OpenSSH support for OpenSSL <0.9.8e.
2014-05-15 - markus@cvs.openbsd.org 2014/04/29 18:01:49Damien Miller
[auth.c authfd.c authfile.c bufaux.c cipher.c cipher.h hostfile.c] [kex.c key.c mac.c monitor.c monitor_wrap.c myproposal.h packet.c] [roaming_client.c ssh-agent.c ssh-keygen.c ssh-keyscan.c ssh-keysign.c] [ssh-pkcs11.h ssh.c sshconnect.c sshconnect2.c sshd.c] make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
2014-05-15 - djm@cvs.openbsd.org 2014/04/28 03:09:18Damien Miller
[authfile.c bufaux.c buffer.h channels.c krl.c mux.c packet.c packet.h] [ssh-keygen.c] buffer_get_string_ptr's return should be const to remind callers that futzing with it will futz with the actual buffer contents
2014-05-15 - logan@cvs.openbsd.org 2014/04/20 09:24:26Damien Miller
[dns.c dns.h ssh-keygen.c] Add support for SSHFP DNS records for ED25519 key types. OK from djm@
2014-04-20 - deraadt@cvs.openbsd.org 2014/03/15 17:28:26Damien Miller
[ssh-agent.c ssh-keygen.1 ssh-keygen.c] Improve usage() and documentation towards the standard form. In particular, this line saves a lot of man page reading time. usage: ssh-keygen [-q] [-b bits] [-t dsa | ecdsa | ed25519 | rsa | rsa1] [-N new_passphrase] [-C comment] [-f output_keyfile] ok schwarze jmc
2014-04-20 - djm@cvs.openbsd.org 2014/03/12 04:50:32Damien Miller
[auth-bsdauth.c ssh-keygen.c] don't count on things that accept arguments by reference to clear things for us on error; most things do, but it's unsafe form.
2014-02-07 - naddy@cvs.openbsd.org 2014/02/05 20:13:25Damien Miller
[ssh-keygen.1 ssh-keygen.c] tweak synopsis: calling ssh-keygen without any arguments is fine; ok jmc@ while here, fix ordering in usage(); requested by jmc@
2014-02-04 - djm@cvs.openbsd.org 2014/02/02 03:44:32Damien Miller
[auth1.c auth2-chall.c auth2-passwd.c authfile.c bufaux.c bufbn.c] [buffer.c cipher-3des1.c cipher.c clientloop.c gss-serv.c kex.c] [kexdhc.c kexdhs.c kexecdhc.c kexgexc.c kexecdhs.c kexgexs.c key.c] [monitor.c monitor_wrap.c packet.c readpass.c rsa.c serverloop.c] [ssh-add.c ssh-agent.c ssh-dss.c ssh-ecdsa.c ssh-ed25519.c] [ssh-keygen.c ssh-rsa.c sshconnect.c sshconnect1.c sshconnect2.c] [sshd.c] convert memset of potentially-private data to explicit_bzero()
2014-02-04 - tedu@cvs.openbsd.org 2014/01/31 16:39:19Damien Miller
[auth2-chall.c authfd.c authfile.c bufaux.c bufec.c canohost.c] [channels.c cipher-chachapoly.c clientloop.c configure.ac hostfile.c] [kexc25519.c krl.c monitor.c sandbox-systrace.c session.c] [sftp-client.c ssh-keygen.c ssh.c sshconnect2.c sshd.c sshlogin.c] [openbsd-compat/explicit_bzero.c openbsd-compat/openbsd-compat.h] replace most bzero with explicit_bzero, except a few that cna be memset ok djm dtucker
2013-12-07 - markus@cvs.openbsd.org 2013/12/06 13:39:49Damien Miller
[authfd.c authfile.c key.c key.h myproposal.h pathnames.h readconf.c] [servconf.c ssh-agent.c ssh-keygen.c ssh-keyscan.1 ssh-keyscan.c] [ssh-keysign.c ssh.c ssh_config.5 sshd.8 sshd.c verify.c ssh-ed25519.c] [sc25519.h sc25519.c hash.c ge25519_base.data ge25519.h ge25519.c] [fe25519.h fe25519.c ed25519.c crypto_api.h blocks.c] support ed25519 keys (hostkeys and user identities) using the public domain ed25519 reference code from SUPERCOP, see http://ed25519.cr.yp.to/software.html feedback, help & ok djm@
2013-12-07 - markus@cvs.openbsd.org 2013/12/06 13:34:54Damien Miller
[authfile.c authfile.h cipher.c cipher.h key.c packet.c ssh-agent.c] [ssh-keygen.c PROTOCOL.key] new private key format, bcrypt as KDF by default; details in PROTOCOL.key; feedback and lots help from djm; ok djm@
2013-12-07 - djm@cvs.openbsd.org 2013/12/06 03:40:51Damien Miller
[ssh-keygen.c] remove duplicated character ('g') in getopt() string; document the (few) remaining option characters so we don't have to rummage next time.
2013-10-26 - (djm) [ssh-keygen.c ssh-keysign.c sshconnect1.c sshd.c] RemoveDamien Miller
unnecessary arc4random_stir() calls. The only ones left are to ensure that the PRNG gets a different state after fork() for platforms that have broken the API.
2013-10-23 - djm@cvs.openbsd.org 2013/10/23 04:16:22Damien Miller
[ssh-keygen.c] Make code match documentation: relative-specified certificate expiry time should be relative to current time and not the validity start time. Reported by Petr Lautrbach; ok deraadt@
2013-09-14 - deraadt@cvs.openbsd.org 2013/09/02 22:00:34Damien Miller
[ssh-keygen.c sshconnect1.c sshd.c] All the instances of arc4random_stir() are bogus, since arc4random() does this itself, inside itself, and has for a very long time.. Actually, this was probably reducing the entropy available. ok djm ID SYNC ONLY for portable; we don't trust other arc4random implementations to do this right.
2013-09-14 - mikeb@cvs.openbsd.org 2013/08/28 12:34:27Damien Miller
[ssh-keygen.c] improve batch processing a bit by making use of the quite flag a bit more often and exit with a non zero code if asked to find a hostname in a known_hosts file and it wasn't there; originally from reyk@, ok djm
2013-08-21 - djm@cvs.openbsd.org 2013/08/13 18:33:08Damien Miller
[ssh-keygen.c] another of the same typo
2013-08-21 - djm@cvs.openbsd.org 2013/08/13 18:32:08Damien Miller
[ssh-keygen.c] typo in error message; from Stephan Rickauer
2013-07-20 - djm@cvs.openbsd.org 2013/07/20 01:44:37Damien Miller
[ssh-keygen.c ssh.c] More useful error message on missing current user in /etc/passwd
2013-07-18 - djm@cvs.openbsd.org 2013/07/12 05:42:03Damien Miller
[ssh-keygen.c] do_print_resource_record() can never be called with a NULL filename, so don't attempt (and bungle) asking for one if it has not been specified bz#2127 ok dtucker@
2013-07-18 - djm@cvs.openbsd.org 2013/07/12 00:20:00Damien Miller
[sftp.c ssh-keygen.c ssh-pkcs11.c] fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@
2013-06-02 - djm@cvs.openbsd.org 2013/05/17 00:13:13Darren Tucker
[xmalloc.h cipher.c sftp-glob.c ssh-keyscan.c ssh.c sftp-common.c ssh-ecdsa.c auth2-chall.c compat.c readconf.c kexgexs.c monitor.c gss-genr.c cipher-3des1.c kex.c monitor_wrap.c ssh-pkcs11-client.c auth-options.c rsa.c auth2-pubkey.c sftp.c hostfile.c auth2.c servconf.c auth.c authfile.c xmalloc.c uuencode.c sftp-client.c auth2-gss.c sftp-server.c bufaux.c mac.c session.c jpake.c kexgexc.c sshconnect.c auth-chall.c auth2-passwd.c sshconnect1.c buffer.c kexecdhs.c kexdhs.c ssh-rsa.c auth1.c ssh-pkcs11.c auth2-kbdint.c kexdhc.c sshd.c umac.c ssh-dss.c auth2-jpake.c bufbn.c clientloop.c monitor_mm.c scp.c roaming_client.c serverloop.c key.c auth-rsa.c ssh-pkcs11-helper.c ssh-keysign.c ssh-keygen.c match.c channels.c sshconnect2.c addrmatch.c mux.c canohost.c kexecdhc.c schnorr.c ssh-add.c misc.c auth2-hostbased.c ssh-agent.c bufec.c groupaccess.c dns.c packet.c readpass.c authfd.c moduli.c] bye, bye xfree(); ok markus@
2013-04-23 - djm@cvs.openbsd.org 2013/04/19 01:01:00Damien Miller
[ssh-keygen.c] fix some memory leaks; bz#2088 ok dtucker@
2013-02-12 - djm@cvs.openbsd.org 2013/02/10 23:32:10Damien Miller
[ssh-keygen.c] append to moduli file when screening candidates rather than overwriting. allows resumption of interrupted screen; patch from Christophe Garault in bz#1957; ok dtucker@
2013-01-20 - jmc@cvs.openbsd.org 2013/01/18 07:59:46Damien Miller
[ssh-keygen.c] -u before -V in usage();
2013-01-18 - djm@cvs.openbsd.org 2013/01/17 23:00:01Damien Miller
[auth.c key.c key.h ssh-keygen.1 ssh-keygen.c sshd_config.5] [krl.c krl.h PROTOCOL.krl] add support for Key Revocation Lists (KRLs). These are a compact way to represent lists of revoked keys and certificates, taking as little as a single bit of incremental cost to revoke a certificate by serial number. KRLs are loaded via the existing RevokedKeys sshd_config option. feedback and ok markus@
2013-01-09 - djm@cvs.openbsd.org 2013/01/09 05:40:17Damien Miller
[ssh-keygen.c] correctly initialise fingerprint type for fingerprinting PKCS#11 keys
2013-01-09 - djm@cvs.openbsd.org 2013/01/03 23:22:58Damien Miller
[ssh-keygen.c] allow fingerprinting of keys hosted in PKCS#11 tokens: ssh-keygen -lD ... ok markus@
2012-12-03 - djm@cvs.openbsd.org 2012/12/03 00:14:06Damien Miller
[auth2-chall.c ssh-keygen.c] Fix compilation with -Wall -Werror (trivial type fixes)
2012-11-14 - djm@cvs.openbsd.org 2012/11/14 02:32:15Damien Miller
[ssh-keygen.c] allow the full range of unsigned serial numbers; 'fine' deraadt@
2012-10-05 - djm@cvs.openbsd.org 2012/10/02 07:07:45Darren Tucker
[ssh-keygen.c] fix -z option, broken in revision 1.215
2012-09-06 - djm@cvs.openbsd.org 2012/08/17 01:25:58Darren Tucker
[ssh-keygen.c] print details of which host lines were deleted when using "ssh-keygen -R host"; ok markus@
2012-07-31 - jmc@cvs.openbsd.org 2012/07/06 06:38:03Damien Miller
[ssh-keygen.c] missing full stop in usage();
2012-07-06 - dtucker@cvs.openbsd.org 2012/07/06 00:41:59Damien Miller
[moduli.c ssh-keygen.1 ssh-keygen.c] Add options to specify starting line number and number of lines to process when screening moduli candidates. This allows processing of different parts of a candidate moduli file in parallel. man page help jmc@, ok djm@
2012-06-20 - djm@cvs.openbsd.org 2012/05/23 03:28:28Damien Miller
[dns.c dns.h key.c key.h ssh-keygen.c] add support for RFC6594 SSHFP DNS records for ECDSA key types. patch from bugzilla-m67 AT nulld.me in bz#1978; ok + tweak markus@
2012-04-22 - djm@cvs.openbsd.org 2012/02/29 11:21:26Damien Miller
[ssh-keygen.c] allow conversion of RSA1 keys to public PEM and PKCS8; "nice" markus@
2012-02-06 - (djm) [ssh-keygen.c] Don't fail in do_gen_all_hostkeys on platformsDamien Miller
that don't support ECC. Patch from Phil Oleson
2011-10-18 - jmc@cvs.openbsd.org 2011/10/16 15:02:41Damien Miller
[ssh-keygen.c] put -K in the right place (usage());
2011-10-18 - dtucker@cvs.openbsd.org 2011/10/16 11:02:46Damien Miller
[moduli.c ssh-keygen.1 ssh-keygen.c] Add optional checkpoints for moduli screening. feedback & ok deraadt
2011-09-04 - (dtucker) [ssh-keygen.c ssh-pkcs11.c] Bug #1929: add null implementationsDarren Tucker
ofsh-pkcs11.cpkcs_init and pkcs_terminate for building without dlopen support.
2011-05-05 - djm@cvs.openbsd.org 2011/05/04 21:15:29Damien Miller
[authfile.c authfile.h ssh-add.c] allow "ssh-add - < key"; feedback and ok markus@
2011-05-05 - djm@cvs.openbsd.org 2011/04/12 04:23:50Damien Miller
[ssh-keygen.c] fix -Wshadow
2011-05-05 - stevesk@cvs.openbsd.org 2011/03/24 22:14:54Damien Miller
[ssh-keygen.c] use strcasecmp() for "clear" cert permission option also; ok djm