summaryrefslogtreecommitdiff
path: root/ssh-keygen.c
AgeCommit message (Collapse)Author
2020-01-29upstream: changes to support FIDO attestationdjm@openbsd.org
Allow writing to disk the attestation certificate that is generated by the FIDO token at key enrollment time. These certificates may be used by an out-of-band workflow to prove that a particular key is held in trustworthy hardware. Allow passing in a challenge that will be sent to the card during key enrollment. These are needed to build an attestation workflow that resists replay attacks. ok markus@ OpenBSD-Commit-ID: 457dc3c3d689ba39eed328f0817ed9b91a5f78f6
2020-01-26upstream: improve the error message for u2f enrollment errors bydjm@openbsd.org
making ssh-keygen be solely responsible for printing the error message and convertint some more common error responses from the middleware to a useful ssherr.h status code. more detail remains visible via -v of course. also remove indepedent copy of sk-api.h declarations in sk-usbhid.c and just include it. feedback & ok markus@ OpenBSD-Commit-ID: a4a8ffa870d9a3e0cfd76544bcdeef5c9fb1f1bb
2020-01-26upstream: factor out reading/writing sshbufs to dedicateddjm@openbsd.org
functions; feedback and ok markus@ OpenBSD-Commit-ID: dc09e5f1950b7acc91b8fdf8015347782d2ecd3d
2020-01-25Put EC key export inside OPENSSL_HAS_ECC.Darren Tucker
Fixes link error when building against an OpenSSL that does not have ECC.
2020-01-25upstream: expose PKCS#11 key labels/X.509 subjects as commentsdjm@openbsd.org
Extract the key label or X.509 subject string when PKCS#11 keys are retrieved from the token and plumb this through to places where it may be used as a comment. based on https://github.com/openssh/openssh-portable/pull/138 by Danielle Church feedback and ok markus@ OpenBSD-Commit-ID: cae1fda10d9e10971dea29520916e27cfec7ca35
2020-01-25upstream: minor tweaks to ssh-keygen -Y find-principals:djm@openbsd.org
emit matched principals one per line to stdout rather than as comma- separated and with a free-text preamble (easy confusion opportunity) emit "not found" error to stderr fix up argument testing for -Y operations and improve error message for unsupported operations OpenBSD-Commit-ID: 3d9c9a671ab07fc04a48f543edfa85eae77da69c
2020-01-25upstream: when signing a certificate with an RSA key, default todjm@openbsd.org
a safe signature algorithm (rsa-sha-512) if not is explicitly specified by the user; ok markus@ OpenBSD-Commit-ID: e05f638f0be6c0266e1d3d799716b461011e83a9
2020-01-25upstream: allow PEM export of DSA and ECDSA keys; bz3091, patchdjm@openbsd.org
from Jakub Jelen ok markus@ OpenBSD-Commit-ID: a58edec8b9f07acab4b962a71a5125830d321b51
2020-01-25upstream: ssh-keygen -Y find-principals fixes based on feedbackdjm@openbsd.org
from Markus: use "principals" instead of principal, as allowed_signers lines may list multiple. When the signing key is a certificate, emit only principals that match the certificate principal list. NB. the command -Y name changes: "find-principal" => "find-principals" ok markus@ OpenBSD-Commit-ID: ab575946ff9a55624cd4e811bfd338bf3b1d0faf
2020-01-23upstream: remove trailing period characters from pub/priv keydjm@openbsd.org
pathnames - they make them needlessly more difficult to cut and paste without error; ok markus@ & dtucker@ OpenBSD-Commit-ID: abdcfd1a5723fcac0711feee7665edc66ae2335a
2020-01-23upstream: add a new signature operations "find-principal" to lookdjm@openbsd.org
up the principal associated with a signature from an allowed-signers file. Work by Sebastian Kinne; ok dtucker@ OpenBSD-Commit-ID: 6f782cc7e18e38fcfafa62af53246a1dcfe74e5d
2020-01-22upstream: For ssh-keygen -lF only add a space after key fingerprintclaudio@openbsd.org
when there is a comment. This makes copy-paste of fingerprints into ssh easier. OK djm@ OpenBSD-Commit-ID: fa01d95624f65c1eb4dc7c575d20d77c78010dfd
2020-01-21upstream: don't #ifdef out the KRL code when compiling withoutdjm@openbsd.org
libcrypto support; it works just fine and disabling it breaks a few tests. ok dtucker@ OpenBSD-Commit-ID: 65f6272c4241eb4b04de78b012fe98b2b555ad44
2020-01-21upstream: sync ssh-keygen.1 and ssh-keygen's usage() with eachnaddy@openbsd.org
other and reality ok markus@ OpenBSD-Commit-ID: cdf64454f2c3604c25977c944e5b6262a3bcce92
2020-01-06upstream: Extends the SK API to accept a set of key/value optionsdjm@openbsd.org
for all operations. These are intended to future-proof the API a little by making it easier to specify additional fields for without having to change the API version for each. At present, only two options are defined: one to explicitly specify the device for an operation (rather than accepting the middleware's autoselection) and another to specify the FIDO2 username that may be used when generating a resident key. These new options may be invoked at key generation time via ssh-keygen -O This also implements a suggestion from Markus to avoid "int" in favour of uint32_t for the algorithm argument in the API, to make implementation of ssh-sk-client/helper a little easier. feedback, fixes and ok markus@ OpenBSD-Commit-ID: 973ce11704609022ab36abbdeb6bc23c8001eabc
2020-01-03upstream: ability to download FIDO2 resident keys from a token viadjm@openbsd.org
"ssh-keygen -K". This will save public/private keys into the current directory. This is handy if you move a token between hosts. feedback & ok markus@ OpenBSD-Commit-ID: d57c1f9802f7850f00a117a1d36682a6c6d10da6
2019-12-30upstream: Remove the -x option currently used fordjm@openbsd.org
FIDO/U2F-specific key flags. Instead these flags may be specified via -O. ok markus@ OpenBSD-Commit-ID: f23ebde2a8a7e1bf860a51055a711cffb8c328c1
2019-12-30upstream: translate and return error codes; retry on bad PINdjm@openbsd.org
Define some well-known error codes in the SK API and pass them back via ssh-sk-helper. Use the new "wrong PIN" error code to retry PIN prompting during ssh-keygen of resident keys. feedback and ok markus@ OpenBSD-Commit-ID: 9663c6a2bb7a0bc8deaccc6c30d9a2983b481620
2019-12-30upstream: SK API and sk-helper error/PIN passingdjm@openbsd.org
Allow passing a PIN via the SK API (API major crank) and let the ssh-sk-helper API follow. Also enhance the ssh-sk-helper API to support passing back an error code instead of a complete reply. Will be used to signal "wrong PIN", etc. feedback and ok markus@ OpenBSD-Commit-ID: a1bd6b0a2421646919a0c139b8183ad76d28fb71
2019-12-30upstream: basic support for generating FIDO2 resident keysdjm@openbsd.org
"ssh-keygen -t ecdsa-sk|ed25519-sk -x resident" will generate a device-resident key. feedback and ok markus@ OpenBSD-Commit-ID: 8e1b3c56a4b11d85047bd6c6c705b7eef4d58431
2019-12-30upstream: remove single-letter flags for moduli optionsdjm@openbsd.org
Move all moduli generation options to live under the -O flag. Frees up seven single-letter flags. NB. this change break existing ssh-keygen commandline syntax for moduli- related operations. Very few people use these fortunately. feedback and ok markus@ OpenBSD-Commit-ID: d498f3eaf28128484826a4fcb343612764927935
2019-12-30upstream: prepare for use of ssh-keygen -O flag beyond certsdjm@openbsd.org
Move list of available certificate options in ssh-keygen.1 to the CERTIFICATES section. Collect options specified by -O but delay parsing/validation of certificate options until we're sure that we're acting as a CA. ok markus@ OpenBSD-Commit-ID: 33e6bcc29cfca43606f6fa09bd84b955ee3a4106
2019-12-14remove a bunch of ENABLE_SK #ifdefsDamien Miller
The ssh-sk-helper client API gives us a nice place to disable security key support when it is wasn't enabled at compile time, so we don't need to check everywere. Also, verification of security key signatures can remain enabled all the time - it has no additional dependencies. So sshd can accept security key pubkeys in authorized_keys, etc regardless of the host's support for dlopen, etc.
2019-12-11upstream: when acting as a CA and using a security key as the CAdjm@openbsd.org
key, remind the user to touch they key to authorise the signature. OpenBSD-Commit-ID: fe58733edd367362f9766b526a8b56827cc439c1
2019-11-25upstream: Print a key touch reminder when generating a securitydjm@openbsd.org
key. Most keys require a touch to authorize the operation. OpenBSD-Commit-ID: 7fe8b23edbf33e1bb81741b9f25e9a63be5f6b68
2019-11-25upstream: allow "ssh-keygen -x no-touch-required" when generating adjm@openbsd.org
security key keypair to request one that does not require a touch for each authentication attempt. The default remains to require touch. feedback deraadt; ok markus@ OpenBSD-Commit-ID: 887e7084b2e89c0c62d1598ac378aad8e434bcbd
2019-11-25upstream: add a "no-touch-required" option for authorized_keys anddjm@openbsd.org
a similar extension for certificates. This option disables the default requirement that security key signatures attest that the user touched their key to authorize them. feedback deraadt, ok markus OpenBSD-Commit-ID: f1fb56151ba68d55d554d0f6d3d4dba0cf1a452e
2019-11-25upstream: Add new structure for signature optionsdjm@openbsd.org
This is populated during signature verification with additional fields that are present in and covered by the signature. At the moment, it is only used to record security key-specific options, especially the flags field. with and ok markus@ OpenBSD-Commit-ID: 338a1f0e04904008836130bedb9ece4faafd4e49
2019-11-20upstream: more missing mentions of ed25519-sk; ok djm@naddy@openbsd.org
OpenBSD-Commit-ID: f242e53366f61697dffd53af881bc5daf78230ff
2019-11-20upstream: additional missing stdarg.h includes when built withoutnaddy@openbsd.org
WITH_OPENSSL; ok djm@ OpenBSD-Commit-ID: 881f9a2c4e2239849cee8bbf4faec9bab128f55b
2019-11-18upstream: Fix incorrect error message when key certification failsdjm@openbsd.org
OpenBSD-Commit-ID: 7771bd77ee73f7116df37c734c41192943a73cee
2019-11-18upstream: allow *-sk key types to be turned into certificatesdjm@openbsd.org
OpenBSD-Commit-ID: cd365ee343934862286d0b011aa77fa739d2a945
2019-11-18upstream: missing break in getopt switch; spotted by Sebastian Kinnedjm@openbsd.org
OpenBSD-Commit-ID: f002dbf14dba5586e8407e90f0141148ade8e8fc
2019-11-15upstream: directly support U2F/FIDO2 security keys in OpenSSH bydjm@openbsd.org
linking against the (previously external) USB HID middleware. The dlopen() capability still exists for alternate middlewares, e.g. for Bluetooth, NFC and test/debugging. OpenBSD-Commit-ID: 14446cf170ac0351f0d4792ba0bca53024930069
2019-11-13upstream: security keys typically need to be tapped/touched indjm@openbsd.org
order to perform a signature operation. Notify the user when this is expected via the TTY (if available) or $SSH_ASKPASS if we can. ok markus@ OpenBSD-Commit-ID: 0ef90a99a85d4a2a07217a58efb4df8444818609
2019-11-13Remove leftover if statement from sync.Darren Tucker
2019-11-13upstream: enable ed25519 support; ok djmmarkus@openbsd.org
OpenBSD-Commit-ID: 1a399c5b3ef15bd8efb916110cf5a9e0b554ab7e
2019-11-11upstream: duplicate 'x' character in getopt(3) optstringdjm@openbsd.org
OpenBSD-Commit-ID: 64c81caa0cb5798de3621eca16b7dd22e5d0d8a7
2019-11-08upstream: Fill in missing man page bits for U2F security key support:naddy@openbsd.org
Mention the new key types, the ~/.ssh/id_ecdsa_sk file, ssh's SecurityKeyProvider keyword, the SSH_SK_PROVIDER environment variable, and ssh-keygen's new -w and -x options. Copy the ssh-sk-helper man page from ssh-pkcs11-helper with minimal substitutions. ok djm@ OpenBSD-Commit-ID: ef2e8f83d0c0ce11ad9b8c28945747e5ca337ac4
2019-11-01autoconf pieces for U2F supportDamien Miller
Mostly following existing logic for PKCS#11 - turning off support when either libcrypto or dlopen(3) are unavailable.
2019-11-01upstream: fix -Wshadow warningdjm@openbsd.org
OpenBSD-Commit-ID: 3441eb04f872a00c2483c11a5f1570dfe775103c
2019-11-01upstream: Refactor signing - use sshkey_sign for everything,djm@openbsd.org
including the new U2F signatures. Don't use sshsk_ecdsa_sign() directly, instead make it reachable via sshkey_sign() like all other signature operations. This means that we need to add a provider argument to sshkey_sign(), so most of this change is mechanically adding that. Suggested by / ok markus@ OpenBSD-Commit-ID: d5193a03fcfa895085d91b2b83d984a9fde76c8c
2019-11-01upstream: ssh-keygen support for generating U2F/FIDO keysdjm@openbsd.org
OpenBSD-Commit-ID: 6ce04f2b497ac9dd8c327f76f1e6c724fb1d1b37
2019-10-16upstream: free buf before return; reported by krishnaiah bommudjm@openbsd.org
OpenBSD-Commit-ID: 091bb23a6e913af5d4f72c50030b53ce1cef4de1
2019-10-09wrap stdint.h include in HAVE_STDINT_HDamien Miller
make the indenting a little more consistent too.. Fixes Solaris 2.6; reported by Tom G. Christensen
2019-10-04upstream: use a more common options order in SYNOPSIS and syncjmc@openbsd.org
usage(); while here, no need for Bk/Ek; ok dtucker OpenBSD-Commit-ID: 38715c3f10b166f599a2283eb7bc14860211bb90
2019-10-02upstream: thinko in previous; spotted by Mantasdjm@openbsd.org
=?UTF-8?q?=20Mikul=C4=97nas?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit OpenBSD-Commit-ID: ffa3f5a45e09752fc47d9041e2203ee2ec15b24d
2019-10-02upstream: ban empty namespace strings for sdjm@openbsd.org
=?UTF-8?q?shsig;=20spotted=20by=20Mantas=20Mikul=C4=97nas?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit OpenBSD-Commit-ID: 7c5bcf40bed8f4e826230176f4aa353c52aeb698
2019-10-01upstream: group and sort single letter options; ok deraadtjmc@openbsd.org
OpenBSD-Commit-ID: e1480e760a2b582f79696cdcff70098e23fc603f
2019-10-01upstream: identity_file[] should be PATH_MAX, not the arbitraryderaadt@openbsd.org
number 1024 OpenBSD-Commit-ID: e775f94ad47ce9ab37bd1410d7cf3b7ea98b11b7