From ed7bd5d93fe14c7bd90febd29b858ea985d14d45 Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Wed, 8 Aug 2018 01:16:01 +0000 Subject: upstream: Use new private key format by default. This format is suported by OpenSSH >= 6.5 (released January 2014), so it should be supported by most OpenSSH versions in active use. It is possible to convert new-format private keys to the older format using "ssh-keygen -f /path/key -pm PEM". ok deraadt dtucker OpenBSD-Commit-ID: e3bd4f2509a2103bfa2f710733426af3ad6d8ab8 --- ssh-keygen.1 | 24 ++++++++---------------- 1 file changed, 8 insertions(+), 16 deletions(-) (limited to 'ssh-keygen.1') diff --git a/ssh-keygen.1 b/ssh-keygen.1 index 3525d7d17..dd6e7e5a8 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-keygen.1,v 1.147 2018/03/12 00:52:01 djm Exp $ +.\" $OpenBSD: ssh-keygen.1,v 1.148 2018/08/08 01:16:01 djm Exp $ .\" .\" Author: Tatu Ylonen .\" Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -35,7 +35,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: March 12 2018 $ +.Dd $Mdocdate: August 8 2018 $ .Dt SSH-KEYGEN 1 .Os .Sh NAME @@ -233,10 +233,8 @@ This is used by .Pa /etc/rc to generate new host keys. .It Fl a Ar rounds -When saving a new-format private key (i.e. an ed25519 key or when the -.Fl o -flag is set), this option specifies the number of KDF (key derivation function) -rounds used. +When saving a private key this option specifies the number of KDF +(key derivation function) rounds used. Higher numbers result in slower passphrase verification and increased resistance to brute-force password cracking (should the keys be stolen). .Pp @@ -264,8 +262,6 @@ flag will be ignored. Provides a new comment. .It Fl c Requests changing the comment in the private and public key files. -This operation is only supported for keys stored in the -newer OpenSSH format. The program will prompt for the file containing the private keys, for the passphrase if the key has one, and for the new comment. .It Fl D Ar pkcs11 @@ -410,6 +406,10 @@ or (PEM public key). The default conversion format is .Dq RFC4716 . +Setting a format of +.Dq PEM +when generating or updating a supported private key type will cause the +key to be stored in the legacy PEM private key format. .It Fl N Ar new_passphrase Provides the new passphrase. .It Fl n Ar principals @@ -504,14 +504,6 @@ The is a comma-separated list of one or more address/netmask pairs in CIDR format. .El -.It Fl o -Causes -.Nm -to save private keys using the new OpenSSH format rather than -the more compatible PEM format. -The new format has increased resistance to brute-force password cracking -but is not supported by versions of OpenSSH prior to 6.5. -Ed25519 keys always use the new private key format. .It Fl P Ar passphrase Provides the (old) passphrase. .It Fl p -- cgit v1.2.3 From f48c4fd12f8ecd275226e357454e45f10c20ac92 Mon Sep 17 00:00:00 2001 From: Colin Watson Date: Sun, 9 Feb 2014 16:10:09 +0000 Subject: Adjust various OpenBSD-specific references in manual pages No single bug reference for this patch, but history includes: http://bugs.debian.org/154434 (login.conf(5)) http://bugs.debian.org/513417 (/etc/rc) http://bugs.debian.org/530692 (ssl(8)) https://bugs.launchpad.net/bugs/456660 (ssl(8)) Forwarded: not-needed Last-Update: 2017-10-04 Patch-Name: openbsd-docs.patch --- moduli.5 | 4 ++-- ssh-keygen.1 | 12 ++++-------- ssh.1 | 4 ++++ sshd.8 | 5 ++--- sshd_config.5 | 3 +-- 5 files changed, 13 insertions(+), 15 deletions(-) (limited to 'ssh-keygen.1') diff --git a/moduli.5 b/moduli.5 index ef0de0850..149846c8c 100644 --- a/moduli.5 +++ b/moduli.5 @@ -21,7 +21,7 @@ .Nd Diffie-Hellman moduli .Sh DESCRIPTION The -.Pa /etc/moduli +.Pa /etc/ssh/moduli file contains prime numbers and generators for use by .Xr sshd 8 in the Diffie-Hellman Group Exchange key exchange method. @@ -110,7 +110,7 @@ first estimates the size of the modulus required to produce enough Diffie-Hellman output to sufficiently key the selected symmetric cipher. .Xr sshd 8 then randomly selects a modulus from -.Fa /etc/moduli +.Fa /etc/ssh/moduli that best meets the size requirement. .Sh SEE ALSO .Xr ssh-keygen 1 , diff --git a/ssh-keygen.1 b/ssh-keygen.1 index dd6e7e5a8..33e0bbcc1 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1 @@ -176,9 +176,7 @@ key in .Pa ~/.ssh/id_ed25519 or .Pa ~/.ssh/id_rsa . -Additionally, the system administrator may use this to generate host keys, -as seen in -.Pa /etc/rc . +Additionally, the system administrator may use this to generate host keys. .Pp Normally this program generates the key and asks for a file in which to store the private key. @@ -229,9 +227,7 @@ If .Fl f has also been specified, its argument is used as a prefix to the default path for the resulting host key files. -This is used by -.Pa /etc/rc -to generate new host keys. +This is used by system administration scripts to generate new host keys. .It Fl a Ar rounds When saving a private key this option specifies the number of KDF (key derivation function) rounds used. @@ -677,7 +673,7 @@ option. Valid generator values are 2, 3, and 5. .Pp Screened DH groups may be installed in -.Pa /etc/moduli . +.Pa /etc/ssh/moduli . It is important that this file contains moduli of a range of bit lengths and that both ends of a connection share common moduli. .Sh CERTIFICATES @@ -864,7 +860,7 @@ on all machines where the user wishes to log in using public key authentication. There is no need to keep the contents of this file secret. .Pp -.It Pa /etc/moduli +.It Pa /etc/ssh/moduli Contains Diffie-Hellman groups used for DH-GEX. The file format is described in .Xr moduli 5 . diff --git a/ssh.1 b/ssh.1 index cb0fdd50e..d41426781 100644 --- a/ssh.1 +++ b/ssh.1 @@ -850,6 +850,10 @@ implements public key authentication protocol automatically, using one of the DSA, ECDSA, Ed25519 or RSA algorithms. The HISTORY section of .Xr ssl 8 +(on non-OpenBSD systems, see +.nh +http://www.openbsd.org/cgi\-bin/man.cgi?query=ssl&sektion=8#HISTORY) +.hy contains a brief discussion of the DSA and RSA algorithms. .Pp The file diff --git a/sshd.8 b/sshd.8 index 57a7fd66b..4abc01d66 100644 --- a/sshd.8 +++ b/sshd.8 @@ -65,7 +65,7 @@ over an insecure network. .Nm listens for connections from clients. It is normally started at boot from -.Pa /etc/rc . +.Pa /etc/init.d/ssh . It forks a new daemon for each incoming connection. The forked daemons handle @@ -884,7 +884,7 @@ This file is for host-based authentication (see .Xr ssh 1 ) . It should only be writable by root. .Pp -.It Pa /etc/moduli +.It Pa /etc/ssh/moduli Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange" key exchange method. The file format is described in @@ -982,7 +982,6 @@ The content of this file is not sensitive; it can be world-readable. .Xr ssh-keyscan 1 , .Xr chroot 2 , .Xr hosts_access 5 , -.Xr login.conf 5 , .Xr moduli 5 , .Xr sshd_config 5 , .Xr inetd 8 , diff --git a/sshd_config.5 b/sshd_config.5 index 96a69ab55..9774831fe 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -384,8 +384,7 @@ then no banner is displayed. By default, no banner is displayed. .It Cm ChallengeResponseAuthentication Specifies whether challenge-response authentication is allowed (e.g. via -PAM or through authentication styles supported in -.Xr login.conf 5 ) +PAM). The default is .Cm yes . .It Cm ChrootDirectory -- cgit v1.2.3