From 9405c6214f667be604a820c6823b27d0ea77937d Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Wed, 12 Sep 2018 01:21:34 +0000 Subject: upstream: allow key revocation by SHA256 hash and allow ssh-keygen to create KRLs using SHA256/base64 key fingerprints; ok markus@ OpenBSD-Commit-ID: a0590fd34e7f1141f2873ab3acc57442560e6a94 --- ssh-keygen.1 | 19 ++++++++++++++++--- 1 file changed, 16 insertions(+), 3 deletions(-) (limited to 'ssh-keygen.1') diff --git a/ssh-keygen.1 b/ssh-keygen.1 index dd6e7e5a8..d1aad6f20 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-keygen.1,v 1.148 2018/08/08 01:16:01 djm Exp $ +.\" $OpenBSD: ssh-keygen.1,v 1.149 2018/09/12 01:21:34 djm Exp $ .\" .\" Author: Tatu Ylonen .\" Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -35,7 +35,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: August 8 2018 $ +.Dd $Mdocdate: September 12 2018 $ .Dt SSH-KEYGEN 1 .Os .Sh NAME @@ -814,7 +814,20 @@ option. Revokes the specified key. If a certificate is listed, then it is revoked as a plain public key. .It Cm sha1 : Ar public_key -Revokes the specified key by its SHA1 hash. +Revokes the specified key by including its SHA1 hash in the KRL. +.It Cm sha256 : Ar public_key +Revokes the specified key by including its SHA256 hash in the KRL. +KRLs that revoke keys by SHA256 hash are not supported by OpenSSH versions +prior to 7.9. +.It Cm hash : Ar fingerprint +Revokes a key using by fingerprint hash, as obtained from a +.Xr sshd 8 +authentication log message or the +.Nm +.Fl l +flag. +Only SHA256 fingerprints are supported here and resultant KRLs are +not supported by OpenSSH versions prior to 7.9. .El .Pp KRLs may be updated using the -- cgit v1.2.3 From f0fcd7e65087db8c2496f13ed39d772f8e38b088 Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Wed, 12 Sep 2018 06:18:59 +0000 Subject: upstream: fix edit mistake; spotted by jmc@ OpenBSD-Commit-ID: dd724e1c52c9d6084f4cd260ec7e1b2b138261c6 --- ssh-keygen.1 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'ssh-keygen.1') diff --git a/ssh-keygen.1 b/ssh-keygen.1 index d1aad6f20..bfa2eb5f3 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-keygen.1,v 1.149 2018/09/12 01:21:34 djm Exp $ +.\" $OpenBSD: ssh-keygen.1,v 1.150 2018/09/12 06:18:59 djm Exp $ .\" .\" Author: Tatu Ylonen .\" Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -820,7 +820,7 @@ Revokes the specified key by including its SHA256 hash in the KRL. KRLs that revoke keys by SHA256 hash are not supported by OpenSSH versions prior to 7.9. .It Cm hash : Ar fingerprint -Revokes a key using by fingerprint hash, as obtained from a +Revokes a key using a fingerprint hash, as obtained from a .Xr sshd 8 authentication log message or the .Nm -- cgit v1.2.3 From 96c85e746d4f94c7d2748a200e5817ad8a987918 Mon Sep 17 00:00:00 2001 From: Colin Watson Date: Sun, 9 Feb 2014 16:10:09 +0000 Subject: Adjust various OpenBSD-specific references in manual pages No single bug reference for this patch, but history includes: http://bugs.debian.org/154434 (login.conf(5)) http://bugs.debian.org/513417 (/etc/rc) http://bugs.debian.org/530692 (ssl(8)) https://bugs.launchpad.net/bugs/456660 (ssl(8)) Forwarded: not-needed Last-Update: 2017-10-04 Patch-Name: openbsd-docs.patch --- moduli.5 | 4 ++-- ssh-keygen.1 | 12 ++++-------- ssh.1 | 4 ++++ sshd.8 | 5 ++--- sshd_config.5 | 3 +-- 5 files changed, 13 insertions(+), 15 deletions(-) (limited to 'ssh-keygen.1') diff --git a/moduli.5 b/moduli.5 index ef0de0850..149846c8c 100644 --- a/moduli.5 +++ b/moduli.5 @@ -21,7 +21,7 @@ .Nd Diffie-Hellman moduli .Sh DESCRIPTION The -.Pa /etc/moduli +.Pa /etc/ssh/moduli file contains prime numbers and generators for use by .Xr sshd 8 in the Diffie-Hellman Group Exchange key exchange method. @@ -110,7 +110,7 @@ first estimates the size of the modulus required to produce enough Diffie-Hellman output to sufficiently key the selected symmetric cipher. .Xr sshd 8 then randomly selects a modulus from -.Fa /etc/moduli +.Fa /etc/ssh/moduli that best meets the size requirement. .Sh SEE ALSO .Xr ssh-keygen 1 , diff --git a/ssh-keygen.1 b/ssh-keygen.1 index bfa2eb5f3..da6b5ed76 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1 @@ -176,9 +176,7 @@ key in .Pa ~/.ssh/id_ed25519 or .Pa ~/.ssh/id_rsa . -Additionally, the system administrator may use this to generate host keys, -as seen in -.Pa /etc/rc . +Additionally, the system administrator may use this to generate host keys. .Pp Normally this program generates the key and asks for a file in which to store the private key. @@ -229,9 +227,7 @@ If .Fl f has also been specified, its argument is used as a prefix to the default path for the resulting host key files. -This is used by -.Pa /etc/rc -to generate new host keys. +This is used by system administration scripts to generate new host keys. .It Fl a Ar rounds When saving a private key this option specifies the number of KDF (key derivation function) rounds used. @@ -677,7 +673,7 @@ option. Valid generator values are 2, 3, and 5. .Pp Screened DH groups may be installed in -.Pa /etc/moduli . +.Pa /etc/ssh/moduli . It is important that this file contains moduli of a range of bit lengths and that both ends of a connection share common moduli. .Sh CERTIFICATES @@ -877,7 +873,7 @@ on all machines where the user wishes to log in using public key authentication. There is no need to keep the contents of this file secret. .Pp -.It Pa /etc/moduli +.It Pa /etc/ssh/moduli Contains Diffie-Hellman groups used for DH-GEX. The file format is described in .Xr moduli 5 . diff --git a/ssh.1 b/ssh.1 index 81f29af43..5dfad6daa 100644 --- a/ssh.1 +++ b/ssh.1 @@ -860,6 +860,10 @@ implements public key authentication protocol automatically, using one of the DSA, ECDSA, Ed25519 or RSA algorithms. The HISTORY section of .Xr ssl 8 +(on non-OpenBSD systems, see +.nh +http://www.openbsd.org/cgi\-bin/man.cgi?query=ssl&sektion=8#HISTORY) +.hy contains a brief discussion of the DSA and RSA algorithms. .Pp The file diff --git a/sshd.8 b/sshd.8 index 57a7fd66b..4abc01d66 100644 --- a/sshd.8 +++ b/sshd.8 @@ -65,7 +65,7 @@ over an insecure network. .Nm listens for connections from clients. It is normally started at boot from -.Pa /etc/rc . +.Pa /etc/init.d/ssh . It forks a new daemon for each incoming connection. The forked daemons handle @@ -884,7 +884,7 @@ This file is for host-based authentication (see .Xr ssh 1 ) . It should only be writable by root. .Pp -.It Pa /etc/moduli +.It Pa /etc/ssh/moduli Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange" key exchange method. The file format is described in @@ -982,7 +982,6 @@ The content of this file is not sensitive; it can be world-readable. .Xr ssh-keyscan 1 , .Xr chroot 2 , .Xr hosts_access 5 , -.Xr login.conf 5 , .Xr moduli 5 , .Xr sshd_config 5 , .Xr inetd 8 , diff --git a/sshd_config.5 b/sshd_config.5 index 37e6be38f..23f71fd1d 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -395,8 +395,7 @@ Certificates signed using other algorithms will not be accepted for public key or host-based authentication. .It Cm ChallengeResponseAuthentication Specifies whether challenge-response authentication is allowed (e.g. via -PAM or through authentication styles supported in -.Xr login.conf 5 ) +PAM). The default is .Cm yes . .It Cm ChrootDirectory -- cgit v1.2.3