upstream: Replace the term "security key" with "(FIDO) authenticator".

The polysemous use of "key" was too confusing.  Input from markus@.
ok jmc@

OpenBSD-Commit-ID: 12eea973a44c8232af89f86e4269d71ae900ca8f
naddy@openbsd.org 2019-12-21 20:22:34 +00:00 committed by Damien Miller
parent fbd9729d4e
commit 141df487ba
8 changed files with 52 additions and 58 deletions


@ -1,4 +1,4 @@
.\" $OpenBSD: ssh-add.1,v 1.76 2019/11/30 07:07:59 jmc Exp $ .\" $OpenBSD: ssh-add.1,v 1.77 2019/12/21 20:22:34 naddy Exp $
.\" .\"
.\" Author: Tatu Ylonen <ylo@cs.hut.fi> .\" Author: Tatu Ylonen <ylo@cs.hut.fi>
.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -35,7 +35,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\" .\"
.Dd $Mdocdate: November 30 2019 $ .Dd $Mdocdate: December 21 2019 $
.Dt SSH-ADD 1 .Dt SSH-ADD 1
.Os .Os
.Sh NAME .Sh NAME
@ -135,8 +135,8 @@ Lists fingerprints of all identities currently represented by the agent.
.It Fl q .It Fl q
Be quiet after a successful operation. Be quiet after a successful operation.
.It Fl S Ar provider .It Fl S Ar provider
Specifies a path to a security key provider library that will be used when Specifies a path to a library that will be used when adding
adding any security key-hosted keys, overriding the default of using the FIDO authenticator-hosted keys, overriding the default of using the
internal USB HID support. internal USB HID support.
.It Fl s Ar pkcs11 .It Fl s Ar pkcs11
Add keys provided by the PKCS#11 shared library Add keys provided by the PKCS#11 shared library
@ -197,23 +197,18 @@ Identifies the path of a
.Ux Ns -domain .Ux Ns -domain
socket used to communicate with the agent. socket used to communicate with the agent.
.It Ev SSH_SK_PROVIDER .It Ev SSH_SK_PROVIDER
Specifies the path to a security key provider library used to interact with Specifies the path to a library used to interact with FIDO authenticators.
hardware security keys.
.El .El
.Sh FILES .Sh FILES
.Bl -tag -width Ds .Bl -tag -width Ds -compact
.It Pa ~/.ssh/id_dsa .It Pa ~/.ssh/id_dsa
Contains the DSA authentication identity of the user.
.It Pa ~/.ssh/id_ecdsa .It Pa ~/.ssh/id_ecdsa
Contains the ECDSA authentication identity of the user.
.It Pa ~/.ssh/id_ecdsa_sk .It Pa ~/.ssh/id_ecdsa_sk
Contains the security key-hosted ECDSA authentication identity of the user.
.It Pa ~/.ssh/id_ed25519 .It Pa ~/.ssh/id_ed25519
Contains the Ed25519 authentication identity of the user.
.It Pa ~/.ssh/id_ed25519_sk .It Pa ~/.ssh/id_ed25519_sk
Contains the security key-hosted Ed25519 authentication identity of the user.
.It Pa ~/.ssh/id_rsa .It Pa ~/.ssh/id_rsa
Contains the RSA authentication identity of the user. Contains the DSA, ECDSA, authenticator-hosted ECDSA, Ed25519,
authenticator-hosted Ed25519 or RSA authentication identity of the user.
.El .El
.Pp .Pp
Identity files should not be readable by anyone but the user. Identity files should not be readable by anyone but the user.
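Review bot: the FILES restructuring in this hunk (switching the list to -compact and collapsing the six per-file descriptions into a single sentence under ~/.ssh/id_rsa) goes beyond the rename the commit message describes and should be mentioned there, or split out. The new layout does match what ssh-keygen.1 already uses, so the end result is consistent; just confirm that the order of types in the merged sentence ("DSA, ECDSA, authenticator-hosted ECDSA, Ed25519, authenticator-hosted Ed25519 or RSA") follows the order of the .It Pa entries above it, since that ordering is now the only thing that tells the reader which file holds which key type. It does here.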


@ -1,4 +1,4 @@
.\" $OpenBSD: ssh-agent.1,v 1.69 2019/11/30 07:07:59 jmc Exp $ .\" $OpenBSD: ssh-agent.1,v 1.70 2019/12/21 20:22:34 naddy Exp $
.\" .\"
.\" Author: Tatu Ylonen <ylo@cs.hut.fi> .\" Author: Tatu Ylonen <ylo@cs.hut.fi>
.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -34,7 +34,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\" .\"
.Dd $Mdocdate: November 30 2019 $ .Dd $Mdocdate: December 21 2019 $
.Dt SSH-AGENT 1 .Dt SSH-AGENT 1
.Os .Os
.Sh NAME .Sh NAME
@ -98,8 +98,8 @@ Kill the current agent (given by the
.Ev SSH_AGENT_PID .Ev SSH_AGENT_PID
environment variable). environment variable).
.It Fl P Ar provider_whitelist .It Fl P Ar provider_whitelist
Specify a pattern-list of acceptable paths for PKCS#11 and security key shared Specify a pattern-list of acceptable paths for PKCS#11 and FIDO authenticator
libraries that may be used with the shared libraries that may be used with the
.Fl S .Fl S
or or
.Fl s .Fl s
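Review bot: "FIDO authenticator shared libraries" can be read as libraries that live on the authenticator, whereas what -P whitelists is the path of the provider library the agent loads on behalf of ssh-add -S (and the PKCS#11 module for -s). Suggest "acceptable paths for PKCS#11 and FIDO authenticator provider shared libraries". Precision matters for this option in particular: the pattern-list is what limits which shared objects a client can ask the agent to load into its own process, so the description should leave no doubt about which file it constrains.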


@ -1,4 +1,4 @@
.\" $OpenBSD: ssh-keygen.1,v 1.179 2019/11/30 07:07:59 jmc Exp $ .\" $OpenBSD: ssh-keygen.1,v 1.180 2019/12/21 20:22:34 naddy Exp $
.\" .\"
.\" Author: Tatu Ylonen <ylo@cs.hut.fi> .\" Author: Tatu Ylonen <ylo@cs.hut.fi>
.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -35,7 +35,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\" .\"
.Dd $Mdocdate: November 30 2019 $ .Dd $Mdocdate: December 21 2019 $
.Dt SSH-KEYGEN 1 .Dt SSH-KEYGEN 1
.Os .Os
.Sh NAME .Sh NAME
@ -537,7 +537,7 @@ Allows X11 forwarding.
.It Ic no-touch-required .It Ic no-touch-required
Do not require signatures made using this key require demonstration Do not require signatures made using this key require demonstration
of user presence (e.g. by having the user touch the key). of user presence (e.g. by having the user touch the key).
This option only makes sense for the Security Key algorithms This option only makes sense for the FIDO authenticator algorithms
.Cm ecdsa-sk .Cm ecdsa-sk
and and
.Cm ed25519-sk . .Cm ed25519-sk .
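Review bot: the first sentence of this entry still reads "Do not require signatures made using this key require demonstration of user presence", with a doubled "require", and the example "(e.g. by having the user touch the key)" reintroduces exactly the key/authenticator ambiguity this commit is removing. Suggest: "Do not require signatures made using this key to demonstrate user presence (e.g. by having the user touch the authenticator)." The sshd_config.5 hunk in this same change already says "touching the authenticator", so this would bring the two descriptions in line.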
@ -673,11 +673,11 @@ The maximum is 3.
.It Fl W Ar generator .It Fl W Ar generator
Specify desired generator when testing candidate moduli for DH-GEX. Specify desired generator when testing candidate moduli for DH-GEX.
.It Fl w Ar provider .It Fl w Ar provider
Specifies a path to a security key provider library that will be used when Specifies a path to a library that will be used when creating
creating any security key-hosted keys, overriding the default of the FIDO authenticator-hosted keys, overriding the default of using
internal support for USB HID keys. the internal USB HID support.
.It Fl x Ar flags .It Fl x Ar flags
Specifies the security key flags to use when enrolling a security key-hosted Specifies the authenticator flags to use when enrolling an authenticator-hosted
key. key.
Flags may be specified by name or directly as a hexadecimal value. Flags may be specified by name or directly as a hexadecimal value.
Only one named flag is supported at present: Only one named flag is supported at present:
@ -1053,8 +1053,7 @@ user2@example.com namespaces="file" ssh-ed25519 AAA41...
.Sh ENVIRONMENT .Sh ENVIRONMENT
.Bl -tag -width Ds .Bl -tag -width Ds
.It Ev SSH_SK_PROVIDER .It Ev SSH_SK_PROVIDER
Specifies the path to a security key provider library used to interact with Specifies the path to a library used to interact with FIDO authenticators.
hardware security keys.
.El .El
.Sh FILES .Sh FILES
.Bl -tag -width Ds -compact .Bl -tag -width Ds -compact
@ -1064,8 +1063,8 @@ hardware security keys.
.It Pa ~/.ssh/id_ed25519 .It Pa ~/.ssh/id_ed25519
.It Pa ~/.ssh/id_ed25519_sk .It Pa ~/.ssh/id_ed25519_sk
.It Pa ~/.ssh/id_rsa .It Pa ~/.ssh/id_rsa
Contains the DSA, ECDSA, security key-hosted ECDSA, Ed25519, Contains the DSA, ECDSA, authenticator-hosted ECDSA, Ed25519,
security key-hosted Ed25519 or RSA authentication identity of the user. authenticator-hosted Ed25519 or RSA authentication identity of the user.
This file should not be readable by anyone but the user. This file should not be readable by anyone but the user.
It is possible to It is possible to
specify a passphrase when generating the key; that passphrase will be specify a passphrase when generating the key; that passphrase will be
@ -1082,8 +1081,8 @@ will read this file when a login attempt is made.
.It Pa ~/.ssh/id_ed25519.pub .It Pa ~/.ssh/id_ed25519.pub
.It Pa ~/.ssh/id_ed25519_sk.pub .It Pa ~/.ssh/id_ed25519_sk.pub
.It Pa ~/.ssh/id_rsa.pub .It Pa ~/.ssh/id_rsa.pub
Contains the DSA, ECDSA, security key-hosted ECDSA, Ed25519, Contains the DSA, ECDSA, authenticator-hosted ECDSA, Ed25519,
security key-hosted Ed25519 or RSA public key for authentication. authenticator-hosted Ed25519 or RSA public key for authentication.
The contents of this file should be added to The contents of this file should be added to
.Pa ~/.ssh/authorized_keys .Pa ~/.ssh/authorized_keys
on all machines on all machines


@ -1,4 +1,4 @@
.\" $OpenBSD: ssh-sk-helper.8,v 1.2 2019/11/30 07:07:59 jmc Exp $ .\" $OpenBSD: ssh-sk-helper.8,v 1.3 2019/12/21 20:22:34 naddy Exp $
.\" .\"
.\" Copyright (c) 2010 Markus Friedl. All rights reserved. .\" Copyright (c) 2010 Markus Friedl. All rights reserved.
.\" .\"
@ -14,12 +14,12 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\" .\"
.Dd $Mdocdate: November 30 2019 $ .Dd $Mdocdate: December 21 2019 $
.Dt SSH-SK-HELPER 8 .Dt SSH-SK-HELPER 8
.Os .Os
.Sh NAME .Sh NAME
.Nm ssh-sk-helper .Nm ssh-sk-helper
.Nd OpenSSH helper for security key support .Nd OpenSSH helper for FIDO authenticator support
.Sh SYNOPSIS .Sh SYNOPSIS
.Nm .Nm
.Op Fl v .Op Fl v
@ -27,7 +27,7 @@
.Nm .Nm
is used by is used by
.Xr ssh-agent 1 .Xr ssh-agent 1
to access keys provided by a security key. to access keys provided by a FIDO authenticator.
.Pp .Pp
.Nm .Nm
is not intended to be invoked by the user, but from is not intended to be invoked by the user, but from

ssh.1 (12 lines changed)

@ -33,8 +33,8 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\" .\"
.\" $OpenBSD: ssh.1,v 1.408 2019/11/30 07:07:59 jmc Exp $ .\" $OpenBSD: ssh.1,v 1.409 2019/12/21 20:22:34 naddy Exp $
.Dd $Mdocdate: November 30 2019 $ .Dd $Mdocdate: December 21 2019 $
.Dt SSH 1 .Dt SSH 1
.Os .Os
.Sh NAME .Sh NAME
@ -903,11 +903,11 @@ This stores the private key in
.Pa ~/.ssh/id_ecdsa .Pa ~/.ssh/id_ecdsa
(ECDSA), (ECDSA),
.Pa ~/.ssh/id_ecdsa_sk .Pa ~/.ssh/id_ecdsa_sk
(security key-hosted ECDSA), (authenticator-hosted ECDSA),
.Pa ~/.ssh/id_ed25519 .Pa ~/.ssh/id_ed25519
(Ed25519), (Ed25519),
.Pa ~/.ssh/id_ed25519_sk .Pa ~/.ssh/id_ed25519_sk
(security key-hosted Ed25519), (authenticator-hosted Ed25519),
or or
.Pa ~/.ssh/id_rsa .Pa ~/.ssh/id_rsa
(RSA) (RSA)
@ -917,11 +917,11 @@ and stores the public key in
.Pa ~/.ssh/id_ecdsa.pub .Pa ~/.ssh/id_ecdsa.pub
(ECDSA), (ECDSA),
.Pa ~/.ssh/id_ecdsa_sk.pub .Pa ~/.ssh/id_ecdsa_sk.pub
(security key-hosted ECDSA), (authenticator-hosted ECDSA),
.Pa ~/.ssh/id_ed25519.pub .Pa ~/.ssh/id_ed25519.pub
(Ed25519), (Ed25519),
.Pa ~/.ssh/id_ed25519_sk.pub .Pa ~/.ssh/id_ed25519_sk.pub
(security key-hosted Ed25519), (authenticator-hosted Ed25519),
or or
.Pa ~/.ssh/id_rsa.pub .Pa ~/.ssh/id_rsa.pub
(RSA) (RSA)


@ -33,7 +33,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\" .\"
.\" $OpenBSD: ssh_config.5,v 1.312 2019/12/21 02:19:13 djm Exp $ .\" $OpenBSD: ssh_config.5,v 1.313 2019/12/21 20:22:34 naddy Exp $
.Dd $Mdocdate: December 21 2019 $ .Dd $Mdocdate: December 21 2019 $
.Dt SSH_CONFIG 5 .Dt SSH_CONFIG 5
.Os .Os
@ -936,8 +936,8 @@ or the tokens described in the
.Sx TOKENS .Sx TOKENS
section. section.
.It Cm IdentityFile .It Cm IdentityFile
Specifies a file from which the user's DSA, ECDSA, security key-hosted ECDSA, Specifies a file from which the user's DSA, ECDSA, authenticator-hosted ECDSA,
Ed25519 or RSA authentication identity is read. Ed25519, authenticator-hosted Ed25519 or RSA authentication identity is read.
The default is The default is
.Pa ~/.ssh/id_dsa , .Pa ~/.ssh/id_dsa ,
.Pa ~/.ssh/id_ecdsa , .Pa ~/.ssh/id_ecdsa ,
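Review bot: besides the rename, this hunk adds "authenticator-hosted Ed25519" to the list of identity types IdentityFile reads, which the old text omitted, so it is a content fix and deserves a mention in the commit message. Please also check that the default list that follows (.Pa ~/.ssh/id_dsa, ~/.ssh/id_ecdsa, ...) contains ~/.ssh/id_ed25519_sk in the corresponding position; otherwise the prose and the stated defaults would disagree about the same key type.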
@ -1462,9 +1462,9 @@ an OpenSSH Key Revocation List (KRL) as generated by
For more information on KRLs, see the KEY REVOCATION LISTS section in For more information on KRLs, see the KEY REVOCATION LISTS section in
.Xr ssh-keygen 1 . .Xr ssh-keygen 1 .
.It Cm SecurityKeyProvider .It Cm SecurityKeyProvider
Specifies a path to a security key provider library that will be used when Specifies a path to a library that will be used when loading any
loading any security key-hosted keys, overriding the default of using FIDO authenticator-hosted keys, overriding the default of using
the built-in support for USB HID keys. the built-in USB HID support.
.Pp .Pp
If the specified value begins with a If the specified value begins with a
.Sq $ .Sq $
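Review bot: the keyword stays SecurityKeyProvider while the description now speaks only of "a library" for "FIDO authenticator-hosted keys", so nothing in the entry any longer ties the keyword's name to what it configures. Suggest "Specifies a path to a FIDO authenticator provider library that will be used when loading authenticator-hosted keys, ...", which keeps the name self-explanatory and matches the SSH_SK_PROVIDER environment variable documented in ssh-add(1) and ssh-keygen(1). The same applies to the sshd_config(5) SecurityKeyProvider entry in this change. The keyword itself should of course stay as it is; renaming it would break existing configurations for a purely terminological gain.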

sshd.8 (6 lines changed)

@ -33,8 +33,8 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\" .\"
.\" $OpenBSD: sshd.8,v 1.310 2019/12/19 03:50:01 dtucker Exp $ .\" $OpenBSD: sshd.8,v 1.311 2019/12/21 20:22:34 naddy Exp $
.Dd $Mdocdate: December 19 2019 $ .Dd $Mdocdate: December 21 2019 $
.Dt SSHD 8 .Dt SSHD 8
.Os .Os
.Sh NAME .Sh NAME
@ -627,7 +627,7 @@ option.
.It Cm no-touch-required .It Cm no-touch-required
Do not require demonstration of user presence Do not require demonstration of user presence
for signatures made using this key. for signatures made using this key.
This option only makes sense for the Security Key algorithms This option only makes sense for the FIDO authenticator algorithms
.Cm ecdsa-sk .Cm ecdsa-sk
and and
.Cm ed25519-sk . .Cm ed25519-sk .


@ -33,8 +33,8 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\" .\"
.\" $OpenBSD: sshd_config.5,v 1.296 2019/12/19 15:09:30 naddy Exp $ .\" $OpenBSD: sshd_config.5,v 1.297 2019/12/21 20:22:34 naddy Exp $
.Dd $Mdocdate: December 19 2019 $ .Dd $Mdocdate: December 21 2019 $
.Dt SSHD_CONFIG 5 .Dt SSHD_CONFIG 5
.Os .Os
.Sh NAME .Sh NAME
@ -1462,20 +1462,20 @@ and
.Pp .Pp
The The
.Cm touch-required .Cm touch-required
option causes public key authentication using a security key algorithm option causes public key authentication using a FIDO authenticator algorithm
(i.e.\& (i.e.\&
.Cm ecdsa-sk .Cm ecdsa-sk
or or
.Cm ed25519-sk ) .Cm ed25519-sk )
to always require the signature to attest that a physically present user to always require the signature to attest that a physically present user
explicitly confirmed the authentication (usually by touching the security key). explicitly confirmed the authentication (usually by touching the authenticator).
By default, By default,
.Xr sshd 8 .Xr sshd 8
requires key touch unless overridden with an authorized_keys option. requires user presence unless overridden with an authorized_keys option.
The The
.Cm touch-required .Cm touch-required
flag disables this override. flag disables this override.
This option has no effect for other, non-security key, public key types. This option has no effect for other, non-authenticator public key types.
.It Cm PubkeyAuthentication .It Cm PubkeyAuthentication
Specifies whether public key authentication is allowed. Specifies whether public key authentication is allowed.
The default is The default is
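Review bot: "unless overridden with an authorized_keys option" should name the option; the sshd.8 hunk in this same change documents it as no-touch-required, and naming it here removes any guesswork about which override the touch-required flag disables. The change from "requires key touch" to "requires user presence" is the right generalisation: user presence is the property the ecdsa-sk/ed25519-sk signature attests to, as the preceding sentence says, and a touch is only the usual way an authenticator collects it.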
@ -1527,9 +1527,9 @@ If the routing domain is set to
.Cm \&%D , .Cm \&%D ,
then the domain in which the incoming connection was received will be applied. then the domain in which the incoming connection was received will be applied.
.It Cm SecurityKeyProvider .It Cm SecurityKeyProvider
Specifies a path to a security key provider library that will be used when Specifies a path to a library that will be used when loading
loading any security key-hosted keys, overriding the default of using FIDO authenticator-hosted keys, overriding the default of using
the built-in support for USB HID keys. the built-in USB HID support.
.It Cm SetEnv .It Cm SetEnv
Specifies one or more environment variables to set in child sessions started Specifies one or more environment variables to set in child sessions started
by by