upstream: Use new private key format by default. This format is
supported by OpenSSH >= 6.5 (released January 2014), so it should be supported by most OpenSSH versions in active use. It is possible to convert new-format private keys to the older format using "ssh-keygen -f /path/key -pm PEM". ok deraadt dtucker OpenBSD-Commit-ID: e3bd4f2509a2103bfa2f710733426af3ad6d8ab8
This commit is contained in:
parent
967226a1bd
commit
ed7bd5d93f
24
ssh-keygen.1
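--- a/ssh-keygen.1
+++ b/ssh-keygen.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ssh-keygen.1,v 1.147 2018/03/12 00:52:01 djm Exp $
+.\" $OpenBSD: ssh-keygen.1,v 1.148 2018/08/08 01:16:01 djm Exp $
 .\"
 .\" Author: Tatu Ylonen <ylo@cs.hut.fi>
 .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -35,7 +35,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 12 2018 $
+.Dd $Mdocdate: August 8 2018 $
 .Dt SSH-KEYGEN 1
 .Os
 .Sh NAME
@@ -233,10 +233,8 @@ This is used by
 .Pa /etc/rc
 to generate new host keys.
 .It Fl a Ar rounds
-When saving a new-format private key (i.e. an ed25519 key or when the
-.Fl o
-flag is set), this option specifies the number of KDF (key derivation function)
-rounds used.
+When saving a private key this option specifies the number of KDF
+(key derivation function) rounds used.
 Higher numbers result in slower passphrase verification and increased
 resistance to brute-force password cracking (should the keys be stolen).
 .Pp
@@ -264,8 +262,6 @@ flag will be ignored.
 Provides a new comment.
 .It Fl c
 Requests changing the comment in the private and public key files.
-This operation is only supported for keys stored in the
-newer OpenSSH format.
 The program will prompt for the file containing the private keys, for
 the passphrase if the key has one, and for the new comment.
 .It Fl D Ar pkcs11
@@ -410,6 +406,10 @@ or
 (PEM public key).
 The default conversion format is
 .Dq RFC4716 .
+Setting a format of
+.Dq PEM
+when generating or updating a supported private key type will cause the
+key to be stored in the legacy PEM private key format.
 .It Fl N Ar new_passphrase
 Provides the new passphrase.
 .It Fl n Ar principals
@@ -504,14 +504,6 @@ The
 is a comma-separated list of one or more address/netmask pairs in CIDR
 format.
 .El
-.It Fl o
-Causes
-.Nm
-to save private keys using the new OpenSSH format rather than
-the more compatible PEM format.
-The new format has increased resistance to brute-force password cracking
-but is not supported by versions of OpenSSH prior to 6.5.
-Ed25519 keys always use the new private key format.
 .It Fl P Ar passphrase
 Provides the (old) passphrase.
 .It Fl p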
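--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-keygen.c,v 1.318 2018/07/09 21:59:10 markus Exp $ */
+/* $OpenBSD: ssh-keygen.c,v 1.319 2018/08/08 01:16:01 djm Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -179,7 +179,7 @@ char *key_type_name = NULL;
 char *pkcs11provider = NULL;
 
 /* Use new OpenSSH private key format when writing SSH2 keys instead of PEM */
-int use_new_format = 0;
+int use_new_format = 1;
 
 /* Cipher for new-format private keys */
 char *new_format_cipher = NULL;
@@ -2434,6 +2434,7 @@ main(int argc, char **argv)
 }
 if (strcasecmp(optarg, "PEM") == 0) {
 convert_format = FMT_PEM;
+use_new_format = 0;
 break;
 }
 fatal("Unsupported conversion format \"%s\"", optarg);
@@ -2441,7 +2442,7 @@ main(int argc, char **argv)
 cert_principals = optarg;
 break;
 case 'o':
-use_new_format = 1;
+/* no-op; new format is already the default */
 break;
 case 'p':
 change_passphrase = 1;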
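Review bot: The `case 'o':` body at `/* no-op; new format is already the default */` no longer overrides an earlier `-m PEM`, because the PEM branch in the preceding hunk now also clears the flag with `use_new_format = 0;`, so `ssh-keygen -m PEM -o` silently writes the legacy format where the previous code let `-o` win regardless of option order. If `-o` is meant to keep its long-documented meaning of "force the new format" for existing scripts, the case should assign `use_new_format = 1;` again rather than be a comment-only no-op; if `-m PEM` is intended to win, the comment should say so explicitly. The legacy PEM encoding also gives a passphrase far weaker brute-force resistance than the new format's KDF (the manual text this commit removes states as much), so the PEM branch deserves a why-comment such as `/* -m PEM selects the legacy private key format; weaker passphrase protection */` so the security trade-off is visible at the assignment. Whether the key-writing code ignores use_new_format for key types with no PEM encoding (ed25519) cannot be seen from this hunk. The enclosing main() starts and ends outside the hunk.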