Commit Graph

128 Commits

Author SHA1 Message Date
jmc@openbsd.org 9283884e64 upstream commit
correct article;

Upstream-ID: 1fbd5b7ab16d2d9834ec79c3cedd4738fa42a168
2016-05-05 00:01:49 +10:00
djm@openbsd.org cdcd941994 upstream commit
make nethack^wrandomart fingerprint flag more readily
 searchable pointed out by Matt Johnston

Upstream-ID: cb40d0235dc153c478c1aad3bc60b195422a54fb
2016-05-04 01:58:46 +10:00
jmc@openbsd.org a685ae8d1c upstream commit
since these pages now clearly tell folks to avoid v1,
 normalise the docs from a v2 perspective (i.e. stop pointing out which bits
 are v2 only);

ok/tweaks djm ok markus

Upstream-ID: eb474f8c36fb6a532dc05c282f7965e38dcfa129
2016-02-18 09:24:40 +11:00
djm@openbsd.org 94bc0b72c2 upstream commit
support multiple certificates (one per line) and
 reading from standard input (using "-f -") for "ssh-keygen -L"; ok dtucker@

Upstream-ID: ecbadeeef3926e5be6281689b7250a32a80e88db
2015-11-16 11:31:36 +11:00
jmc@openbsd.org 8b29008bbe upstream commit
"commandline" -> "command line", since there are so few
 examples of the former in the pages, so many of the latter, and in some of
 these pages we had multiple spellings;

prompted by tj

Upstream-ID: 78459d59bff74223f8139d9001ccd56fc4310659
2015-11-09 14:25:35 +11:00
naddy@openbsd.org 05291e5288 upstream commit
In the certificates section, be consistent about using
 "host_key" and "user_key" for the respective key types.  ok sthen@ deraadt@

Upstream-ID: 9e037ea3b15577b238604c5533e082a3947f13cb
2015-08-21 13:43:24 +10:00
djm@openbsd.org 933935ce8d upstream commit
refuse to generate or accept RSA keys smaller than 1024
 bits; feedback and ok dtucker@

Upstream-ID: 7ea3d31271366ba264f06e34a3539bf1ac30f0ba
2015-07-15 15:36:02 +10:00
naddy@openbsd.org 6288e3a935 upstream commit
add -v (show ASCII art) to -l's synopsis; ok djm@
2015-02-26 04:32:08 +11:00
djm@openbsd.org 56d1c83cdd upstream commit
Add FingerprintHash option to control algorithm used for
 key fingerprints. Default changes from MD5 to SHA256 and format from hex to
 base64.

Feedback and ok naddy@ markus@
2014-12-22 09:32:29 +11:00
sobrado@openbsd.org f70b22bcdd upstream commit
improve capitalization for the Ed25519 public-key
 signature system.

ok djm@
2014-10-13 11:37:32 +11:00
Damien Miller 43b156cf72 - jmc@cvs.openbsd.org 2014/03/31 13:39:34
[ssh-keygen.1]
     the text for the -K option was inserted in the wrong place in -r1.108;
     fix From: Matthew Clarke
2014-04-20 13:23:03 +10:00
Damien Miller f0858de6e1 - deraadt@cvs.openbsd.org 2014/03/15 17:28:26
[ssh-agent.c ssh-keygen.1 ssh-keygen.c]
     Improve usage() and documentation towards the standard form.
     In particular, this line saves a lot of man page reading time.
       usage: ssh-keygen [-q] [-b bits] [-t dsa | ecdsa | ed25519 | rsa | rsa1]
                         [-N new_passphrase] [-C comment] [-f output_keyfile]
     ok schwarze jmc
2014-04-20 13:01:30 +10:00
Damien Miller 6ce35b6cc4 - naddy@cvs.openbsd.org 2014/02/05 20:13:25
[ssh-keygen.1 ssh-keygen.c]
     tweak synopsis: calling ssh-keygen without any arguments is fine; ok jmc@
     while here, fix ordering in usage(); requested by jmc@
2014-02-07 09:24:14 +11:00
Damien Miller 137977180b - tedu@cvs.openbsd.org 2013/12/21 07:10:47
[ssh-keygen.1]
     small typo
2013-12-29 17:47:14 +11:00
Damien Miller 8ba0ead698 - naddy@cvs.openbsd.org 2013/12/07 11:58:46
[ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh-keysign.8 ssh.1]
     [ssh_config.5 sshd.8 sshd_config.5]
     add missing mentions of ed25519; ok djm@
2013-12-18 17:46:27 +11:00
Damien Miller 4f752cf71c - djm@cvs.openbsd.org 2013/12/07 08:08:26
[ssh-keygen.1]
     document -a and -o wrt new key format
2013-12-18 17:45:35 +11:00
Damien Miller fecfd118d6 - jmc@cvs.openbsd.org 2013/06/27 14:05:37
[ssh-keygen.1 ssh.1 ssh_config.5 sshd.8 sshd_config.5]
     do not use Sx for sections outwith the man page - ingo informs me that
     stuff like html will render with broken links;

     issue reported by Eric S. Raymond, via djm
2013-07-18 16:11:50 +10:00
Damien Miller a0a7ee8bf4 - jmc@cvs.openbsd.org 2013/01/19 07:13:25
[ssh-keygen.1]
     fix some formatting; ok djm
2013-01-20 22:35:06 +11:00
Damien Miller 881a7a2c5d - jmc@cvs.openbsd.org 2013/01/18 21:48:43
[ssh-keygen.1]
     command-line (adj.) -> command line (n.);
2013-01-20 22:34:46 +11:00
Damien Miller 072fdcd198 - jmc@cvs.openbsd.org 2013/01/18 08:39:04
[ssh-keygen.1]
     add -Q to the options list; ok djm
2013-01-20 22:34:04 +11:00
Damien Miller ac5542b6b8 - jmc@cvs.openbsd.org 2013/01/18 07:57:47
[ssh-keygen.1]
     tweak previous;
2013-01-20 22:33:02 +11:00
Damien Miller f3747bf401 - djm@cvs.openbsd.org 2013/01/17 23:00:01
[auth.c key.c key.h ssh-keygen.1 ssh-keygen.c sshd_config.5]
     [krl.c krl.h PROTOCOL.krl]
     add support for Key Revocation Lists (KRLs). These are a compact way to
     represent lists of revoked keys and certificates, taking as little as
     a single bit of incremental cost to revoke a certificate by serial number.
     KRLs are loaded via the existing RevokedKeys sshd_config option.
     feedback and ok markus@
2013-01-18 11:44:04 +11:00
Darren Tucker 3ee50c5d9f - jmc@cvs.openbsd.org 2012/08/15 18:25:50
[ssh-keygen.1]
     a little more info on certificate validity;
     requested by Ross L Richardson, and provided by djm
2012-09-06 21:18:11 +10:00
Damien Miller dfceafe8b1 - dtucker@cvs.openbsd.org 2012/07/06 00:41:59
[moduli.c ssh-keygen.1 ssh-keygen.c]
     Add options to specify starting line number and number of lines to process
     when screening moduli candidates.  This allows processing of different
     parts of a candidate moduli file in parallel.  man page help jmc@, ok djm@
2012-07-06 13:44:19 +10:00
Damien Miller 390d0561fc - dtucker@cvs.openbsd.org 2011/10/16 11:02:46
[moduli.c ssh-keygen.1 ssh-keygen.c]
     Add optional checkpoints for moduli screening.  feedback & ok deraadt
2011-10-18 16:05:19 +11:00
Damien Miller 6232a16a9a - deraadt@cvs.openbsd.org 2011/09/07 02:18:31
[ssh-keygen.1]
     typo (they vs the) found by Lawrence Teo
2011-09-22 21:36:00 +10:00
Damien Miller ad21032e65 - djm@cvs.openbsd.org 2011/04/13 04:09:37
[ssh-keygen.1]
     mention valid -b sizes for ECDSA keys; bz#1862
2011-05-05 14:15:54 +10:00
Damien Miller 085c90fa20 - djm@cvs.openbsd.org 2011/04/13 04:02:48
[ssh-keygen.1]
     improve wording; bz#1861
2011-05-05 14:15:33 +10:00
Damien Miller 3ca1eb373f - jmc@cvs.openbsd.org 2011/03/24 15:29:30
[ssh-keygen.1]
     zap trailing whitespace;
2011-05-05 14:13:50 +10:00
Damien Miller 4a4d161545 - stevesk@cvs.openbsd.org 2011/03/23 16:24:56
[ssh-keygen.1]
     -q not used in /etc/rc now so remove statement.
2011-05-05 14:06:39 +10:00
Damien Miller 58f1bafb3d - stevesk@cvs.openbsd.org 2011/03/23 15:16:22
[ssh-keygen.1 ssh-keygen.c]
     Add -A option.  For each of the key types (rsa1, rsa, dsa and ecdsa)
     for which host keys do not exist, generate the host keys with the
     default key file path, an empty passphrase, default bits for the key
     type, and default comment.  This will be used by /etc/rc to generate
     new host keys.  Idea from deraadt.
     ok deraadt
2011-05-05 14:06:15 +10:00
Damien Miller 55fa56505b - jmc@cvs.openbsd.org 2010/10/28 18:33:28
[scp.1 ssh-add.1 ssh-keygen.1 ssh.1 ssh_config.5 sshd.8 sshd_config.5]
     knock out some "-*- nroff -*-" lines;
2010-11-05 10:20:14 +11:00
Damien Miller 6186bbc7fb - naddy@cvs.openbsd.org 2010/09/10 15:19:29
[ssh-keygen.1]
     * mention ECDSA in more places
     * less repetition in FILES section
     * SSHv1 keys are still encrypted with 3DES
     help and ok jmc@
2010-09-24 22:00:54 +10:00
Damien Miller eb8b60e320 - djm@cvs.openbsd.org 2010/08/31 11:54:45
[PROTOCOL PROTOCOL.agent PROTOCOL.certkeys auth2-jpake.c authfd.c]
     [authfile.c buffer.h dns.c kex.c kex.h key.c key.h monitor.c]
     [monitor_wrap.c myproposal.h packet.c packet.h pathnames.h readconf.c]
     [ssh-add.1 ssh-add.c ssh-agent.1 ssh-agent.c ssh-keygen.1 ssh-keygen.c]
     [ssh-keyscan.1 ssh-keyscan.c ssh-keysign.8 ssh.1 ssh.c ssh2.h]
     [ssh_config.5 sshconnect.c sshconnect2.c sshd.8 sshd.c sshd_config.5]
     [uuencode.c uuencode.h bufec.c kexecdh.c kexecdhc.c kexecdhs.c ssh-ecdsa.c]
     Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and
     host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer
     better performance than plain DH and DSA at the same equivalent symmetric
     key length, as well as much shorter keys.

     Only the mandatory sections of RFC5656 are implemented, specifically the
     three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and
     ECDSA. Point compression (optional in RFC5656 is NOT implemented).

     Certificate host and user keys using the new ECDSA key types are supported.

     Note that this code has not been tested for interoperability and may be
     subject to change.

     feedback and ok markus@
2010-08-31 22:41:14 +10:00
Damien Miller 757f34e051 - djm@cvs.openbsd.org 2010/08/04 06:07:11
[ssh-keygen.1 ssh-keygen.c]
     Support CA keys in PKCS#11 tokens; feedback and ok markus@
2010-08-05 13:05:31 +10:00
Damien Miller bad5e03bfd - schwarze@cvs.openbsd.org 2010/07/15 21:20:38
[ssh-keygen.1]
     repair incorrect block nesting, which screwed up indentation;
     problem reported and fix OK by jmc@
2010-07-16 13:59:59 +10:00
Damien Miller ea72728ffe - jmc@cvs.openbsd.org 2010/06/30 07:24:25
[ssh-keygen.1]
     tweak previous;
2010-07-02 13:35:34 +10:00
Damien Miller 44b2504011 - djm@cvs.openbsd.org 2010/06/29 23:15:30
[ssh-keygen.1 ssh-keygen.c]
     allow import (-i) and export (-e) of PEM and PKCS#8 encoded keys;
     bz#1749; ok markus@
2010-07-02 13:35:01 +10:00
Damien Miller 1f181425e9 - jmc@cvs.openbsd.org 2010/04/16 06:47:04
[ssh-keygen.1 ssh-keygen.c]
     tweak previous; ok djm
2010-04-18 08:08:03 +10:00
Damien Miller 4e270b05dd - djm@cvs.openbsd.org 2010/04/16 01:47:26
[PROTOCOL.certkeys auth-options.c auth-options.h auth-rsa.c]
     [auth2-pubkey.c authfd.c key.c key.h myproposal.h ssh-add.c]
     [ssh-agent.c ssh-dss.c ssh-keygen.1 ssh-keygen.c ssh-rsa.c]
     [sshconnect.c sshconnect2.c sshd.c]
     revised certificate format ssh-{dss,rsa}-cert-v01@openssh.com with the
     following changes:

     move the nonce field to the beginning of the certificate where it can
     better protect against chosen-prefix attacks on the signature hash

     Rename "constraints" field to "critical options"

     Add a new non-critical "extensions" field

     Add a serial number

     The older format is still support for authentication and cert generation
     (use "ssh-keygen -t v00 -s ca_key ..." to generate a v00 certificate)

     ok markus@
2010-04-16 15:56:21 +10:00
Damien Miller 5a5d94b12f - jmc@cvs.openbsd.org 2010/03/13 23:38:13
[ssh-keygen.1]
     fix a formatting error (args need quoted); noted by stevesk
2010-03-22 05:57:49 +11:00
Damien Miller 1b61a2825e - djm@cvs.openbsd.org 2010/03/13 21:45:46
[ssh-keygen.1]
     Certificates are named *-cert.pub, not *_cert.pub; committing a diff
     from stevesk@ ok me
2010-03-22 05:55:06 +11:00
Damien Miller 77497e1318 - jmc@cvs.openbsd.org 2010/03/10 07:40:35
[ssh-keygen.1]
     typos; from Ross Richardson
     closes prs 6334 and 6335
2010-03-22 05:50:51 +11:00
Damien Miller c59e2443d3 - jmc@cvs.openbsd.org 2010/03/08 09:41:27
[ssh-keygen.1]
     sort the list of constraints (to -O); ok djm
2010-03-22 05:50:31 +11:00
Damien Miller 081c976e1c - djm@cvs.openbsd.org 2010/03/08 00:28:55
[ssh-keygen.1]
     document permit-agent-forwarding certificate constraint; patch from
     stevesk@
2010-03-08 11:30:00 +11:00
Damien Miller 8f6c337563 - jmc@cvs.openbsd.org 2010/03/04 22:52:40
[ssh-keygen.1]
     fix Bk/Ek;
2010-03-05 10:41:26 +11:00
Damien Miller f2b70cad75 - djm@cvs.openbsd.org 2010/03/04 20:35:08
[ssh-keygen.1 ssh-keygen.c]
     Add a -L flag to print the contents of a certificate; ok markus@
2010-03-05 07:39:35 +11:00
Damien Miller 15f5b560b1 - jmc@cvs.openbsd.org 2010/02/26 22:09:28
[ssh-keygen.1 ssh.1 sshd.8]
     tweak previous;
2010-03-03 10:25:21 +11:00
Damien Miller 0a80ca190a - OpenBSD CVS Sync
- djm@cvs.openbsd.org 2010/02/26 20:29:54
     [PROTOCOL PROTOCOL.agent PROTOCOL.certkeys addrmatch.c auth-options.c]
     [auth-options.h auth.h auth2-pubkey.c authfd.c dns.c dns.h hostfile.c]
     [hostfile.h kex.h kexdhs.c kexgexs.c key.c key.h match.h monitor.c]
     [myproposal.h servconf.c servconf.h ssh-add.c ssh-agent.c ssh-dss.c]
     [ssh-keygen.1 ssh-keygen.c ssh-rsa.c ssh.1 ssh.c ssh2.h sshconnect.c]
     [sshconnect2.c sshd.8 sshd.c sshd_config.5]
     Add support for certificate key types for users and hosts.

     OpenSSH certificate key types are not X.509 certificates, but a much
     simpler format that encodes a public key, identity information and
     some validity constraints and signs it with a CA key. CA keys are
     regular SSH keys. This certificate style avoids the attack surface
     of X.509 certificates and is very easy to deploy.

     Certified host keys allow automatic acceptance of new host keys
     when a CA certificate is marked as sh/known_hosts.
     see VERIFYING HOST KEYS in ssh(1) for details.

     Certified user keys allow authentication of users when the signing
     CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS
     FILE FORMAT" in sshd(8) for details.

     Certificates are minted using ssh-keygen(1), documentation is in
     the "CERTIFICATES" section of that manpage.

     Documentation on the format of certificates is in the file
     PROTOCOL.certkeys

     feedback and ok markus@
2010-02-27 07:55:05 +11:00
Damien Miller a761844455 - markus@cvs.openbsd.org 2010/02/10 23:20:38
[ssh-add.1 ssh-keygen.1 ssh.1 ssh_config.5]
     pkcs#11 is no longer optional; improve wording; ok jmc@
2010-02-12 09:26:02 +11:00