Commit Graph

141 Commits

Author SHA1 Message Date
djm@openbsd.org@openbsd.org d52131a983 upstream commit
allow certificate validity intervals that specify only a
start or stop time (we already support specifying both or neither)

OpenBSD-Commit-ID: 9be486545603c003030bdb5c467d1318b46b4e42
2017-11-03 16:20:41 +11:00
jmc@openbsd.org dc44dd3a9e upstream commit
slightly rework previous, to avoid an article issue;

Upstream-ID: 15a315f0460ddd3d4e2ade1f16d6c640a8c41b30
2017-07-21 14:17:33 +10:00
djm@openbsd.org 853edbe057 upstream commit
When generating all hostkeys (ssh-keygen -A), clobber
existing keys if they exist but are zero length. zero-length keys could
previously be made if ssh-keygen failed part way through generating them, so
avoid that case too. bz#2561 reported by Krzysztof Cieplucha; ok dtucker@

Upstream-ID: f662201c28ab8e1f086b5d43c59cddab5ade4044
2017-07-21 14:17:32 +10:00
djm@openbsd.org a98339edbc upstream commit
Allow ssh-keygen to use a key held in ssh-agent as a CA when
signing certificates. bz#2377 ok markus

Upstream-ID: fb42e920b592edcbb5b50465739a867c09329c8f
2017-06-28 11:13:19 +10:00
naddy@openbsd.org 2e9c324b3a upstream commit
remove superfluous protocol 2 mentions; ok jmc@

Upstream-ID: 0aaf7567c9f2e50fac5906b6a500a39c33c4664d
2017-05-08 09:18:27 +10:00
jmc@openbsd.org 2b6f799e9b upstream commit
more protocol 1 stuff to go; ok djm

Upstream-ID: 307a30441d2edda480fd1661d998d36665671e47
2017-05-08 09:18:05 +10:00
jmc@openbsd.org f10c0d32cd upstream commit
rsa1 is no longer valid;

Upstream-ID: 9953d09ed9841c44b7dcf7019fa874783a709d89
2017-05-08 09:18:05 +10:00
jmc@openbsd.org 8b60ce8d81 upstream commit
more -O shuffle; ok djm

Upstream-ID: c239991a3a025cdbb030b73e990188dd9bfbeceb
2017-05-08 09:18:04 +10:00
jmc@openbsd.org 6b84897f7f upstream commit
tidy up -O somewhat; ok djm

Upstream-ID: 804405f716bf7ef15c1f36ab48581ca16aeb4d52
2017-05-08 09:18:04 +10:00
djm@openbsd.org 873d3e7d9a upstream commit
remove KEY_RSA1

ok markus@

Upstream-ID: 7408517b077c892a86b581e19f82a163069bf133
2017-05-01 10:05:01 +10:00
jmc@openbsd.org d4084cd230 upstream commit
tweak previous;

Upstream-ID: a3abc6857455299aa42a046d232b7984568bceb9
2017-05-01 09:35:38 +10:00
djm@openbsd.org 249516e428 upstream commit
allow ssh-keygen to include arbitrary string or flag
certificate extensions and critical options. ok markus@ dtucker@

Upstream-ID: 2cf28dd6c5489eb9fc136e0b667ac3ea10241646
2017-05-01 09:35:38 +10:00
jmc@openbsd.org b6cf84b51b upstream commit
keys stored in openssh format can have comments too; diff
from yonas yanfa, tweaked a bit;

ok djm

Upstream-ID: 03d48536da6e51510d73ade6fcd44ace731ceb27
2016-06-24 13:35:28 +10:00
jmc@openbsd.org 9283884e64 upstream commit
correct article;

Upstream-ID: 1fbd5b7ab16d2d9834ec79c3cedd4738fa42a168
2016-05-05 00:01:49 +10:00
djm@openbsd.org cdcd941994 upstream commit
make nethack^wrandomart fingerprint flag more readily
 searchable pointed out by Matt Johnston

Upstream-ID: cb40d0235dc153c478c1aad3bc60b195422a54fb
2016-05-04 01:58:46 +10:00
jmc@openbsd.org a685ae8d1c upstream commit
since these pages now clearly tell folks to avoid v1,
 normalise the docs from a v2 perspective (i.e. stop pointing out which bits
 are v2 only);

ok/tweaks djm ok markus

Upstream-ID: eb474f8c36fb6a532dc05c282f7965e38dcfa129
2016-02-18 09:24:40 +11:00
djm@openbsd.org 94bc0b72c2 upstream commit
support multiple certificates (one per line) and
 reading from standard input (using "-f -") for "ssh-keygen -L"; ok dtucker@

Upstream-ID: ecbadeeef3926e5be6281689b7250a32a80e88db
2015-11-16 11:31:36 +11:00
jmc@openbsd.org 8b29008bbe upstream commit
"commandline" -> "command line", since there are so few
 examples of the former in the pages, so many of the latter, and in some of
 these pages we had multiple spellings;

prompted by tj

Upstream-ID: 78459d59bff74223f8139d9001ccd56fc4310659
2015-11-09 14:25:35 +11:00
naddy@openbsd.org 05291e5288 upstream commit
In the certificates section, be consistent about using
 "host_key" and "user_key" for the respective key types.  ok sthen@ deraadt@

Upstream-ID: 9e037ea3b15577b238604c5533e082a3947f13cb
2015-08-21 13:43:24 +10:00
djm@openbsd.org 933935ce8d upstream commit
refuse to generate or accept RSA keys smaller than 1024
 bits; feedback and ok dtucker@

Upstream-ID: 7ea3d31271366ba264f06e34a3539bf1ac30f0ba
2015-07-15 15:36:02 +10:00
naddy@openbsd.org 6288e3a935 upstream commit
add -v (show ASCII art) to -l's synopsis; ok djm@
2015-02-26 04:32:08 +11:00
djm@openbsd.org 56d1c83cdd upstream commit
Add FingerprintHash option to control algorithm used for
 key fingerprints. Default changes from MD5 to SHA256 and format from hex to
 base64.

Feedback and ok naddy@ markus@
2014-12-22 09:32:29 +11:00
sobrado@openbsd.org f70b22bcdd upstream commit
improve capitalization for the Ed25519 public-key
 signature system.

ok djm@
2014-10-13 11:37:32 +11:00
Damien Miller 43b156cf72 - jmc@cvs.openbsd.org 2014/03/31 13:39:34
[ssh-keygen.1]
     the text for the -K option was inserted in the wrong place in -r1.108;
     fix From: Matthew Clarke
2014-04-20 13:23:03 +10:00
Damien Miller f0858de6e1 - deraadt@cvs.openbsd.org 2014/03/15 17:28:26
[ssh-agent.c ssh-keygen.1 ssh-keygen.c]
     Improve usage() and documentation towards the standard form.
     In particular, this line saves a lot of man page reading time.
       usage: ssh-keygen [-q] [-b bits] [-t dsa | ecdsa | ed25519 | rsa | rsa1]
                         [-N new_passphrase] [-C comment] [-f output_keyfile]
     ok schwarze jmc
2014-04-20 13:01:30 +10:00
Damien Miller 6ce35b6cc4 - naddy@cvs.openbsd.org 2014/02/05 20:13:25
[ssh-keygen.1 ssh-keygen.c]
     tweak synopsis: calling ssh-keygen without any arguments is fine; ok jmc@
     while here, fix ordering in usage(); requested by jmc@
2014-02-07 09:24:14 +11:00
Damien Miller 137977180b - tedu@cvs.openbsd.org 2013/12/21 07:10:47
[ssh-keygen.1]
     small typo
2013-12-29 17:47:14 +11:00
Damien Miller 8ba0ead698 - naddy@cvs.openbsd.org 2013/12/07 11:58:46
[ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh-keysign.8 ssh.1]
     [ssh_config.5 sshd.8 sshd_config.5]
     add missing mentions of ed25519; ok djm@
2013-12-18 17:46:27 +11:00
Damien Miller 4f752cf71c - djm@cvs.openbsd.org 2013/12/07 08:08:26
[ssh-keygen.1]
     document -a and -o wrt new key format
2013-12-18 17:45:35 +11:00
Damien Miller fecfd118d6 - jmc@cvs.openbsd.org 2013/06/27 14:05:37
[ssh-keygen.1 ssh.1 ssh_config.5 sshd.8 sshd_config.5]
     do not use Sx for sections outwith the man page - ingo informs me that
     stuff like html will render with broken links;

     issue reported by Eric S. Raymond, via djm
2013-07-18 16:11:50 +10:00
Damien Miller a0a7ee8bf4 - jmc@cvs.openbsd.org 2013/01/19 07:13:25
[ssh-keygen.1]
     fix some formatting; ok djm
2013-01-20 22:35:06 +11:00
Damien Miller 881a7a2c5d - jmc@cvs.openbsd.org 2013/01/18 21:48:43
[ssh-keygen.1]
     command-line (adj.) -> command line (n.);
2013-01-20 22:34:46 +11:00
Damien Miller 072fdcd198 - jmc@cvs.openbsd.org 2013/01/18 08:39:04
[ssh-keygen.1]
     add -Q to the options list; ok djm
2013-01-20 22:34:04 +11:00
Damien Miller ac5542b6b8 - jmc@cvs.openbsd.org 2013/01/18 07:57:47
[ssh-keygen.1]
     tweak previous;
2013-01-20 22:33:02 +11:00
Damien Miller f3747bf401 - djm@cvs.openbsd.org 2013/01/17 23:00:01
[auth.c key.c key.h ssh-keygen.1 ssh-keygen.c sshd_config.5]
     [krl.c krl.h PROTOCOL.krl]
     add support for Key Revocation Lists (KRLs). These are a compact way to
     represent lists of revoked keys and certificates, taking as little as
     a single bit of incremental cost to revoke a certificate by serial number.
     KRLs are loaded via the existing RevokedKeys sshd_config option.
     feedback and ok markus@
2013-01-18 11:44:04 +11:00
Darren Tucker 3ee50c5d9f - jmc@cvs.openbsd.org 2012/08/15 18:25:50
[ssh-keygen.1]
     a little more info on certificate validity;
     requested by Ross L Richardson, and provided by djm
2012-09-06 21:18:11 +10:00
Damien Miller dfceafe8b1 - dtucker@cvs.openbsd.org 2012/07/06 00:41:59
[moduli.c ssh-keygen.1 ssh-keygen.c]
     Add options to specify starting line number and number of lines to process
     when screening moduli candidates.  This allows processing of different
     parts of a candidate moduli file in parallel.  man page help jmc@, ok djm@
2012-07-06 13:44:19 +10:00
Damien Miller 390d0561fc - dtucker@cvs.openbsd.org 2011/10/16 11:02:46
[moduli.c ssh-keygen.1 ssh-keygen.c]
     Add optional checkpoints for moduli screening.  feedback & ok deraadt
2011-10-18 16:05:19 +11:00
Damien Miller 6232a16a9a - deraadt@cvs.openbsd.org 2011/09/07 02:18:31
[ssh-keygen.1]
     typo (they vs the) found by Lawrence Teo
2011-09-22 21:36:00 +10:00
Damien Miller ad21032e65 - djm@cvs.openbsd.org 2011/04/13 04:09:37
[ssh-keygen.1]
     mention valid -b sizes for ECDSA keys; bz#1862
2011-05-05 14:15:54 +10:00
Damien Miller 085c90fa20 - djm@cvs.openbsd.org 2011/04/13 04:02:48
[ssh-keygen.1]
     improve wording; bz#1861
2011-05-05 14:15:33 +10:00
Damien Miller 3ca1eb373f - jmc@cvs.openbsd.org 2011/03/24 15:29:30
[ssh-keygen.1]
     zap trailing whitespace;
2011-05-05 14:13:50 +10:00
Damien Miller 4a4d161545 - stevesk@cvs.openbsd.org 2011/03/23 16:24:56
[ssh-keygen.1]
     -q not used in /etc/rc now so remove statement.
2011-05-05 14:06:39 +10:00
Damien Miller 58f1bafb3d - stevesk@cvs.openbsd.org 2011/03/23 15:16:22
[ssh-keygen.1 ssh-keygen.c]
     Add -A option.  For each of the key types (rsa1, rsa, dsa and ecdsa)
     for which host keys do not exist, generate the host keys with the
     default key file path, an empty passphrase, default bits for the key
     type, and default comment.  This will be used by /etc/rc to generate
     new host keys.  Idea from deraadt.
     ok deraadt
2011-05-05 14:06:15 +10:00
Damien Miller 55fa56505b - jmc@cvs.openbsd.org 2010/10/28 18:33:28
[scp.1 ssh-add.1 ssh-keygen.1 ssh.1 ssh_config.5 sshd.8 sshd_config.5]
     knock out some "-*- nroff -*-" lines;
2010-11-05 10:20:14 +11:00
Damien Miller 6186bbc7fb - naddy@cvs.openbsd.org 2010/09/10 15:19:29
[ssh-keygen.1]
     * mention ECDSA in more places
     * less repetition in FILES section
     * SSHv1 keys are still encrypted with 3DES
     help and ok jmc@
2010-09-24 22:00:54 +10:00
Damien Miller eb8b60e320 - djm@cvs.openbsd.org 2010/08/31 11:54:45
[PROTOCOL PROTOCOL.agent PROTOCOL.certkeys auth2-jpake.c authfd.c]
     [authfile.c buffer.h dns.c kex.c kex.h key.c key.h monitor.c]
     [monitor_wrap.c myproposal.h packet.c packet.h pathnames.h readconf.c]
     [ssh-add.1 ssh-add.c ssh-agent.1 ssh-agent.c ssh-keygen.1 ssh-keygen.c]
     [ssh-keyscan.1 ssh-keyscan.c ssh-keysign.8 ssh.1 ssh.c ssh2.h]
     [ssh_config.5 sshconnect.c sshconnect2.c sshd.8 sshd.c sshd_config.5]
     [uuencode.c uuencode.h bufec.c kexecdh.c kexecdhc.c kexecdhs.c ssh-ecdsa.c]
     Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and
     host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer
     better performance than plain DH and DSA at the same equivalent symmetric
     key length, as well as much shorter keys.

     Only the mandatory sections of RFC5656 are implemented, specifically the
     three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and
     ECDSA. Point compression (optional in RFC5656 is NOT implemented).

     Certificate host and user keys using the new ECDSA key types are supported.

     Note that this code has not been tested for interoperability and may be
     subject to change.

     feedback and ok markus@
2010-08-31 22:41:14 +10:00
Damien Miller 757f34e051 - djm@cvs.openbsd.org 2010/08/04 06:07:11
[ssh-keygen.1 ssh-keygen.c]
     Support CA keys in PKCS#11 tokens; feedback and ok markus@
2010-08-05 13:05:31 +10:00
Damien Miller bad5e03bfd - schwarze@cvs.openbsd.org 2010/07/15 21:20:38
[ssh-keygen.1]
     repair incorrect block nesting, which screwed up indentation;
     problem reported and fix OK by jmc@
2010-07-16 13:59:59 +10:00
Damien Miller ea72728ffe - jmc@cvs.openbsd.org 2010/06/30 07:24:25
[ssh-keygen.1]
     tweak previous;
2010-07-02 13:35:34 +10:00