mirror of
git://anongit.mindrot.org/openssh.git
synced 2024-12-27 04:12:10 +00:00
upstream: Use new private key format by default. This format is
suported by OpenSSH >= 6.5 (released January 2014), so it should be supported by most OpenSSH versions in active use. It is possible to convert new-format private keys to the older format using "ssh-keygen -f /path/key -pm PEM". ok deraadt dtucker OpenBSD-Commit-ID: e3bd4f2509a2103bfa2f710733426af3ad6d8ab8
This commit is contained in:
parent
967226a1bd
commit
ed7bd5d93f
24
ssh-keygen.1
24
ssh-keygen.1
@ -1,4 +1,4 @@
|
||||
.\" $OpenBSD: ssh-keygen.1,v 1.147 2018/03/12 00:52:01 djm Exp $
|
||||
.\" $OpenBSD: ssh-keygen.1,v 1.148 2018/08/08 01:16:01 djm Exp $
|
||||
.\"
|
||||
.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
@ -35,7 +35,7 @@
|
||||
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
.\"
|
||||
.Dd $Mdocdate: March 12 2018 $
|
||||
.Dd $Mdocdate: August 8 2018 $
|
||||
.Dt SSH-KEYGEN 1
|
||||
.Os
|
||||
.Sh NAME
|
||||
@ -233,10 +233,8 @@ This is used by
|
||||
.Pa /etc/rc
|
||||
to generate new host keys.
|
||||
.It Fl a Ar rounds
|
||||
When saving a new-format private key (i.e. an ed25519 key or when the
|
||||
.Fl o
|
||||
flag is set), this option specifies the number of KDF (key derivation function)
|
||||
rounds used.
|
||||
When saving a private key this option specifies the number of KDF
|
||||
(key derivation function) rounds used.
|
||||
Higher numbers result in slower passphrase verification and increased
|
||||
resistance to brute-force password cracking (should the keys be stolen).
|
||||
.Pp
|
||||
@ -264,8 +262,6 @@ flag will be ignored.
|
||||
Provides a new comment.
|
||||
.It Fl c
|
||||
Requests changing the comment in the private and public key files.
|
||||
This operation is only supported for keys stored in the
|
||||
newer OpenSSH format.
|
||||
The program will prompt for the file containing the private keys, for
|
||||
the passphrase if the key has one, and for the new comment.
|
||||
.It Fl D Ar pkcs11
|
||||
@ -410,6 +406,10 @@ or
|
||||
(PEM public key).
|
||||
The default conversion format is
|
||||
.Dq RFC4716 .
|
||||
Setting a format of
|
||||
.Dq PEM
|
||||
when generating or updating a supported private key type will cause the
|
||||
key to be stored in the legacy PEM private key format.
|
||||
.It Fl N Ar new_passphrase
|
||||
Provides the new passphrase.
|
||||
.It Fl n Ar principals
|
||||
@ -504,14 +504,6 @@ The
|
||||
is a comma-separated list of one or more address/netmask pairs in CIDR
|
||||
format.
|
||||
.El
|
||||
.It Fl o
|
||||
Causes
|
||||
.Nm
|
||||
to save private keys using the new OpenSSH format rather than
|
||||
the more compatible PEM format.
|
||||
The new format has increased resistance to brute-force password cracking
|
||||
but is not supported by versions of OpenSSH prior to 6.5.
|
||||
Ed25519 keys always use the new private key format.
|
||||
.It Fl P Ar passphrase
|
||||
Provides the (old) passphrase.
|
||||
.It Fl p
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: ssh-keygen.c,v 1.318 2018/07/09 21:59:10 markus Exp $ */
|
||||
/* $OpenBSD: ssh-keygen.c,v 1.319 2018/08/08 01:16:01 djm Exp $ */
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
* Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
@ -179,7 +179,7 @@ char *key_type_name = NULL;
|
||||
char *pkcs11provider = NULL;
|
||||
|
||||
/* Use new OpenSSH private key format when writing SSH2 keys instead of PEM */
|
||||
int use_new_format = 0;
|
||||
int use_new_format = 1;
|
||||
|
||||
/* Cipher for new-format private keys */
|
||||
char *new_format_cipher = NULL;
|
||||
@ -2434,6 +2434,7 @@ main(int argc, char **argv)
|
||||
}
|
||||
if (strcasecmp(optarg, "PEM") == 0) {
|
||||
convert_format = FMT_PEM;
|
||||
use_new_format = 0;
|
||||
break;
|
||||
}
|
||||
fatal("Unsupported conversion format \"%s\"", optarg);
|
||||
@ -2441,7 +2442,7 @@ main(int argc, char **argv)
|
||||
cert_principals = optarg;
|
||||
break;
|
||||
case 'o':
|
||||
use_new_format = 1;
|
||||
/* no-op; new format is already the default */
|
||||
break;
|
||||
case 'p':
|
||||
change_passphrase = 1;
|
||||
|
Loading…
Reference in New Issue
Block a user