Commit Graph

241 Commits

Author SHA1 Message Date
Damien Miller
1422c0887c - djm@cvs.openbsd.org 2013/01/09 05:40:17
[ssh-keygen.c]
     correctly initialise fingerprint type for fingerprinting PKCS#11 keys
2013-01-09 16:44:54 +11:00
Damien Miller
ec77c954c8 - djm@cvs.openbsd.org 2013/01/03 23:22:58
[ssh-keygen.c]
     allow fingerprinting of keys hosted in PKCS#11 tokens: ssh-keygen -lD ...
     ok markus@
2013-01-09 15:58:00 +11:00
Damien Miller
55aca027ed - djm@cvs.openbsd.org 2012/12/03 00:14:06
[auth2-chall.c ssh-keygen.c]
     Fix compilation with -Wall -Werror (trivial type fixes)
2012-12-03 11:25:30 +11:00
Damien Miller
6f3b362fa8 - djm@cvs.openbsd.org 2012/11/14 02:32:15
[ssh-keygen.c]
     allow the full range of unsigned serial numbers; 'fine' deraadt@
2012-11-14 19:04:33 +11:00
Darren Tucker
0dc283b13a - djm@cvs.openbsd.org 2012/10/02 07:07:45
[ssh-keygen.c]
     fix -z option, broken in revision 1.215
2012-10-05 10:52:51 +10:00
Darren Tucker
f09a8a6c6d - djm@cvs.openbsd.org 2012/08/17 01:25:58
[ssh-keygen.c]
     print details of which host lines were deleted when using
     "ssh-keygen -R host"; ok markus@
2012-09-06 21:20:39 +10:00
Damien Miller
709a1e90d9 - jmc@cvs.openbsd.org 2012/07/06 06:38:03
[ssh-keygen.c]
     missing full stop in usage();
2012-07-31 12:20:43 +10:00
Damien Miller
dfceafe8b1 - dtucker@cvs.openbsd.org 2012/07/06 00:41:59
[moduli.c ssh-keygen.1 ssh-keygen.c]
     Add options to specify starting line number and number of lines to process
     when screening moduli candidates.  This allows processing of different
     parts of a candidate moduli file in parallel.  man page help jmc@, ok djm@
2012-07-06 13:44:19 +10:00
Damien Miller
3bde12aeef - djm@cvs.openbsd.org 2012/05/23 03:28:28
[dns.c dns.h key.c key.h ssh-keygen.c]
     add support for RFC6594 SSHFP DNS records for ECDSA key types.
     patch from bugzilla-m67 AT nulld.me in bz#1978; ok + tweak markus@
2012-06-20 21:51:11 +10:00
Damien Miller
a563cced06 - djm@cvs.openbsd.org 2012/02/29 11:21:26
[ssh-keygen.c]
     allow conversion of RSA1 keys to public PEM and PKCS8; "nice" markus@
2012-04-22 11:07:28 +10:00
Damien Miller
b56e4930ae - (djm) [ssh-keygen.c] Don't fail in do_gen_all_hostkeys on platforms
that don't support ECC. Patch from Phil Oleson
2012-02-06 07:41:27 +11:00
Damien Miller
927d82bc6a - jmc@cvs.openbsd.org 2011/10/16 15:02:41
[ssh-keygen.c]
     put -K in the right place (usage());
2011-10-18 16:05:38 +11:00
Damien Miller
390d0561fc - dtucker@cvs.openbsd.org 2011/10/16 11:02:46
[moduli.c ssh-keygen.1 ssh-keygen.c]
     Add optional checkpoints for moduli screening.  feedback & ok deraadt
2011-10-18 16:05:19 +11:00
Darren Tucker
0dd24e02ec - (dtucker) [ssh-keygen.c ssh-pkcs11.c] Bug #1929: add null implementations
ofsh-pkcs11.cpkcs_init and pkcs_terminate for building without dlopen support.
2011-09-04 19:59:26 +10:00
Damien Miller
2ce12ef1ac - djm@cvs.openbsd.org 2011/05/04 21:15:29
[authfile.c authfile.h ssh-add.c]
     allow "ssh-add - < key"; feedback and ok markus@
2011-05-05 14:17:18 +10:00
Damien Miller
884b63a061 - djm@cvs.openbsd.org 2011/04/12 04:23:50
[ssh-keygen.c]
     fix -Wshadow
2011-05-05 14:14:52 +10:00
Damien Miller
044f4a6cc3 - stevesk@cvs.openbsd.org 2011/03/24 22:14:54
[ssh-keygen.c]
     use strcasecmp() for "clear" cert permission option also; ok djm
2011-05-05 14:14:08 +10:00
Damien Miller
111431963e - stevesk@cvs.openbsd.org 2011/03/23 16:50:04
[ssh-keygen.c]
     remove -d, documentation removed >10 years ago; ok markus
2011-05-05 14:13:25 +10:00
Damien Miller
58f1bafb3d - stevesk@cvs.openbsd.org 2011/03/23 15:16:22
[ssh-keygen.1 ssh-keygen.c]
     Add -A option.  For each of the key types (rsa1, rsa, dsa and ecdsa)
     for which host keys do not exist, generate the host keys with the
     default key file path, an empty passphrase, default bits for the key
     type, and default comment.  This will be used by /etc/rc to generate
     new host keys.  Idea from deraadt.
     ok deraadt
2011-05-05 14:06:15 +10:00
Damien Miller
f22019bdbf - (djm) [Makefile.in WARNING.RNG aclocal.m4 buildpkg.sh.in configure.ac]
[entropy.c ssh-add.c ssh-agent.c ssh-keygen.c ssh-keyscan.c]
   [ssh-keysign.c ssh-pkcs11-helper.c ssh-rand-helper.8 ssh-rand-helper.c]
   [ssh.c ssh_prng_cmds.in sshd.c contrib/aix/buildbff.sh]
   [regress/README.regress] Remove ssh-rand-helper and all its
   tentacles. PRNGd seeding has been rolled into entropy.c directly.
   Thanks to tim@ for testing on affected platforms.
2011-05-05 13:48:37 +10:00
Damien Miller
821de0ad2e - djm@cvs.openbsd.org 2011/01/11 06:13:10
[clientloop.c ssh-keygen.c sshd.c]
     some unsigned long long casts that make things a bit easier for
     portable without resorting to dropping PRIu64 formats everywhere
2011-01-11 17:20:29 +11:00
Damien Miller
dd190ddfd7 - (djm) [servconf.c ssh-add.c ssh-keygen.c] don't look for ECDSA keys on
platforms that don't support ECC. Fixes some spurious warnings reported
   by tim@
2010-11-11 14:17:02 +11:00
Damien Miller
b472a90d4c - djm@cvs.openbsd.org 2010/10/28 11:22:09
[authfile.c key.c key.h ssh-keygen.c]
     fix a possible NULL deref on loading a corrupt ECDH key

     store ECDH group information in private keys files as "named groups"
     rather than as a set of explicit group parameters (by setting
     the OPENSSL_EC_NAMED_CURVE flag). This makes for shorter key files and
     retrieves the group's OpenSSL NID that we need for various things.
2010-11-05 10:19:49 +11:00
Damien Miller
6af914a15c - (djm) [authfd.c authfile.c bufec.c buffer.h configure.ac kex.h kexecdh.c]
[kexecdhc.c kexecdhs.c key.c key.h myproposal.h packet.c readconf.c]
   [ssh-agent.c ssh-ecdsa.c ssh-keygen.c ssh.c] Disable ECDH and ECDSA on
   platforms that don't have the requisite OpenSSL support. ok dtucker@
2010-09-10 11:39:26 +10:00
Damien Miller
6e9f680cd2 - naddy@cvs.openbsd.org 2010/09/02 17:21:50
[ssh-keygen.c]
     Switch ECDSA default key size to 256 bits, which according to RFC5656
     should still be better than our current RSA-2048 default.
     ok djm@, markus@
2010-09-10 11:17:38 +10:00
Damien Miller
5773794d55 - markus@cvs.openbsd.org 2010/09/02 16:07:25
[ssh-keygen.c]
     permit -b 256, 384 or 521 as key size for ECDSA; ok djm@
2010-09-10 11:16:37 +10:00
Damien Miller
4314c2b548 - djm@cvs.openbsd.org 2010/08/31 12:33:38
[ssh-add.c ssh-agent.c ssh-keygen.c ssh-keysign.c ssh.c sshd.c]
     reintroduce commit from tedu@, which I pulled out for release
     engineering:
       OpenSSL_add_all_algorithms is the name of the function we have a
       man page for, so use that.  ok djm
2010-09-10 11:12:09 +10:00
Damien Miller
eb8b60e320 - djm@cvs.openbsd.org 2010/08/31 11:54:45
[PROTOCOL PROTOCOL.agent PROTOCOL.certkeys auth2-jpake.c authfd.c]
     [authfile.c buffer.h dns.c kex.c kex.h key.c key.h monitor.c]
     [monitor_wrap.c myproposal.h packet.c packet.h pathnames.h readconf.c]
     [ssh-add.1 ssh-add.c ssh-agent.1 ssh-agent.c ssh-keygen.1 ssh-keygen.c]
     [ssh-keyscan.1 ssh-keyscan.c ssh-keysign.8 ssh.1 ssh.c ssh2.h]
     [ssh_config.5 sshconnect.c sshconnect2.c sshd.8 sshd.c sshd_config.5]
     [uuencode.c uuencode.h bufec.c kexecdh.c kexecdhc.c kexecdhs.c ssh-ecdsa.c]
     Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and
     host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer
     better performance than plain DH and DSA at the same equivalent symmetric
     key length, as well as much shorter keys.

     Only the mandatory sections of RFC5656 are implemented, specifically the
     three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and
     ECDSA. Point compression (optional in RFC5656 is NOT implemented).

     Certificate host and user keys using the new ECDSA key types are supported.

     Note that this code has not been tested for interoperability and may be
     subject to change.

     feedback and ok markus@
2010-08-31 22:41:14 +10:00
Damien Miller
d96546f5b0 - djm@cvs.openbsd.org 2010/08/16 04:06:06
[ssh-add.c ssh-agent.c ssh-keygen.c ssh-keysign.c ssh.c sshd.c]
     backout previous temporarily; discussed with deraadt@
2010-08-31 22:32:12 +10:00
Damien Miller
9b87e79538 - tedu@cvs.openbsd.org 2010/08/12 23:34:39
[ssh-add.c ssh-agent.c ssh-keygen.c ssh-keysign.c ssh.c sshd.c]
     OpenSSL_add_all_algorithms is the name of the function we have a man page
     for, so use that.  ok djm
2010-08-31 22:31:37 +10:00
Damien Miller
757f34e051 - djm@cvs.openbsd.org 2010/08/04 06:07:11
[ssh-keygen.1 ssh-keygen.c]
     Support CA keys in PKCS#11 tokens; feedback and ok markus@
2010-08-05 13:05:31 +10:00
Damien Miller
1da6388959 - djm@cvs.openbsd.org 2010/08/04 05:40:39
[PROTOCOL.certkeys ssh-keygen.c]
     tighten the rules for certificate encoding by requiring that options
     appear in lexical order and make our ssh-keygen comply. ok markus@
2010-08-05 13:03:51 +10:00
Damien Miller
844cccfc1a - OpenBSD CVS Sync
- djm@cvs.openbsd.org 2010/07/16 04:45:30
     [ssh-keygen.c]
     avoid bogus compiler warning
2010-08-03 16:03:29 +10:00
Damien Miller
6022f58e3a - jmc@cvs.openbsd.org 2010/06/30 07:26:03
[ssh-keygen.c]
     sort usage();
2010-07-02 13:37:01 +10:00
Damien Miller
44b2504011 - djm@cvs.openbsd.org 2010/06/29 23:15:30
[ssh-keygen.1 ssh-keygen.c]
     allow import (-i) and export (-e) of PEM and PKCS#8 encoded keys;
     bz#1749; ok markus@
2010-07-02 13:35:01 +10:00
Damien Miller
d834d35834 - djm@cvs.openbsd.org 2010/06/23 02:59:02
[ssh-keygen.c]
     fix printing of extensions in v01 certificates that I broke in r1.190
2010-06-26 09:48:02 +10:00
Damien Miller
ba3420acd2 - djm@cvs.openbsd.org 2010/06/22 04:32:06
[ssh-keygen.c]
     standardise error messages when attempting to open private key
     files to include "progname: filename: error reason"
     bz#1783; ok dtucker@
2010-06-26 09:39:07 +10:00
Damien Miller
d0e4a8e2e0 - djm@cvs.openbsd.org 2010/05/20 23:46:02
[PROTOCOL.certkeys auth-options.c ssh-keygen.c]
     Move the permit-* options to the non-critical "extensions" field for v01
     certificates. The logic is that if another implementation fails to
     implement them then the connection just loses features rather than fails
     outright.

     ok markus@
2010-05-21 14:58:32 +10:00
Damien Miller
bebbb7e8a5 - djm@cvs.openbsd.org 2010/04/23 22:48:31
[ssh-keygen.c]
     refuse to generate keys longer than OPENSSL_[RD]SA_MAX_MODULUS_BITS,
     since we would refuse to use them anyway. bz#1516; ok dtucker@
2010-05-10 11:54:38 +10:00
Damien Miller
50af79b118 - OpenBSD CVS Sync
- djm@cvs.openbsd.org 2010/04/23 01:47:41
     [ssh-keygen.c]
     bz#1740: display a more helpful error message when $HOME is
     inaccessible while trying to create .ssh directory. Based on patch
     from jchadima AT redhat.com; ok dtucker@
2010-05-10 11:52:00 +10:00
Damien Miller
1f181425e9 - jmc@cvs.openbsd.org 2010/04/16 06:47:04
[ssh-keygen.1 ssh-keygen.c]
     tweak previous; ok djm
2010-04-18 08:08:03 +10:00
Damien Miller
4e270b05dd - djm@cvs.openbsd.org 2010/04/16 01:47:26
[PROTOCOL.certkeys auth-options.c auth-options.h auth-rsa.c]
     [auth2-pubkey.c authfd.c key.c key.h myproposal.h ssh-add.c]
     [ssh-agent.c ssh-dss.c ssh-keygen.1 ssh-keygen.c ssh-rsa.c]
     [sshconnect.c sshconnect2.c sshd.c]
     revised certificate format ssh-{dss,rsa}-cert-v01@openssh.com with the
     following changes:

     move the nonce field to the beginning of the certificate where it can
     better protect against chosen-prefix attacks on the signature hash

     Rename "constraints" field to "critical options"

     Add a new non-critical "extensions" field

     Add a serial number

     The older format is still support for authentication and cert generation
     (use "ssh-keygen -t v00 -s ca_key ..." to generate a v00 certificate)

     ok markus@
2010-04-16 15:56:21 +10:00
Damien Miller
1cfbfaf4a0 - stevesk@cvs.openbsd.org 2010/03/15 19:40:02
[key.c key.h ssh-keygen.c]
     also print certificate type (user or host) for ssh-keygen -L
     ok djm kettenis
2010-03-22 05:58:24 +11:00
Damien Miller
3e1ee491f3 - djm@cvs.openbsd.org 2010/03/07 22:16:01
[ssh-keygen.c]
     make internal strptime string match strftime format;
     suggested by vinschen AT redhat.com and markus@
2010-03-08 09:24:11 +11:00
Damien Miller
689b872842 - djm@cvs.openbsd.org 2010/03/04 23:27:25
[auth-options.c ssh-keygen.c]
     "force-command" is not spelled "forced-command"; spotted by
     imorgan AT nas.nasa.gov
2010-03-05 10:42:24 +11:00
Damien Miller
f2b70cad75 - djm@cvs.openbsd.org 2010/03/04 20:35:08
[ssh-keygen.1 ssh-keygen.c]
     Add a -L flag to print the contents of a certificate; ok markus@
2010-03-05 07:39:35 +11:00
Damien Miller
1aed65eb27 - djm@cvs.openbsd.org 2010/03/04 10:36:03
[auth-rh-rsa.c auth-rsa.c auth.c auth.h auth2-hostbased.c auth2-pubkey.c]
     [authfile.c authfile.h hostfile.c hostfile.h servconf.c servconf.h]
     [ssh-keygen.c ssh.1 sshconnect.c sshd_config.5]
     Add a TrustedUserCAKeys option to sshd_config to specify CA keys that
     are trusted to authenticate users (in addition than doing it per-user
     in authorized_keys).

     Add a RevokedKeys option to sshd_config and a @revoked marker to
     known_hosts to allow keys to me revoked and banned for user or host
     authentication.

     feedback and ok markus@
2010-03-04 21:53:35 +11:00
Damien Miller
910f209c1d - (djm) [ssh-keygen.c] Use correct local variable, instead of
maybe-undefined global "optarg"
2010-03-04 14:17:22 +11:00
Damien Miller
2ca342b84b - djm@cvs.openbsd.org 2010/03/02 23:20:57
[ssh-keygen.c]
     POSIX strptime is stricter than OpenBSD's so do a little dance to
     appease it.
2010-03-03 12:14:15 +11:00
Damien Miller
0a80ca190a - OpenBSD CVS Sync
- djm@cvs.openbsd.org 2010/02/26 20:29:54
     [PROTOCOL PROTOCOL.agent PROTOCOL.certkeys addrmatch.c auth-options.c]
     [auth-options.h auth.h auth2-pubkey.c authfd.c dns.c dns.h hostfile.c]
     [hostfile.h kex.h kexdhs.c kexgexs.c key.c key.h match.h monitor.c]
     [myproposal.h servconf.c servconf.h ssh-add.c ssh-agent.c ssh-dss.c]
     [ssh-keygen.1 ssh-keygen.c ssh-rsa.c ssh.1 ssh.c ssh2.h sshconnect.c]
     [sshconnect2.c sshd.8 sshd.c sshd_config.5]
     Add support for certificate key types for users and hosts.

     OpenSSH certificate key types are not X.509 certificates, but a much
     simpler format that encodes a public key, identity information and
     some validity constraints and signs it with a CA key. CA keys are
     regular SSH keys. This certificate style avoids the attack surface
     of X.509 certificates and is very easy to deploy.

     Certified host keys allow automatic acceptance of new host keys
     when a CA certificate is marked as sh/known_hosts.
     see VERIFYING HOST KEYS in ssh(1) for details.

     Certified user keys allow authentication of users when the signing
     CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS
     FILE FORMAT" in sshd(8) for details.

     Certificates are minted using ssh-keygen(1), documentation is in
     the "CERTIFICATES" section of that manpage.

     Documentation on the format of certificates is in the file
     PROTOCOL.certkeys

     feedback and ok markus@
2010-02-27 07:55:05 +11:00