Commit Graph

15 Commits

Author SHA1 Message Date
Damien Miller
eb8b60e320 - djm@cvs.openbsd.org 2010/08/31 11:54:45
[PROTOCOL PROTOCOL.agent PROTOCOL.certkeys auth2-jpake.c authfd.c]
     [authfile.c buffer.h dns.c kex.c kex.h key.c key.h monitor.c]
     [monitor_wrap.c myproposal.h packet.c packet.h pathnames.h readconf.c]
     [ssh-add.1 ssh-add.c ssh-agent.1 ssh-agent.c ssh-keygen.1 ssh-keygen.c]
     [ssh-keyscan.1 ssh-keyscan.c ssh-keysign.8 ssh.1 ssh.c ssh2.h]
     [ssh_config.5 sshconnect.c sshconnect2.c sshd.8 sshd.c sshd_config.5]
     [uuencode.c uuencode.h bufec.c kexecdh.c kexecdhc.c kexecdhs.c ssh-ecdsa.c]
     Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and
     host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer
     better performance than plain DH and DSA at the same equivalent symmetric
     key length, as well as much shorter keys.

     Only the mandatory sections of RFC5656 are implemented, specifically the
     three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and
     ECDSA. Point compression (optional in RFC5656 is NOT implemented).

     Certificate host and user keys using the new ECDSA key types are supported.

     Note that this code has not been tested for interoperability and may be
     subject to change.

     feedback and ok markus@
2010-08-31 22:41:14 +10:00
Damien Miller
0a80ca190a - OpenBSD CVS Sync
- djm@cvs.openbsd.org 2010/02/26 20:29:54
     [PROTOCOL PROTOCOL.agent PROTOCOL.certkeys addrmatch.c auth-options.c]
     [auth-options.h auth.h auth2-pubkey.c authfd.c dns.c dns.h hostfile.c]
     [hostfile.h kex.h kexdhs.c kexgexs.c key.c key.h match.h monitor.c]
     [myproposal.h servconf.c servconf.h ssh-add.c ssh-agent.c ssh-dss.c]
     [ssh-keygen.1 ssh-keygen.c ssh-rsa.c ssh.1 ssh.c ssh2.h sshconnect.c]
     [sshconnect2.c sshd.8 sshd.c sshd_config.5]
     Add support for certificate key types for users and hosts.

     OpenSSH certificate key types are not X.509 certificates, but a much
     simpler format that encodes a public key, identity information and
     some validity constraints and signs it with a CA key. CA keys are
     regular SSH keys. This certificate style avoids the attack surface
     of X.509 certificates and is very easy to deploy.

     Certified host keys allow automatic acceptance of new host keys
     when a CA certificate is marked as sh/known_hosts.
     see VERIFYING HOST KEYS in ssh(1) for details.

     Certified user keys allow authentication of users when the signing
     CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS
     FILE FORMAT" in sshd(8) for details.

     Certificates are minted using ssh-keygen(1), documentation is in
     the "CERTIFICATES" section of that manpage.

     Documentation on the format of certificates is in the file
     PROTOCOL.certkeys

     feedback and ok markus@
2010-02-27 07:55:05 +11:00
Darren Tucker
a2e10485c5 - djm@cvs.openbsd.org 2010/01/09 00:57:10
[PROTOCOL]
     tweak language
2010-01-09 22:25:14 +11:00
Darren Tucker
f2705c8b7d - djm@cvs.openbsd.org 2009/12/20 23:20:40
[PROTOCOL]
     fix an incorrect magic number and typo in PROTOCOL; bz#1688
     report and fix from ueno AT unixuser.org
2010-01-08 18:54:17 +11:00
Damien Miller
6385e758df - djm@cvs.openbsd.org 2009/02/14 06:35:49
[PROTOCOL]
     mention that eow and no-more-sessions extensions are sent only to
     OpenSSH peers
2009-02-14 18:00:52 +11:00
Damien Miller
c9c96f2e28 - djm@cvs.openbsd.org 2008/07/05 05:16:01
[PROTOCOL]
     grammar
2008-07-05 15:17:48 +10:00
Darren Tucker
1f781b194f - djm@cvs.openbsd.org 2008/06/30 12:18:34
[PROTOCOL]
     clarify that eow@openssh.com is only sent on session channels
2008-07-02 22:33:16 +10:00
Damien Miller
1e18beb1e7 - djm@cvs.openbsd.org 2008/06/28 14:08:30
[PROTOCOL PROTOCOL.agent]
     document the protocol used by ssh-agent; "looks ok" markus@
2008-06-30 00:07:00 +10:00
Damien Miller
bd45afb5ad - djm@cvs.openbsd.org 2008/06/28 07:25:07
[PROTOCOL]
     spelling fixes
2008-06-30 00:04:57 +10:00
Darren Tucker
e5d98290a6 - djm@cvs.openbsd.org 2008/06/12 05:15:41
[PROTOCOL]
     document tun@openssh.com forwarding method
2008-06-13 04:53:27 +10:00
Darren Tucker
8901fa9c88 - djm@cvs.openbsd.org 2008/06/10 22:15:23
[PROTOCOL ssh.c serverloop.c]
     Add a no-more-sessions@openssh.com global request extension that the
     client sends when it knows that it will never request another session
     (i.e. when session multiplexing is disabled). This allows a server to
     disallow further session requests and terminate the session.
     Why would a non-multiplexing client ever issue additional session
     requests? It could have been attacked with something like SSH'jack:
     http://www.storm.net.nz/projects/7
     feedback & ok markus
2008-06-11 09:34:01 +10:00
Darren Tucker
588fe0efa4 - dtucker@cvs.openbsd.org 2008/06/09 13:38:46
[PROTOCOL]
     Use a $OpenBSD tag so our scripts will sync changes.
2008-06-09 23:52:22 +10:00
Darren Tucker
cd2ada6d06 - dtucker@cvs.openbsd.org 2008/06/08 20:15:29
[PROTOCOL]
     Have the sftp client store the statvfs replies in wire format,
     which prevents problems when the server's native sizes exceed the
     client's.
     Also extends the sizes of the remaining 32bit wire format to 64bit,
     they're specified as unsigned long in the standard.
2008-06-09 23:49:09 +10:00
Darren Tucker
17ec5d4e02 - djm@cvs.openbsd.org 2008/06/07 21:52:46
[PROTOCOL]
     statvfs member fsid needs to be wider, increase it to 64 bits and
     crank extension revision number to 2; prodded and ok dtucker@
2008-06-09 23:47:37 +10:00
Damien Miller
58a8114880 - djm@cvs.openbsd.org 2008/05/16 08:30:42
[PROTOCOL]
     document our protocol extensions and deviations; ok markus@
   - djm@cvs.openbsd.org 2008/05/17 01:31:56
     [PROTOCOL]
     grammar and correctness fixes from stevesk@
2008-05-19 16:11:56 +10:00