summaryrefslogtreecommitdiffstats
path: root/usr.bin/ssh/key.c (follow)
Commit message (Collapse)AuthorAgeFilesLines
...
* Add support for certificate key types for users and hosts.djm2010-02-261-34/+561
| | | | | | | | | | | | | | | | | | | | | | | | OpenSSH certificate key types are not X.509 certificates, but a much simpler format that encodes a public key, identity information and some validity constraints and signs it with a CA key. CA keys are regular SSH keys. This certificate style avoids the attack surface of X.509 certificates and is very easy to deploy. Certified host keys allow automatic acceptance of new host keys when a CA certificate is marked as trusted in ~/.ssh/known_hosts. see VERIFYING HOST KEYS in ssh(1) for details. Certified user keys allow authentication of users when the signing CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS FILE FORMAT" in sshd(8) for details. Certificates are minted using ssh-keygen(1), documentation is in the "CERTIFICATES" section of that manpage. Documentation on the format of certificates is in the file PROTOCOL.certkeys feedback and ok markus@
* Ignore and log any Protocol 1 keys where the claimed size is not equal todtucker2010-01-131-1/+7
| | | | the actual size. Noted by Derek Martin, ok djm@
* switch from 35 to the more common value of RSA_F4 == (2**16)+1 == 65537markus2009-12-111-2/+2
| | | | for the RSA public exponent; discussed with provos; ok djm@
* typo in error message; ok djm@stevesk2008-10-101-2/+2
|
* In random art visualization, make sure to use the end marker only at thegrunk2008-07-251-2/+3
| | | | end. Initial diff by Dirk Loss, tweaks and ok djm@
* /*NOTREACHED*/ for lint warning:stevesk2008-07-071-1/+2
| | | | | warning: function key_equal falls off bottom without returning value ok djm@
* add key length to visual fingerprint; zap magical constants;otto2008-06-251-3/+3
| | | | ok grunk@ djm@
* add my copyright, ok djm@grunk2008-06-121-1/+2
|
* We already mark the start of the worm, now also mark the end of the wormgrunk2008-06-121-3/+6
| | | | | in our random art drawings. ok djm@
* supply the key type (rsa1, rsa, dsa) as a caption in the frame of thegrunk2008-06-121-8/+16
| | | | | | | random art. while there, stress the fact that the field base should at least be 8 characters for the pictures to make sense. comment and ok djm@
* use an odd number of rows and columns and a separate start marker, looksotto2008-06-121-5/+5
| | | | better; ok grunk@
* #define statements that are not atoms need braces around them, else theygrunk2008-06-111-5/+5
| | | | | | | will cause trouble in some cases. Also do a computation of -1 once, and not in a loop several times. spotted by otto@
* simpler way of computing the augmentations; ok grunk@otto2008-06-111-9/+7
|
* Introduce SSH Fingerprint ASCII Visualization, a technique inspired by thegrunk2008-06-111-1/+104
| | | | | | | | | | | | | | | | | | | | | | | graphical hash visualization schemes known as "random art", and by Dan Kaminsky's musings on the subject during a BlackOp talk at the 23C3 in Berlin. Scientific publication (original paper): "Hash Visualization: a New Technique to improve Real-World Security", Perrig A. and Song D., 1999, International Workshop on Cryptographic Techniques and E-Commerce (CrypTEC '99) http://sparrow.ece.cmu.edu/~adrian/projects/validation/validation.pdf The algorithm used here is a worm crawling over a discrete plane, leaving a trace (augmenting the field) everywhere it goes. Movement is taken from dgst_raw 2bit-wise. Bumping into walls makes the respective movement vector be ignored for this turn, thus switching to the other color of the chessboard. Graphs are not unambiguous for now, because circles in graphs can be walked in either direction. discussions with several people, help, corrections and ok markus@ djm@
* Delint: remove some unreachable statements, from Bret Lambert.ray2007-07-121-3/+1
| | | | OK markus@ and dtucker@.
* add missing checks for openssl return codes; with & ok djm@markus2006-11-061-7/+9
|
* almost entirely get rid of the culture of ".h files that include .h files"deraadt2006-08-031-3/+3
| | | | | ok djm, sort of ok stevesk makes the pain stop in one easy step
* move #include <stdio.h> out of includes.hstevesk2006-08-011-1/+2
|
* move #include <string.h> out of includes.hstevesk2006-07-221-1/+3
|
* Put $OpenBSD$ tags back (as comments) to replace the RCSID()s thatdjm2006-03-251-0/+1
| | | | Theo nuked - our scripts to sync -portable need them in the files
* introduce xcalloc() and xasprintf() failure-checked allocations functionsdjm2006-03-251-6/+4
| | | | | | | | | | and use them throughout openssh xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die feedback and ok deraadt@
* djm did a typoderaadt2006-03-201-1/+1
|
* in a switch (), break after return or goto is stupidderaadt2006-03-201-16/+2
|
* (really) last of the Coverity diffs: avoid possible NULL deref indjm2006-03-201-0/+2
| | | | key_free. via elad AT netbsd.org; markus@ ok
* RCSID() can diederaadt2006-03-191-1/+0
|
* make this -Wsign-compare clean; ok avsm@ markus@djm2005-06-171-2/+2
|
* use new buffer API to avoid fatal errors on corrupt keys in authorized_keysdjm2004-10-291-11/+27
| | | | files; ok markus@
* more s/illegal/invalid/markus2004-07-281-3/+3
|
* constify. ok markus@ & djm@jakob2003-11-101-19/+21
|
* minor tweak: when generating the hex fingerprint, give strlcat the full bound to the buffer, and add a comment below explaining why the zero-termination is one less than the bound.avsm2003-07-091-2/+4
| | | | markus@ ok
* int -> u_int; ok djm@, deraadt@, mouring@markus2003-06-241-3/+3
|
* add experimental support for verifying hos keys using DNS as describedjakob2003-05-141-2/+2
| | | | | in draft-ietf-secsh-dns-xx.txt. more information in README.dns. ok markus@ and henning@
* merge ssh-dss.h ssh-rsa.h into key.h; ok deraadt@markus2003-02-121-3/+1
|
* better debug3 messagemarkus2003-02-041-3/+3
|
* signed vs unsigned from -pedantic; ok henning@markus2002-09-091-2/+3
|
* don't allocate, copy, and discard if there is not interested in the data; ok deraadt@markus2002-07-041-10/+7
|
* patch memory leaks; grendel@zeitbombe.orgderaadt2002-07-041-1/+3
|
* minor KNFderaadt2002-06-301-7/+7
|
* KNFderaadt2002-06-231-2/+8
|
* add comment:markus2002-05-311-1/+5
| | | | | | key_verify returns 1 for a correct signature, 0 for an incorrect signature and -1 on error. CVS ----------------------------------------------------------------------
* KNF whitespacemarkus2002-03-191-2/+2
|
* add key_demote() for ssh-privsepmarkus2002-03-181-1/+44
|
* add some const EVP_MD for openssl-0.9.7markus2002-02-281-2/+2
|
* signed vs. unsigned: make size arguments u_int, ok stevesk@markus2002-02-241-10/+9
|
* use EVP_MD_size(evp_md) and not evp_md->md_size; ok steveks@markus2002-01-251-7/+6
|
* call fatal() for openssl allocation failuresmarkus2001-12-271-21/+31
|
* be more careful on allocationmarkus2001-12-251-1/+6
|
* basic KNF done while i was looking for something elsederaadt2001-12-191-4/+4
|
* minor KNFderaadt2001-12-051-13/+14
|
* mem leakmarkus2001-11-211-3/+4
|
Copyright © 1996 – 2023 Jason A. Donenfeld. All Rights Reverse Engineered.