| Commit message (Collapse) | Author | Age | Files | Lines | |
|---|---|---|---|---|---|
| * | check that the certificate matches the corresponding private key before |   djm | 2010-05-14 | 1 | -21/+29 |
| | | | | | grafting it on | ||||
| * | revised certificate format ssh-{dss,rsa}-cert-v01@openssh.com with the | djm | 2010-04-16 | 1 | -2/+2 |
| | | | | | | | | | | | | | | | | | | | following changes: move the nonce field to the beginning of the certificate where it can better protect against chosen-prefix attacks on the signature hash Rename "constraints" field to "critical options" Add a new non-critical "extensions" field Add a serial number The older format is still support for authentication and cert generation (use "ssh-keygen -t v00 -s ca_key ..." to generate a v00 certificate) ok markus@ | ||||
| * | zap what seems to be a left-over debug message; ok markus@ |   otto | 2010-03-01 | 1 | -3/+2 |
| | | |||||
| * | Add support for certificate key types for users and hosts. | djm | 2010-02-26 | 1 | -3/+31 |
| | | | | | | | | | | | | | | | | | | | | | | | | | OpenSSH certificate key types are not X.509 certificates, but a much simpler format that encodes a public key, identity information and some validity constraints and signs it with a CA key. CA keys are regular SSH keys. This certificate style avoids the attack surface of X.509 certificates and is very easy to deploy. Certified host keys allow automatic acceptance of new host keys when a CA certificate is marked as trusted in ~/.ssh/known_hosts. see VERIFYING HOST KEYS in ssh(1) for details. Certified user keys allow authentication of users when the signing CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS FILE FORMAT" in sshd(8) for details. Certificates are minted using ssh-keygen(1), documentation is in the "CERTIFICATES" section of that manpage. Documentation on the format of certificates is in the file PROTOCOL.certkeys feedback and ok markus@ | ||||
| * | replace our obsolete smartcard code with PKCS#11. |   markus | 2010-02-08 | 1 | -11/+9 |
| | | | | | | | | | | ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-11/v2-20/pkcs-11v2-20.pdf ssh(1) and ssh-keygen(1) use dlopen(3) directly to talk to a PKCS#11 provider (shared library) while ssh-agent(1) delegates PKCS#11 to a forked a ssh-pkcs11-helper process. PKCS#11 is currently a compile time option. feedback and ok djm@; inspired by patches from Alon Bar-Lev | ||||
| * | Do not fall back to adding keys without contraints (ssh-add -c / -t ...) | djm | 2009-08-27 | 1 | -4/+1 |
| | | | | | | | | | when the agent refuses the constrained add request. This was a useful migration measure back in 2002 when constraints were new, but just adds risk now. bz #1612, report and patch from dkg AT fifthhorseman.net; ok markus@ | ||||
| * | sort synopsis and options in ssh-agent(1); usage is lowercase |   sobrado | 2007-09-09 | 1 | -2/+2 |
| | | | | | ok jmc@ | ||||
| * | almost entirely get rid of the culture of ".h files that include .h files" |   deraadt | 2006-08-03 | 1 | -4/+3 |
| | | | | | | ok djm, sort of ok stevesk makes the pain stop in one easy step | ||||
| * | move #include <stdio.h> out of includes.h |   stevesk | 2006-08-01 | 1 | -1/+2 |
| | | |||||
| * | move #include <stdlib.h> out of includes.h | stevesk | 2006-07-26 | 1 | -1/+2 |
| | | |||||
| * | move #include <sys/param.h> out of includes.h | stevesk | 2006-07-26 | 1 | -1/+2 |
| | | |||||
| * | move #include <string.h> out of includes.h | stevesk | 2006-07-22 | 1 | -1/+2 |
| | | |||||
| * | move #include <unistd.h> out of includes.h | stevesk | 2006-07-17 | 1 | -1/+2 |
| | | |||||
| * | use O_RDONLY vs. 0 in open(); no binary change | stevesk | 2006-07-09 | 1 | -2/+2 |
| | | |||||
| * | move #include <fcntl.h> out of includes.h | stevesk | 2006-07-09 | 1 | -1/+2 |
| | | |||||
| * | move #include <pwd.h> out of includes.h; ok markus@ | stevesk | 2006-07-06 | 1 | -1/+3 |
| | | |||||
| * | Sync usage() with man page and reality. |   mk | 2006-05-30 | 1 | -2/+2 |
| | | | | | ok deraadt dtucker | ||||
| * | Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that | djm | 2006-03-25 | 1 | -0/+1 |
| | | | | | Theo nuked - our scripts to sync -portable need them in the files | ||||
| * | in a switch (), break after return or goto is stupid | deraadt | 2006-03-20 | 1 | -3/+0 |
| | | |||||
| * | RCSID() can die | deraadt | 2006-03-19 | 1 | -1/+0 |
| | | |||||
| * | Make ssh-add check file permissions before attempting to load private |   dtucker | 2006-03-13 | 1 | -4/+13 |
| | | | | | | key files multiple times; it will fail anyway and this prevents confusing multiple prompts and warnings. mindrot #1138, ok djm@ | ||||
| * | move #include <sys/stat.h> out of includes.h; ok markus@ | stevesk | 2006-02-20 | 1 | -1/+4 |
| | | |||||
| * | space | deraadt | 2005-11-12 | 1 | -2/+3 |
| | | |||||
| * | ensure that stdio fds are attached; ok deraadt@ | djm | 2005-09-13 | 1 | -1/+4 |
| | | |||||
| * | knf says that a 2nd level indent is four (not three or five) spaces | djm | 2005-07-17 | 1 | -2/+2 |
| | | |||||
| * | spacing | deraadt | 2005-03-10 | 1 | -3/+3 |
| | | |||||
| * | kill a tiny header; ok deraadt@ | djm | 2004-05-08 | 1 | -2/+1 |
| | | |||||
| * | unexpand and delete whitespace at EOL; ok markus@ | djm | 2003-11-21 | 1 | -4/+4 |
| | | |||||
| * | print out key comment on each prompt; make ssh-askpass more useable; ok djm@ | markus | 2003-06-16 | 1 | -2/+3 |
| | | |||||
| * | make agent constraints (lifetime, confirm) work with smartcard keys; ok markus@ | djm | 2003-06-11 | 1 | -2/+2 |
| | | |||||
| * | fix memory leaks; from dlheine@suif.Stanford.EDU/CLOUSEAU; ok djm@ | markus | 2003-03-05 | 1 | -3/+6 |
| | | |||||
| * | ssh-add -c, prompt user for confirmation (using ssh-askpass) when | markus | 2003-01-23 | 1 | -3/+14 |
| | | | | | private agent key is used; with djm@; test by dugsong@, djm@; ok deraadt@ | ||||
| * | KNF | deraadt | 2002-11-21 | 1 | -2/+2 |
| | | |||||
| * | typo; cd@kalkatraz.de | markus | 2002-09-19 | 1 | -2/+2 |
| | | |||||
| * | fix exit code for -X/-x | markus | 2002-06-26 | 1 | -2/+2 |
| | | |||||
| * | KNF done automatically while reading.... | deraadt | 2002-06-19 | 1 | -2/+2 |
| | | |||||
| * | remove the CONSTRAIN_IDENTITY messages and introduce a new | markus | 2002-06-15 | 1 | -14/+10 |
| | | | | | | ADD_ID message with contraints instead. contraints can be only added together with the private key. | ||||
| * | fix stupid typo | markus | 2002-06-15 | 1 | -2/+2 |
| | | |||||
| * | break agent key lifetime protocol and allow other contraints for key usage. | markus | 2002-06-15 | 1 | -2/+2 |
| | | |||||
| * | use convtime() to parse and validate key lifetime. can now | stevesk | 2002-06-10 | 1 | -3/+8 |
| | | | | | use '-t 2h' etc. ok markus@ provos@ | ||||
| * | ssh-add -t life, Set lifetime (in seconds) when adding identities; ok provos@ | markus | 2002-06-05 | 1 | -2/+20 |
| | | |||||
| * | add -x/-X to usage | markus | 2002-06-05 | 1 | -1/+3 |
| | | |||||
| * | ssh-add -x for lock and -X for unlocking the agent. | markus | 2002-06-05 | 1 | -2/+36 |
| | | | | | todo: encrypt private keys with locked... | ||||
| * | Add PIN-protection for secret key. |   rees | 2002-03-21 | 1 | -2/+8 |
| | | |||||
| * | ignore errors for nonexisting default keys in ssh-add, | markus | 2002-03-21 | 1 | -1/+9 |
| | | | | | fixes http://bugzilla.mindrot.org/show_bug.cgi?id=158 | ||||
| * | KNF whitespace | markus | 2002-03-19 | 1 | -3/+3 |
| | | |||||
| * | exit 2 if no agent, exit 1 if list fails; debian#61078; ok djm@ | markus | 2002-01-29 | 1 | -5/+9 |
| | | |||||
| * | try all listed keys.. how did this get broken? | deraadt | 2001-12-24 | 1 | -2/+2 |
| | | |||||
| * | Try all standard key files (id_rsa, id_dsa, identity) when invoked with | djm | 2001-12-21 | 1 | -19/+35 |
| | | | | | no arguments; ok markus@ | ||||
| * | basic KNF done while i was looking for something else | deraadt | 2001-12-19 | 1 | -9/+9 |
| | | |||||
 |
index : wireguard-openbsd | |
| WireGuard implementation for the OpenBSD kernel | Matt Dunwoodie |
| summaryrefslogtreecommitdiffstats |