summaryrefslogtreecommitdiffstats
path: root/usr.bin/ssh/ssh-keygen.c (follow)
Commit message (Collapse)AuthorAgeFilesLines
...
* bye, bye xfree(); ok markus@djm2013-05-171-52/+52
|
* fix some memory leaks; bz#2088 ok dtucker@djm2013-04-191-1/+4
|
* append to moduli file when screening candidates rather than overwriting.djm2013-02-101-2/+2
| | | | | allows resumption of interrupted screen; patch from Christophe Garault in bz#1957; ok dtucker@
* -u before -V in usage();jmc2013-01-181-2/+2
|
* add support for Key Revocation Lists (KRLs). These are a compact way todjm2013-01-171-7/+250
| | | | | | | | represent lists of revoked keys and certificates, taking as little as a single bit of incremental cost to revoke a certificate by serial number. KRLs are loaded via the existing RevokedKeys sshd_config option. feedback and ok markus@
* correctly initialise fingerprint type for fingerprinting PKCS#11 keysdjm2013-01-091-1/+4
|
* allow fingerprinting of keys hosted in PKCS#11 tokens: ssh-keygen -lD ...djm2013-01-031-6/+21
| | | | ok markus@
* Fix compilation with -Wall -Werror (trivial type fixes)djm2012-12-031-2/+2
|
* allow the full range of unsigned serial numbers; 'fine' deraadt@djm2012-11-141-5/+7
|
* fix -z option, broken in revision 1.215djm2012-10-021-2/+2
|
* print details of which host lines were deleted when usingdjm2012-08-171-5/+17
| | | | "ssh-keygen -R host"; ok markus@
* missing full stop in usage();jmc2012-07-061-2/+2
|
* Add options to specify starting line number and number of lines to processdtucker2012-07-061-6/+16
| | | | | when screening moduli candidates. This allows processing of different parts of a candidate moduli file in parallel. man page help jmc@, ok djm@
* add support for RFC6594 SSHFP DNS records for ECDSA key types.djm2012-05-231-1/+3
| | | | patch from bugzilla-m67 AT nulld.me in bz#1978; ok + tweak markus@
* allow conversion of RSA1 keys to public PEM and PKCS8; "nice" markus@djm2012-02-291-5/+7
|
* put -K in the right place (usage());jmc2011-10-161-2/+2
|
* Add optional checkpoints for moduli screening. feedback & ok deraadtdtucker2011-10-161-4/+12
|
* certificate options are supposed to be packed in lexical order of optiondjm2011-04-181-4/+4
| | | | | name (though we don't actually enforce this at present). Move one up that was out of sequence
* fix -Wshadowdjm2011-04-121-10/+10
|
* use strcasecmp() for "clear" cert permission option also; ok djmstevesk2011-03-241-2/+2
|
* remove -d, documentation removed >10 years ago; ok markusstevesk2011-03-231-5/+2
|
* Add -A option. For each of the key types (rsa1, rsa, dsa and ecdsa)stevesk2011-03-231-28/+138
| | | | | | | | | for which host keys do not exist, generate the host keys with the default key file path, an empty passphrase, default bits for the key type, and default comment. This will be used by /etc/rc to generate new host keys. Idea from deraadt. ok deraadt
* some unsigned long long casts that make things a bit easier fordjm2011-01-111-4/+7
| | | | portable without resorting to dropping PRIu64 formats everywhere
* fix a possible NULL deref on loading a corrupt ECDH keydjm2010-10-281-3/+2
| | | | | | | store ECDH group information in private keys files as "named groups" rather than as a set of explicit group parameters (by setting the OPENSSL_EC_NAMED_CURVE flag). This makes for shorter key files and retrieves the group's OpenSSL NID that we need for various things.
* Switch ECDSA default key size to 256 bits, which according to RFC5656naddy2010-09-021-2/+2
| | | | | should still be better than our current RSA-2048 default. ok djm@, markus@
* permit -b 256, 384 or 521 as key size for ECDSA; ok djm@markus2010-09-021-2/+4
|
* reintroduce commit from tedu@, which I pulled out for release engineering:djm2010-08-311-2/+2
| | | | | OpenSSL_add_all_algorithms is the name of the function we have a man page for, so use that. ok djm
* Implement Elliptic Curve Cryptography modes for key exchange (ECDH) anddjm2010-08-311-4/+36
| | | | | | | | | | | | | | | | | host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys. Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656 is NOT implemented). Certificate host and user keys using the new ECDSA key types are supported. Note that this code has not been tested for interoperability and may be subject to change. feedback and ok markus@
* backout previous temporarily; discussed with deraadt@djm2010-08-161-2/+2
|
* OpenSSL_add_all_algorithms is the name of the function we have a man pagetedu2010-08-121-2/+2
| | | | for, so use that. ok djm
* Support CA keys in PKCS#11 tokens; feedback and ok markus@djm2010-08-041-10/+45
|
* tighten the rules for certificate encoding by requiring that optionsdjm2010-08-041-7/+7
| | | | appear in lexical order and make our ssh-keygen comply. ok markus@
* avoid bogus compiler warningdjm2010-07-161-2/+2
|
* sort usage();jmc2010-06-301-4/+4
|
* allow import (-i) and export (-e) of PEM and PKCS#8 encoded keys;djm2010-06-291-53/+228
| | | | bz#1749; ok markus@
* fix printing of extensions in v01 certificates that I broke in r1.190djm2010-06-231-50/+46
|
* standardise error messages when attempting to open private keydjm2010-06-221-65/+61
| | | | | files to include "progname: filename: error reason" bz#1783; ok dtucker@
* Move the permit-* options to the non-critical "extensions" field for v01djm2010-05-201-39/+55
| | | | | | | | certificates. The logic is that if another implementation fails to implement them then the connection just loses features rather than fails outright. ok markus@
* refuse to generate keys longer than OPENSSL_[RD]SA_MAX_MODULUS_BITS,djm2010-04-231-1/+8
| | | | since we would refuse to use them anyway. bz#1516; ok dtucker@
* bz#1740: display a more helpful error message when $HOME isdjm2010-04-231-8/+14
| | | | | inaccessible while trying to create .ssh directory. Based on patch from jchadima AT redhat.com; ok dtucker@
* tweak previous; ok djmjmc2010-04-161-2/+3
|
* revised certificate format ssh-{dss,rsa}-cert-v01@openssh.com with thedjm2010-04-161-89/+146
| | | | | | | | | | | | | | | | | | following changes: move the nonce field to the beginning of the certificate where it can better protect against chosen-prefix attacks on the signature hash Rename "constraints" field to "critical options" Add a new non-critical "extensions" field Add a serial number The older format is still support for authentication and cert generation (use "ssh-keygen -t v00 -s ca_key ..." to generate a v00 certificate) ok markus@
* also print certificate type (user or host) for ssh-keygen -Lstevesk2010-03-151-2/+3
| | | | ok djm kettenis
* make internal strptime string match strftime format;djm2010-03-071-5/+5
| | | | suggested by vinschen AT redhat.com and markus@
* "force-command" is not spelled "forced-command"; spotted bydjm2010-03-041-2/+2
| | | | imorgan AT nas.nasa.gov
* Add a -L flag to print the contents of a certificate; ok markus@djm2010-03-041-12/+103
|
* Add a TrustedUserCAKeys option to sshd_config to specify CA keys thatdjm2010-03-041-2/+2
| | | | | | | | | | | are trusted to authenticate users (in addition than doing it per-user in authorized_keys). Add a RevokedKeys option to sshd_config and a @revoked marker to known_hosts to allow keys to me revoked and banned for user or host authentication. feedback and ok markus@
* POSIX strptime is stricter than OpenBSD's so do a little dance todjm2010-03-021-4/+20
| | | | appease it.
* Add support for certificate key types for users and hosts.djm2010-02-261-29/+404
| | | | | | | | | | | | | | | | | | | | | | | | OpenSSH certificate key types are not X.509 certificates, but a much simpler format that encodes a public key, identity information and some validity constraints and signs it with a CA key. CA keys are regular SSH keys. This certificate style avoids the attack surface of X.509 certificates and is very easy to deploy. Certified host keys allow automatic acceptance of new host keys when a CA certificate is marked as trusted in ~/.ssh/known_hosts. see VERIFYING HOST KEYS in ssh(1) for details. Certified user keys allow authentication of users when the signing CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS FILE FORMAT" in sshd(8) for details. Certificates are minted using ssh-keygen(1), documentation is in the "CERTIFICATES" section of that manpage. Documentation on the format of certificates is in the file PROTOCOL.certkeys feedback and ok markus@
* fix -Walldjm2010-02-091-2/+2
|
Copyright © 1996 – 2023 Jason A. Donenfeld. All Rights Reverse Engineered.