summaryrefslogtreecommitdiffstats
path: root/usr.bin/ssh/ssh-keygen.c (follow)
Commit message (Collapse)AuthorAgeFilesLines
...
* typo in error message; from Stephan Rickauerdjm2013-08-131-2/+2
|
* More useful error message on missing current user in /etc/passwddjm2013-07-201-2/+2
|
* do_print_resource_record() can never be called with a NULL filename, sodjm2013-07-121-2/+2
| | | | | don't attempt (and bungle) asking for one if it has not been specified bz#2127 ok dtucker@
* fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@djm2013-07-121-3/+4
|
* bye, bye xfree(); ok markus@djm2013-05-171-52/+52
|
* fix some memory leaks; bz#2088 ok dtucker@djm2013-04-191-1/+4
|
* append to moduli file when screening candidates rather than overwriting.djm2013-02-101-2/+2
| | | | | allows resumption of interrupted screen; patch from Christophe Garault in bz#1957; ok dtucker@
* -u before -V in usage();jmc2013-01-181-2/+2
|
* add support for Key Revocation Lists (KRLs). These are a compact way todjm2013-01-171-7/+250
| | | | | | | | represent lists of revoked keys and certificates, taking as little as a single bit of incremental cost to revoke a certificate by serial number. KRLs are loaded via the existing RevokedKeys sshd_config option. feedback and ok markus@
* correctly initialise fingerprint type for fingerprinting PKCS#11 keysdjm2013-01-091-1/+4
|
* allow fingerprinting of keys hosted in PKCS#11 tokens: ssh-keygen -lD ...djm2013-01-031-6/+21
| | | | ok markus@
* Fix compilation with -Wall -Werror (trivial type fixes)djm2012-12-031-2/+2
|
* allow the full range of unsigned serial numbers; 'fine' deraadt@djm2012-11-141-5/+7
|
* fix -z option, broken in revision 1.215djm2012-10-021-2/+2
|
* print details of which host lines were deleted when usingdjm2012-08-171-5/+17
| | | | "ssh-keygen -R host"; ok markus@
* missing full stop in usage();jmc2012-07-061-2/+2
|
* Add options to specify starting line number and number of lines to processdtucker2012-07-061-6/+16
| | | | | when screening moduli candidates. This allows processing of different parts of a candidate moduli file in parallel. man page help jmc@, ok djm@
* add support for RFC6594 SSHFP DNS records for ECDSA key types.djm2012-05-231-1/+3
| | | | patch from bugzilla-m67 AT nulld.me in bz#1978; ok + tweak markus@
* allow conversion of RSA1 keys to public PEM and PKCS8; "nice" markus@djm2012-02-291-5/+7
|
* put -K in the right place (usage());jmc2011-10-161-2/+2
|
* Add optional checkpoints for moduli screening. feedback & ok deraadtdtucker2011-10-161-4/+12
|
* certificate options are supposed to be packed in lexical order of optiondjm2011-04-181-4/+4
| | | | | name (though we don't actually enforce this at present). Move one up that was out of sequence
* fix -Wshadowdjm2011-04-121-10/+10
|
* use strcasecmp() for "clear" cert permission option also; ok djmstevesk2011-03-241-2/+2
|
* remove -d, documentation removed >10 years ago; ok markusstevesk2011-03-231-5/+2
|
* Add -A option. For each of the key types (rsa1, rsa, dsa and ecdsa)stevesk2011-03-231-28/+138
| | | | | | | | | for which host keys do not exist, generate the host keys with the default key file path, an empty passphrase, default bits for the key type, and default comment. This will be used by /etc/rc to generate new host keys. Idea from deraadt. ok deraadt
* some unsigned long long casts that make things a bit easier fordjm2011-01-111-4/+7
| | | | portable without resorting to dropping PRIu64 formats everywhere
* fix a possible NULL deref on loading a corrupt ECDH keydjm2010-10-281-3/+2
| | | | | | | store ECDH group information in private keys files as "named groups" rather than as a set of explicit group parameters (by setting the OPENSSL_EC_NAMED_CURVE flag). This makes for shorter key files and retrieves the group's OpenSSL NID that we need for various things.
* Switch ECDSA default key size to 256 bits, which according to RFC5656naddy2010-09-021-2/+2
| | | | | should still be better than our current RSA-2048 default. ok djm@, markus@
* permit -b 256, 384 or 521 as key size for ECDSA; ok djm@markus2010-09-021-2/+4
|
* reintroduce commit from tedu@, which I pulled out for release engineering:djm2010-08-311-2/+2
| | | | | OpenSSL_add_all_algorithms is the name of the function we have a man page for, so use that. ok djm
* Implement Elliptic Curve Cryptography modes for key exchange (ECDH) anddjm2010-08-311-4/+36
| | | | | | | | | | | | | | | | | host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys. Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656 is NOT implemented). Certificate host and user keys using the new ECDSA key types are supported. Note that this code has not been tested for interoperability and may be subject to change. feedback and ok markus@
* backout previous temporarily; discussed with deraadt@djm2010-08-161-2/+2
|
* OpenSSL_add_all_algorithms is the name of the function we have a man pagetedu2010-08-121-2/+2
| | | | for, so use that. ok djm
* Support CA keys in PKCS#11 tokens; feedback and ok markus@djm2010-08-041-10/+45
|
* tighten the rules for certificate encoding by requiring that optionsdjm2010-08-041-7/+7
| | | | appear in lexical order and make our ssh-keygen comply. ok markus@
* avoid bogus compiler warningdjm2010-07-161-2/+2
|
* sort usage();jmc2010-06-301-4/+4
|
* allow import (-i) and export (-e) of PEM and PKCS#8 encoded keys;djm2010-06-291-53/+228
| | | | bz#1749; ok markus@
* fix printing of extensions in v01 certificates that I broke in r1.190djm2010-06-231-50/+46
|
* standardise error messages when attempting to open private keydjm2010-06-221-65/+61
| | | | | files to include "progname: filename: error reason" bz#1783; ok dtucker@
* Move the permit-* options to the non-critical "extensions" field for v01djm2010-05-201-39/+55
| | | | | | | | certificates. The logic is that if another implementation fails to implement them then the connection just loses features rather than fails outright. ok markus@
* refuse to generate keys longer than OPENSSL_[RD]SA_MAX_MODULUS_BITS,djm2010-04-231-1/+8
| | | | since we would refuse to use them anyway. bz#1516; ok dtucker@
* bz#1740: display a more helpful error message when $HOME isdjm2010-04-231-8/+14
| | | | | inaccessible while trying to create .ssh directory. Based on patch from jchadima AT redhat.com; ok dtucker@
* tweak previous; ok djmjmc2010-04-161-2/+3
|
* revised certificate format ssh-{dss,rsa}-cert-v01@openssh.com with thedjm2010-04-161-89/+146
| | | | | | | | | | | | | | | | | | following changes: move the nonce field to the beginning of the certificate where it can better protect against chosen-prefix attacks on the signature hash Rename "constraints" field to "critical options" Add a new non-critical "extensions" field Add a serial number The older format is still support for authentication and cert generation (use "ssh-keygen -t v00 -s ca_key ..." to generate a v00 certificate) ok markus@
* also print certificate type (user or host) for ssh-keygen -Lstevesk2010-03-151-2/+3
| | | | ok djm kettenis
* make internal strptime string match strftime format;djm2010-03-071-5/+5
| | | | suggested by vinschen AT redhat.com and markus@
* "force-command" is not spelled "forced-command"; spotted bydjm2010-03-041-2/+2
| | | | imorgan AT nas.nasa.gov
* Add a -L flag to print the contents of a certificate; ok markus@djm2010-03-041-12/+103
|
Copyright © 1996 – 2023 Jason A. Donenfeld. All Rights Reverse Engineered.