summaryrefslogtreecommitdiffstats
path: root/usr.bin/ssh/ssh-keygen.c (follow)
Commit message (Collapse)AuthorAgeFilesLines
...
* Add optional checkpoints for moduli screening. feedback & ok deraadtdtucker2011-10-161-4/+12
|
* certificate options are supposed to be packed in lexical order of optiondjm2011-04-181-4/+4
| | | | | name (though we don't actually enforce this at present). Move one up that was out of sequence
* fix -Wshadowdjm2011-04-121-10/+10
|
* use strcasecmp() for "clear" cert permission option also; ok djmstevesk2011-03-241-2/+2
|
* remove -d, documentation removed >10 years ago; ok markusstevesk2011-03-231-5/+2
|
* Add -A option. For each of the key types (rsa1, rsa, dsa and ecdsa)stevesk2011-03-231-28/+138
| | | | | | | | | for which host keys do not exist, generate the host keys with the default key file path, an empty passphrase, default bits for the key type, and default comment. This will be used by /etc/rc to generate new host keys. Idea from deraadt. ok deraadt
* some unsigned long long casts that make things a bit easier fordjm2011-01-111-4/+7
| | | | portable without resorting to dropping PRIu64 formats everywhere
* fix a possible NULL deref on loading a corrupt ECDH keydjm2010-10-281-3/+2
| | | | | | | store ECDH group information in private keys files as "named groups" rather than as a set of explicit group parameters (by setting the OPENSSL_EC_NAMED_CURVE flag). This makes for shorter key files and retrieves the group's OpenSSL NID that we need for various things.
* Switch ECDSA default key size to 256 bits, which according to RFC5656naddy2010-09-021-2/+2
| | | | | should still be better than our current RSA-2048 default. ok djm@, markus@
* permit -b 256, 384 or 521 as key size for ECDSA; ok djm@markus2010-09-021-2/+4
|
* reintroduce commit from tedu@, which I pulled out for release engineering:djm2010-08-311-2/+2
| | | | | OpenSSL_add_all_algorithms is the name of the function we have a man page for, so use that. ok djm
* Implement Elliptic Curve Cryptography modes for key exchange (ECDH) anddjm2010-08-311-4/+36
| | | | | | | | | | | | | | | | | host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys. Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656 is NOT implemented). Certificate host and user keys using the new ECDSA key types are supported. Note that this code has not been tested for interoperability and may be subject to change. feedback and ok markus@
* backout previous temporarily; discussed with deraadt@djm2010-08-161-2/+2
|
* OpenSSL_add_all_algorithms is the name of the function we have a man pagetedu2010-08-121-2/+2
| | | | for, so use that. ok djm
* Support CA keys in PKCS#11 tokens; feedback and ok markus@djm2010-08-041-10/+45
|
* tighten the rules for certificate encoding by requiring that optionsdjm2010-08-041-7/+7
| | | | appear in lexical order and make our ssh-keygen comply. ok markus@
* avoid bogus compiler warningdjm2010-07-161-2/+2
|
* sort usage();jmc2010-06-301-4/+4
|
* allow import (-i) and export (-e) of PEM and PKCS#8 encoded keys;djm2010-06-291-53/+228
| | | | bz#1749; ok markus@
* fix printing of extensions in v01 certificates that I broke in r1.190djm2010-06-231-50/+46
|
* standardise error messages when attempting to open private keydjm2010-06-221-65/+61
| | | | | files to include "progname: filename: error reason" bz#1783; ok dtucker@
* Move the permit-* options to the non-critical "extensions" field for v01djm2010-05-201-39/+55
| | | | | | | | certificates. The logic is that if another implementation fails to implement them then the connection just loses features rather than fails outright. ok markus@
* refuse to generate keys longer than OPENSSL_[RD]SA_MAX_MODULUS_BITS,djm2010-04-231-1/+8
| | | | since we would refuse to use them anyway. bz#1516; ok dtucker@
* bz#1740: display a more helpful error message when $HOME isdjm2010-04-231-8/+14
| | | | | inaccessible while trying to create .ssh directory. Based on patch from jchadima AT redhat.com; ok dtucker@
* tweak previous; ok djmjmc2010-04-161-2/+3
|
* revised certificate format ssh-{dss,rsa}-cert-v01@openssh.com with thedjm2010-04-161-89/+146
| | | | | | | | | | | | | | | | | | following changes: move the nonce field to the beginning of the certificate where it can better protect against chosen-prefix attacks on the signature hash Rename "constraints" field to "critical options" Add a new non-critical "extensions" field Add a serial number The older format is still support for authentication and cert generation (use "ssh-keygen -t v00 -s ca_key ..." to generate a v00 certificate) ok markus@
* also print certificate type (user or host) for ssh-keygen -Lstevesk2010-03-151-2/+3
| | | | ok djm kettenis
* make internal strptime string match strftime format;djm2010-03-071-5/+5
| | | | suggested by vinschen AT redhat.com and markus@
* "force-command" is not spelled "forced-command"; spotted bydjm2010-03-041-2/+2
| | | | imorgan AT nas.nasa.gov
* Add a -L flag to print the contents of a certificate; ok markus@djm2010-03-041-12/+103
|
* Add a TrustedUserCAKeys option to sshd_config to specify CA keys thatdjm2010-03-041-2/+2
| | | | | | | | | | | are trusted to authenticate users (in addition than doing it per-user in authorized_keys). Add a RevokedKeys option to sshd_config and a @revoked marker to known_hosts to allow keys to me revoked and banned for user or host authentication. feedback and ok markus@
* POSIX strptime is stricter than OpenBSD's so do a little dance todjm2010-03-021-4/+20
| | | | appease it.
* Add support for certificate key types for users and hosts.djm2010-02-261-29/+404
| | | | | | | | | | | | | | | | | | | | | | | | OpenSSH certificate key types are not X.509 certificates, but a much simpler format that encodes a public key, identity information and some validity constraints and signs it with a CA key. CA keys are regular SSH keys. This certificate style avoids the attack surface of X.509 certificates and is very easy to deploy. Certified host keys allow automatic acceptance of new host keys when a CA certificate is marked as trusted in ~/.ssh/known_hosts. see VERIFYING HOST KEYS in ssh(1) for details. Certified user keys allow authentication of users when the signing CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS FILE FORMAT" in sshd(8) for details. Certificates are minted using ssh-keygen(1), documentation is in the "CERTIFICATES" section of that manpage. Documentation on the format of certificates is in the file PROTOCOL.certkeys feedback and ok markus@
* fix -Walldjm2010-02-091-2/+2
|
* replace our obsolete smartcard code with PKCS#11.markus2010-02-081-60/+24
| | | | | | | | | ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-11/v2-20/pkcs-11v2-20.pdf ssh(1) and ssh-keygen(1) use dlopen(3) directly to talk to a PKCS#11 provider (shared library) while ssh-agent(1) delegates PKCS#11 to a forked a ssh-pkcs11-helper process. PKCS#11 is currently a compile time option. feedback and ok djm@; inspired by patches from Alon Bar-Lev
* when converting keys, truncate key comments at 72 chars as per RFC4716;djm2010-01-111-4/+8
| | | | bz#1630 reported by tj AT castaglia.org; ok markus@
* force use of correct hash function for random-art signature displaydjm2009-08-271-4/+4
| | | | | | as it was inheriting the wrong one when bubblebabble signatures were activated; bz#1611 report and patch from fwojcik+openssh AT besh.com; ok markus@
* alphabetize includes; reduces diff vs portable and style(9). ok stevesk djmdtucker2009-06-221-2/+2
|
* Added missing newlines in error messages.tobias2009-02-211-8/+8
| | | | ok dtucker
* spelling/typo in commentstevesk2008-11-071-2/+2
|
* Change "ssh-keygen -F [host] -l" to not display random art unlesssthen2008-07-131-3/+5
| | | | | | | -v is also specified, making it consistent with the manual and other uses of -l. ok grunk@
* make ssh-keygen -lf show the key type just as ssh-add -l would do itgrunk2008-06-121-5/+7
| | | | ok djm@ markus@
* ssh-keygen would write fingerprints to STDOUT, and random art to STDERR,grunk2008-06-111-4/+7
| | | | | | | that is not how it was envisioned. Also correct manpage saying that -v is needed along with -l for it to work. spotted by naddy@
* ssh-keygen -lv -f /etc/ssh/ssh_host_rsa_key.pubgrunk2008-06-111-3/+3
| | | | would not display you the random art as intended, spotted by canacar@
* Introduce SSH Fingerprint ASCII Visualization, a technique inspired by thegrunk2008-06-111-4/+17
| | | | | | | | | | | | | | | | | | | | | | | graphical hash visualization schemes known as "random art", and by Dan Kaminsky's musings on the subject during a BlackOp talk at the 23C3 in Berlin. Scientific publication (original paper): "Hash Visualization: a New Technique to improve Real-World Security", Perrig A. and Song D., 1999, International Workshop on Cryptographic Techniques and E-Commerce (CrypTEC '99) http://sparrow.ece.cmu.edu/~adrian/projects/validation/validation.pdf The algorithm used here is a worm crawling over a discrete plane, leaving a trace (augmenting the field) everywhere it goes. Movement is taken from dgst_raw 2bit-wise. Bumping into walls makes the respective movement vector be ignored for this turn, thus switching to the other color of the chessboard. Graphs are not unambiguous for now, because circles in graphs can be walked in either direction. discussions with several people, help, corrections and ok markus@ djm@
* support -l (print fingerprint) in combination with -F (find host) todjm2008-05-191-7/+23
| | | | | search for a host in ~/.ssh/known_hosts and display its fingerprint; ok markus@
* unbreak line numbering (broken in revision 1.164), fix error messagedjm2008-01-191-6/+7
|
* when hashing individual hosts (ssh-keygen -Hf hostname), make sure wedjm2008-01-191-3/+4
| | | | | | hash just the specified hostname and not the entire hostspec from the keyfile. It may be of the form "hostname,ipaddr", which would lead to a hash that never matches. report and fix from jp AT devnull.cz
* handles zero-sized strings that fgets can returnchl2007-10-021-9/+7
| | | | | | | | properly removes trailing newline removes an unused variable correctly counts line number "looks ok" ray@ markus@
* use strcspn to properly overwrite '\n' in fgets returned buffergilles2007-09-111-5/+3
| | | | ok pyr@, ray@, millert@, moritz@, chl@
Copyright © 1996 – 2023 Jason A. Donenfeld. All Rights Reverse Engineered.