summaryrefslogtreecommitdiffstats
path: root/usr.bin/ssh/ssh-keygen.c (follow)
Commit message (Collapse)AuthorAgeFilesLines
...
* Expand comment to document rationale for default key sizes.dtucker2019-03-251-3/+10
| | | | "seems worthwhile" deraadt.
* Increase the default RSA key size to 3072 bits. Based on the estimatesdtucker2019-03-251-3/+6
| | | | | | from NIST Special Publication 800-57, 3k bits provides security equivalent to 128 bits which is the smallest symmetric cipher we enable by default. ok markus@ deraadt@
* ssh-keygen -D pkcs11.so needs to initialize pkcs11 interactive,benno2019-02-101-2/+2
| | | | | so it can ask for the smartcards PIN. ok markus@
* allow auto-incrementing certificate serial number for certs signeddjm2019-01-231-5/+12
| | | | in a single commandline.
* move a bunch of global flag variables to main(); make the rest staticdjm2019-01-231-94/+82
|
* add -m to usage(); reminded by jmc@djm2019-01-221-3/+4
|
* when printing certificate contents "ssh-keygen -Lf /path/certificate",djm2018-10-191-3/+4
| | | | include the algorithm that the CA used to sign the cert.
* garbage-collect moribund ssh_new_private() API.djm2018-09-141-3/+3
|
* hold our collective noses and use the openssl-1.1.x API in OpenSSH;djm2018-09-131-16/+47
| | | | feedback and ok tb@ jsing@ markus@
* allow key revocation by SHA256 hash and allow ssh-keygen to create KRLsdjm2018-09-121-8/+67
| | | | using SHA256/base64 key fingerprints; ok markus@
* Use new private key format by default. This format is suported bydjm2018-08-081-3/+4
| | | | | | | | | | OpenSSH >= 6.5 (released January 2014), so it should be supported by most OpenSSH versions in active use. It is possible to convert new-format private keys to the older format using "ssh-keygen -f /path/key -pm PEM". ok deraadt dtucker
* replace cast with call to sshbuf_mutable_ptr(); ok djm@markus2018-07-091-2/+2
|
* switch config file parsing to getline(3) as this avoids static limitsmarkus2018-06-061-8/+17
| | | | noted by gerhard@; ok dtucker@, djm@
* whitespacedjm2018-06-011-2/+2
|
* return correct exit code when searching for and hashing known_hostsdjm2018-06-011-5/+4
| | | | | entries in a single operation (ssh-keygen -HF hostname); bz2772 Report and fix from Anton Kremenetsky
* add valid-before="[time]" authorized_keys option. A simple way ofdjm2018-03-121-39/+5
| | | | giving a key an expiry date. ok markus@
* Add experimental support for PQC XMSS keys (Extended Hash-Based Signatures)markus2018-02-231-4/+15
| | | | | | | The code is not compiled in by default (see WITH_XMSS in Makefile.inc) Joint work with stefan-lukas_gazdag at genua.eu See https://tools.ietf.org/html/draft-irtf-cfrg-xmss-hash-based-signatures-12 ok djm@
* Refuse to create a certificate with an unusable number of principals;djm2018-02-101-1/+3
| | | | Prompted by gdestuynder via github
* fatal if we're unable to write all the public key; previously wedjm2018-02-101-2/+3
| | | | | would silently ignore errors writing the comment and terminating newline. Prompted by github PR from WillerZ; ok dtucker
* Remove some #ifdef notyet code from OpenSSL 0.9.8 days.jsing2018-02-071-23/+1
| | | | | | | These functions have never appeared in OpenSSL and are likely never to do so. "kill it with fire" djm@
* pass negotiated signing algorithm though to sshkey_verify() anddjm2017-12-181-2/+2
| | | | | check that the negotiated algorithm matches the type in the signature (only matters for RSA SHA1/SHA2 sigs). ok markus@
* allow certificate validity intervals that specify only a start ordjm2017-11-031-4/+8
| | | | stop time (we already support specifying both or neither)
* When generating all hostkeys (ssh-keygen -A), clobber existing keysdjm2017-07-071-34/+72
| | | | | | if they exist but are zero length. zero-length keys could previously be made if ssh-keygen failed part way through generating them, so avoid that case too. bz#2561 reported by Krzysztof Cieplucha; ok dtucker@
* remove post-SSHv1 removal dead code from rsa.c and merge thedjm2017-07-011-3/+2
| | | | remaining bit that it still used into ssh-rsa.c; ok markus
* Allow ssh-keygen to use a key held in ssh-agent as a CA when signingdjm2017-06-281-9/+67
| | | | certificates. bz#2377 ok markus
* remove unused wrapper functions from key.[ch]; ok djm@markus2017-05-301-10/+10
|
* Refuse RSA keys <1024 bits in length. Improve reporting for keys thatdjm2017-05-071-8/+16
| | | | do not meet this requirement. ok markus@
* remove KEY_RSA1djm2017-04-301-22/+5
| | | | ok markus@
* unifdef WITH_SSH1djm2017-04-301-8/+1
| | | | ok markus@
* allow ssh-keygen to include arbitrary string or flag certificatedjm2017-04-291-2/+37
| | | | extensions and critical options. ok markus@ dtucker@
* ensure hostname is lower-case before hashing it; bz#2591 reported bydjm2017-03-101-1/+2
| | | | Griff Miller II; ok dtucker@
* Check l->hosts before dereferencing; fixes potential null pointer deref.dtucker2017-03-061-2/+2
| | | | ok djm@
* linenum is unsigned long so use %lu in log formats. ok deraadt@dtucker2017-03-061-6/+6
|
* fix ssh-keygen -H accidentally corrupting known_hosts that containeddjm2017-03-031-3/+3
| | | | | | already-hashed entries. HKF_MATCH_HOST_HASHED is only set by hostkeys_foreach() when hostname matching is in use, so we need to look for the hash marker explicitly.
* Do not show rsa1 key type in usage when compiled without SSH1 support.dtucker2017-02-171-3/+9
|
* Sanitise escape sequences in key comments sent to printf but preservedjm2017-02-101-4/+8
| | | | valid UTF-8 when the locale supports it; bz#2520 ok dtucker@
* Avoid printf %s NULL. From semarie@, OK djm@millert2017-02-081-2/+5
|
* Spaces->tabs.dtucker2016-09-121-3/+3
|
* Style whitespace fix. Also happens to remove a no-op diff with portable.dtucker2016-09-121-3/+2
|
* support SHA256 and SHA512 RSA signatures in certificates;djm2016-05-021-3/+9
| | | | ok markus@
* fix signed/unsigned errors reported by clang-3.7; adddjm2016-05-021-4/+4
| | | | | | sshbuf_dup_string() to replace a common idiom of strdup(sshbuf_ptr()) with better safety checking; feedback and ok markus@
* Add a function to enable security-related malloc_options. With and okdtucker2016-02-151-1/+2
| | | | deraadt@, something similar has been in the snaps for a while.
* use SSH_MAX_PUBKEY_BYTES consistently as buffer size when reading keydjm2015-12-111-3/+3
| | | | files. Increase it to match the size of the buffers already being used.
* Remove NULL-checks before sshkey_free().mmcc2015-12-111-3/+2
| | | | ok djm@
* implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth)markus2015-12-041-2/+2
| | | | | based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
* do not leak temp file if there is no known_hosts filederaadt2015-11-281-2/+5
| | | | from craig leres, ok djm
* allow comment change for all supported formatshalex2015-11-201-4/+6
| | | | ok djm@
* trailing whitespacedjm2015-11-191-4/+4
|
* move the certificate validity formatting code to sshkey.[ch]djm2015-11-191-44/+8
|
* fix "ssh-keygen -l" of private key, broken in support fordjm2015-11-181-4/+11
| | | | multiple plain keys on stdin
Copyright © 1996 – 2023 Jason A. Donenfeld. All Rights Reverse Engineered.