-rw-r--r--  ChangeLog      |  4
-rw-r--r--  ssh-add.1      |  9
-rw-r--r--  ssh-agent.1    | 11
-rw-r--r--  ssh-keygen.1   | 26
-rw-r--r--  ssh-keyscan.1  |  7
-rw-r--r--  ssh-keysign.8  |  6
-rw-r--r--  ssh.1          | 20
-rw-r--r--  ssh_config.5   | 10
-rw-r--r--  sshd.8         | 16
-rw-r--r--  sshd_config.5  | 10
10 files changed, 79 insertions, 40 deletions
diff --git a/ChangeLog b/ChangeLog
index 351bd0386..c162b7f5c 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -3,6 +3,10 @@
- djm@cvs.openbsd.org 2013/12/07 08:08:26
[ssh-keygen.1]
document -a and -o wrt new key format
+ - naddy@cvs.openbsd.org 2013/12/07 11:58:46
+ [ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh-keysign.8 ssh.1]
+ [ssh_config.5 sshd.8 sshd_config.5]
+ add missing mentions of ed25519; ok djm@
20131208
- (djm) [openbsd-compat/bsd-setres_id.c] Missing header; from Corinna
diff --git a/ssh-add.1 b/ssh-add.1
index 44846b67e..4812448fa 100644
--- a/ssh-add.1
+++ b/ssh-add.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ssh-add.1,v 1.58 2012/12/03 08:33:02 jmc Exp $
+.\" $OpenBSD: ssh-add.1,v 1.59 2013/12/07 11:58:46 naddy Exp $
.\"
.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -35,7 +35,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd $Mdocdate: December 3 2012 $
+.Dd $Mdocdate: December 7 2013 $
.Dt SSH-ADD 1
.Os
.Sh NAME
@@ -57,7 +57,8 @@ adds private key identities to the authentication agent,
When run without arguments, it adds the files
.Pa ~/.ssh/id_rsa ,
.Pa ~/.ssh/id_dsa ,
-.Pa ~/.ssh/id_ecdsa
+.Pa ~/.ssh/id_ecdsa ,
+.Pa ~/.ssh/id_ed25519
and
.Pa ~/.ssh/identity .
After loading a private key,
@@ -169,6 +170,8 @@ Contains the protocol version 1 RSA authentication identity of the user.
Contains the protocol version 2 DSA authentication identity of the user.
.It Pa ~/.ssh/id_ecdsa
Contains the protocol version 2 ECDSA authentication identity of the user.
+.It Pa ~/.ssh/id_ed25519
+Contains the protocol version 2 ED25519 authentication identity of the user.
.It Pa ~/.ssh/id_rsa
Contains the protocol version 2 RSA authentication identity of the user.
.El
diff --git a/ssh-agent.1 b/ssh-agent.1
index bb801c902..281ecbdcf 100644
--- a/ssh-agent.1
+++ b/ssh-agent.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ssh-agent.1,v 1.53 2010/11/21 01:01:13 djm Exp $
+.\" $OpenBSD: ssh-agent.1,v 1.54 2013/12/07 11:58:46 naddy Exp $
.\"
.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -34,7 +34,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd $Mdocdate: November 21 2010 $
+.Dd $Mdocdate: December 7 2013 $
.Dt SSH-AGENT 1
.Os
.Sh NAME
@@ -53,7 +53,7 @@
.Sh DESCRIPTION
.Nm
is a program to hold private keys used for public key authentication
-(RSA, DSA, ECDSA).
+(RSA, DSA, ECDSA, ED25519).
The idea is that
.Nm
is started in the beginning of an X-session or a login session, and
@@ -115,7 +115,8 @@ When executed without arguments,
adds the files
.Pa ~/.ssh/id_rsa ,
.Pa ~/.ssh/id_dsa ,
-.Pa ~/.ssh/id_ecdsa
+.Pa ~/.ssh/id_ecdsa ,
+.Pa ~/.ssh/id_ed25519
and
.Pa ~/.ssh/identity .
If the identity has a passphrase,
@@ -190,6 +191,8 @@ Contains the protocol version 1 RSA authentication identity of the user.
Contains the protocol version 2 DSA authentication identity of the user.
.It Pa ~/.ssh/id_ecdsa
Contains the protocol version 2 ECDSA authentication identity of the user.
+.It Pa ~/.ssh/id_ed25519
+Contains the protocol version 2 ED25519 authentication identity of the user.
.It Pa ~/.ssh/id_rsa
Contains the protocol version 2 RSA authentication identity of the user.
.It Pa $TMPDIR/ssh-XXXXXXXXXX/agent.\*(Ltppid\*(Gt
diff --git a/ssh-keygen.1 b/ssh-keygen.1
index 689db22ff..09e401bf8 100644
--- a/ssh-keygen.1
+++ b/ssh-keygen.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ssh-keygen.1,v 1.117 2013/12/07 08:08:26 djm Exp $
+.\" $OpenBSD: ssh-keygen.1,v 1.118 2013/12/07 11:58:46 naddy Exp $
.\"
.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -139,8 +139,8 @@
generates, manages and converts authentication keys for
.Xr ssh 1 .
.Nm
-can create RSA keys for use by SSH protocol version 1 and DSA, ECDSA or RSA
-keys for use by SSH protocol version 2.
+can create RSA keys for use by SSH protocol version 1 and
+DSA, ECDSA, ED25519 or RSA keys for use by SSH protocol version 2.
The type of key to be generated is specified with the
.Fl t
option.
@@ -167,8 +167,9 @@ Normally each user wishing to use SSH
with public key authentication runs this once to create the authentication
key in
.Pa ~/.ssh/identity ,
+.Pa ~/.ssh/id_dsa ,
.Pa ~/.ssh/id_ecdsa ,
-.Pa ~/.ssh/id_dsa
+.Pa ~/.ssh/id_ed25519
or
.Pa ~/.ssh/id_rsa .
Additionally, the system administrator may use this to generate host keys,
@@ -216,7 +217,8 @@ should be placed to be activated.
The options are as follows:
.Bl -tag -width Ds
.It Fl A
-For each of the key types (rsa1, rsa, dsa and ecdsa) for which host keys
+For each of the key types (rsa1, rsa, dsa, ecdsa and ed25519)
+for which host keys
do not exist, generate the host keys with the default key file path,
an empty passphrase, default bits for the key type, and default comment.
This is used by
@@ -249,6 +251,9 @@ flag determines the key length by selecting from one of three elliptic
curve sizes: 256, 384 or 521 bits.
Attempting to use bit lengths other than these three values for ECDSA keys
will fail.
+ED25519 keys have a fixed length and the
+.Fl b
+flag will be ignored.
.It Fl C Ar comment
Provides a new comment.
.It Fl c
@@ -515,7 +520,8 @@ The possible values are
.Dq rsa1
for protocol version 1 and
.Dq dsa ,
-.Dq ecdsa
+.Dq ecdsa ,
+.Dq ed25519 ,
or
.Dq rsa
for protocol version 2.
@@ -795,8 +801,10 @@ There is no need to keep the contents of this file secret.
.Pp
.It Pa ~/.ssh/id_dsa
.It Pa ~/.ssh/id_ecdsa
+.It Pa ~/.ssh/id_ed25519
.It Pa ~/.ssh/id_rsa
-Contains the protocol version 2 DSA, ECDSA or RSA authentication identity of the user.
+Contains the protocol version 2 DSA, ECDSA, ED25519 or RSA
+authentication identity of the user.
This file should not be readable by anyone but the user.
It is possible to
specify a passphrase when generating the key; that passphrase will be
@@ -809,8 +817,10 @@ will read this file when a login attempt is made.
.Pp
.It Pa ~/.ssh/id_dsa.pub
.It Pa ~/.ssh/id_ecdsa.pub
+.It Pa ~/.ssh/id_ed25519.pub
.It Pa ~/.ssh/id_rsa.pub
-Contains the protocol version 2 DSA, ECDSA or RSA public key for authentication.
+Contains the protocol version 2 DSA, ECDSA, ED25519 or RSA
+public key for authentication.
The contents of this file should be added to
.Pa ~/.ssh/authorized_keys
on all machines
diff --git a/ssh-keyscan.1 b/ssh-keyscan.1
index 79dd6aa1c..65ef43efd 100644
--- a/ssh-keyscan.1
+++ b/ssh-keyscan.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ssh-keyscan.1,v 1.32 2013/12/06 13:39:49 markus Exp $
+.\" $OpenBSD: ssh-keyscan.1,v 1.33 2013/12/07 11:58:46 naddy Exp $
.\"
.\" Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>.
.\"
@@ -6,7 +6,7 @@
.\" permitted provided that due credit is given to the author and the
.\" OpenBSD project by leaving this copyright notice intact.
.\"
-.Dd $Mdocdate: December 6 2013 $
+.Dd $Mdocdate: December 7 2013 $
.Dt SSH-KEYSCAN 1
.Os
.Sh NAME
@@ -89,7 +89,8 @@ The possible values are
.Dq rsa1
for protocol version 1 and
.Dq dsa ,
-.Dq ecdsa
+.Dq ecdsa ,
+.Dq ed25519 ,
or
.Dq rsa
for protocol version 2.
diff --git a/ssh-keysign.8 b/ssh-keysign.8
index 5e0b2d232..69d082954 100644
--- a/ssh-keysign.8
+++ b/ssh-keysign.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ssh-keysign.8,v 1.13 2013/07/16 00:07:52 schwarze Exp $
+.\" $OpenBSD: ssh-keysign.8,v 1.14 2013/12/07 11:58:46 naddy Exp $
.\"
.\" Copyright (c) 2002 Markus Friedl. All rights reserved.
.\"
@@ -22,7 +22,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd $Mdocdate: July 16 2013 $
+.Dd $Mdocdate: December 7 2013 $
.Dt SSH-KEYSIGN 8
.Os
.Sh NAME
@@ -63,6 +63,7 @@ is enabled.
.Pp
.It Pa /etc/ssh/ssh_host_dsa_key
.It Pa /etc/ssh/ssh_host_ecdsa_key
+.It Pa /etc/ssh/ssh_host_ed25519_key
.It Pa /etc/ssh/ssh_host_rsa_key
These files contain the private parts of the host keys used to
generate the digital signature.
@@ -74,6 +75,7 @@ must be set-uid root if host-based authentication is used.
.Pp
.It Pa /etc/ssh/ssh_host_dsa_key-cert.pub
.It Pa /etc/ssh/ssh_host_ecdsa_key-cert.pub
+.It Pa /etc/ssh/ssh_host_ed25519_key-cert.pub
.It Pa /etc/ssh/ssh_host_rsa_key-cert.pub
If these files exist they are assumed to contain public certificate
information corresponding with the private keys above.
diff --git a/ssh.1 b/ssh.1
index fc56997f4..27794e2d0 100644
--- a/ssh.1
+++ b/ssh.1
@@ -33,8 +33,8 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: ssh.1,v 1.342 2013/11/26 12:14:54 jmc Exp $
-.Dd $Mdocdate: November 26 2013 $
+.\" $OpenBSD: ssh.1,v 1.343 2013/12/07 11:58:46 naddy Exp $
+.Dd $Mdocdate: December 7 2013 $
.Dt SSH 1
.Os
.Sh NAME
@@ -279,7 +279,8 @@ The default is
.Pa ~/.ssh/identity
for protocol version 1, and
.Pa ~/.ssh/id_dsa ,
-.Pa ~/.ssh/id_ecdsa
+.Pa ~/.ssh/id_ecdsa ,
+.Pa ~/.ssh/id_ed25519
and
.Pa ~/.ssh/id_rsa
for protocol version 2.
@@ -757,7 +758,7 @@ key pair for authentication purposes.
The server knows the public key, and only the user knows the private key.
.Nm
implements public key authentication protocol automatically,
-using one of the DSA, ECDSA or RSA algorithms.
+using one of the DSA, ECDSA, ED25519 or RSA algorithms.
Protocol 1 is restricted to using only RSA keys,
but protocol 2 may use any.
The HISTORY section of
@@ -784,6 +785,8 @@ This stores the private key in
(protocol 2 DSA),
.Pa ~/.ssh/id_ecdsa
(protocol 2 ECDSA),
+.Pa ~/.ssh/id_ed25519
+(protocol 2 ED25519),
or
.Pa ~/.ssh/id_rsa
(protocol 2 RSA)
@@ -794,6 +797,8 @@ and stores the public key in
(protocol 2 DSA),
.Pa ~/.ssh/id_ecdsa.pub
(protocol 2 ECDSA),
+.Pa ~/.ssh/id_ed25519.pub
+(protocol 2 ED25519),
or
.Pa ~/.ssh/id_rsa.pub
(protocol 2 RSA)
@@ -1333,8 +1338,8 @@ secret, but the recommended permissions are read/write/execute for the user,
and not accessible by others.
.Pp
.It Pa ~/.ssh/authorized_keys
-Lists the public keys (DSA/ECDSA/RSA) that can be used for logging in as
-this user.
+Lists the public keys (DSA, ECDSA, ED25519, RSA)
+that can be used for logging in as this user.
The format of this file is described in the
.Xr sshd 8
manual page.
@@ -1356,6 +1361,7 @@ above.
.It Pa ~/.ssh/identity
.It Pa ~/.ssh/id_dsa
.It Pa ~/.ssh/id_ecdsa
+.It Pa ~/.ssh/id_ed25519
.It Pa ~/.ssh/id_rsa
Contains the private key for authentication.
These files
@@ -1370,6 +1376,7 @@ sensitive part of this file using 3DES.
.It Pa ~/.ssh/identity.pub
.It Pa ~/.ssh/id_dsa.pub
.It Pa ~/.ssh/id_ecdsa.pub
+.It Pa ~/.ssh/id_ed25519.pub
.It Pa ~/.ssh/id_rsa.pub
Contains the public key for authentication.
These files are not
@@ -1409,6 +1416,7 @@ The file format and configuration options are described in
.It Pa /etc/ssh/ssh_host_key
.It Pa /etc/ssh/ssh_host_dsa_key
.It Pa /etc/ssh/ssh_host_ecdsa_key
+.It Pa /etc/ssh/ssh_host_ed25519_key
.It Pa /etc/ssh/ssh_host_rsa_key
These files contain the private parts of the host keys
and are used for host-based authentication.
diff --git a/ssh_config.5 b/ssh_config.5
index 43455342a..7b2fdacbb 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -33,8 +33,8 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: ssh_config.5,v 1.182 2013/12/06 13:39:49 markus Exp $
-.Dd $Mdocdate: December 6 2013 $
+.\" $OpenBSD: ssh_config.5,v 1.183 2013/12/07 11:58:46 naddy Exp $
+.Dd $Mdocdate: December 7 2013 $
.Dt SSH_CONFIG 5
.Os
.Sh NAME
@@ -718,6 +718,7 @@ The default for this option is:
ecdsa-sha2-nistp256-cert-v01@openssh.com,
ecdsa-sha2-nistp384-cert-v01@openssh.com,
ecdsa-sha2-nistp521-cert-v01@openssh.com,
+ssh-ed25519-cert-v01@openssh.com,
ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,
ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,
ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
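Review bot: this hunk adds only the certificate form, `ssh-ed25519-cert-v01@openssh.com`, to the HostKeyAlgorithms default, and the rest of the list is cut off after the plain `ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,` context line; please confirm that the plain `ssh-ed25519` entry is present in the non-certificate part of that default further down, otherwise the documented default would advertise ed25519 host certificates but not bare ed25519 host keys. The placement is otherwise consistent with the existing order, which lists the certificate algorithms before the plain ones.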
@@ -763,13 +764,14 @@ offers many different identities.
The default is
.Dq no .
.It Cm IdentityFile
-Specifies a file from which the user's DSA, ECDSA or RSA authentication
+Specifies a file from which the user's DSA, ECDSA, ED25519 or RSA authentication
identity is read.
The default is
.Pa ~/.ssh/identity
for protocol version 1, and
.Pa ~/.ssh/id_dsa ,
-.Pa ~/.ssh/id_ecdsa
+.Pa ~/.ssh/id_ecdsa ,
+.Pa ~/.ssh/id_ed25519
and
.Pa ~/.ssh/id_rsa
for protocol version 2.
diff --git a/sshd.8 b/sshd.8
index 62615bf6d..e6a900b06 100644
--- a/sshd.8
+++ b/sshd.8
@@ -33,8 +33,8 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: sshd.8,v 1.272 2013/12/06 15:29:07 jmc Exp $
-.Dd $Mdocdate: December 6 2013 $
+.\" $OpenBSD: sshd.8,v 1.273 2013/12/07 11:58:46 naddy Exp $
+.Dd $Mdocdate: December 7 2013 $
.Dt SSHD 8
.Os
.Sh NAME
@@ -175,7 +175,8 @@ The default is
.Pa /etc/ssh/ssh_host_key
for protocol version 1, and
.Pa /etc/ssh/ssh_host_dsa_key ,
-.Pa /etc/ssh/ssh_host_ecdsa_key
+.Pa /etc/ssh/ssh_host_ecdsa_key .
+.Pa /etc/ssh/ssh_host_ed25519_key
and
.Pa /etc/ssh/ssh_host_rsa_key
for protocol version 2.
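Review bot: the added line `.Pa /etc/ssh/ssh_host_ecdsa_key .` uses a trailing period where a comma is needed; mdoc treats the lone `.` as sentence punctuation, so the rendered text will read "ssh_host_ecdsa_key." and end the sentence before "ssh_host_ed25519_key and ssh_host_rsa_key for protocol version 2." The equivalent hunks in ssh_config.5 and sshd_config.5 in this same change correctly use `.Pa /etc/ssh/ssh_host_ecdsa_key ,`; this one should match them.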
@@ -280,7 +281,7 @@ though this can be changed via the
.Cm Protocol
option in
.Xr sshd_config 5 .
-Protocol 2 supports DSA, ECDSA and RSA keys;
+Protocol 2 supports DSA, ECDSA, ED25519 and RSA keys;
protocol 1 only supports RSA keys.
For both protocols,
each host has a host-specific key,
@@ -507,6 +508,7 @@ You don't want to type them in; instead, copy the
.Pa identity.pub ,
.Pa id_dsa.pub ,
.Pa id_ecdsa.pub ,
+.Pa id_ed25519.pub ,
or the
.Pa id_rsa.pub
file and edit it.
@@ -806,8 +808,8 @@ secret, but the recommended permissions are read/write/execute for the user,
and not accessible by others.
.Pp
.It Pa ~/.ssh/authorized_keys
-Lists the public keys (DSA/ECDSA/RSA) that can be used for logging in
-as this user.
+Lists the public keys (DSA, ECDSA, ED25519, RSA)
+that can be used for logging in as this user.
The format of this file is described above.
The content of the file is not highly sensitive, but the recommended
permissions are read/write for the user, and not accessible by others.
@@ -887,6 +889,7 @@ rlogin/rsh.
.It Pa /etc/ssh/ssh_host_key
.It Pa /etc/ssh/ssh_host_dsa_key
.It Pa /etc/ssh/ssh_host_ecdsa_key
+.It Pa /etc/ssh/ssh_host_ed25519_key
.It Pa /etc/ssh/ssh_host_rsa_key
These files contain the private parts of the host keys.
These files should only be owned by root, readable only by root, and not
@@ -898,6 +901,7 @@ does not start if these files are group/world-accessible.
.It Pa /etc/ssh/ssh_host_key.pub
.It Pa /etc/ssh/ssh_host_dsa_key.pub
.It Pa /etc/ssh/ssh_host_ecdsa_key.pub
+.It Pa /etc/ssh/ssh_host_ed25519_key.pub
.It Pa /etc/ssh/ssh_host_rsa_key.pub
These files contain the public parts of the host keys.
These files should be world-readable but writable only by
diff --git a/sshd_config.5 b/sshd_config.5
index 0418c86ed..0ae1740bb 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,8 +33,8 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: sshd_config.5,v 1.168 2013/11/21 08:05:09 jmc Exp $
-.Dd $Mdocdate: November 21 2013 $
+.\" $OpenBSD: sshd_config.5,v 1.169 2013/12/07 11:58:46 naddy Exp $
+.Dd $Mdocdate: December 7 2013 $
.Dt SSHD_CONFIG 5
.Os
.Sh NAME
@@ -540,7 +540,8 @@ The default is
.Pa /etc/ssh/ssh_host_key
for protocol version 1, and
.Pa /etc/ssh/ssh_host_dsa_key ,
-.Pa /etc/ssh/ssh_host_ecdsa_key
+.Pa /etc/ssh/ssh_host_ecdsa_key ,
+.Pa /etc/ssh/ssh_host_ed25519_key
and
.Pa /etc/ssh/ssh_host_rsa_key
for protocol version 2.
@@ -551,7 +552,8 @@ It is possible to have multiple host key files.
.Dq rsa1
keys are used for version 1 and
.Dq dsa ,
-.Dq ecdsa
+.Dq ecdsa ,
+.Dq ed25519
or
.Dq rsa
are used for version 2 of the SSH protocol.