path: root/ssh-keygen.1
Commit message | Author | Age | Files | Lines
...
* upstream: prepare for use of ssh-keygen -O flag beyond certs | djm@openbsd.org | 2019-12-30 | 1 | -95/+93
  Move list of available certificate options in ssh-keygen.1 to the CERTIFICATES section. Collect options specified by -O but delay parsing/validation of certificate options until we're sure that we're acting as a CA. ok markus@
  OpenBSD-Commit-ID: 33e6bcc29cfca43606f6fa09bd84b955ee3a4106
* upstream: sort -Y internally in the options list, as is already | jmc@openbsd.org | 2019-12-30 | 1 | -17/+17
  done in synopsis;
  OpenBSD-Commit-ID: 86d033c5764404057616690d7be992e445b42274
* upstream: in the options list, sort -Y and -y; | jmc@openbsd.org | 2019-12-30 | 1 | -5/+5
  OpenBSD-Commit-ID: 24c2e6a3aeab6e050a0271ffc73fdff91c10dcaa
* upstream: Replace the term "security key" with "(FIDO) | naddy@openbsd.org | 2019-12-30 | 1 | -13/+12
  authenticator". The polysemous use of "key" was too confusing. Input from markus@. ok jmc@
  OpenBSD-Commit-ID: 12eea973a44c8232af89f86e4269d71ae900ca8f
* upstream: tweak the Nd lines for a bit of consistency; ok markus | jmc@openbsd.org | 2019-12-11 | 1 | -3/+3
  OpenBSD-Commit-ID: 876651bdde06bc1e72dd4bd7ad599f42a6ce5a16
* upstream: allow "ssh-keygen -x no-touch-required" when generating a | djm@openbsd.org | 2019-11-25 | 1 | -1/+10
  security key keypair to request one that does not require a touch for each authentication attempt. The default remains to require touch. feedback deraadt; ok markus@
  OpenBSD-Commit-ID: 887e7084b2e89c0c62d1598ac378aad8e434bcbd
* upstream: add a "no-touch-required" option for authorized_keys and | djm@openbsd.org | 2019-11-25 | 1 | -2/+10
  a similar extension for certificates. This option disables the default requirement that security key signatures attest that the user touched their key to authorize them. feedback deraadt, ok markus
  OpenBSD-Commit-ID: f1fb56151ba68d55d554d0f6d3d4dba0cf1a452e
* upstream: more missing mentions of ed25519-sk; ok djm@ | naddy@openbsd.org | 2019-11-19 | 1 | -7/+10
  OpenBSD-Commit-ID: f242e53366f61697dffd53af881bc5daf78230ff
* upstream: mention ed25519-sk in places where it is accepted; | djm@openbsd.org | 2019-11-18 | 1 | -5/+6
  prompted by jmc@
  OpenBSD-Commit-ID: 076d386739ebe7336c2137e583bc7a5c9538a442
* upstream: directly support U2F/FIDO2 security keys in OpenSSH by | djm@openbsd.org | 2019-11-14 | 1 | -5/+4
  linking against the (previously external) USB HID middleware. The dlopen() capability still exists for alternate middlewares, e.g. for Bluetooth, NFC and test/debugging.
  OpenBSD-Commit-ID: 14446cf170ac0351f0d4792ba0bca53024930069
* upstream: Fill in missing man page bits for U2F security key support: | naddy@openbsd.org | 2019-11-08 | 1 | -8/+28
  Mention the new key types, the ~/.ssh/id_ecdsa_sk file, ssh's SecurityKeyProvider keyword, the SSH_SK_PROVIDER environment variable, and ssh-keygen's new -w and -x options. Copy the ssh-sk-helper man page from ssh-pkcs11-helper with minimal substitutions. ok djm@
  OpenBSD-Commit-ID: ef2e8f83d0c0ce11ad9b8c28945747e5ca337ac4
* upstream: fixes from lucas; | jmc@openbsd.org | 2019-10-29 | 1 | -4/+5
  OpenBSD-Commit-ID: 4c4bfd2806c5bbc753788ffe19c5ee13aaf418b2
* upstream: use a more common options order in SYNOPSIS and sync | jmc@openbsd.org | 2019-10-04 | 1 | -18/+16
  usage(); while here, no need for Bk/Ek; ok dtucker
  OpenBSD-Commit-ID: 38715c3f10b166f599a2283eb7bc14860211bb90
* upstream: group and sort single letter options; ok deraadt | jmc@openbsd.org | 2019-10-01 | 1 | -7/+5
  OpenBSD-Commit-ID: e1480e760a2b582f79696cdcff70098e23fc603f
* upstream: fix the DH-GEX text in -a; because this required a comma, | jmc@openbsd.org | 2019-10-01 | 1 | -5/+5
  i added a comma to the first part, for balance...
  OpenBSD-Commit-ID: 2c3464e9e82a41e8cdfe8f0a16d94266e43dbb58
* upstream: new sentence, new line; | jmc@openbsd.org | 2019-10-01 | 1 | -3/+4
  OpenBSD-Commit-ID: c35ca5ec07be460e95e7406af12eee04a77b6698
* upstream: Allow testing signature syntax and validity without verifying | djm@openbsd.org | 2019-09-16 | 1 | -3/+21
  that a signature came from a trusted signer. To discourage accidental or unintentional use, this is invoked by the deliberately ugly option name "check-novalidate"
  from Sebastian Kinne
  OpenBSD-Commit-ID: cea42c36ab7d6b70890e2d8635c1b5b943adcc0b
* upstream: macro fix; ok djm | jmc@openbsd.org | 2019-09-05 | 1 | -5/+5
  OpenBSD-Commit-ID: e891dd6c7996114cb32f0924cb7898ab55efde6e
* upstream: tweak previous; | jmc@openbsd.org | 2019-09-05 | 1 | -5/+5
  OpenBSD-Commit-ID: 0abd728aef6b5b35f6db43176aa83b7e3bf3ce27
* upstream: sshsig tweaks and improvements from and suggested by | djm@openbsd.org | 2019-09-03 | 1 | -2/+2
  Markus
  ok markus/me
  OpenBSD-Commit-ID: ea4f46ad5a16b27af96e08c4877423918c4253e9
* upstream: sshsig: lightweight signature and verification ability | djm@openbsd.org | 2019-09-03 | 1 | -2/+121
  for OpenSSH
  This adds a simple manual signature scheme to OpenSSH. Signatures can be made and verified using ssh-keygen -Y sign|verify
  Signatures embed the key used to make them. At verification time, this is matched via principal name against an authorized_keys-like list of allowed signers.
  Mostly by Sebastian Kinne w/ some tweaks by me
  ok markus@
  OpenBSD-Commit-ID: 2ab568e7114c933346616392579d72be65a4b8fb
* upstream: Accept the verbose flag when searching for host keys in known | djm@openbsd.org | 2019-07-19 | 1 | -2/+3
  hosts (i.e. "ssh-keygen -vF host") to print the matching host's random-art signature too. bz#3003 "amusing, pretty" deraadt@
  OpenBSD-Commit-ID: 686221a5447d6507f40a2ffba5393984d889891f
* upstream: support PKCS8 as an optional format for storage of | djm@openbsd.org | 2019-07-15 | 1 | -4/+5
  private keys, enabled via "ssh-keygen -m PKCS8" on operations that save private keys to disk. The OpenSSH native key format remains the default, but PKCS8 is a superior format to PEM if interoperability with non-OpenSSH software is required, as it may use a less terrible KDF (IIRC PEM uses a single round of MD5 as a KDF). adapted from patch by Jakub Jelen via bz3013; ok markus
  OpenBSD-Commit-ID: 027824e3bc0b1c243dc5188504526d73a55accb1
* upstream: tweak previous; | jmc@openbsd.org | 2019-05-21 | 1 | -3/+4
  OpenBSD-Commit-ID: 42f39f22f53cfcb913bce401ae0f1bb93e08dd6c
* upstream: When signing certificates with an RSA key, default to | djm@openbsd.org | 2019-05-20 | 1 | -2/+11
  using the rsa-sha2-512 signature algorithm. Certificates signed by RSA keys will therefore be incompatible with OpenSSH < 7.2 unless the default is overridden. Document the ability of the ssh-keygen -t flag to override the signature algorithm when signing certificates, and the new default. ok deraadt@
  OpenBSD-Commit-ID: 400c9c15013978204c2cb80f294b03ae4cfc8b95
* upstream: Document new default RSA key size. From | dtucker@openbsd.org | 2019-05-08 | 1 | -4/+4
  sebastiaanlokhorst at gmail.com via bz#2997.
  OpenBSD-Commit-ID: bdd62ff5d4d649d2147904e91bf7cefa82fe11e1
* upstream: PKCS#11 support is no longer limited to RSA; ok benno@ | naddy@openbsd.org | 2019-03-08 | 1 | -3/+3
  kn@
  OpenBSD-Commit-ID: 1a9bec64d530aed5f434a960e7515a3e80cbc826
* upstream: allow auto-incrementing certificate serial number for certs | djm@openbsd.org | 2019-01-23 | 1 | -2/+8
  signed in a single commandline.
  OpenBSD-Commit-ID: 39881087641efb8cd83c7ec13b9c98280633f45b
* upstream: Include -m in the synopsis for a few more commands that | djm@openbsd.org | 2019-01-22 | 1 | -4/+10
  support it
  Be more explicit in the description of -m about where it may be used
  Prompted by Jakub Jelen in bz2904
  OpenBSD-Commit-ID: 3b398ac5e05d8a6356710d0ff114536c9d71046c
* upstream: clarify: ssh-keygen -e only writes public keys, never | djm@openbsd.org | 2019-01-22 | 1 | -2/+2
  private
  OpenBSD-Commit-ID: 7de7ff6d274d82febf9feb641e2415ffd6a30bfb
* upstream: mention the new vs. old key formats in the introduction | djm@openbsd.org | 2019-01-22 | 1 | -6/+18
  and give some hints on how keys may be converted or written in the old format.
  OpenBSD-Commit-ID: 9c90a9f92eddc249e07fad1204d0e15c8aa13823
* upstream: fix option letter pasto in previous | djm@openbsd.org | 2018-12-27 | 1 | -2/+2
  OpenBSD-Commit-ID: e26c8bf2f2a808f3c47960e1e490d2990167ec39
* upstream: mention that the ssh-keygen -F (find host in | djm@openbsd.org | 2018-12-27 | 1 | -5/+7
  authorized_keys) and -R (remove host from authorized_keys) options may accept either a bare hostname or a [hostname]:port combo. bz#2935
  OpenBSD-Commit-ID: 5535cf4ce78375968b0d2cd7aa316fa3eb176780
* upstream: fix edit mistake; spotted by jmc@ | djm@openbsd.org | 2018-09-12 | 1 | -2/+2
  OpenBSD-Commit-ID: dd724e1c52c9d6084f4cd260ec7e1b2b138261c6
* upstream: allow key revocation by SHA256 hash and allow ssh-keygen | djm@openbsd.org | 2018-09-12 | 1 | -3/+16
  to create KRLs using SHA256/base64 key fingerprints; ok markus@
  OpenBSD-Commit-ID: a0590fd34e7f1141f2873ab3acc57442560e6a94
* upstream: Use new private key format by default. This format is | djm@openbsd.org | 2018-08-08 | 1 | -16/+8
  supported by OpenSSH >= 6.5 (released January 2014), so it should be supported by most OpenSSH versions in active use. It is possible to convert new-format private keys to the older format using "ssh-keygen -f /path/key -pm PEM". ok deraadt dtucker
  OpenBSD-Commit-ID: e3bd4f2509a2103bfa2f710733426af3ad6d8ab8
* upstream: add valid-before="[time]" authorized_keys option. A | djm@openbsd.org | 2018-03-14 | 1 | -4/+4
  simple way of giving a key an expiry date. ok markus@
  OpenBSD-Commit-ID: 1793b4dd5184fa87f42ed33c7b0f4f02bc877947
* upstream commit | djm@openbsd.org | 2018-02-06 | 1 | -5/+5
  certificate options are case-sensitive; fix case on one that had it wrong. move a badly-placed sentence to a less bad place
  OpenBSD-Commit-ID: 231e516bba860699a1eece6d48532d825f5f747b
* upstream commit | djm@openbsd.org@openbsd.org | 2017-11-03 | 1 | -7/+16
  allow certificate validity intervals that specify only a start or stop time (we already support specifying both or neither)
  OpenBSD-Commit-ID: 9be486545603c003030bdb5c467d1318b46b4e42
* upstream commit | jmc@openbsd.org | 2017-07-21 | 1 | -4/+4
  slightly rework previous, to avoid an article issue;
  Upstream-ID: 15a315f0460ddd3d4e2ade1f16d6c640a8c41b30
* upstream commit | djm@openbsd.org | 2017-07-21 | 1 | -2/+7
  When generating all hostkeys (ssh-keygen -A), clobber existing keys if they exist but are zero length. zero-length keys could previously be made if ssh-keygen failed part way through generating them, so avoid that case too. bz#2561 reported by Krzysztof Cieplucha; ok dtucker@
  Upstream-ID: f662201c28ab8e1f086b5d43c59cddab5ade4044
* upstream commit | djm@openbsd.org | 2017-06-28 | 1 | -2/+20
  Allow ssh-keygen to use a key held in ssh-agent as a CA when signing certificates. bz#2377 ok markus
  Upstream-ID: fb42e920b592edcbb5b50465739a867c09329c8f
* upstream commit | naddy@openbsd.org | 2017-05-08 | 1 | -5/+5
  remove superfluous protocol 2 mentions; ok jmc@
  Upstream-ID: 0aaf7567c9f2e50fac5906b6a500a39c33c4664d
* upstream commit | jmc@openbsd.org | 2017-05-08 | 1 | -32/+5
  more protocol 1 stuff to go; ok djm
  Upstream-ID: 307a30441d2edda480fd1661d998d36665671e47
* upstream commit | jmc@openbsd.org | 2017-05-08 | 1 | -8/+5
  rsa1 is no longer valid;
  Upstream-ID: 9953d09ed9841c44b7dcf7019fa874783a709d89
* upstream commit | jmc@openbsd.org | 2017-05-08 | 1 | -2/+3
  more -O shuffle; ok djm
  Upstream-ID: c239991a3a025cdbb030b73e990188dd9bfbeceb
* upstream commit | jmc@openbsd.org | 2017-05-08 | 1 | -27/+34
  tidy up -O somewhat; ok djm
  Upstream-ID: 804405f716bf7ef15c1f36ab48581ca16aeb4d52
* upstream commit | djm@openbsd.org | 2017-05-01 | 1 | -5/+4
  remove KEY_RSA1
  ok markus@
  Upstream-ID: 7408517b077c892a86b581e19f82a163069bf133
* upstream commit | jmc@openbsd.org | 2017-05-01 | 1 | -6/+6
  tweak previous;
  Upstream-ID: a3abc6857455299aa42a046d232b7984568bceb9
* upstream commit | djm@openbsd.org | 2017-05-01 | 1 | -3/+23
  allow ssh-keygen to include arbitrary string or flag certificate extensions and critical options. ok markus@ dtucker@
  Upstream-ID: 2cf28dd6c5489eb9fc136e0b667ac3ea10241646