path: root/usr.bin/ssh/ssh-keygen.1
Age | Commit message | Author
2020-08-27 | tweak previous; | Jason McIntyre
2020-08-27 | Request PIN ahead of time for certain FIDO actions | Damien Miller
    When we know that a particular action will require a PIN, such as downloading resident keys or generating a verify-required key, request the PIN before attempting it. Joint work with Pedro Martelletto; ok markus@
2020-08-27 | support for user-verified FIDO keys | Damien Miller
    FIDO2 supports a notion of "user verification" where the user is required to demonstrate their identity to the token before particular operations (e.g. signing). Typically this is done by authenticating themselves using a PIN that has been set on the token. This adds support for generating and using user-verified keys where the verification happens via PIN (other options might be added in the future, but none are in common use now). Practically, this adds another key generation option "verify-required" that yields a key that requires a PIN before each authentication. Feedback markus@ and Pedro Martelletto; ok markus@
2020-07-15 | Add [-a rounds] in ssh-keygen man page and usage() | solene
    - Add [-a rounds] in ssh-keygen man page and usage()
    - Reorder parameters list in the first usage() case
    - Sentence rewording
    ok dtucker@; jmc@ noticed usage() missed -a flag too
2020-07-15 | Add default for number of rounds (-a). ok djm@ | Darren Tucker
2020-04-03 | give ssh-keygen the ability to dump the contents of a binary key | Damien Miller
    revocation list: ssh-keygen -lQf /path. bz#3132; ok dtucker
2020-02-24 | Fix typo. Patch from itoama at live.jp via github PR#173. | Darren Tucker
2020-02-07 | sync the description of the $SSH_SK_PROVIDER environment variable with | Damien Miller
    that of the SecurityKeyProvider ssh/sshd_config(5) directive, as the latter was more descriptive.
2020-02-04 | require FIDO application strings to start with "ssh:"; ok markus@ | Damien Miller
2020-02-03 | use better markup for challenge and write-attestation, | Jason McIntyre
    and rejig the challenge text a little; ok djm
2020-02-02 | shuffle the challenge keyword to keep the -O list sorted; | Jason McIntyre
2020-01-28 | changes to support FIDO attestation | Damien Miller
    Allow writing to disk the attestation certificate that is generated by the FIDO token at key enrollment time. These certificates may be used by an out-of-band workflow to prove that a particular key is held in trustworthy hardware. Allow passing in a challenge that will be sent to the card during key enrollment. These are needed to build an attestation workflow that resists replay attacks. ok markus@
2020-01-23 | ssh-keygen -Y find-principals fixes based on feedback from Markus: | Damien Miller
    use "principals" instead of principal, as allowed_signers lines may list multiple. When the signing key is a certificate, emit only principals that match the certificate principal list. NB. the command -Y name changes: "find-principal" => "find-principals". ok markus@
2020-01-23 | new sentence, new line; | Jason McIntyre
2020-01-23 | add a new signature operation "find-principal" to look up the | Damien Miller
    principal associated with a signature from an allowed-signers file. Work by Sebastian Kinne; ok dtucker@
2020-01-18 | one more replacement "(security) key" -> "(FIDO) authenticator" | Christian Weisgerber
2020-01-18 | undo merge error and replace the term "security key" again | Christian Weisgerber
2020-01-14 | sync ssh-keygen.1 and ssh-keygen's usage() with each other and reality | Christian Weisgerber
    ok markus@
2020-01-06 | put the fido options in a list, and tidy up the text a little; | Jason McIntyre
    ok djm
2020-01-06 | Extends the SK API to accept a set of key/value options for all | Damien Miller
    operations. These are intended to future-proof the API a little by making it easier to specify additional fields without having to change the API version for each. At present, only two options are defined: one to explicitly specify the device for an operation (rather than accepting the middleware's autoselection) and another to specify the FIDO2 username that may be used when generating a resident key. These new options may be invoked at key generation time via ssh-keygen -O
    This also implements a suggestion from Markus to avoid "int" in favour of uint32_t for the algorithm argument in the API, to make implementation of ssh-sk-client/helper a little easier. Feedback, fixes and ok markus@
2020-01-03 | the download resident keys option is -K (upper) not -k (lower); | Jason McIntyre
    ok djm
2020-01-02 | ability to download FIDO2 resident keys from a token via | Damien Miller
    "ssh-keygen -K". This will save public/private keys into the current directory. This is handy if you move a token between hosts. Feedback & ok markus@
2019-12-30 | simplify the list for moduli options - no need for -compact; | Jason McIntyre
2019-12-30 | Remove the -x option currently used for FIDO/U2F-specific key flags. | Damien Miller
    Instead these flags may be specified via -O. ok markus@
2019-12-30 | remove single-letter flags for moduli options | Damien Miller
    Move all moduli generation options to live under the -O flag. Frees up seven single-letter flags. NB. this change breaks existing ssh-keygen commandline syntax for moduli-related operations. Very few people use these fortunately. Feedback and ok markus@
2019-12-30 | prepare for use of ssh-keygen -O flag beyond certs | Damien Miller
    Move list of available certificate options in ssh-keygen.1 to the CERTIFICATES section. Collect options specified by -O but delay parsing/validation of certificate options until we're sure that we're acting as a CA. ok markus@
2019-12-27 | sort -Y internally in the options list, as is already done in synopsis; | Jason McIntyre
2019-12-27 | in the options list, sort -Y and -y; | Jason McIntyre
2019-12-21 | Replace the term "security key" with "(FIDO) authenticator". | Christian Weisgerber
    The polysemous use of "key" was too confusing. Input from markus@. ok jmc@
2019-11-30 | tweak the Nd lines for a bit of consistency; | Jason McIntyre
    ok markus
2019-11-25 | allow "ssh-keygen -x no-touch-required" when generating a security key | Damien Miller
    keypair to request one that does not require a touch for each authentication attempt. The default remains to require touch. Feedback deraadt; ok markus@
2019-11-25 | add a "no-touch-required" option for authorized_keys and a similar | Damien Miller
    extension for certificates. This option disables the default requirement that security key signatures attest that the user touched their key to authorize them. Feedback deraadt, ok markus
2019-11-18 | more missing mentions of ed25519-sk; ok djm@ | Christian Weisgerber
2019-11-18 | mention ed25519-sk in places where it is accepted; prompted by jmc@ | Damien Miller
2019-11-14 | directly support U2F/FIDO2 security keys in OpenSSH by linking | Damien Miller
    against the (previously external) USB HID middleware. The dlopen() capability still exists for alternate middlewares, e.g. for Bluetooth, NFC and test/debugging.
2019-11-07 | Fill in missing man page bits for U2F security key support: | Christian Weisgerber
    Mention the new key types, the ~/.ssh/id_ecdsa_sk file, ssh's SecurityKeyProvider keyword, the SSH_SK_PROVIDER environment variable, and ssh-keygen's new -w and -x options. Copy the ssh-sk-helper man page from ssh-pkcs11-helper with minimal substitutions. ok djm@
2019-10-22 | fixes from lucas; | Jason McIntyre
2019-10-03 | use a more common options order in SYNOPSIS and sync usage(); | Jason McIntyre
    while here, no need for Bk/Ek; ok dtucker
2019-09-29 | group and sort single letter options; ok deraadt | Jason McIntyre
2019-09-27 | fix the DH-GEX text in -a; | Jason McIntyre
    because this required a comma, I added a comma to the first part, for balance...
2019-09-20 | new sentence, new line; | Jason McIntyre
2019-09-16 | Allow testing signature syntax and validity without verifying that | Damien Miller
    a signature came from a trusted signer. To discourage accidental or unintentional use, this is invoked by the deliberately ugly option name "check-novalidate". From Sebastian Kinne
2019-09-05 | macro fix; ok djm | Jason McIntyre
2019-09-04 | tweak previous; | Jason McIntyre
2019-09-03 | sshsig tweaks and improvements from and suggested by Markus | Damien Miller
    ok markus/me
2019-09-03 | sshsig: lightweight signature and verification ability for OpenSSH | Damien Miller
    This adds a simple manual signature scheme to OpenSSH. Signatures can be made and verified using ssh-keygen -Y sign|verify. Signatures embed the key used to make them. At verification time, this is matched via principal name against an authorized_keys-like list of allowed signers. Mostly by Sebastian Kinne w/ some tweaks by me. ok markus@
2019-07-19 | Accept the verbose flag when searching for host keys in known hosts | Damien Miller
    (i.e. "ssh-keygen -vF host") to print the matching host's random-art signature too. bz#3003 "amusing, pretty" deraadt@
2019-07-15 | support PKCS8 as an optional format for storage of private keys, | Damien Miller
    enabled via "ssh-keygen -m PKCS8" on operations that save private keys to disk. The OpenSSH native key format remains the default, but PKCS8 is a superior format to PEM if interoperability with non-OpenSSH software is required, as it may use a less terrible KDF (IIRC PEM uses a single round of MD5 as a KDF). Adapted from patch by Jakub Jelen via bz3013; ok markus
2019-05-20 | tweak previous; | Jason McIntyre
2019-05-20 | When signing certificates with an RSA key, default to using the | Damien Miller
    rsa-sha2-512 signature algorithm. Certificates signed by RSA keys will therefore be incompatible with OpenSSH < 7.2 unless the default is overridden. Document the ability of the ssh-keygen -t flag to override the signature algorithm when signing certificates, and the new default. ok deraadt@