| Age | Commit message (Collapse) | Author |
|---|
|
|
|
|
|
ed25519 reference code from SUPERCOP, see http://ed25519.cr.yp.to/software.html
feedback, help & ok djm@
|
|
stuff like html will render with broken links;
issue reported by Eric S. Raymond, via djm
|
|
|
|
instead of stderr or syslog. ok markus@, man page help jmc@
|
|
|
|
Steve.McClellan at radisys com.
|
|
to match. Feedback and ok djm@ markus@.
|
|
localhost:*". bz #1857, ok djm markus.
|
|
http://www.ietf.org/id/draft-dbider-sha2-mac-for-ssh-02.txt
feedback and ok markus@
|
|
|
|
Bring back authorized_keys2 as a default search path (to avoid breaking
existing users of this file), but override this in sshd_config so it will
be no longer used on fresh installs. Maybe in 2015 we can remove it
entierly :)
feedback and ok markus@ dtucker@
|
|
|
|
host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer
better performance than plain DH and DSA at the same equivalent symmetric
key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the
three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and
ECDSA. Point compression (optional in RFC5656 is NOT implemented).
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be
subject to change.
feedback and ok markus@
|
|
have multiple items, and .Pa for path names;
|
|
addresses combinations. It hasn't worked for ages and we have supported
the more commen "[addr]:port" format for a long time. ok jmc@ markus@
|
|
in certificates. Currently, a certificate must include the a user's name
to be accepted for authentication. This change adds the ability to
specify a list of certificate principal names that are acceptable.
When authenticating using a CA trusted through ~/.ssh/authorized_keys,
this adds a new principals="name1[,name2,...]" key option.
For CAs listed through sshd_config's TrustedCAKeys option, a new config
option "AuthorizedPrincipalsFile" specifies a per-user file containing
the list of acceptable names.
If either option is absent, the current behaviour of requiring the
username to appear in principals continues to apply.
These options are useful for role accounts, disjoint account namespaces
and "user@realm"-style naming policies in certificates.
feedback and ok markus@
|
|
|
|
format section and rework it a bit; requested by jmc@
|
|
"from=cert-authority". spotted by imorgan AT nas.nasa.gov
|
|
|
|
OpenSSH certificate key types are not X.509 certificates, but a much
simpler format that encodes a public key, identity information and
some validity constraints and signs it with a CA key. CA keys are
regular SSH keys. This certificate style avoids the attack surface
of X.509 certificates and is very easy to deploy.
Certified host keys allow automatic acceptance of new host keys
when a CA certificate is marked as trusted in ~/.ssh/known_hosts.
see VERIFYING HOST KEYS in ssh(1) for details.
Certified user keys allow authentication of users when the signing
CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS
FILE FORMAT" in sshd(8) for details.
Certificates are minted using ssh-keygen(1), documentation is in
the "CERTIFICATES" section of that manpage.
Documentation on the format of certificates is in the file
PROTOCOL.certkeys
feedback and ok markus@
|
|
|
|
|
|
ok dtucker@, jmc@
|
|
knows that. removes an ambiguity in the permission of authorized_keys;
ok deraadt
|
|
bits; prodded by & ok dtucker@ ok deraadt@
|
|
|
|
ok and extensive testing dtucker@
|
|
- fix SYNOPSIS, and sort options
- some minor additional fixes
|
|
-T causes sshd to write its effective configuration to stdout and exit.
-C causes any relevant Match rules to be applied before output. The
combination allows tesing of the parser and config files. ok deraadt djm
|
|
|
|
|
|
of a typo in rcs.c;
|
|
ok jmc
|
|
specify umac-64@openssh.com). Provides about 20% end-to-end speedup
compared to hmac-md5. Represents a different approach to message
authentication to that of HMAC that may be beneficial if HMAC based on one
of its underlying hash algorithms is found to be vulnerable to a new attack.
http://www.ietf.org/rfc/rfc4418.txt
in conjunction with and OK djm@
|
|
|
|
- sort FILES
- +.Xr ssh-keyscan 1 ,
from Igor Sobrado
|
|
authorized_keys files. Corrections jmc@, ok djm@, "looks good" jmc@
|
|
key option, man page entry and example in sshd_config. Feedback & ok djm@,
man page corrections & ok jmc@
|
|
|
|
on a patch from Devin Nate in bz#910.
For any connection using the default port or using a HostKeyAlias the
format is unchanged, otherwise the host name or address is enclosed
within square brackets in the same format as sshd's ListenAddress.
Tested by many, ok markus@.
|
|
|
|
|
|
|
|
|
|
FILES is not a good place to document how stuff works;
|
|
|
|
|
