Commit Graph

153 Commits

Author SHA1 Message Date
naddy@openbsd.org
c13b74530f upstream: PKCS#11 support is no longer limited to RSA; ok benno@
kn@

OpenBSD-Commit-ID: 1a9bec64d530aed5f434a960e7515a3e80cbc826
2019-03-08 14:58:30 +11:00
djm@openbsd.org
be063945e4 upstream: allow auto-incrementing certificate serial number for certs
signed in a single commandline.

OpenBSD-Commit-ID: 39881087641efb8cd83c7ec13b9c98280633f45b
2019-01-23 19:03:05 +11:00
djm@openbsd.org
ecd2f33cb7 upstream: Include -m in the synopsis for a few more commands that
support it

Be more explicit in the description of -m about where it may be used

Prompted by Jakub Jelen in bz2904

OpenBSD-Commit-ID: 3b398ac5e05d8a6356710d0ff114536c9d71046c
2019-01-22 22:42:02 +11:00
djm@openbsd.org
180b520e2b upstream: clarify: ssh-keygen -e only writes public keys, never
private

OpenBSD-Commit-ID: 7de7ff6d274d82febf9feb641e2415ffd6a30bfb
2019-01-22 22:42:01 +11:00
djm@openbsd.org
c45616a199 upstream: mention the new vs. old key formats in the introduction
and give some hints on how keys may be converted or written in the old
format.

OpenBSD-Commit-ID: 9c90a9f92eddc249e07fad1204d0e15c8aa13823
2019-01-22 22:42:01 +11:00
djm@openbsd.org
63bba57a32 upstream: fix option letter pasto in previous
OpenBSD-Commit-ID: e26c8bf2f2a808f3c47960e1e490d2990167ec39
2018-12-27 14:30:17 +11:00
djm@openbsd.org
737e4edd82 upstream: mention that the ssh-keygen -F (find host in
authorized_keys) and -R (remove host from authorized_keys) options may accept
either a bare hostname or a [hostname]:port combo. bz#2935

OpenBSD-Commit-ID: 5535cf4ce78375968b0d2cd7aa316fa3eb176780
2018-12-27 14:30:17 +11:00
djm@openbsd.org
f0fcd7e650 upstream: fix edit mistake; spotted by jmc@
OpenBSD-Commit-ID: dd724e1c52c9d6084f4cd260ec7e1b2b138261c6
2018-09-12 16:49:21 +10:00
djm@openbsd.org
9405c6214f upstream: allow key revocation by SHA256 hash and allow ssh-keygen
to create KRLs using SHA256/base64 key fingerprints; ok markus@

OpenBSD-Commit-ID: a0590fd34e7f1141f2873ab3acc57442560e6a94
2018-09-12 16:49:21 +10:00
djm@openbsd.org
ed7bd5d93f upstream: Use new private key format by default. This format is
suported by OpenSSH >= 6.5 (released January 2014), so it should be supported
by most OpenSSH versions in active use.

It is possible to convert new-format private keys to the older
format using "ssh-keygen -f /path/key -pm PEM".

ok deraadt dtucker

OpenBSD-Commit-ID: e3bd4f2509a2103bfa2f710733426af3ad6d8ab8
2018-08-08 11:18:05 +10:00
djm@openbsd.org
bf0fbf2b11 upstream: add valid-before="[time]" authorized_keys option. A
simple way of giving a key an expiry date. ok markus@

OpenBSD-Commit-ID: 1793b4dd5184fa87f42ed33c7b0f4f02bc877947
2018-03-14 18:55:32 +11:00
djm@openbsd.org
130283d5c2 upstream commit
certificate options are case-sensitive; fix case on one
that had it wrong.

move a badly-place sentence to a less bad place

OpenBSD-Commit-ID: 231e516bba860699a1eece6d48532d825f5f747b
2018-02-07 07:50:46 +11:00
djm@openbsd.org@openbsd.org
d52131a983 upstream commit
allow certificate validity intervals that specify only a
start or stop time (we already support specifying both or neither)

OpenBSD-Commit-ID: 9be486545603c003030bdb5c467d1318b46b4e42
2017-11-03 16:20:41 +11:00
jmc@openbsd.org
dc44dd3a9e upstream commit
slightly rework previous, to avoid an article issue;

Upstream-ID: 15a315f0460ddd3d4e2ade1f16d6c640a8c41b30
2017-07-21 14:17:33 +10:00
djm@openbsd.org
853edbe057 upstream commit
When generating all hostkeys (ssh-keygen -A), clobber
existing keys if they exist but are zero length. zero-length keys could
previously be made if ssh-keygen failed part way through generating them, so
avoid that case too. bz#2561 reported by Krzysztof Cieplucha; ok dtucker@

Upstream-ID: f662201c28ab8e1f086b5d43c59cddab5ade4044
2017-07-21 14:17:32 +10:00
djm@openbsd.org
a98339edbc upstream commit
Allow ssh-keygen to use a key held in ssh-agent as a CA when
signing certificates. bz#2377 ok markus

Upstream-ID: fb42e920b592edcbb5b50465739a867c09329c8f
2017-06-28 11:13:19 +10:00
naddy@openbsd.org
2e9c324b3a upstream commit
remove superfluous protocol 2 mentions; ok jmc@

Upstream-ID: 0aaf7567c9f2e50fac5906b6a500a39c33c4664d
2017-05-08 09:18:27 +10:00
jmc@openbsd.org
2b6f799e9b upstream commit
more protocol 1 stuff to go; ok djm

Upstream-ID: 307a30441d2edda480fd1661d998d36665671e47
2017-05-08 09:18:05 +10:00
jmc@openbsd.org
f10c0d32cd upstream commit
rsa1 is no longer valid;

Upstream-ID: 9953d09ed9841c44b7dcf7019fa874783a709d89
2017-05-08 09:18:05 +10:00
jmc@openbsd.org
8b60ce8d81 upstream commit
more -O shuffle; ok djm

Upstream-ID: c239991a3a025cdbb030b73e990188dd9bfbeceb
2017-05-08 09:18:04 +10:00
jmc@openbsd.org
6b84897f7f upstream commit
tidy up -O somewhat; ok djm

Upstream-ID: 804405f716bf7ef15c1f36ab48581ca16aeb4d52
2017-05-08 09:18:04 +10:00
djm@openbsd.org
873d3e7d9a upstream commit
remove KEY_RSA1

ok markus@

Upstream-ID: 7408517b077c892a86b581e19f82a163069bf133
2017-05-01 10:05:01 +10:00
jmc@openbsd.org
d4084cd230 upstream commit
tweak previous;

Upstream-ID: a3abc6857455299aa42a046d232b7984568bceb9
2017-05-01 09:35:38 +10:00
djm@openbsd.org
249516e428 upstream commit
allow ssh-keygen to include arbitrary string or flag
certificate extensions and critical options. ok markus@ dtucker@

Upstream-ID: 2cf28dd6c5489eb9fc136e0b667ac3ea10241646
2017-05-01 09:35:38 +10:00
jmc@openbsd.org
b6cf84b51b upstream commit
keys stored in openssh format can have comments too; diff
from yonas yanfa, tweaked a bit;

ok djm

Upstream-ID: 03d48536da6e51510d73ade6fcd44ace731ceb27
2016-06-24 13:35:28 +10:00
jmc@openbsd.org
9283884e64 upstream commit
correct article;

Upstream-ID: 1fbd5b7ab16d2d9834ec79c3cedd4738fa42a168
2016-05-05 00:01:49 +10:00
djm@openbsd.org
cdcd941994 upstream commit
make nethack^wrandomart fingerprint flag more readily
 searchable pointed out by Matt Johnston

Upstream-ID: cb40d0235dc153c478c1aad3bc60b195422a54fb
2016-05-04 01:58:46 +10:00
jmc@openbsd.org
a685ae8d1c upstream commit
since these pages now clearly tell folks to avoid v1,
 normalise the docs from a v2 perspective (i.e. stop pointing out which bits
 are v2 only);

ok/tweaks djm ok markus

Upstream-ID: eb474f8c36fb6a532dc05c282f7965e38dcfa129
2016-02-18 09:24:40 +11:00
djm@openbsd.org
94bc0b72c2 upstream commit
support multiple certificates (one per line) and
 reading from standard input (using "-f -") for "ssh-keygen -L"; ok dtucker@

Upstream-ID: ecbadeeef3926e5be6281689b7250a32a80e88db
2015-11-16 11:31:36 +11:00
jmc@openbsd.org
8b29008bbe upstream commit
"commandline" -> "command line", since there are so few
 examples of the former in the pages, so many of the latter, and in some of
 these pages we had multiple spellings;

prompted by tj

Upstream-ID: 78459d59bff74223f8139d9001ccd56fc4310659
2015-11-09 14:25:35 +11:00
naddy@openbsd.org
05291e5288 upstream commit
In the certificates section, be consistent about using
 "host_key" and "user_key" for the respective key types.  ok sthen@ deraadt@

Upstream-ID: 9e037ea3b15577b238604c5533e082a3947f13cb
2015-08-21 13:43:24 +10:00
djm@openbsd.org
933935ce8d upstream commit
refuse to generate or accept RSA keys smaller than 1024
 bits; feedback and ok dtucker@

Upstream-ID: 7ea3d31271366ba264f06e34a3539bf1ac30f0ba
2015-07-15 15:36:02 +10:00
naddy@openbsd.org
6288e3a935 upstream commit
add -v (show ASCII art) to -l's synopsis; ok djm@
2015-02-26 04:32:08 +11:00
djm@openbsd.org
56d1c83cdd upstream commit
Add FingerprintHash option to control algorithm used for
 key fingerprints. Default changes from MD5 to SHA256 and format from hex to
 base64.

Feedback and ok naddy@ markus@
2014-12-22 09:32:29 +11:00
sobrado@openbsd.org
f70b22bcdd upstream commit
improve capitalization for the Ed25519 public-key
 signature system.

ok djm@
2014-10-13 11:37:32 +11:00
Damien Miller
43b156cf72 - jmc@cvs.openbsd.org 2014/03/31 13:39:34
[ssh-keygen.1]
     the text for the -K option was inserted in the wrong place in -r1.108;
     fix From: Matthew Clarke
2014-04-20 13:23:03 +10:00
Damien Miller
f0858de6e1 - deraadt@cvs.openbsd.org 2014/03/15 17:28:26
[ssh-agent.c ssh-keygen.1 ssh-keygen.c]
     Improve usage() and documentation towards the standard form.
     In particular, this line saves a lot of man page reading time.
       usage: ssh-keygen [-q] [-b bits] [-t dsa | ecdsa | ed25519 | rsa | rsa1]
                         [-N new_passphrase] [-C comment] [-f output_keyfile]
     ok schwarze jmc
2014-04-20 13:01:30 +10:00
Damien Miller
6ce35b6cc4 - naddy@cvs.openbsd.org 2014/02/05 20:13:25
[ssh-keygen.1 ssh-keygen.c]
     tweak synopsis: calling ssh-keygen without any arguments is fine; ok jmc@
     while here, fix ordering in usage(); requested by jmc@
2014-02-07 09:24:14 +11:00
Damien Miller
137977180b - tedu@cvs.openbsd.org 2013/12/21 07:10:47
[ssh-keygen.1]
     small typo
2013-12-29 17:47:14 +11:00
Damien Miller
8ba0ead698 - naddy@cvs.openbsd.org 2013/12/07 11:58:46
[ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh-keysign.8 ssh.1]
     [ssh_config.5 sshd.8 sshd_config.5]
     add missing mentions of ed25519; ok djm@
2013-12-18 17:46:27 +11:00
Damien Miller
4f752cf71c - djm@cvs.openbsd.org 2013/12/07 08:08:26
[ssh-keygen.1]
     document -a and -o wrt new key format
2013-12-18 17:45:35 +11:00
Damien Miller
fecfd118d6 - jmc@cvs.openbsd.org 2013/06/27 14:05:37
[ssh-keygen.1 ssh.1 ssh_config.5 sshd.8 sshd_config.5]
     do not use Sx for sections outwith the man page - ingo informs me that
     stuff like html will render with broken links;

     issue reported by Eric S. Raymond, via djm
2013-07-18 16:11:50 +10:00
Damien Miller
a0a7ee8bf4 - jmc@cvs.openbsd.org 2013/01/19 07:13:25
[ssh-keygen.1]
     fix some formatting; ok djm
2013-01-20 22:35:06 +11:00
Damien Miller
881a7a2c5d - jmc@cvs.openbsd.org 2013/01/18 21:48:43
[ssh-keygen.1]
     command-line (adj.) -> command line (n.);
2013-01-20 22:34:46 +11:00
Damien Miller
072fdcd198 - jmc@cvs.openbsd.org 2013/01/18 08:39:04
[ssh-keygen.1]
     add -Q to the options list; ok djm
2013-01-20 22:34:04 +11:00
Damien Miller
ac5542b6b8 - jmc@cvs.openbsd.org 2013/01/18 07:57:47
[ssh-keygen.1]
     tweak previous;
2013-01-20 22:33:02 +11:00
Damien Miller
f3747bf401 - djm@cvs.openbsd.org 2013/01/17 23:00:01
[auth.c key.c key.h ssh-keygen.1 ssh-keygen.c sshd_config.5]
     [krl.c krl.h PROTOCOL.krl]
     add support for Key Revocation Lists (KRLs). These are a compact way to
     represent lists of revoked keys and certificates, taking as little as
     a single bit of incremental cost to revoke a certificate by serial number.
     KRLs are loaded via the existing RevokedKeys sshd_config option.
     feedback and ok markus@
2013-01-18 11:44:04 +11:00
Darren Tucker
3ee50c5d9f - jmc@cvs.openbsd.org 2012/08/15 18:25:50
[ssh-keygen.1]
     a little more info on certificate validity;
     requested by Ross L Richardson, and provided by djm
2012-09-06 21:18:11 +10:00
Damien Miller
dfceafe8b1 - dtucker@cvs.openbsd.org 2012/07/06 00:41:59
[moduli.c ssh-keygen.1 ssh-keygen.c]
     Add options to specify starting line number and number of lines to process
     when screening moduli candidates.  This allows processing of different
     parts of a candidate moduli file in parallel.  man page help jmc@, ok djm@
2012-07-06 13:44:19 +10:00
Damien Miller
390d0561fc - dtucker@cvs.openbsd.org 2011/10/16 11:02:46
[moduli.c ssh-keygen.1 ssh-keygen.c]
     Add optional checkpoints for moduli screening.  feedback & ok deraadt
2011-10-18 16:05:19 +11:00