 ssh-add.1       | 21
 ssh-agent.1     |  8
 ssh-keygen.1    | 25
 ssh-sk-helper.8 |  8
 ssh.1           | 12
 ssh_config.5    | 12
 sshd.8          |  6
 sshd_config.5   | 18
 8 files changed, 52 insertions, 58 deletions
@@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-add.1,v 1.76 2019/11/30 07:07:59 jmc Exp $ +.\" $OpenBSD: ssh-add.1,v 1.77 2019/12/21 20:22:34 naddy Exp $ .\" .\" Author: Tatu Ylonen <ylo@cs.hut.fi> .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland @@ -35,7 +35,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: November 30 2019 $ +.Dd $Mdocdate: December 21 2019 $ .Dt SSH-ADD 1 .Os .Sh NAME @@ -135,8 +135,8 @@ Lists fingerprints of all identities currently represented by the agent. .It Fl q Be quiet after a successful operation. .It Fl S Ar provider -Specifies a path to a security key provider library that will be used when -adding any security key-hosted keys, overriding the default of using the +Specifies a path to a library that will be used when adding +FIDO authenticator-hosted keys, overriding the default of using the internal USB HID support. .It Fl s Ar pkcs11 Add keys provided by the PKCS#11 shared library 
@@ -197,23 +197,18 @@ Identifies the path of a .Ux Ns -domain socket used to communicate with the agent. .It Ev SSH_SK_PROVIDER -Specifies the path to a security key provider library used to interact with -hardware security keys. +Specifies the path to a library used to interact with FIDO authenticators. .El .Sh FILES -.Bl -tag -width Ds +.Bl -tag -width Ds -compact .It Pa ~/.ssh/id_dsa -Contains the DSA authentication identity of the user. .It Pa ~/.ssh/id_ecdsa -Contains the ECDSA authentication identity of the user. .It Pa ~/.ssh/id_ecdsa_sk -Contains the security key-hosted ECDSA authentication identity of the user. .It Pa ~/.ssh/id_ed25519 -Contains the Ed25519 authentication identity of the user. .It Pa ~/.ssh/id_ed25519_sk -Contains the security key-hosted Ed25519 authentication identity of the user. .It Pa ~/.ssh/id_rsa -Contains the RSA authentication identity of the user. +Contains the DSA, ECDSA, authenticator-hosted ECDSA, Ed25519, +authenticator-hosted Ed25519 or RSA authentication identity of the user. .El .Pp Identity files should not be readable by anyone but the user. diff --git a/ssh-agent.1 b/ssh-agent.1 index a3f63467..fff0db6b 100644 --- a/ssh-agent.1 +++ b/ssh-agent.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-agent.1,v 1.69 2019/11/30 07:07:59 jmc Exp $ +.\" $OpenBSD: ssh-agent.1,v 1.70 2019/12/21 20:22:34 naddy Exp $ .\" .\" Author: Tatu Ylonen <ylo@cs.hut.fi> .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: November 30 2019 $ +.Dd $Mdocdate: December 21 2019 $ .Dt SSH-AGENT 1 .Os .Sh NAME 
@@ -98,8 +98,8 @@ Kill the current agent (given by the .Ev SSH_AGENT_PID environment variable). .It Fl P Ar provider_whitelist -Specify a pattern-list of acceptable paths for PKCS#11 and security key shared -libraries that may be used with the +Specify a pattern-list of acceptable paths for PKCS#11 and FIDO authenticator +shared libraries that may be used with the .Fl S or .Fl s diff --git a/ssh-keygen.1 b/ssh-keygen.1 index 1b77bdf6..e4859738 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-keygen.1,v 1.179 2019/11/30 07:07:59 jmc Exp $ +.\" $OpenBSD: ssh-keygen.1,v 1.180 2019/12/21 20:22:34 naddy Exp $ .\" .\" Author: Tatu Ylonen <ylo@cs.hut.fi> .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland @@ -35,7 +35,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: November 30 2019 $ +.Dd $Mdocdate: December 21 2019 $ .Dt SSH-KEYGEN 1 .Os .Sh NAME @@ -537,7 +537,7 @@ Allows X11 forwarding. .It Ic no-touch-required Do not require signatures made using this key require demonstration of user presence (e.g. by having the user touch the key). -This option only makes sense for the Security Key algorithms +This option only makes sense for the FIDO authenticator algorithms .Cm ecdsa-sk and .Cm ed25519-sk . 
@@ -673,11 +673,11 @@ The maximum is 3. .It Fl W Ar generator Specify desired generator when testing candidate moduli for DH-GEX. .It Fl w Ar provider -Specifies a path to a security key provider library that will be used when -creating any security key-hosted keys, overriding the default of the -internal support for USB HID keys. +Specifies a path to a library that will be used when creating +FIDO authenticator-hosted keys, overriding the default of using +the internal USB HID support. .It Fl x Ar flags -Specifies the security key flags to use when enrolling a security key-hosted +Specifies the authenticator flags to use when enrolling an authenticator-hosted key. Flags may be specified by name or directly as a hexadecimal value. Only one named flag is supported at present: @@ -1053,8 +1053,7 @@ user2@example.com namespaces="file" ssh-ed25519 AAA41... .Sh ENVIRONMENT .Bl -tag -width Ds .It Ev SSH_SK_PROVIDER -Specifies the path to a security key provider library used to interact with -hardware security keys. +Specifies the path to a library used to interact with FIDO authenticators. .El .Sh FILES .Bl -tag -width Ds -compact @@ -1064,8 +1063,8 @@ hardware security keys. .It Pa ~/.ssh/id_ed25519 .It Pa ~/.ssh/id_ed25519_sk .It Pa ~/.ssh/id_rsa -Contains the DSA, ECDSA, security key-hosted ECDSA, Ed25519, -security key-hosted Ed25519 or RSA authentication identity of the user. +Contains the DSA, ECDSA, authenticator-hosted ECDSA, Ed25519, +authenticator-hosted Ed25519 or RSA authentication identity of the user. This file should not be readable by anyone but the user. It is possible to specify a passphrase when generating the key; that passphrase will be 
@@ -1082,8 +1081,8 @@ will read this file when a login attempt is made. .It Pa ~/.ssh/id_ed25519.pub .It Pa ~/.ssh/id_ed25519_sk.pub .It Pa ~/.ssh/id_rsa.pub -Contains the DSA, ECDSA, security key-hosted ECDSA, Ed25519, -security key-hosted Ed25519 or RSA public key for authentication. +Contains the DSA, ECDSA, authenticator-hosted ECDSA, Ed25519, +authenticator-hosted Ed25519 or RSA public key for authentication. The contents of this file should be added to .Pa ~/.ssh/authorized_keys on all machines diff --git a/ssh-sk-helper.8 b/ssh-sk-helper.8 index 9a518fba..3c53da1e 100644 --- a/ssh-sk-helper.8 +++ b/ssh-sk-helper.8 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-sk-helper.8,v 1.2 2019/11/30 07:07:59 jmc Exp $ +.\" $OpenBSD: ssh-sk-helper.8,v 1.3 2019/12/21 20:22:34 naddy Exp $ .\" .\" Copyright (c) 2010 Markus Friedl. All rights reserved. .\" @@ -14,12 +14,12 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: November 30 2019 $ +.Dd $Mdocdate: December 21 2019 $ .Dt SSH-SK-HELPER 8 .Os .Sh NAME .Nm ssh-sk-helper -.Nd OpenSSH helper for security key support +.Nd OpenSSH helper for FIDO authenticator support .Sh SYNOPSIS .Nm .Op Fl v @@ -27,7 +27,7 @@ .Nm is used by .Xr ssh-agent 1 -to access keys provided by a security key. +to access keys provided by a FIDO authenticator. .Pp .Nm is not intended to be invoked by the user, but from @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.408 2019/11/30 07:07:59 jmc Exp $ -.Dd $Mdocdate: November 30 2019 $ +.\" $OpenBSD: ssh.1,v 1.409 2019/12/21 20:22:34 naddy Exp $ +.Dd $Mdocdate: December 21 2019 $ .Dt SSH 1 .Os .Sh NAME 
@@ -903,11 +903,11 @@ This stores the private key in .Pa ~/.ssh/id_ecdsa (ECDSA), .Pa ~/.ssh/id_ecdsa_sk -(security key-hosted ECDSA), +(authenticator-hosted ECDSA), .Pa ~/.ssh/id_ed25519 (Ed25519), .Pa ~/.ssh/id_ed25519_sk -(security key-hosted Ed25519), +(authenticator-hosted Ed25519), or .Pa ~/.ssh/id_rsa (RSA) @@ -917,11 +917,11 @@ and stores the public key in .Pa ~/.ssh/id_ecdsa.pub (ECDSA), .Pa ~/.ssh/id_ecdsa_sk.pub -(security key-hosted ECDSA), +(authenticator-hosted ECDSA), .Pa ~/.ssh/id_ed25519.pub (Ed25519), .Pa ~/.ssh/id_ed25519_sk.pub -(security key-hosted Ed25519), +(authenticator-hosted Ed25519), or .Pa ~/.ssh/id_rsa.pub (RSA) diff --git a/ssh_config.5 b/ssh_config.5 index 186e0761..d3d45b53 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -33,7 +33,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.312 2019/12/21 02:19:13 djm Exp $ +.\" $OpenBSD: ssh_config.5,v 1.313 2019/12/21 20:22:34 naddy Exp $ .Dd $Mdocdate: December 21 2019 $ .Dt SSH_CONFIG 5 .Os @@ -936,8 +936,8 @@ or the tokens described in the .Sx TOKENS section. .It Cm IdentityFile -Specifies a file from which the user's DSA, ECDSA, security key-hosted ECDSA, -Ed25519 or RSA authentication identity is read. +Specifies a file from which the user's DSA, ECDSA, authenticator-hosted ECDSA, +Ed25519, authenticator-hosted Ed25519 or RSA authentication identity is read. The default is .Pa ~/.ssh/id_dsa , .Pa ~/.ssh/id_ecdsa , 
@@ -1462,9 +1462,9 @@ an OpenSSH Key Revocation List (KRL) as generated by For more information on KRLs, see the KEY REVOCATION LISTS section in .Xr ssh-keygen 1 . .It Cm SecurityKeyProvider -Specifies a path to a security key provider library that will be used when -loading any security key-hosted keys, overriding the default of using -the built-in support for USB HID keys. +Specifies a path to a library that will be used when loading any +FIDO authenticator-hosted keys, overriding the default of using +the built-in USB HID support. .Pp If the specified value begins with a .Sq $ @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd.8,v 1.310 2019/12/19 03:50:01 dtucker Exp $ -.Dd $Mdocdate: December 19 2019 $ +.\" $OpenBSD: sshd.8,v 1.311 2019/12/21 20:22:34 naddy Exp $ +.Dd $Mdocdate: December 21 2019 $ .Dt SSHD 8 .Os .Sh NAME @@ -627,7 +627,7 @@ option. .It Cm no-touch-required Do not require demonstration of user presence for signatures made using this key. -This option only makes sense for the Security Key algorithms +This option only makes sense for the FIDO authenticator algorithms .Cm ecdsa-sk and .Cm ed25519-sk . diff --git a/sshd_config.5 b/sshd_config.5 index 22219317..76ec69ba 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.296 2019/12/19 15:09:30 naddy Exp $ -.Dd $Mdocdate: December 19 2019 $ +.\" $OpenBSD: sshd_config.5,v 1.297 2019/12/21 20:22:34 naddy Exp $ +.Dd $Mdocdate: December 21 2019 $ .Dt SSHD_CONFIG 5 .Os .Sh NAME 
@@ -1462,20 +1462,20 @@ and .Pp The .Cm touch-required -option causes public key authentication using a security key algorithm +option causes public key authentication using a FIDO authenticator algorithm (i.e.\& .Cm ecdsa-sk or .Cm ed25519-sk ) to always require the signature to attest that a physically present user -explicitly confirmed the authentication (usually by touching the security key). +explicitly confirmed the authentication (usually by touching the authenticator). By default, .Xr sshd 8 -requires key touch unless overridden with an authorized_keys option. +requires user presence unless overridden with an authorized_keys option. The .Cm touch-required flag disables this override. -This option has no effect for other, non-security key, public key types. +This option has no effect for other, non-authenticator public key types. .It Cm PubkeyAuthentication Specifies whether public key authentication is allowed. The default is @@ -1527,9 +1527,9 @@ If the routing domain is set to .Cm \&%D , then the domain in which the incoming connection was received will be applied. .It Cm SecurityKeyProvider -Specifies a path to a security key provider library that will be used when -loading any security key-hosted keys, overriding the default of using -the built-in support for USB HID keys. +Specifies a path to a library that will be used when loading +FIDO authenticator-hosted keys, overriding the default of using +the built-in USB HID support. .It Cm SetEnv Specifies one or more environment variables to set in child sessions started by |
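Review bot: the IdentityFile rewording in ssh_config.5 (hunk @@ -936,8 +936,8 @@) also adds "authenticator-hosted Ed25519" to the list of identity types, which the old text omitted entirely; make sure the "The default is" path list that follows (only ~/.ssh/id_dsa and ~/.ssh/id_ecdsa are visible in the hunk context) names ~/.ssh/id_ed25519_sk alongside ~/.ssh/id_ecdsa_sk, so the prose and the default path list agree. The equivalent lists in ssh.1 (@@ -903,11 +903,11 @@ and @@ -917,11 +917,11 @@) already include id_ed25519_sk, so this is only about consistency inside ssh_config.5.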
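Review bot: the prose now says "FIDO authenticator" everywhere, but the user-facing identifiers keep the old naming: the SecurityKeyProvider option in ssh_config.5 and sshd_config.5, the SSH_SK_PROVIDER environment variable in ssh-add.1 and ssh-keygen.1, and the ecdsa-sk / ed25519-sk algorithm names. A one-line remark at the first use in each page (for example under SecurityKeyProvider: the "security key" in option and variable names refers to a FIDO authenticator) would stop readers from looking for a separate concept. That is a documentation change only; renaming the identifiers would break existing configurations.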
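Review bot: the replacement text for the provider-library description is worded three slightly different ways across the patch: ssh-add.1 -S (@@ -135,8 +135,8 @@) and ssh-keygen.1 -w (@@ -673,11 +673,11 @@) say "the internal USB HID support", ssh_config.5 (@@ -1462,9 +1462,9 @@) and sshd_config.5 (@@ -1527,9 +1527,9 @@) say "the built-in USB HID support", and only ssh_config.5 keeps "loading any FIDO authenticator-hosted keys" while sshd_config.5 drops the "any". Since this commit is a terminology sweep, pick one phrasing and use it in all four places.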
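Review bot: in the ssh-keygen.1 hunk @@ -537,7 +537,7 @@ the unchanged context line "Do not require signatures made using this key require demonstration of user presence" has a doubled "require"; since the sentence right after it is being edited anyway, consider fixing it to "Do not require signatures made using this key to include demonstration of user presence", which would also match the clearer wording already present in sshd.8 (@@ -627,7 +627,7 @@): "Do not require demonstration of user presence for signatures made using this key."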
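Review bot: the ssh-add.1 FILES hunk (@@ -197,23 +197,18 @@) does more than rename: it switches the list to ".Bl -tag -width Ds -compact" and replaces six per-file "Contains the ... identity" descriptions with one combined sentence. That mirrors what ssh-keygen.1 already does in its FILES section (@@ -1064,8 +1063,8 @@), so the result is fine, but the change would be easier to audit if the structural rewrite were mentioned in the commit message or split from the "security key" to "FIDO authenticator" rewording.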