path: root/PROTOCOL.u2f
Commit message | Author | Date | Files | Lines
* upstream: when writing an attestation blob for a FIDO key, record all the data needed to verify the attestation. Previously we were missing the "authenticator data" that is included in the signature. Spotted by Ian Haken; feedback Pedro Martelletto and Ian Haken; ok markus@. OpenBSD-Commit-ID: 8439896e63792b2db99c6065dd9a45eabbdb7e0a
  Author: djm@openbsd.org; Date: 2020-09-09; Files: 1; Lines: -80/+18
* upstream: Add RCS IDs to the few files that are missing them; from Pedro Martelletto. OpenBSD-Commit-ID: 39aa37a43d0c75ec87f1659f573d3b5867e4a3b3
  Author: djm@openbsd.org; Date: 2020-08-31; Files: 1; Lines: -0/+1
* upstream: Add support for FIDO webauthn (verification only). webauthn is a standard for using FIDO keys in web browsers. webauthn signatures are a slightly different format to plain FIDO signatures; this support allows verification of these. Feedback and ok markus@. OpenBSD-Commit-ID: ab7e3a9fb5782d99d574f408614d833379e564ad
  Author: djm@openbsd.org; Date: 2020-06-22; Files: 1; Lines: -0/+26
* upstream: fix non-ASCII quote that snuck in; spotted by Gabriel Kihlman. OpenBSD-Commit-ID: 04bcde311de2325d9e45730c744c8de079b49800
  Author: djm@openbsd.org; Date: 2020-05-27; Files: 1; Lines: -1/+1
* upstream: clarify role of FIDO tokens in multi-factor authentication; mostly from Pedro Martelletto. OpenBSD-Commit-ID: fbe05685a1f99c74b1baca7130c5a03c2df7c0ac
  Author: djm@openbsd.org; Date: 2020-05-27; Files: 1; Lines: -0/+7
* upstream: when signing a challenge using a FIDO token, perform the hashing in the middleware layer rather than in ssh code. This allows middlewares that call APIs that perform the hashing implicitly (including Microsoft's AFAIK). ok markus@. OpenBSD-Commit-ID: c9fc8630aba26c75d5016884932f08a5a237f37d
  Author: djm@openbsd.org; Date: 2020-05-01; Files: 1; Lines: -1/+1
* upstream: Fix some typos and an incorrect word in docs. Patch from itoama at live.jp via github PR#172. OpenBSD-Commit-ID: 166ee8f93a7201fef431b9001725ab8b269d5874
  Author: dtucker@openbsd.org; Date: 2020-02-21; Files: 1; Lines: -2/+2
* upstream: changes to support FIDO attestation. Allow writing to disk the attestation certificate that is generated by the FIDO token at key enrollment time. These certificates may be used by an out-of-band workflow to prove that a particular key is held in trustworthy hardware. Allow passing in a challenge that will be sent to the card during key enrollment. These are needed to build an attestation workflow that resists replay attacks. ok markus@. OpenBSD-Commit-ID: 457dc3c3d689ba39eed328f0817ed9b91a5f78f6
  Author: djm@openbsd.org; Date: 2020-01-29; Files: 1; Lines: -9/+12
* upstream: improve the error message for u2f enrollment errors by making ssh-keygen be solely responsible for printing the error message and converting some more common error responses from the middleware to a useful ssherr.h status code. More detail remains visible via -v of course. Also remove independent copy of sk-api.h declarations in sk-usbhid.c and just include it. feedback & ok markus@. OpenBSD-Commit-ID: a4a8ffa870d9a3e0cfd76544bcdeef5c9fb1f1bb
  Author: djm@openbsd.org; Date: 2020-01-26; Files: 1; Lines: -0/+1
* upstream: Extends the SK API to accept a set of key/value options for all operations. These are intended to future-proof the API a little by making it easier to specify additional fields without having to change the API version for each. At present, only two options are defined: one to explicitly specify the device for an operation (rather than accepting the middleware's autoselection) and another to specify the FIDO2 username that may be used when generating a resident key. These new options may be invoked at key generation time via ssh-keygen -O. This also implements a suggestion from Markus to avoid "int" in favour of uint32_t for the algorithm argument in the API, to make implementation of ssh-sk-client/helper a little easier. feedback, fixes and ok markus@. OpenBSD-Commit-ID: 973ce11704609022ab36abbdeb6bc23c8001eabc
  Author: djm@openbsd.org; Date: 2020-01-06; Files: 1; Lines: -7/+40
* upstream: document SK API changes in PROTOCOL.u2f. ok markus@. OpenBSD-Commit-ID: 52622363c103a3c4d3d546050480ffe978a32186
  Author: djm@openbsd.org; Date: 2019-12-30; Files: 1; Lines: -2/+20
* upstream: basic support for generating FIDO2 resident keys. "ssh-keygen -t ecdsa-sk|ed25519-sk -x resident" will generate a device-resident key. feedback and ok markus@. OpenBSD-Commit-ID: 8e1b3c56a4b11d85047bd6c6c705b7eef4d58431
  Author: djm@openbsd.org; Date: 2019-12-30; Files: 1; Lines: -0/+2
* upstream: SSH U2F keys can now be used as host keys. Fix a garden path sentence. ok markus@. OpenBSD-Commit-ID: 67d7971ca1a020acd6c151426c54bd29d784bd6b
  Author: naddy@openbsd.org; Date: 2019-12-21; Files: 1; Lines: -5/+1
* upstream: add a note about the 'extensions' field in the signed object. OpenBSD-Commit-ID: 67c01e0565b258e0818c1ccfe1f1aeaf9a0d4c7b
  Author: djm@openbsd.org; Date: 2019-12-14; Files: 1; Lines: -0/+4
* upstream: some more corrections for documentation problems spotted by Ron Frederick: document certificate private key format; correct flags type for sk-ssh-ed25519@openssh.com keys. OpenBSD-Commit-ID: fc4e9a1ed7f9f7f9dd83e2e2c59327912e933e74
  Author: djm@openbsd.org; Date: 2019-12-11; Files: 1; Lines: -2/+12
* upstream: loading security keys into ssh-agent used the extension constraint "sk-provider@openssh.com", not "sk@openssh.com"; spotted by Ron Frederick. OpenBSD-Commit-ID: dbfba09edbe023abadd5f59c1492df9073b0e51d
  Author: djm@openbsd.org; Date: 2019-12-11; Files: 1; Lines: -1/+1
* upstream: chop some unnecessary and confusing verbiage from the security key protocol description; feedback from Ron Frederick. OpenBSD-Commit-ID: 048c9483027fbf9c995e5a51b3ac502989085a42
  Author: djm@openbsd.org; Date: 2019-12-11; Files: 1; Lines: -10/+3
* upstream: tweak wording. OpenBSD-Commit-ID: bd002ca1599b71331faca735ff5f6de29e32222e
  Author: djm@openbsd.org; Date: 2019-11-28; Files: 1; Lines: -4/+4
* upstream: adjust on-wire signature encoding for ecdsa-sk keys to better match ed25519-sk keys. Discussed with markus@ and Sebastian Kinne. NB. if you are depending on security keys (already?) then make sure you update both your clients and servers. OpenBSD-Commit-ID: 53d88d8211f0dd02a7954d3af72017b1a79c0679
  Author: djm@openbsd.org; Date: 2019-11-20; Files: 1; Lines: -5/+8
* upstream: document ed25519-sk pubkey, private key and certificate formats. OpenBSD-Commit-ID: 795a7c1c80315412e701bef90e31e376ea2f3c88
  Author: djm@openbsd.org; Date: 2019-11-18; Files: 1; Lines: -5/+40
* upstream: correct order of ecdsa-sk private key fields. OpenBSD-Commit-ID: 4d4a0c13226a79f0080ce6cbe74f73b03ed8092e
  Author: djm@openbsd.org; Date: 2019-11-18; Files: 1; Lines: -1/+1
* upstream: correct description of fields in pub/private keys (was missing curve name); spotted by Sebastian Kinne. OpenBSD-Commit-ID: 2a11340dc7ed16200342d384fb45ecd4fcce26e7
  Author: djm@openbsd.org; Date: 2019-11-18; Files: 1; Lines: -0/+3
* upstream: remove extra layer for ed25519 signature; ok djm@. OpenBSD-Commit-ID: 7672d9d0278b4bf656a12d3aab0c0bfe92a8ae47
  Author: markus@openbsd.org; Date: 2019-11-13; Files: 1; Lines: -0/+8
* upstream: update sk-api to version 2 for ed25519 support; ok djm. OpenBSD-Commit-ID: 77aa4d5b6ab17987d8a600907b49573940a0044a
  Author: markus@openbsd.org; Date: 2019-11-13; Files: 1; Lines: -3/+7
* upstream: fix miscellaneous text problems; ok djm@. OpenBSD-Commit-ID: 0cbf411a14d8fa0b269b69cbb1b4fc0ca699fe9f
  Author: naddy@openbsd.org; Date: 2019-11-02; Files: 1; Lines: -8/+8
* upstream: Protocol documentation for U2F/FIDO keys in OpenSSH. OpenBSD-Commit-ID: 8f3247317c2909870593aeb306dff848bc427915
  Author: djm@openbsd.org; Date: 2019-11-01; Files: 1; Lines: -0/+224