path: root/ssh-keygen.1
Commit log (newest first). Each entry: date, author, files changed and lines -/+, followed by the commit message.
* 2023-02-16  jmc@openbsd.org  [1 file, -2/+2]
  upstream: space between macro and punctuation;
  OpenBSD-Commit-ID: abc95e550be9e6d9a7ff64b65c104c7be21ab19e

* 2023-02-10  djm@openbsd.org  [1 file, -2/+17]
  upstream: let ssh-keygen and ssh-keyscan accept
  -Ohashalg=sha1|sha256 when outputting SSHFP fingerprints to allow
  algorithm selection. bz3493 ok dtucker@
  OpenBSD-Commit-ID: e6e07fe21318a873bd877f333e189eb963a11b3d
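The SSHFP selection described in the commit above, as an added example that is not OpenSSH's own code: it derives the DNS SSHFP record for an OpenSSH public-key line, with the hash chosen the way `-Ohashalg=sha1|sha256` chooses it. The algorithm and fingerprint-type numbers are the registered SSHFP values (RFC 4255, RFC 6594, RFC 7479); the fingerprint is the hash over the base64-decoded key blob. The sample key is constructed deterministic bytes, not a real key, and `make_ed25519_pubkey_line` exists only to build it offline.

```python
# Added example (not OpenSSH code): emit DNS SSHFP records for an OpenSSH
# public-key line, selecting SHA-1 or SHA-256 as ssh-keygen -r -Ohashalg does.
import base64
import hashlib
import struct

# SSHFP "algorithm" numbers for OpenSSH key-type strings:
# 1 RSA, 2 DSA (RFC 4255), 3 ECDSA (RFC 6594), 4 Ed25519 (RFC 7479).
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}

# SSHFP "fingerprint type" numbers: 1 SHA-1 (RFC 4255), 2 SHA-256 (RFC 6594).
SSHFP_FPTYPE = {"sha1": 1, "sha256": 2}


def sshfp_record(hostname: str, pubkey_line: str, hashalg: str = "sha256") -> str:
    """Return one 'host IN SSHFP alg fptype hex' record for a public-key line.

    The fingerprint is the hash of the raw (base64-decoded) key blob, i.e. the
    wire-format public key; the trailing comment field, if any, is ignored.
    """
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("not an OpenSSH public key line")
    keytype, b64 = fields[0], fields[1]
    if keytype not in SSHFP_ALGORITHM:
        raise ValueError(f"unsupported key type for SSHFP: {keytype}")
    if hashalg not in SSHFP_FPTYPE:
        raise ValueError(f"unsupported hash algorithm: {hashalg}")
    blob = base64.b64decode(b64, validate=True)
    # Sanity check: the first SSH string inside the blob must repeat the key type.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != keytype.encode():
        raise ValueError("key blob does not match declared key type")
    digest = hashlib.new(hashalg, blob).hexdigest()
    return f"{hostname} IN SSHFP {SSHFP_ALGORITHM[keytype]} {SSHFP_FPTYPE[hashalg]} {digest}"


def make_ed25519_pubkey_line(raw32: bytes, comment: str = "") -> str:
    """Build an OpenSSH public-key line from 32 raw Ed25519 public-key bytes.

    Used only to construct a sample key offline; the bytes passed in below are
    constructed test data, not a real key.
    """
    t = b"ssh-ed25519"
    blob = struct.pack(">I", len(t)) + t + struct.pack(">I", len(raw32)) + raw32
    line = "ssh-ed25519 " + base64.b64encode(blob).decode()
    return line + (" " + comment if comment else "")


# Constructed sample key (deterministic bytes 0..31, not a real key).
SAMPLE_PUBKEY = make_ed25519_pubkey_line(bytes(range(32)), "example@host")

if __name__ == "__main__":
    for alg in ("sha1", "sha256"):
        print(sshfp_record("host.example", SAMPLE_PUBKEY, alg))
```

Publish the SHA-256 record (fingerprint type 2) wherever possible; the SHA-1 form exists for resolvers and clients that predate RFC 6594, and a client that validates SSHFP (`VerifyHostKeyDNS`) only gains anything if the zone is DNSSEC-signed.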
* 2022-09-14  jsg@openbsd.org  [1 file, -3/+3]
  upstream: fix repeated words ok miod@ jmc@
  OpenBSD-Commit-ID: 6765daefe26a6b648cc15cadbbe337596af709b7

* 2022-08-17  jmc@openbsd.org  [1 file, -3/+3]
  upstream: use .Cm for "sign"; from josiah frentsos
  OpenBSD-Commit-ID: 7f80a53d54857ac6ae49ea6ad93c5bd12231d1e4

* 2022-08-11  djm@openbsd.org  [1 file, -23/+65]
  upstream: allow certificate validity intervals, sshsig verification
  times and authorized_keys expiry-time options to accept dates in the
  UTC time zone in addition to the default of interpreting them in the
  system time zone. YYYYMMDD and YYMMDDHHMM[SS] dates/times will be
  interpreted as UTC if suffixed with a 'Z' character.

  Also allow certificate validity intervals to be specified in raw
  seconds-since-epoch as hex value, e.g. -V 0x1234:0x4567890. This is
  intended for use by regress tests and other tools that call ssh-keygen
  as part of a CA workflow.

  bz3468 ok dtucker
  OpenBSD-Commit-ID: 454db1cdffa9fa346aea5211223a2ce0588dfe13

* 2022-06-03  dtucker@openbsd.org  [1 file, -5/+5]
  upstream: ssh-keygen -A: do not generate DSA keys by default.
  Based on github PR#303 from jsegitz with man page text from jmc@,
  ok markus@ djm@
  OpenBSD-Commit-ID: 5c4c57bdd7063ff03381cfb6696659dd3f9f5b9f

* 2022-05-09  djm@openbsd.org  [1 file, -3/+5]
  upstream: Allow existing -U (use agent) flag to work with "-Y sign"
  operations, where it will be interpreted to require that the private
  key is hosted in an agent; bz3429, suggested by Adam Szkoda; ok dtucker@
  OpenBSD-Commit-ID: a7bc69873b99c32c42c7628ed9ea91565ba08c2f

* 2022-05-05  florian@openbsd.org  [1 file, -52/+78]
  upstream: Add FIDO AUTHENTICATOR section and explain a bit how FIDO
  works. The wording came mostly from the 8.2 OpenSSH release notes,
  adapted to fit the man page. Then move the -O bits into the new
  section as is already done for CERTIFICATES and MODULI GENERATION.
  Finally we can explain the trade-offs of resident keys.

  While here, consistently refer to the FIDO thingies as "FIDO
  authenticators", not "FIDO tokens".

  input & OK jmc, naddy
  OpenBSD-Commit-ID: dd98748d7644df048f78dcf793b3b63db9ab1d25

* 2022-02-07  jsg@openbsd.org  [1 file, -8/+8]
  upstream: remove please from manual pages ok jmc@ sthen@ millert@
  OpenBSD-Commit-ID: 6543acb00f4f38a23472538e1685c013ca1a99aa

* 2022-01-05  djm@openbsd.org  [1 file, -2/+11]
  upstream: allow selection of hash at sshsig signing time; code
  already supported either sha512 (default) or sha256, but plumbing
  wasn't there mostly by Linus Nordberg
  OpenBSD-Commit-ID: 1b536404b9da74a84b3a1c8d0b05fd564cdc96cd

* 2021-11-28  djm@openbsd.org  [1 file, -3/+2]
  upstream: ssh-keygen -Y match-principals doesn't accept any -O
  options at present, so don't say otherwise in SYNOPSIS; spotted jmc@
  OpenBSD-Commit-ID: 9cc43a18f4091010741930b48b3db2f2e4f1d35c

* 2021-11-27  djm@openbsd.org  [1 file, -2/+15]
  upstream: Add ssh-keygen -Y match-principals operation to perform
  matching of principal names against an allowed signers file.
  Requested by and mostly written by Fabian Stelzer, towards a TOFU
  model for SSH signatures in git. Some tweaks by me.
  "doesn't bother me" deraadt@
  OpenBSD-Commit-ID: 8d1b71f5a4127bc5e10a880c8ea6053394465247

* 2021-08-11  djm@openbsd.org  [1 file, -2/+4]
  upstream: when verifying sshsig signatures, support an option
  (-Oprint-pubkey) to dump the full public key to stdout; based on
  patch from Fabian Stelzer; ok markus@
  OpenBSD-Commit-ID: 0598000e5b9adfb45d42afa76ff80daaa12fc3e2

* 2021-07-24  jmc@openbsd.org  [1 file, -2/+2]
  upstream: punctuation;
  OpenBSD-Commit-ID: 64be152e378c45975073ab1c07e0db7eddd15806

* 2021-07-23  djm@openbsd.org  [1 file, -3/+22]
  upstream: Let allowed signers files used by ssh-keygen(1)
  signatures support key lifetimes, and allow the verification mode
  to specify a signature time to check at. This is intended for use
  by git to support signing objects using ssh keys. ok dtucker@
  OpenBSD-Commit-ID: 3e2c67b7dcd94f0610194d1e8e4907829a40cf31
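Three of the commits above describe one mechanism: the allowed signers file with `valid-after`/`valid-before` key lifetimes checked against a verification time (2021-07-23), principal matching against that file (`-Y match-principals`, 2021-11-27), and the timestamp syntax those options accept, including the `Z` suffix for UTC and the `0x` hex seconds-since-epoch form introduced for `-V` (2022-08-11). The following is an added example, written for this page and not OpenSSH's own code, that parses such a file and applies those rules. Assumptions: principal patterns are matched with `fnmatch`, a superset of the `*` and `?` wildcards; the lifetime bounds are treated as inclusive here, which is this example's choice rather than a statement about OpenSSH's boundary handling; the key fields in the sample file are placeholders and are only compared verbatim, never decoded.

```python
# Added example (not OpenSSH's own code): parse an allowed_signers file and
# apply its principal patterns, namespaces and key lifetimes.
import calendar
import fnmatch
import time
from dataclasses import dataclass
from typing import List, Optional


def parse_timestamp(s: str) -> int:
    """POSIX seconds from YYYYMMDD, YYYYMMDDHHMM or YYYYMMDDHHMMSS.

    A trailing 'Z' means UTC; without it the system time zone applies.
    A 0x-prefixed value is raw seconds since the epoch in hex.
    """
    if s.startswith("0x"):
        return int(s, 16)
    utc = s.endswith("Z")
    digits = s[:-1] if utc else s
    fmt = {8: "%Y%m%d", 12: "%Y%m%d%H%M", 14: "%Y%m%d%H%M%S"}.get(len(digits))
    if fmt is None or not digits.isdigit():
        raise ValueError(f"bad timestamp: {s!r}")
    tm = time.strptime(digits, fmt)
    return calendar.timegm(tm) if utc else int(time.mktime(tm))


@dataclass
class AllowedSigner:
    principals: List[str]              # patterns with '*' and '?' wildcards
    keytype: str
    key: str                           # base64 blob, compared verbatim only
    cert_authority: bool = False
    namespaces: Optional[List[str]] = None   # None = any namespace
    valid_after: Optional[int] = None        # inclusive bound (example's choice)
    valid_before: Optional[int] = None       # inclusive bound (example's choice)


def _split_options(opts: str) -> List[str]:
    """Split a,b="x,y",c on commas outside double quotes, dropping the quotes."""
    out, cur, quoted = [], [], False
    for ch in opts:
        if ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            out.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    out.append("".join(cur))
    return [o for o in out if o]


KEYTYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def parse_allowed_signers(text: str) -> List[AllowedSigner]:
    """Parse 'principals [options] keytype key [comment]' lines."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 3)
        if len(parts) >= 3 and parts[1].startswith(KEYTYPE_PREFIXES):
            options, keytype, key = "", parts[1], parts[2]
        elif len(parts) >= 4:
            options, keytype, key = parts[1], parts[2], parts[3].split()[0]
        else:
            raise ValueError(f"line {lineno}: too few fields")
        e = AllowedSigner(parts[0].split(","), keytype, key)
        for opt in _split_options(options):
            name, _, value = opt.partition("=")
            if name == "cert-authority" and not value:
                e.cert_authority = True
            elif name == "namespaces":
                e.namespaces = value.split(",")
            elif name == "valid-after":
                e.valid_after = parse_timestamp(value)
            elif name == "valid-before":
                e.valid_before = parse_timestamp(value)
            else:
                raise ValueError(f"line {lineno}: unknown option {opt!r}")
        entries.append(e)
    return entries


def match_principals(entries: List[AllowedSigner], principal: str) -> List[str]:
    """Principal patterns matching `principal`, as -Y match-principals reports."""
    return [p for e in entries for p in e.principals if fnmatch.fnmatchcase(principal, p)]


def signer_valid_at(e: AllowedSigner, namespace: str, when: int) -> bool:
    """Lifetime and namespace check for one entry at verification time `when`."""
    if e.namespaces is not None and namespace not in e.namespaces:
        return False
    if e.valid_after is not None and when < e.valid_after:
        return False
    if e.valid_before is not None and when > e.valid_before:
        return False
    return True


def signers_for(entries, principal, namespace, when) -> List[AllowedSigner]:
    """Entries that match `principal` and are valid in `namespace` at `when`."""
    return [e for e in entries
            if match_principals([e], principal) and signer_valid_at(e, namespace, when)]


# Constructed sample allowed_signers file; key fields are placeholders, not real keys.
ALLOWED_SIGNERS = """\
# constructed sample, not a real file
alice@example.com namespaces="git",valid-after="20210101Z",valid-before="20231231235959Z" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEALICE alice
*@example.org cert-authority ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLECAKEY org-ca
bob@example.com,bob@example.net ssh-rsa AAAAB3NzaC1yc2EEXAMPLEBOB
"""

if __name__ == "__main__":
    entries = parse_allowed_signers(ALLOWED_SIGNERS)
    print(match_principals(entries, "carol@example.org"))
    print(len(signers_for(entries, "alice@example.com", "git", parse_timestamp("20220601Z"))))
```

The practical point for a verifier (git's `gpg.ssh.allowedSignersFile` workflow included) is that a signature made while a key was valid must be checked at the signing time, not at the time of verification: without a `verify-time`, a key rotated out with `valid-before` would invalidate every earlier signature it made. Use the `Z` form in shared files so the bound does not shift with each verifier's local time zone.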
* 2021-05-14  dtucker@openbsd.org  [1 file, -4/+3]
  upstream: Clarify language about moduli. While both ends of the
  connection do need to use the same parameters (ie groups), the
  DH-GEX protocol takes care of that and both ends do not need the
  same contents in the moduli file, which is what the previous text
  suggested. ok djm@ jmc@
  OpenBSD-Commit-ID: f0c18cc8e79c2fbf537a432a9070ed94e96a622a

* 2020-11-27  dtucker@openbsd.org  [1 file, -2/+11]
  upstream: Document ssh-keygen -Z, sanity check its argument earlier and
  provide a better error message if it's not correct. Prompted by
  bz#2879, ok djm@ jmc@
  OpenBSD-Commit-ID: 484178a173e92230fb1803fb4f206d61f7b58005

* 2020-11-17  dtucker@openbsd.org  [1 file, -3/+5]
  upstream: Specify that the KDF function is bcrypt. Based on github
  PR#214 from rafork, ok markus@, mdoc correction jmc@
  OpenBSD-Commit-ID: d8f2853e7edbcd483f31b50da77ab80ffa18b4ef

* 2020-10-26  dtucker@openbsd.org  [1 file, -5/+5]
  upstream: Minor man page fixes (capitalization, commas) identified by
  the manpage-l10n project via bz#3223. feedback deraadt@, ok jmc@
  OpenBSD-Commit-ID: ab83af0daf18369244a72daaec6c4a58a9eb7e2c

* 2020-09-09  djm@openbsd.org  [1 file, -4/+5]
  upstream: when writing an attestation blob for a FIDO key, record all
  the data needed to verify the attestation. Previously we were missing
  the "authenticator data" that is included in the signature.

  spotted by Ian Haken
  feedback Pedro Martelletto and Ian Haken; ok markus@
  OpenBSD-Commit-ID: 8439896e63792b2db99c6065dd9a45eabbdb7e0a

* 2020-08-27  jmc@openbsd.org  [1 file, -2/+2]
  upstream: tweak previous;
  OpenBSD-Commit-ID: 92714b6531e244e4da401b2defaa376374e24be7

* 2020-08-27  djm@openbsd.org  [1 file, -1/+3]
  upstream: Request PIN ahead of time for certain FIDO actions

  When we know that a particular action will require a PIN, such as
  downloading resident keys or generating a verify-required key,
  request the PIN before attempting it.

  joint work with Pedro Martelletto; ok markus@
  OpenBSD-Commit-ID: 863182d38ef075bad1f7d20ca485752a05edb727

* 2020-08-27  djm@openbsd.org  [1 file, -3/+19]
  upstream: support for user-verified FIDO keys

  FIDO2 supports a notion of "user verification" where the user is
  required to demonstrate their identity to the token before particular
  operations (e.g. signing). Typically this is done by authenticating
  themselves using a PIN that has been set on the token.

  This adds support for generating and using user verified keys where
  the verification happens via PIN (other options might be added in
  the future, but none are in common use now). Practically, this adds
  another key generation option "verify-required" that yields a key
  that requires a PIN before each authentication.

  feedback markus@ and Pedro Martelletto; ok markus@
  OpenBSD-Commit-ID: 57fd461e4366f87c47502c5614ec08573e6d6a15

* 2020-07-17  solene@openbsd.org  [1 file, -3/+10]
  upstream:
  - Add [-a rounds] in ssh-keygen man page and usage()
  - Reorder parameters list in the first usage() case
  - Sentence rewording

  ok dtucker@ jmc@
  noticed usage() missed -a flag too
  OpenBSD-Commit-ID: f06b9afe91cc96f260b929a56e9930caecbde246

* 2020-07-15  dtucker@openbsd.org  [1 file, -2/+3]
  upstream: Add default for number of rounds (-a). ok djm@
  OpenBSD-Commit-ID: cb7e9aa04ace01a98e63e4bd77f34a42ab169b15

* 2020-04-03  djm@openbsd.org  [1 file, -2/+6]
  upstream: give ssh-keygen the ability to dump the contents of a
  binary key revocation list: ssh-keygen -lQf /path
  bz#3132; ok dtucker
  OpenBSD-Commit-ID: b76afc4e3b74ab735dbde4e5f0cfa1f02356033b

* 2020-02-24  dtucker@openbsd.org  [1 file, -3/+3]
  upstream: Fix typo. Patch from itoama at live.jp via github PR#173.
  OpenBSD-Commit-ID: 5cdaafab38bbdea0d07e24777d00bfe6f972568a

* 2020-02-07  djm@openbsd.org  [1 file, -3/+5]
  upstream: sync the description of the $SSH_SK_PROVIDER environment
  variable with that of the SecurityKeyProvider ssh/sshd_config(5)
  directive, as the latter was more descriptive.
  OpenBSD-Commit-ID: 0488f09530524a7e53afca6b6e1780598022552f

* 2020-02-04  djm@openbsd.org  [1 file, -2/+4]
  upstream: require FIDO application strings to start with "ssh:"; ok
  markus@
  OpenBSD-Commit-ID: 94e9c1c066d42b76f035a3d58250a32b14000afb

* 2020-02-04  jmc@openbsd.org  [1 file, -9/+7]
  upstream: use better markup for challenge and write-attestation, and
  rejig the challenge text a little; ok djm
  OpenBSD-Commit-ID: 9f351e6da9edfdc907d5c3fdaf2e9ff3ab0a7a6f

* 2020-02-02  jmc@openbsd.org  [1 file, -10/+10]
  upstream: shuffle the challenge keyword to keep the -O list sorted;
  OpenBSD-Commit-ID: 08efad608b790949a9a048d65578fae9ed5845fe
* 2020-01-29  djm@openbsd.org  [1 file, -2/+14]
  upstream: changes to support FIDO attestation

  Allow writing to disk the attestation certificate that is generated
  by the FIDO token at key enrollment time. These certificates may be
  used by an out-of-band workflow to prove that a particular key is
  held in trustworthy hardware.

  Allow passing in a challenge that will be sent to the card during
  key enrollment. These are needed to build an attestation workflow
  that resists replay attacks.

  ok markus@
  OpenBSD-Commit-ID: 457dc3c3d689ba39eed328f0817ed9b91a5f78f6

* 2020-01-25  djm@openbsd.org  [1 file, -5/+6]
  upstream: ssh-keygen -Y find-principals fixes based on feedback
  from Markus: use "principals" instead of principal, as
  allowed_signers lines may list multiple. When the signing key is a
  certificate, emit only principals that match the certificate
  principal list.

  NB. the command -Y name changes: "find-principal" => "find-principals"

  ok markus@
  OpenBSD-Commit-ID: ab575946ff9a55624cd4e811bfd338bf3b1d0faf

* 2020-01-23  jmc@openbsd.org  [1 file, -3/+3]
  upstream: new sentence, new line;
  OpenBSD-Commit-ID: b6c3f2f36ec77e99198619b38a9f146655281925

* 2020-01-23  djm@openbsd.org  [1 file, -2/+17]
  upstream: add a new signature operation "find-principal" to look
  up the principal associated with a signature from an allowed-signers
  file. Work by Sebastian Kinne; ok dtucker@
  OpenBSD-Commit-ID: 6f782cc7e18e38fcfafa62af53246a1dcfe74e5d

* 2020-01-21  naddy@openbsd.org  [1 file, -2/+2]
  upstream: one more replacement "(security) key" -> "(FIDO)
  authenticator"
  OpenBSD-Commit-ID: 031bca03c1d1f878ab929facd561911f1bc68dfd

* 2020-01-21  naddy@openbsd.org  [1 file, -3/+3]
  upstream: undo merge error and replace the term "security key"
  again
  OpenBSD-Commit-ID: 341749062c089cc360a7877e9ee3a887aecde395

* 2020-01-21  naddy@openbsd.org  [1 file, -6/+6]
  upstream: sync ssh-keygen.1 and ssh-keygen's usage() with each
  other and reality
  ok markus@
  OpenBSD-Commit-ID: cdf64454f2c3604c25977c944e5b6262a3bcce92

* 2020-01-09  jmc@openbsd.org  [1 file, -19/+17]
  upstream: put the fido options in a list, and tidy up the text a
  little; ok djm
  OpenBSD-Commit-ID: 491ce15ae52a88b7a6a2b3b6708a14b4aacdeebb

* 2020-01-06  djm@openbsd.org  [1 file, -4/+19]
  upstream: Extends the SK API to accept a set of key/value options
  for all operations. These are intended to future-proof the API a
  little by making it easier to specify additional fields without
  having to change the API version for each.

  At present, only two options are defined: one to explicitly specify
  the device for an operation (rather than accepting the middleware's
  autoselection) and another to specify the FIDO2 username that may
  be used when generating a resident key.

  These new options may be invoked at key generation time via
  ssh-keygen -O

  This also implements a suggestion from Markus to avoid "int" in
  favour of uint32_t for the algorithm argument in the API, to make
  implementation of ssh-sk-client/helper a little easier.

  feedback, fixes and ok markus@
  OpenBSD-Commit-ID: 973ce11704609022ab36abbdeb6bc23c8001eabc

* 2020-01-04  jmc@openbsd.org  [1 file, -3/+3]
  upstream: the download resident keys option is -K (upper) not -k
  (lower); ok djm
  OpenBSD-Commit-ID: 71dc28a3e1fa7c553844abc508845bcf5766e091

* 2020-01-03  djm@openbsd.org  [1 file, -2/+9]
  upstream: ability to download FIDO2 resident keys from a token via
  "ssh-keygen -K". This will save public/private keys into the current
  directory.

  This is handy if you move a token between hosts.

  feedback & ok markus@
  OpenBSD-Commit-ID: d57c1f9802f7850f00a117a1d36682a6c6d10da6

* 2020-01-03  jmc@openbsd.org  [1 file, -8/+2]
  upstream: simplify the list for moduli options - no need for
  -compact;
  OpenBSD-Commit-ID: 6492c72280482c6d072be46236b365cb359fc280

* 2019-12-30  djm@openbsd.org  [1 file, -15/+24]
  upstream: Remove the -x option currently used for
  FIDO/U2F-specific key flags. Instead these flags may be specified
  via -O.

  ok markus@
  OpenBSD-Commit-ID: f23ebde2a8a7e1bf860a51055a711cffb8c328c1

* 2019-12-30  djm@openbsd.org  [1 file, -64/+78]
  upstream: remove single-letter flags for moduli options

  Move all moduli generation options to live under the -O flag.
  Frees up seven single-letter flags.

  NB. this change breaks existing ssh-keygen commandline syntax for
  moduli-related operations. Very few people use these fortunately.

  feedback and ok markus@
  OpenBSD-Commit-ID: d498f3eaf28128484826a4fcb343612764927935

* 2019-12-30  djm@openbsd.org  [1 file, -95/+93]
  upstream: prepare for use of ssh-keygen -O flag beyond certs

  Move list of available certificate options in ssh-keygen.1 to the
  CERTIFICATES section.

  Collect options specified by -O but delay parsing/validation of
  certificate options until we're sure that we're acting as a CA.

  ok markus@
  OpenBSD-Commit-ID: 33e6bcc29cfca43606f6fa09bd84b955ee3a4106

* 2019-12-30  jmc@openbsd.org  [1 file, -17/+17]
  upstream: sort -Y internally in the options list, as is already
  done in synopsis;
  OpenBSD-Commit-ID: 86d033c5764404057616690d7be992e445b42274

* 2019-12-30  jmc@openbsd.org  [1 file, -5/+5]
  upstream: in the options list, sort -Y and -y;
  OpenBSD-Commit-ID: 24c2e6a3aeab6e050a0271ffc73fdff91c10dcaa

* 2019-12-30  naddy@openbsd.org  [1 file, -13/+12]
  upstream: Replace the term "security key" with "(FIDO)
  authenticator". The polysemous use of "key" was too confusing.
  Input from markus@. ok jmc@
  OpenBSD-Commit-ID: 12eea973a44c8232af89f86e4269d71ae900ca8f

* 2019-12-11  jmc@openbsd.org  [1 file, -3/+3]
  upstream: tweak the Nd lines for a bit of consistency; ok markus
  OpenBSD-Commit-ID: 876651bdde06bc1e72dd4bd7ad599f42a6ce5a16