en Copyright 2015 Java http://src.rcs.uwaterloo.ca:8080/history/openbsd-src/usr.bin/ssh/PROTOCOL.certkeys#581c1d79a7f24e9aa7f6eb57d67599269ce250e8 clarify encoding of options/extensions; bz2389 List of files: /openbsd-src/usr.bin/ssh/PROTOCOL.certkeys Fri, 06 Dec 2024 16:02:12 +0000 djm <djm@openbsd.org> http://src.rcs.uwaterloo.ca:8080/history/openbsd-src/usr.bin/ssh/PROTOCOL.certkeys#23ddd3790bfb865843fd8f0d3fb685d948410326 PROTOCOL.certkeys: update reference from IETF draft to RFCAlso fix some typos.ok djm@ List of files: /openbsd-src/usr.bin/ssh/PROTOCOL.certkeys Sat, 05 Jun 2021 13:47:00 +0000 naddy <naddy@openbsd.org> http://src.rcs.uwaterloo.ca:8080/history/openbsd-src/usr.bin/ssh/PROTOCOL.certkeys#caf9efcf29ac23221b82b736199914ea49fb2eae correct extension name "no-presence-required" => "no-touch-required"document "verify-required" option List of files: /openbsd-src/usr.bin/ssh/PROTOCOL.certkeys Fri, 04 Jun 2021 04:02:21 +0000 djm <djm@openbsd.org> http://src.rcs.uwaterloo.ca:8080/history/openbsd-src/usr.bin/ssh/PROTOCOL.certkeys#d70f219138aebb8b7af712aa42b3458c5fb7d049 document the "no-touch-required" certificate extension;ok markus, feedback deraadt List of files: /openbsd-src/usr.bin/ssh/PROTOCOL.certkeys Mon, 25 Nov 2019 00:57:51 +0000 djm <djm@openbsd.org> http://src.rcs.uwaterloo.ca:8080/history/openbsd-src/usr.bin/ssh/PROTOCOL.certkeys#9865609b141e041a97a40942dd5a246ee4fdb867 mention ssh-ed25519-cert-v01@openssh.com in list of cert key typeat start of doc List of files: /openbsd-src/usr.bin/ssh/PROTOCOL.certkeys Fri, 26 Oct 2018 01:23:03 +0000 djm <djm@openbsd.org> http://src.rcs.uwaterloo.ca:8080/history/openbsd-src/usr.bin/ssh/PROTOCOL.certkeys#38a44c4d07519b32af47a95012edb6d362e3efa3 Improve strictness and control over RSA-SHA2 signature types:In ssh, when an agent fails to return a RSA-SHA2 signature whenrequested and falls back to RSA-SHA1 instead, retry the signature toensure that the public key algorithm sent in the SSH_MSG_USERAUTHmatches the one in the signature itself.In sshd, strictly enforce that the public key algorithm sent in theSSH_MSG_USERAUTH message matches what appears in the signature.Make the sshd_config PubkeyAcceptedKeyTypes andHostbasedAcceptedKeyTypes options control accepted signature algorithms(previously they selected supported key types). This allows theseoptions to ban RSA-SHA1 in favour of RSA-SHA2.Add new signature algorithms "rsa-sha2-256-cert-v01@openssh.com" and"rsa-sha2-512-cert-v01@openssh.com" to force use of RSA-SHA2 signatureswith certificate keys.feedback and ok markus@ List of files: /openbsd-src/usr.bin/ssh/PROTOCOL.certkeys Tue, 03 Jul 2018 11:39:54 +0000 djm <djm@openbsd.org> http://src.rcs.uwaterloo.ca:8080/history/openbsd-src/usr.bin/ssh/PROTOCOL.certkeys#27a1722d34e0abcacc7464729dba1ebaf22341de lots of typos in comments/docs. Patch from Karsten Weiss after checkingwith codespell tool (https://github.com/lucasdemarchi/codespell) List of files: /openbsd-src/usr.bin/ssh/PROTOCOL.certkeys Tue, 10 Apr 2018 00:10:49 +0000 djm <djm@openbsd.org> http://src.rcs.uwaterloo.ca:8080/history/openbsd-src/usr.bin/ssh/PROTOCOL.certkeys#d755680660c475f6ee248c59a5b2b366e67e90d2 typos in ECDSA certificate names; bz#2787 reported by Mike Gerow List of files: /openbsd-src/usr.bin/ssh/PROTOCOL.certkeys Fri, 03 Nov 2017 02:32:19 +0000 djm <djm@openbsd.org> http://src.rcs.uwaterloo.ca:8080/history/openbsd-src/usr.bin/ssh/PROTOCOL.certkeys#b17a8a00a2aaec71bb67325c2ed6a22d1ff8ebcd spell out that custom options/extensions should follow the usual SSHnaming rules, e.g. "extension@example.com" List of files: /openbsd-src/usr.bin/ssh/PROTOCOL.certkeys Wed, 31 May 2017 04:29:44 +0000 djm <djm@openbsd.org> http://src.rcs.uwaterloo.ca:8080/history/openbsd-src/usr.bin/ssh/PROTOCOL.certkeys#9887a9752b9f19464ec4e285d69c1140a68eba61 mention that Ed25519 keys are valid as CA keys; spotted byJakub Jelen List of files: /openbsd-src/usr.bin/ssh/PROTOCOL.certkeys Tue, 16 May 2017 16:54:05 +0000 djm <djm@openbsd.org> http://src.rcs.uwaterloo.ca:8080/history/openbsd-src/usr.bin/ssh/PROTOCOL.certkeys#0a1a8905a65eb4fc5ed941b63f8e9b48f802ba96 correct some typos and remove a long-stale XXX note.add specification for ed25519 certificatesmention no host certificate options/extensions are currently definedpointed out by Simon Tatham List of files: /openbsd-src/usr.bin/ssh/PROTOCOL.certkeys Tue, 03 May 2016 10:27:59 +0000 djm <djm@openbsd.org> http://src.rcs.uwaterloo.ca:8080/history/openbsd-src/usr.bin/ssh/PROTOCOL.certkeys#5e9ce50715129c71aad93b30a6ad9447e93f7881 explain certificate extensions/crit split rationale. Mention requirementthat each appear at most once per cert. List of files: /openbsd-src/usr.bin/ssh/PROTOCOL.certkeys Wed, 28 Mar 2012 07:23:22 +0000 djm <djm@openbsd.org> http://src.rcs.uwaterloo.ca:8080/history/openbsd-src/usr.bin/ssh/PROTOCOL.certkeys#f6c050330e4dc3006a2e35a95631a28ac664b4a2 Implement Elliptic Curve Cryptography modes for key exchange (ECDH) andhost/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offerbetter performance than plain DH and DSA at the same equivalent symmetrickey length, as well as much shorter keys.Only the mandatory sections of RFC5656 are implemented, specifically thethree REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH andECDSA. Point compression (optional in RFC5656 is NOT implemented).Certificate host and user keys using the new ECDSA key types are supported.Note that this code has not been tested for interoperability and may besubject to change.feedback and ok markus@ List of files: /openbsd-src/usr.bin/ssh/PROTOCOL.certkeys Tue, 31 Aug 2010 11:54:45 +0000 djm <djm@openbsd.org> http://src.rcs.uwaterloo.ca:8080/history/openbsd-src/usr.bin/ssh/PROTOCOL.certkeys#e4e150855fb9b50356aafffa11c098a8dbfc0c67 tighten the rules for certificate encoding by requiring that optionsappear in lexical order and make our ssh-keygen comply. ok markus@ List of files: /openbsd-src/usr.bin/ssh/PROTOCOL.certkeys Wed, 04 Aug 2010 05:40:39 +0000 djm <djm@openbsd.org> http://src.rcs.uwaterloo.ca:8080/history/openbsd-src/usr.bin/ssh/PROTOCOL.certkeys#c2342e5a90f43b97ab1ede398193cf65a906f4fc Move the permit-* options to the non-critical "extensions" field for v01certificates. The logic is that if another implementation fails toimplement them then the connection just loses features rather than failsoutright.ok markus@ List of files: /openbsd-src/usr.bin/ssh/PROTOCOL.certkeys Thu, 20 May 2010 23:46:02 +0000 djm <djm@openbsd.org> http://src.rcs.uwaterloo.ca:8080/history/openbsd-src/usr.bin/ssh/PROTOCOL.certkeys#65ca33251e6c5d59576154a9e0bd86a9d9a3f4b6 typo; jmeltzer@ List of files: /openbsd-src/usr.bin/ssh/PROTOCOL.certkeys Sat, 01 May 2010 02:50:50 +0000 djm <djm@openbsd.org> http://src.rcs.uwaterloo.ca:8080/history/openbsd-src/usr.bin/ssh/PROTOCOL.certkeys#c3ded031a669caee89e4ee23e0ecd423f58e6370 revised certificate format ssh-{dss,rsa}-cert-v01@openssh.com with thefollowing changes:move the nonce field to the beginning of the certificate where it canbetter protect against chosen-prefix attacks on the signature hashRename "constraints" field to "critical options"Add a new non-critical "extensions" fieldAdd a serial numberThe older format is still support for authentication and cert generation(use "ssh-keygen -t v00 -s ca_key ..." to generate a v00 certificate)ok markus@ List of files: /openbsd-src/usr.bin/ssh/PROTOCOL.certkeys Fri, 16 Apr 2010 01:47:25 +0000 djm <djm@openbsd.org> http://src.rcs.uwaterloo.ca:8080/history/openbsd-src/usr.bin/ssh/PROTOCOL.certkeys#75d5613d021cda7d931a99367dd0c081b5c80aaf s/similar same/similar/; from imorgan AT nas.nasa.gov List of files: /openbsd-src/usr.bin/ssh/PROTOCOL.certkeys Wed, 03 Mar 2010 22:50:40 +0000 djm <djm@openbsd.org> http://src.rcs.uwaterloo.ca:8080/history/openbsd-src/usr.bin/ssh/PROTOCOL.certkeys#92fa7f917d67bb59f31c0506f7e0c023774e507d Add RCS Ident List of files: /openbsd-src/usr.bin/ssh/PROTOCOL.certkeys Tue, 02 Mar 2010 23:22:44 +0000 djm <djm@openbsd.org> http://src.rcs.uwaterloo.ca:8080/history/openbsd-src/usr.bin/ssh/PROTOCOL.certkeys#b94e498ee01728630740033222d91168419128b4 Add support for certificate key types for users and hosts.OpenSSH certificate key types are not X.509 certificates, but a muchsimpler format that encodes a public key, identity information andsome validity constraints and signs it with a CA key. CA keys areregular SSH keys. This certificate style avoids the attack surfaceof X.509 certificates and is very easy to deploy.Certified host keys allow automatic acceptance of new host keyswhen a CA certificate is marked as trusted in ~/.ssh/known_hosts.see VERIFYING HOST KEYS in ssh(1) for details.Certified user keys allow authentication of users when the signingCA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYSFILE FORMAT" in sshd(8) for details.Certificates are minted using ssh-keygen(1), documentation is inthe "CERTIFICATES" section of that manpage.Documentation on the format of certificates is in the filePROTOCOL.certkeysfeedback and ok markus@ List of files: /openbsd-src/usr.bin/ssh/PROTOCOL.certkeys Fri, 26 Feb 2010 20:29:54 +0000 djm <djm@openbsd.org>