src/usr.bin/ssh/PROTOCOL.certkeys - diff

Return to PROTOCOL.certkeys CVS log

Up to [local] / src / usr.bin / ssh

version 1.13, 2017/11/03 02:32:19

version 1.15, 2018/07/03 11:39:54

Line 25

acceptance of certified host keys, by adding a similar ability to

specify CA keys in ~/.ssh/known_hosts.

All certificate types include certification information along with the

public key that is used to sign challenges. In OpenSSH, ssh-keygen

performs the CA signing operation.

Certified keys are represented using new key types:

Line 33

Line 37

ecdsa-sha2-nistp384-cert-v01@openssh.com

These include certification information along with the public key

Two additional types exist for RSA certificates to force use of

that is used to sign challenges. ssh-keygen performs the CA signing

SHA-2 signatures (SHA-256 and SHA-512 respectively):

operation.

These RSA/SHA-2 types should not appear in keys at rest or transmitted

on their wire, but do appear in a SSH_MSG_KEXINIT's host-key algorithms

field or in the "public key algorithm name" field of a "publickey"

SSH_USERAUTH_REQUEST to indicate that the signature will use the

specified algorithm.

Protocol extensions

-------------------

Line 174

Line 186

valid after <= current time < valid before

criticial options is a set of zero or more key options encoded as

critical options is a set of zero or more key options encoded as

below. All such options are "critical" in the sense that an implementation

must refuse to authorise a key that has an unrecognised option.