| version 1.14, 2018/04/10 00:10:49 |
version 1.15, 2018/07/03 11:39:54 |
|
|
| acceptance of certified host keys, by adding a similar ability to |
acceptance of certified host keys, by adding a similar ability to |
| specify CA keys in ~/.ssh/known_hosts. |
specify CA keys in ~/.ssh/known_hosts. |
| |
|
| |
All certificate types include certification information along with the |
| |
public key that is used to sign challenges. In OpenSSH, ssh-keygen |
| |
performs the CA signing operation. |
| |
|
| Certified keys are represented using new key types: |
Certified keys are represented using new key types: |
| |
|
| ssh-rsa-cert-v01@openssh.com |
ssh-rsa-cert-v01@openssh.com |
|
|
| ecdsa-sha2-nistp384-cert-v01@openssh.com |
ecdsa-sha2-nistp384-cert-v01@openssh.com |
| ecdsa-sha2-nistp521-cert-v01@openssh.com |
ecdsa-sha2-nistp521-cert-v01@openssh.com |
| |
|
| These include certification information along with the public key |
Two additional types exist for RSA certificates to force use of |
| that is used to sign challenges. ssh-keygen performs the CA signing |
SHA-2 signatures (SHA-256 and SHA-512 respectively): |
| operation. |
|
| |
rsa-sha2-256-cert-v01@openssh.com |
| |
rsa-sha2-512-cert-v01@openssh.com |
| |
|
| |
These RSA/SHA-2 types should not appear in keys at rest or transmitted |
| |
on their wire, but do appear in a SSH_MSG_KEXINIT's host-key algorithms |
| |
field or in the "public key algorithm name" field of a "publickey" |
| |
SSH_USERAUTH_REQUEST to indicate that the signature will use the |
| |
specified algorithm. |
| |
|
| Protocol extensions |
Protocol extensions |
| ------------------- |
------------------- |
![[BACK]](/icons/back.gif){kind=icon}
Return to PROTOCOL.certkeys CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / src / usr.bin / ssh