src/usr.bin/ssh/PROTOCOL.certkeys - diff

Return to PROTOCOL.certkeys CVS log

Up to [local] / src / usr.bin / ssh

version 1.14, 2018/04/10 00:10:49

version 1.17, 2019/11/25 00:57:51

Line 25

acceptance of certified host keys, by adding a similar ability to

specify CA keys in ~/.ssh/known_hosts.

All certificate types include certification information along with the

public key that is used to sign challenges. In OpenSSH, ssh-keygen

performs the CA signing operation.

Certified keys are represented using new key types:

Line 32

Line 36

ecdsa-sha2-nistp256-cert-v01@openssh.com

These include certification information along with the public key

Two additional types exist for RSA certificates to force use of

that is used to sign challenges. ssh-keygen performs the CA signing

SHA-2 signatures (SHA-256 and SHA-512 respectively):

operation.

These RSA/SHA-2 types should not appear in keys at rest or transmitted

on their wire, but do appear in a SSH_MSG_KEXINIT's host-key algorithms

field or in the "public key algorithm name" field of a "publickey"

SSH_USERAUTH_REQUEST to indicate that the signature will use the

specified algorithm.

Protocol extensions

-------------------

Line 267

Line 280

Name Format Description

-----------------------------------------------------------------------------

no-presence-required empty Flag indicating that signatures made

with this certificate need not assert

user presence. This option only make

sense for the U2F/FIDO security key

types that support this feature in

their signature formats.

permit-X11-forwarding empty Flag indicating that X11 forwarding

should be permitted. X11 forwarding will

be refused if this option is absent.