version 1.12, 2017/05/31 04:29:44 | version 1.16, 2018/10/26 01:23:03 | ||
acceptance of certified host keys, by adding a similar ability to | acceptance of certified host keys, by adding a similar ability to | ||
specify CA keys in ~/.ssh/known_hosts. | specify CA keys in ~/.ssh/known_hosts. | ||
All certificate types include certification information along with the | |||
public key that is used to sign challenges. In OpenSSH, ssh-keygen | |||
performs the CA signing operation. | |||
Certified keys are represented using new key types: | Certified keys are represented using new key types: | ||
ssh-rsa-cert-v01@openssh.com | ssh-rsa-cert-v01@openssh.com | ||
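Review bot: moving the "certification information" paragraph above the key-type list is the right place for it, since it now covers every type that follows, including the RSA/SHA-2 variants introduced later in this revision; the older copy of the same sentences after the list ("These include certification information along with the public key ...") must be dropped in the same change so the statement is not made twice.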
ecdsa-sha2-nistp256-cert-v01@openssh.com | ecdsa-sha2-nistp256-cert-v01@openssh.com | ||
ecdsa-sha2-nistp384-cert-v01@openssh.com | ecdsa-sha2-nistp384-cert-v01@openssh.com | ||
ecdsa-sha2-nistp521-cert-v01@openssh.com | ecdsa-sha2-nistp521-cert-v01@openssh.com | ||
ssh-ed25519-cert-v01@openssh.com | |||
These include certification information along with the public key | Two additional types exist for RSA certificates to force use of | ||
that is used to sign challenges. ssh-keygen performs the CA signing | SHA-2 signatures (SHA-256 and SHA-512 respectively): | ||
operation. | |||
rsa-sha2-256-cert-v01@openssh.com | |||
rsa-sha2-512-cert-v01@openssh.com | |||
These RSA/SHA-2 types should not appear in keys at rest or transmitted | |||
on their wire, but do appear in a SSH_MSG_KEXINIT's host-key algorithms | |||
field or in the "public key algorithm name" field of a "publickey" | |||
SSH_USERAUTH_REQUEST to indicate that the signature will use the | |||
specified algorithm. | |||
Protocol extensions | Protocol extensions | ||
------------------- | ------------------- | ||
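Review bot: two wording problems in the new RSA/SHA-2 paragraph: "transmitted on their wire" should read "transmitted on the wire", and "a SSH_MSG_KEXINIT" should be "an SSH_MSG_KEXINIT". The paragraph also says where rsa-sha2-256-cert-v01@openssh.com and rsa-sha2-512-cert-v01@openssh.com may appear (the KEXINIT host-key algorithms field and the "public key algorithm name" of a "publickey" SSH_USERAUTH_REQUEST) but not which name the certificate blob itself carries; adding that the key at rest keeps the ssh-rsa-cert-v01@openssh.com type, with the SHA-2 name selecting only the signature algorithm, would remove the ambiguity for implementers.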
ECDSA certificate | ECDSA certificate | ||
string "ecdsa-sha2-nistp256-v01@openssh.com" | | string "ecdsa-sha2-nistp256-cert-v01@openssh.com" | | ||
"ecdsa-sha2-nistp384-v01@openssh.com" | | "ecdsa-sha2-nistp384-cert-v01@openssh.com" | | ||
"ecdsa-sha2-nistp521-v01@openssh.com" | "ecdsa-sha2-nistp521-cert-v01@openssh.com" | ||
string nonce | string nonce | ||
string curve | string curve | ||
string public_key | string public_key | ||
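Review bot: the corrected type strings in the ECDSA certificate layout now carry "-cert-" ("ecdsa-sha2-nistp256-cert-v01@openssh.com" and the nistp384/nistp521 forms) and finally agree with the key-type list at the top of the document; the previous "ecdsa-sha2-nistp256-v01@openssh.com" spelling matched neither that list nor the other certificate encodings, so an implementer following the old text would have emitted a type name no peer recognises. Worth a one-line note in the commit message that this is a documentation fix only, with no wire-format change.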
valid after <= current time < valid before | valid after <= current time < valid before | ||
criticial options is a set of zero or more key options encoded as | critical options is a set of zero or more key options encoded as | ||
below. All such options are "critical" in the sense that an implementation | below. All such options are "critical" in the sense that an implementation | ||
must refuse to authorise a key that has an unrecognised option. | must refuse to authorise a key that has an unrecognised option. | ||
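Review bot: spelling fix only ("criticial" to "critical"); the sentence it introduces, that an implementation must refuse to authorise a key with an unrecognised option, is the fail-closed rule that makes critical options enforceable, so keeping the wording otherwise untouched is correct.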