| version 1.11, 2017/05/16 16:54:05 |
version 1.18, 2021/06/04 04:02:21 |
|
|
| acceptance of certified host keys, by adding a similar ability to |
acceptance of certified host keys, by adding a similar ability to |
| specify CA keys in ~/.ssh/known_hosts. |
specify CA keys in ~/.ssh/known_hosts. |
| |
|
| |
All certificate types include certification information along with the |
| |
public key that is used to sign challenges. In OpenSSH, ssh-keygen |
| |
performs the CA signing operation. |
| |
|
| Certified keys are represented using new key types: |
Certified keys are represented using new key types: |
| |
|
| ssh-rsa-cert-v01@openssh.com |
ssh-rsa-cert-v01@openssh.com |
|
|
| ecdsa-sha2-nistp256-cert-v01@openssh.com |
ecdsa-sha2-nistp256-cert-v01@openssh.com |
| ecdsa-sha2-nistp384-cert-v01@openssh.com |
ecdsa-sha2-nistp384-cert-v01@openssh.com |
| ecdsa-sha2-nistp521-cert-v01@openssh.com |
ecdsa-sha2-nistp521-cert-v01@openssh.com |
| |
ssh-ed25519-cert-v01@openssh.com |
| |
|
| These include certification information along with the public key |
Two additional types exist for RSA certificates to force use of |
| that is used to sign challenges. ssh-keygen performs the CA signing |
SHA-2 signatures (SHA-256 and SHA-512 respectively): |
| operation. |
|
| |
|
| |
rsa-sha2-256-cert-v01@openssh.com |
| |
rsa-sha2-512-cert-v01@openssh.com |
| |
|
| |
These RSA/SHA-2 types should not appear in keys at rest or transmitted |
| |
on their wire, but do appear in a SSH_MSG_KEXINIT's host-key algorithms |
| |
field or in the "public key algorithm name" field of a "publickey" |
| |
SSH_USERAUTH_REQUEST to indicate that the signature will use the |
| |
specified algorithm. |
| |
|
| Protocol extensions |
Protocol extensions |
| ------------------- |
------------------- |
| |
|
|
|
| |
|
| ECDSA certificate |
ECDSA certificate |
| |
|
| string "ecdsa-sha2-nistp256-v01@openssh.com" | |
string "ecdsa-sha2-nistp256-cert-v01@openssh.com" | |
| "ecdsa-sha2-nistp384-v01@openssh.com" | |
"ecdsa-sha2-nistp384-cert-v01@openssh.com" | |
| "ecdsa-sha2-nistp521-v01@openssh.com" |
"ecdsa-sha2-nistp521-cert-v01@openssh.com" |
| string nonce |
string nonce |
| string curve |
string curve |
| string public_key |
string public_key |
|
|
| |
|
| valid after <= current time < valid before |
valid after <= current time < valid before |
| |
|
| criticial options is a set of zero or more key options encoded as |
critical options is a set of zero or more key options encoded as |
| below. All such options are "critical" in the sense that an implementation |
below. All such options are "critical" in the sense that an implementation |
| must refuse to authorise a key that has an unrecognised option. |
must refuse to authorise a key that has an unrecognised option. |
| |
|
|
|
| "critical", if an implementation does not recognise a option |
"critical", if an implementation does not recognise a option |
| then the validating party should refuse to accept the certificate. |
then the validating party should refuse to accept the certificate. |
| |
|
| |
Custom options should append the originating author or organisation's |
| |
domain name to the option name, e.g. "my-option@example.com". |
| |
|
| No critical options are defined for host certificates at present. The |
No critical options are defined for host certificates at present. The |
| supported user certificate options and the contents and structure of |
supported user certificate options and the contents and structure of |
| their data fields are: |
their data fields are: |
|
|
| certificates may be presented from any |
certificates may be presented from any |
| source address. |
source address. |
| |
|
| |
verify-required empty Flag indicating that signatures made |
| |
with this certificate must assert FIDO |
| |
user verification (e.g. PIN or |
| |
biometric). This option only make sense |
| |
for the U2F/FIDO security key types that |
| |
support this feature in their signature |
| |
formats. |
| |
|
| Extensions |
Extensions |
| ---------- |
---------- |
| |
|
|
|
| If an implementation does not recognise an extension, then it should |
If an implementation does not recognise an extension, then it should |
| ignore it. |
ignore it. |
| |
|
| |
Custom options should append the originating author or organisation's |
| |
domain name to the option name, e.g. "my-option@example.com". |
| |
|
| No extensions are defined for host certificates at present. The |
No extensions are defined for host certificates at present. The |
| supported user certificate extensions and the contents and structure of |
supported user certificate extensions and the contents and structure of |
| their data fields are: |
their data fields are: |
| |
|
| Name Format Description |
Name Format Description |
| ----------------------------------------------------------------------------- |
----------------------------------------------------------------------------- |
| |
no-touch-required empty Flag indicating that signatures made |
| |
with this certificate need not assert |
| |
FIDO user presence. This option only |
| |
make sense for the U2F/FIDO security |
| |
key types that support this feature in |
| |
their signature formats. |
| |
|
| permit-X11-forwarding empty Flag indicating that X11 forwarding |
permit-X11-forwarding empty Flag indicating that X11 forwarding |
| should be permitted. X11 forwarding will |
should be permitted. X11 forwarding will |
| be refused if this option is absent. |
be refused if this option is absent. |
![[BACK]](/icons/back.gif){kind=icon}
Return to PROTOCOL.certkeys CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / src / usr.bin / ssh