| version 1.18, 2021/06/04 04:02:21 |
version 1.19, 2021/06/05 13:47:00 |
|
|
| rsa-sha2-512-cert-v01@openssh.com |
rsa-sha2-512-cert-v01@openssh.com |
| |
|
| These RSA/SHA-2 types should not appear in keys at rest or transmitted |
These RSA/SHA-2 types should not appear in keys at rest or transmitted |
| on their wire, but do appear in a SSH_MSG_KEXINIT's host-key algorithms |
on the wire, but do appear in a SSH_MSG_KEXINIT's host-key algorithms |
| field or in the "public key algorithm name" field of a "publickey" |
field or in the "public key algorithm name" field of a "publickey" |
| SSH_USERAUTH_REQUEST to indicate that the signature will use the |
SSH_USERAUTH_REQUEST to indicate that the signature will use the |
| specified algorithm. |
specified algorithm. |
|
|
| curve and public key are respectively the ECDSA "[identifier]" and "Q" |
curve and public key are respectively the ECDSA "[identifier]" and "Q" |
| defined in section 3.1 of RFC5656. |
defined in section 3.1 of RFC5656. |
| |
|
| pk is the encoded Ed25519 public key as defined by |
pk is the encoded Ed25519 public key as defined by RFC8032. |
| draft-josefsson-eddsa-ed25519-03. |
|
| |
|
| serial is an optional certificate serial number set by the CA to |
serial is an optional certificate serial number set by the CA to |
| provide an abbreviated way to refer to certificates from that CA. |
provide an abbreviated way to refer to certificates from that CA. |
| If a CA does not wish to number its certificates it must set this |
If a CA does not wish to number its certificates, it must set this |
| field to zero. |
field to zero. |
| |
|
| type specifies whether this certificate is for identification of a user |
type specifies whether this certificate is for identification of a user |
|
|
| up to, and including the signature key. Signatures are computed and |
up to, and including the signature key. Signatures are computed and |
| encoded according to the rules defined for the CA's public key algorithm |
encoded according to the rules defined for the CA's public key algorithm |
| (RFC4253 section 6.6 for ssh-rsa and ssh-dss, RFC5656 for the ECDSA |
(RFC4253 section 6.6 for ssh-rsa and ssh-dss, RFC5656 for the ECDSA |
| types), and draft-josefsson-eddsa-ed25519-03 for Ed25519. |
types, and RFC8032 for Ed25519). |
| |
|
| Critical options |
Critical options |
| ---------------- |
---------------- |
| |
|
| The critical options section of the certificate specifies zero or more |
The critical options section of the certificate specifies zero or more |
| options on the certificates validity. The format of this field |
options on the certificate's validity. The format of this field |
| is a sequence of zero or more tuples: |
is a sequence of zero or more tuples: |
| |
|
| string name |
string name |
|
|
| |
|
| The name field identifies the option and the data field encodes |
The name field identifies the option and the data field encodes |
| option-specific information (see below). All options are |
option-specific information (see below). All options are |
| "critical", if an implementation does not recognise a option |
"critical"; if an implementation does not recognise a option, |
| then the validating party should refuse to accept the certificate. |
then the validating party should refuse to accept the certificate. |
| |
|
| Custom options should append the originating author or organisation's |
Custom options should append the originating author or organisation's |
|
|
| for authentication. Addresses are |
for authentication. Addresses are |
| specified in CIDR format (nn.nn.nn.nn/nn |
specified in CIDR format (nn.nn.nn.nn/nn |
| or hhhh::hhhh/nn). |
or hhhh::hhhh/nn). |
| If this option is not present then |
If this option is not present, then |
| certificates may be presented from any |
certificates may be presented from any |
| source address. |
source address. |
| |
|
| verify-required empty Flag indicating that signatures made |
verify-required empty Flag indicating that signatures made |
| with this certificate must assert FIDO |
with this certificate must assert FIDO |
| user verification (e.g. PIN or |
user verification (e.g. PIN or |
| biometric). This option only make sense |
biometric). This option only makes sense |
| for the U2F/FIDO security key types that |
for the U2F/FIDO security key types that |
| support this feature in their signature |
support this feature in their signature |
| formats. |
formats. |
|
|
| no-touch-required empty Flag indicating that signatures made |
no-touch-required empty Flag indicating that signatures made |
| with this certificate need not assert |
with this certificate need not assert |
| FIDO user presence. This option only |
FIDO user presence. This option only |
| make sense for the U2F/FIDO security |
makes sense for the U2F/FIDO security |
| key types that support this feature in |
key types that support this feature in |
| their signature formats. |
their signature formats. |
| |
|
|
|
| |
|
| permit-port-forwarding empty Flag indicating that port-forwarding |
permit-port-forwarding empty Flag indicating that port-forwarding |
| should be allowed. If this option is |
should be allowed. If this option is |
| not present then no port forwarding will |
not present, then no port forwarding will |
| be allowed. |
be allowed. |
| |
|
| permit-pty empty Flag indicating that PTY allocation |
permit-pty empty Flag indicating that PTY allocation |
![[BACK]](/icons/back.gif){kind=icon}
Return to PROTOCOL.certkeys CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / src / usr.bin / ssh