Up to [local] / src / usr.bin / ssh
Default branch: MAIN
Revision 1.11, Sat Nov 27 07:14:46 2021 UTC (2 years, 5 months ago) by djm
Branch: MAIN
CVS Tags: OPENBSD_7_5_BASE, OPENBSD_7_5, OPENBSD_7_4_BASE, OPENBSD_7_4, OPENBSD_7_3_BASE, OPENBSD_7_3, OPENBSD_7_2_BASE, OPENBSD_7_2, OPENBSD_7_1_BASE, OPENBSD_7_1, HEAD
Changes since 1.10: +5 -1 lines
Add ssh-keygen -Y match-principals operation to perform matching of principals names against an allowed signers file.
Requested by and mostly written by Fabian Stelzer, towards a TOFU model for SSH signatures in git. Some tweaks by me.
"doesn't bother me" deraadt@
Revision 1.10, Fri Jul 23 03:37:52 2021 UTC (2 years, 9 months ago) by djm
Branch: MAIN
CVS Tags: OPENBSD_7_0_BASE, OPENBSD_7_0
Changes since 1.9: +3 -3 lines
Let allowed signers files used by ssh-keygen(1) signatures support key lifetimes, and allow the verification mode to specify a signature time to check at.
This is intended for use by git to support signing objects using ssh keys.
ok dtucker@
Revision 1.9, Mon Aug 31 00:17:41 2020 UTC (3 years, 8 months ago) by djm
Branch: MAIN
CVS Tags: OPENBSD_6_9_BASE, OPENBSD_6_9, OPENBSD_6_8_BASE, OPENBSD_6_8
Changes since 1.8: +1 -0 lines
Add RCS IDs to the few files that are missing them; from Pedro Martelletto
Revision 1.8, Thu Aug 27 01:06:19 2020 UTC (3 years, 8 months ago) by djm
Branch: MAIN
Changes since 1.7: +5 -3 lines
support for user-verified FIDO keys
FIDO2 supports a notion of "user verification" where the user is required to demonstrate their identity to the token before particular operations (e.g. signing). Typically this is done by authenticating themselves using a PIN that has been set on the token.
This adds support for generating and using user verified keys where the verification happens via PIN (other options might be added in the future, but none are in common use now).
Practically, this adds another key generation option "verify-required" that yields a key that requires a PIN before each authentication.
feedback markus@ and Pedro Martelletto; ok markus@
Revision 1.7, Thu Jan 23 23:31:52 2020 UTC (4 years, 3 months ago) by djm
Branch: MAIN
CVS Tags: OPENBSD_6_7_BASE, OPENBSD_6_7
Changes since 1.6: +2 -3 lines
ssh-keygen -Y find-principals fixes based on feedback from Markus:
use "principals" instead of principal, as allowed_signers lines may list multiple.
When the signing key is a certificate, emit only principals that match the certificate principal list.
NB. the command -Y name changes: "find-principal" => "find-principals"
ok markus@
Revision 1.6, Thu Jan 23 04:54:34 2020 UTC (4 years, 3 months ago) by djm
Branch: MAIN
Changes since 1.5: +10 -0 lines
missing header change from previous; spotted by dtucker@
Revision 1.5, Mon Nov 25 00:51:37 2019 UTC (4 years, 5 months ago) by djm
Branch: MAIN
Changes since 1.4: +4 -2 lines
Add new structure for signature options
This is populated during signature verification with additional fields that are present in and covered by the signature. At the moment, it is only used to record security key-specific options, especially the flags field.
with and ok markus@
Revision 1.4, Thu Oct 31 21:23:19 2019 UTC (4 years, 6 months ago) by djm
Branch: MAIN
Changes since 1.3: +6 -5 lines
Refactor signing - use sshkey_sign for everything, including the new U2F signatures.
Don't use sshsk_ecdsa_sign() directly, instead make it reachable via sshkey_sign() like all other signature operations. This means that we need to add a provider argument to sshkey_sign(), so most of this change is mechanically adding that.
Suggested by / ok markus@
Revision 1.3, Thu Sep 5 04:55:32 2019 UTC (4 years, 8 months ago) by djm
Branch: MAIN
CVS Tags: OPENBSD_6_6_BASE, OPENBSD_6_6
Changes since 1.2: +8 -0 lines
expose allowed_signers options parsing code in header for fuzzing
rename to make more consistent with philosophically-similar auth options parsing API.
Revision 1.2, Tue Sep 3 08:35:27 2019 UTC (4 years, 8 months ago) by djm
Branch: MAIN
Changes since 1.1: +17 -11 lines
sshsig tweaks and improvements from and suggested by Markus
ok markus/me
Revision 1.1, Tue Sep 3 08:34:20 2019 UTC (4 years, 8 months ago) by djm
Branch: MAIN
sshsig: lightweight signature and verification ability for OpenSSH
This adds a simple manual signature scheme to OpenSSH. Signatures can be made and verified using ssh-keygen -Y sign|verify
Signatures embed the key used to make them. At verification time, this is matched via principal name against an authorized_keys-like list of allowed signers.
Mostly by Sebastian Kinne w/ some tweaks by me
ok markus@