Default branch: MAIN
Revision 1.26, Wed Sep 9 03:08:01 2020 UTC (3 years, 9 months ago) by djm
Branch: MAIN
CVS Tags: OPENBSD_7_5_BASE, OPENBSD_7_5, OPENBSD_7_4_BASE, OPENBSD_7_4, OPENBSD_7_3_BASE, OPENBSD_7_3, OPENBSD_7_2_BASE, OPENBSD_7_2, OPENBSD_7_1_BASE, OPENBSD_7_1, OPENBSD_7_0_BASE, OPENBSD_7_0, OPENBSD_6_9_BASE, OPENBSD_6_9, OPENBSD_6_8_BASE, OPENBSD_6_8, HEAD
Changes since 1.25: +18 -80 lines
when writing an attestation blob for a FIDO key, record all the data needed to verify the attestation. Previously we were missing the "authenticator data" that is included in the signature.
spotted by Ian Haken
feedback Pedro Martelletto and Ian Haken; ok markus@
Revision 1.25, Mon Aug 31 00:17:41 2020 UTC (3 years, 9 months ago) by djm
Branch: MAIN
Changes since 1.24: +1 -0 lines
Add RCS IDs to the few files that are missing them; from Pedro Martelletto
Revision 1.24, Mon Jun 22 05:58:35 2020 UTC (3 years, 11 months ago) by djm
Branch: MAIN
Changes since 1.23: +26 -0 lines
Add support for FIDO webauthn (verification only).
webauthn is a standard for using FIDO keys in web browsers. webauthn signatures are a slightly different format to plain FIDO signatures - this support allows verification of these.
Feedback and ok markus@
Revision 1.23, Tue May 12 01:41:32 2020 UTC (4 years ago) by djm
Branch: MAIN
Changes since 1.22: +1 -1 lines
fix non-ASCII quote that snuck in; spotted by Gabriel Kihlman
Revision 1.22, Mon May 11 02:11:29 2020 UTC (4 years, 1 month ago) by djm
Branch: MAIN
Changes since 1.21: +7 -0 lines
clarify role of FIDO tokens in multi-factor authentication; mostly from Pedro Martelletto
Revision 1.21, Tue Apr 28 04:02:29 2020 UTC (4 years, 1 month ago) by djm
Branch: MAIN
CVS Tags: OPENBSD_6_7_BASE, OPENBSD_6_7
Changes since 1.20: +1 -1 lines
when signing a challenge using a FIDO token, perform the hashing in the middleware layer rather than in ssh code. This allows middlewares that call APIs that perform the hashing implicitly (including Microsoft's AFAIK).
ok markus@
Revision 1.20, Fri Feb 21 00:04:43 2020 UTC (4 years, 3 months ago) by dtucker
Branch: MAIN
Changes since 1.19: +2 -2 lines
Fix some typos and an incorrect word in docs. Patch from itoama at live.jp via github PR#172.
Revision 1.19, Tue Jan 28 08:01:34 2020 UTC (4 years, 4 months ago) by djm
Branch: MAIN
Changes since 1.18: +11 -8 lines
changes to support FIDO attestation
Allow writing to disk the attestation certificate that is generated by the FIDO token at key enrollment time. These certificates may be used by an out-of-band workflow to prove that a particular key is held in trustworthy hardware.
Allow passing in a challenge that will be sent to the card during key enrollment. These are needed to build an attestation workflow that resists replay attacks.
ok markus@
Revision 1.18, Sat Jan 25 23:13:09 2020 UTC (4 years, 4 months ago) by djm
Branch: MAIN
Changes since 1.17: +1 -0 lines
improve the error message for u2f enrollment errors by making ssh-keygen be solely responsible for printing the error message and converting some more common error responses from the middleware to a useful ssherr.h status code. more detail remains visible via -v of course.
also remove independent copy of sk-api.h declarations in sk-usbhid.c and just include it.
feedback & ok markus@
Revision 1.17, Mon Jan 6 02:00:46 2020 UTC (4 years, 5 months ago) by djm
Branch: MAIN
Changes since 1.16: +40 -7 lines
Extends the SK API to accept a set of key/value options for all operations. These are intended to future-proof the API a little by making it easier to specify additional fields for without having to change the API version for each.
At present, only two options are defined: one to explicitly specify the device for an operation (rather than accepting the middleware's autoselection) and another to specify the FIDO2 username that may be used when generating a resident key. These new options may be invoked at key generation time via ssh-keygen -O
This also implements a suggestion from Markus to avoid "int" in favour of uint32_t for the algorithm argument in the API, to make implementation of ssh-sk-client/helper a little easier.
feedback, fixes and ok markus@
Revision 1.16, Mon Dec 30 09:25:29 2019 UTC (4 years, 5 months ago) by djm
Branch: MAIN
Changes since 1.15: +20 -2 lines
document SK API changes in PROTOCOL.u2f
ok markus@
Revision 1.15, Mon Dec 30 09:19:52 2019 UTC (4 years, 5 months ago) by djm
Branch: MAIN
Changes since 1.14: +2 -0 lines
basic support for generating FIDO2 resident keys
"ssh-keygen -t ecdsa-sk|ed25519-sk -x resident" will generate a device-resident key.
feedback and ok markus@
Revision 1.14, Fri Dec 20 20:28:55 2019 UTC (4 years, 5 months ago) by naddy
Branch: MAIN
Changes since 1.13: +1 -5 lines
SSH U2F keys can now be used as host keys. Fix a garden path sentence. ok markus@
Revision 1.13, Wed Dec 11 22:19:47 2019 UTC (4 years, 6 months ago) by djm
Branch: MAIN
Changes since 1.12: +4 -0 lines
add a note about the 'extensions' field in the signed object
Revision 1.12, Tue Dec 10 23:37:31 2019 UTC (4 years, 6 months ago) by djm
Branch: MAIN
Changes since 1.11: +12 -2 lines
some more corrections for documentation problems spotted by Ron Frederick
document certificate private key format
correct flags type for sk-ssh-ed25519@openssh.com keys
Revision 1.11, Tue Dec 10 23:21:56 2019 UTC (4 years, 6 months ago) by djm
Branch: MAIN
Changes since 1.10: +1 -1 lines
loading security keys into ssh-agent used the extension constraint "sk-provider@openssh.com", not "sk@openssh.com"; spotted by Ron Frederick
Revision 1.10, Tue Dec 10 22:36:08 2019 UTC (4 years, 6 months ago) by djm
Branch: MAIN
Changes since 1.9: +3 -10 lines
chop some unnecessary and confusing verbiage from the security key protocol description; feedback from Ron Frederick
Revision 1.9, Thu Nov 28 05:20:54 2019 UTC (4 years, 6 months ago) by djm
Branch: MAIN
Changes since 1.8: +4 -4 lines
tweak wording
Revision 1.8, Tue Nov 19 22:23:19 2019 UTC (4 years, 6 months ago) by djm
Branch: MAIN
Changes since 1.7: +8 -5 lines
adjust on-wire signature encoding for ecdsa-sk keys to better match ec25519-sk keys. Discussed with markus@ and Sebastian Kinne
NB. if you are depending on security keys (already?) then make sure you update both your clients and servers.
Revision 1.7, Mon Nov 18 04:34:47 2019 UTC (4 years, 6 months ago) by djm
Branch: MAIN
Changes since 1.6: +40 -5 lines
document ed25519-sk pubkey, private key and certificate formats
Revision 1.6, Mon Nov 18 04:29:50 2019 UTC (4 years, 6 months ago) by djm
Branch: MAIN
Changes since 1.5: +1 -1 lines
correct order of ecdsa-sk private key fields
Revision 1.5, Mon Nov 18 04:16:53 2019 UTC (4 years, 6 months ago) by djm
Branch: MAIN
Changes since 1.4: +3 -0 lines
correct description of fields in pub/private keys (was missing curve name); spotted by Sebastian Kinne
Revision 1.4, Tue Nov 12 19:34:40 2019 UTC (4 years, 6 months ago) by markus
Branch: MAIN
Changes since 1.3: +8 -0 lines
remove extra layer for ed25519 signature; ok djm@
Revision 1.3, Tue Nov 12 19:32:30 2019 UTC (4 years, 6 months ago) by markus
Branch: MAIN
Changes since 1.2: +7 -3 lines
update sk-api to version 2 for ed25519 support; ok djm
Revision 1.2, Fri Nov 1 12:10:43 2019 UTC (4 years, 7 months ago) by naddy
Branch: MAIN
Changes since 1.1: +8 -8 lines
fix miscellaneous text problems; ok djm@
Revision 1.1, Thu Oct 31 21:14:17 2019 UTC (4 years, 7 months ago) by djm
Branch: MAIN
Protocol documentation for U2F/FIDO keys in OpenSSH