aboutsummaryrefslogtreecommitdiff
path: root/crypto/openssh/ssh-keygen.1
Commit message (Collapse)AuthorAgeFilesLines
* ssh: Update to OpenSSH 9.3p1Ed Maste2023-03-161-2/+17
|\ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This release fixes a number of security bugs and has minor new features and bug fixes. Security fixes, from the release notes (https://www.openssh.com/txt/release-9.3): This release contains fixes for a security problem and a memory safety problem. The memory safety problem is not believed to be exploitable, but we report most network-reachable memory faults as security bugs. * ssh-add(1): when adding smartcard keys to ssh-agent(1) with the per-hop destination constraints (ssh-add -h ...) added in OpenSSH 8.9, a logic error prevented the constraints from being communicated to the agent. This resulted in the keys being added without constraints. The common cases of non-smartcard keys and keys without destination constraints are unaffected. This problem was reported by Luci Stanescu. * ssh(1): Portable OpenSSH provides an implementation of the getrrsetbyname(3) function if the standard library does not provide it, for use by the VerifyHostKeyDNS feature. A specifically crafted DNS response could cause this function to perform an out-of-bounds read of adjacent stack data, but this condition does not appear to be exploitable beyond denial-of- service to the ssh(1) client. The getrrsetbyname(3) replacement is only included if the system's standard library lacks this function and portable OpenSSH was not compiled with the ldns library (--with-ldns). getrrsetbyname(3) is only invoked if using VerifyHostKeyDNS to fetch SSHFP records. This problem was found by the Coverity static analyzer. Sponsored by: The FreeBSD Foundation
* | ssh: update to OpenSSH 9.1p1Ed Maste2022-10-191-77/+147
|\| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Release notes are available at https://www.openssh.com/txt/release-9.1 9.1 contains fixes for three minor memory safety problems; these have lready been merged to the copy of OpenSSH 9.0 that is in the FreeBSD base system. Some highlights copied from the release notes: Potentially-incompatible changes -------------------------------- * ssh(1), sshd(8): SetEnv directives in ssh_config and sshd_config are now first-match-wins to match other directives. Previously if an environment variable was multiply specified the last set value would have been used. bz3438 * ssh-keygen(8): ssh-keygen -A (generate all default host key types) will no longer generate DSA keys, as these are insecure and have not been used by default for some years. New features ------------ * ssh(1), sshd(8): add a RequiredRSASize directive to set a minimum RSA key length. Keys below this length will be ignored for user authentication and for host authentication in sshd(8). * sftp-server(8): add a "users-groups-by-id@openssh.com" extension request that allows the client to obtain user/group names that correspond to a set of uids/gids. * sftp(1): use "users-groups-by-id@openssh.com" sftp-server extension (when available) to fill in user/group names for directory listings. * sftp-server(8): support the "home-directory" extension request defined in draft-ietf-secsh-filexfer-extensions-00. This overlaps a bit with the existing "expand-path@openssh.com", but some other clients support it. * ssh-keygen(1), sshd(8): allow certificate validity intervals, sshsig verification times and authorized_keys expiry-time options to accept dates in the UTC time zone in addition to the default of interpreting them in the system time zone. YYYYMMDD and YYMMDDHHMM[SS] dates/times will be interpreted as UTC if suffixed with a 'Z' character. Also allow certificate validity intervals to be specified in raw seconds-since-epoch as hex value, e.g. -V 0x1234:0x4567890. This is intended for use by regress tests and other tools that call ssh-keygen as part of a CA workflow. bz3468 * sftp(1): allow arguments to the sftp -D option, e.g. sftp -D "/usr/libexec/sftp-server -el debug3" * ssh-keygen(1): allow the existing -U (use agent) flag to work with "-Y sign" operations, where it will be interpreted to require that the private keys is hosted in an agent; bz3429 MFC after: 2 weeks Relnotes: Yes Sponsored by: The FreeBSD Foundation
* | ssh: update to OpenSSH v8.9p1Ed Maste2022-04-131-8/+29
|\| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Release notes are available at https://www.openssh.com/txt/release-8.9 Some highlights: * ssh(1), sshd(8), ssh-add(1), ssh-agent(1): add a system for restricting forwarding and use of keys added to ssh-agent(1) * ssh(1), sshd(8): add the sntrup761x25519-sha512@openssh.com hybrid ECDH/x25519 + Streamlined NTRU Prime post-quantum KEX to the default KEXAlgorithms list (after the ECDH methods but before the prime-group DH ones). The next release of OpenSSH is likely to make this key exchange the default method. * sshd(8), portable OpenSSH only: this release removes in-built support for MD5-hashed passwords. If you require these on your system then we recommend linking against libxcrypt or similar. Future deprecation notice ========================= A near-future release of OpenSSH will switch scp(1) from using the legacy scp/rcp protocol to using SFTP by default. Legacy scp/rcp performs wildcard expansion of remote filenames (e.g. "scp host:* .") through the remote shell. This has the side effect of requiring double quoting of shell meta-characters in file names included on scp(1) command-lines, otherwise they could be interpreted as shell commands on the remote side. MFC after: 1 month Relnotes: Yes Sponsored by: The FreeBSD Foundation
* | openssh: update to OpenSSH v8.7p1Ed Maste2021-09-081-189/+528
|\| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Some notable changes, from upstream's release notes: - sshd(8): Remove support for obsolete "host/port" syntax. - ssh(1): When prompting whether to record a new host key, accept the key fingerprint as a synonym for "yes". - ssh-keygen(1): when acting as a CA and signing certificates with an RSA key, default to using the rsa-sha2-512 signature algorithm. - ssh(1), sshd(8), ssh-keygen(1): this release removes the "ssh-rsa" (RSA/SHA1) algorithm from those accepted for certificate signatures. - ssh-sk-helper(8): this is a new binary. It is used by the FIDO/U2F support to provide address-space isolation for token middleware libraries (including the internal one). - ssh(1): this release enables UpdateHostkeys by default subject to some conservative preconditions. - scp(1): this release changes the behaviour of remote to remote copies (e.g. "scp host-a:/path host-b:") to transfer through the local host by default. - scp(1): experimental support for transfers using the SFTP protocol as a replacement for the venerable SCP/RCP protocol that it has traditionally used. Additional integration work is needed to support FIDO/U2F in the base system. Deprecation Notice ------------------ OpenSSH will disable the ssh-rsa signature scheme by default in the next release. Reviewed by: imp MFC after: 1 month Relnotes: Yes Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D29985
* | Upgrade to OpenSSH 7.9p1.Ed Maste2020-02-141-3/+16
|\| | | | | | | | | | | | | | | MFC after: 2 months Sponsored by: The FreeBSD Foundation Notes: svn path=/head/; revision=357926
* | Upgrade to OpenSSH 7.8p1.Dag-Erling Smørgrav2018-09-101-16/+8
|\| | | | | | | | | | | | | Approved by: re (kib@) Notes: svn path=/head/; revision=338561
* | Upgrade to OpenSSH 7.7p1.Dag-Erling Smørgrav2018-05-111-10/+19
|\| | | | | | | Notes: svn path=/head/; revision=333490
* | Upgrade to OpenSSH 7.6p1. This will be followed shortly by 7.7p1.Dag-Erling Smørgrav2018-05-081-50/+70
|\| | | | | | | | | | | | | | | | | This completely removes client-side support for the SSH 1 protocol, which was already disabled in 12 but is still enabled in 11. For that reason, we will not be able to merge 7.6p1 or newer back to 11. Notes: svn path=/head/; revision=333389
* | Upgrade to OpenSSH 7.3p1.Dag-Erling Smørgrav2017-03-021-5/+7
|\| | | | | | | Notes: svn path=/head/; revision=314527
* | Upgrade to OpenSSH 7.2p2.Dag-Erling Smørgrav2016-03-111-7/+11
|\| | | | | | | Notes: svn path=/head/; revision=296633
* | Upgrade to OpenSSH 7.1p2.Dag-Erling Smørgrav2016-01-211-4/+4
|\| | | | | | | Notes: svn path=/head/; revision=294496
* | Upgrade to OpenSSH 7.0p1.Dag-Erling Smørgrav2016-01-201-3/+3
|\| | | | | | | Notes: svn path=/head/; revision=294464
* | Upgrade to OpenSSH 6.8p1.Dag-Erling Smørgrav2016-01-191-6/+16
|\| | | | | | | Notes: svn path=/head/; revision=294332
* | Upgrade to OpenSSH 6.7p1, retaining libwrap support (which has been removedDag-Erling Smørgrav2016-01-191-8/+8
|\| | | | | | | | | | | | | | | | | upstream) and a number of security fixes which we had already backported. MFC after: 1 week Notes: svn path=/head/; revision=294328
* | Now that we have mandoc, we can leave $Mdocdate$ tags as-is. Unfortunately,Dag-Erling Smørgrav2015-11-111-2/+1
| | | | | | | | | | | | | | | | there is (currently) no way to make Subversion generate correct $Mdocdate$ tags, but perhas we can teach mandoc to read Subversion's %d format. Notes: svn path=/head/; revision=290671
* | Upgrade to OpenSSH 6.6p1.Dag-Erling Smørgrav2014-03-251-3/+3
|\| | | | | | | Notes: svn path=/head/; revision=263712
* | Upgrade to OpenSSH 6.5p1.Dag-Erling Smørgrav2014-01-311-15/+42
|\| | | | | | | Notes: svn path=/head/; revision=261320
* | Upgrade to 6.3p1.Dag-Erling Smørgrav2013-09-211-4/+3
|\| | | | | | | | | | | | | Approved by: re (gjb) Notes: svn path=/head/; revision=255767
* | Upgrade to OpenSSH 6.2p1. The most important new features are supportDag-Erling Smørgrav2013-03-221-3/+122
|\| | | | | | | | | | | | | for a key revocation list and more fine-grained authentication control. Notes: svn path=/head/; revision=248619
* | Upgrade OpenSSH to 6.1p1.Dag-Erling Smørgrav2012-09-031-4/+25
|\| | | | | | | Notes: svn path=/head/; revision=240075
* | Upgrade to OpenSSH 5.9p1.Dag-Erling Smørgrav2011-10-051-8/+19
|\| | | | | | | | | | | | | MFC after: 3 months Notes: svn path=/head/; revision=226046
* | Upgrade to OpenSSH 5.8p2.Dag-Erling Smørgrav2011-05-041-29/+19
|\| | | | | | | Notes: svn path=/head/; revision=221420
* | Upgrade to OpenSSH 5.6p1.Dag-Erling Smørgrav2010-11-111-24/+65
|\| | | | | | | Notes: svn path=/head/; revision=215116
* | Missing commasDag-Erling Smørgrav2010-06-011-1/+1
| | | | | | | | Notes: svn path=/head/; revision=208709
* | Upgrade to OpenSSH 5.5p1.Dag-Erling Smørgrav2010-04-281-22/+21
|\| | | | | | | Notes: svn path=/head/; revision=207319
* | Upgrade to OpenSSH 5.4p1.Dag-Erling Smørgrav2010-03-091-16/+194
|\| | | | | | | | | | | | | MFC after: 1 month Notes: svn path=/head/; revision=204917
* | Upgrade to OpenSSH 5.2p1.Dag-Erling Smørgrav2009-05-221-2/+4
|\| | | | | | | | | | | | | MFC after: 3 months Notes: svn path=/head/; revision=192595
* | Our groff doesn't understand $Mdocdate$, so replace them with bare dates.Dag-Erling Smørgrav2008-09-291-1/+1
| | | | | | | | | | | | | | MFC after: 3 days Notes: svn path=/head/; revision=183458
* | Upgrade to OpenSSH 5.1p1.Dag-Erling Smørgrav2008-08-011-11/+11
|\| | | | | | | | | | | | | | | | | | | | | | | | | I have worked hard to reduce diffs against the vendor branch. One notable change in that respect is that we no longer prefer DSA over RSA - the reasons for doing so went away years ago. This may cause some surprises, as ssh will warn about unknown host keys even for hosts whose keys haven't changed. MFC after: 6 weeks Notes: svn path=/head/; revision=181111
| * Properly flatten openssh/dist.Dag-Erling Smørgrav2008-07-221-468/+0
|/ | | | Notes: svn path=/vendor-crypto/openssh/dist/; revision=180720
* Vendor import of OpenSSH 4.3p1.Dag-Erling Smørgrav2006-03-221-3/+6
| | | | Notes: svn path=/vendor-crypto/openssh/dist/; revision=157016
* Vendor import of OpenSSH 4.2p1.Dag-Erling Smørgrav2005-09-031-15/+15
| | | | Notes: svn path=/vendor-crypto/openssh/dist/; revision=149749
* Vendor import of OpenSSH 4.1p1.Dag-Erling Smørgrav2005-06-051-3/+5
| | | | Notes: svn path=/vendor-crypto/openssh/dist/; revision=147001
* Vendor import of OpenSSH 4.0p1.Dag-Erling Smørgrav2005-06-051-42/+83
| | | | Notes: svn path=/vendor-crypto/openssh/dist/; revision=146998
* Vendor import of OpenSSH 3.9p1.Dag-Erling Smørgrav2004-10-281-4/+7
| | | | Notes: svn path=/vendor-crypto/openssh/dist/; revision=137015
* Vendor import of OpenSSH 3.8p1.Dag-Erling Smørgrav2004-02-261-1/+13
| | | | Notes: svn path=/vendor-crypto/openssh/dist/; revision=126274
* Vendor import of OpenSSH 3.7.1p2.Dag-Erling Smørgrav2004-01-071-12/+119
| | | | Notes: svn path=/vendor-crypto/openssh/dist/; revision=124208
* Vendor import of OpenSSH-portable 3.6.1p1.Dag-Erling Smørgrav2003-04-231-3/+4
| | | | Notes: svn path=/vendor-crypto/openssh/dist/; revision=113908
* Vendor import of OpenSSH 3.3.Dag-Erling Smørgrav2002-06-231-2/+2
| | | | Notes: svn path=/vendor-crypto/openssh/dist/; revision=98675
* Vendor import of OpenSSH 3.1Dag-Erling Smørgrav2002-03-181-22/+41
| | | | Notes: svn path=/vendor-crypto/openssh/dist/; revision=92555
* Say "hi" to the latest in the OpenSSH series, version 2.9!Brian Feldman2001-05-041-63/+95
| | | | | | | Happy birthday to: rwatson Notes: svn path=/vendor-crypto/openssh/dist/; revision=76259
* Import of OpenSSH 2.3.0 (virgin OpenBSD source release).Brian Feldman2000-12-051-2/+3
| | | | Notes: svn path=/vendor-crypto/openssh/dist/; revision=69587
* Initial import of OpenSSH post-2.2.0 snapshot dated 2000-09-09Kris Kennaway2000-09-101-14/+35
| | | | Notes: svn path=/vendor-crypto/openssh/dist/; revision=65668
* Initial import of OpenSSH v2.1.vendor/openssh/2.1Kris Kennaway2000-05-151-9/+66
| | | | | Notes: svn path=/vendor-crypto/openssh/dist/; revision=60573 svn path=/vendor-crypto/openssh/2.1/; revision=60575; tag=vendor/openssh/2.1
* Virgin import of OpenSSH sources dated 2000/03/25vendor/openssh/1.2.3-2000-03-25Kris Kennaway2000-03-261-27/+35
| | | | | Notes: svn path=/vendor-crypto/openssh/dist/; revision=58582 svn path=/vendor-crypto/openssh/1.2.3-2000-03-25/; revision=58584; tag=vendor/openssh/1.2.3-2000-03-25
* Vendor import of OpenSSH.vendor/openssh/1.2-2000-02-24Mark Murray2000-02-241-0/+161
Notes: svn path=/vendor-crypto/openssh/dist/; revision=57429 svn path=/vendor-crypto/openssh/1.2-2000-02-24/; revision=57431; tag=vendor/openssh/1.2-2000-02-24
generated by cgit v1.2.3 (git 2.25.1) at 2024-07-30 01:08:18 +0000