diff -ruN openssh-3.8p1+x509g3/LICENCE openssh-3.8p1+x509g4/LICENCE --- openssh-3.8p1+x509g3/LICENCE 2004-02-25 09:06:00.000000000 +0200 +++ openssh-3.8p1+x509g4/LICENCE 2004-03-09 09:06:00.000000000 +0200 @@ -330,4 +330,4 @@ ------ -$OpenBSD: LICENCE,v 1.18 2003/11/21 11:57:02 djm Exp $ +$OpenBSD$ diff -ruN openssh-3.8p1+x509g3/README.x509v3 openssh-3.8p1+x509g4/README.x509v3 --- openssh-3.8p1+x509g3/README.x509v3 2004-02-15 15:26:24.000000000 +0200 +++ openssh-3.8p1+x509g4/README.x509v3 2004-03-07 13:10:20.000000000 +0200 @@ -1,12 +1,12 @@ Roumen Petrov Sofia, Bulgaria - Tue Jun 11 2003 + Sat Mar 6 2004 How to use X.509 certificates with OpenSSH? Identity or hostkey file for protocol version 2 can contain private key -plus x509 certificate in PEM format. Note that protocol version 2 keys +plus X.509 certificate in PEM format. Note that protocol version 2 keys are in PEM format. To use X.509 certificate as identity or hostkey user should convert certificate in PEM format and append to file. After this with "ssh-keygen -y ..." user must update "pub" file. 
@@ -22,31 +22,34 @@ 1.) server configuration: + 1.1.) .../sshd_config -1.1.1.) -AllowedCertPurpose sslclient + +1.1.1.) AllowedCertPurpose sslclient The intended use off the X.509 client certificate. -1.1.2.) "X509 store". Server use "X509 store" to verify client keys. -CACertificateFile /etc/ssh/ca/ca-bundle.crt +1.1.2.) "X509 store". + Server use "X509 store" to verify and validate client keys. + +1.1.2.1.) CACertificateFile /etc/ssh/ca/ca-bundle.crt This file contain multiple certificates of certificate signers in PEM format concatenated together. You can get a copy from openssl, apache, KDE, mutt, etc. packages. Original file might is exported from Netscape certificate database and one download URL is: http://www.modssl.org/contrib/ca-bundle.crt.tar.gz -CACertificatePath /etc/ssh/ca/crt +1.1.2.2.) CACertificatePath /etc/ssh/ca/crt "Hash dir" with certificates of certificate signers. Each certificate should be stored in separate file with name [HASH].[NUMBER], where [HASH] is certificate hash value and [NUMBER] is an integer starting from zero. Hash is result from command like this: $ openssl x509 -in certificate_file_name -noout -hash -CARevocationFile /etc/ssh/ca/ca-bundle.crl +1.1.2.3.) CARevocationFile /etc/ssh/ca/ca-bundle.crl This file contain multiple "Certificate Revocation List" (CRL) of certificate signers in PEM format concatenated together. -CARevocationPath /etc/ssh/ca/crl +1.1.2.4.) CARevocationPath /etc/ssh/ca/crl "Hash dir" with "Certificate Revocation List" (CRL) of certificate signers. Each CRL should be stored in separate file with name [HASH].r[NUMBER], where [HASH] is CRL hash value and [NUMBER] is an 
@@ -54,11 +57,10 @@ $ openssl crl -in crl_file_name -noout -hash 1.1.3.) HostKey files... - Host key for protocol version 2 can contain private key plus x509 + Host key for protocol version 2 can contain private key plus X.509 certificate in PEM format. -1.1.4.) -X509rsaSigType=md5 +1.1.4.) X509rsaSigType=md5 Specifies prefered signature digest type for "x509v3-sign-rsa" keys. The possible values are "md5" and "sha1". When X.509 certificate signature blob fail with specified value, server try other and print @@ -69,8 +71,8 @@ When you see this PLEASE send a EMAIL with "X509COMPAT" lines from log files. - -1.2.) append in USER_HOME/.ssh/authorized_keys a record with following +1.2.) user files on the server + Append in USER_HOME/.ssh/authorized_keys a record with following format: {|CertBlob} where: @@ -114,10 +116,11 @@ NOTES: - adjust user authorized_keys file ownership - user must have at least read access. -- SecSH x509v3 key type is "x509v3-sign-rsa" or "x509v3-sign-dss". +- SecSH X.509 key type is "x509v3-sign-rsa" or "x509v3-sign-dss". - When OpenSSH is build with "--disable-x509store" YOU CANNOT USE "Distinguished Name" format. You shold use ONLY "blob" format. + 2.) client settings: 2.1.) IdentityFile Depends from client. To use X.509 certificate "OpenSSH id-file" must 
@@ -128,24 +131,22 @@ 2.2.) global ssh_config, $HOME/.ssh/config or command line -2.2.1.) -AllowedCertPurpose sslserver - The intended use off the X.509 server certificate. +2.2.1.) AllowedCertPurpose sslserver + The intended use of the X.509 server certificate. -2.2.2.) "X509 store". Client use "x509 store" to verify server hostkey. - Check options: +2.2.2.) "X509 store". + Client use "X509 store" to verify and validate server hostkey. + See p. 1.1.2.) and check the options: - [User]CACertificatePath; - [User]CACertificateFile; - [User]CARevocationFile; - [User]CARevocationPath. - See p. 1.1.2.). Note: When we use own CA we must import CA certificate[s] to -"x509 store". More info on: +"X509 store". More info on: http://roumenpetrov.info/domino_CA/#dca2bundle -2.2.3.) -X509rsaSigType=md5 +2.2.3.) X509rsaSigType=md5 Temporary option. Specifies signature digest type for 'x509v3-sign-rsa' keys. The possible values are "md5" and "sha1". Use this option only in session with other SecSH servers with X.509 
@@ -159,14 +160,21 @@ Note: ssh-agent use only md5 digest for X.509 certificates. -3.) test x509 certificates. +3.) test X.509 certificates. -3.1.) In openssh build dir run "make check". -If x509 test scripts fail edit file OPENSSH_SOURCE_PATH/tests/CA/config -or set some environment variables. -Output from make check is in color and when is redirected to file later -we can see content best with command "less -r ...". -When script run a test command print star '*' followed by simple +3.1.) In openssh build dir run "make check" or "make test". + Both commands are equivalent and run regression tests. + If you lake to test only X.509 certificates you can run +$ make check-certs + + If certificate test scripts fail might you should setup test +configuration in the file OPENSSH_SOURCE_PATH/tests/CA/config or +use some environment variables. Used variables are described +later in the document. + + Output from "make check-certs" is in color and when is redirected to +file later we can see content best with command "less -r ...". + When script run a test command print star '*' followed by simple information about command. When command succeed script print at right "done" in GREEN(!) otherwise "failed" in RED(!). After failed command script show on next lines in RED(!) response, skip execution of next @@ -175,8 +183,8 @@ Testing OpenSSH client with certificates finished. status: failed .... -Note that failed is in RED(!) and exit code is NONZERO(!). -Some command in a test script must fail. Part of "simple information" + Note that failed is in RED(!) and exit code is NONZERO(!). + Some command in a test script must fail. Part of "simple information" about command expected to fail is in RED(!). When command fail script print "done" (THIS IS CORRECT - COMMAND MUST FAIL) and on next lines print in GREEN(!) response. Usually this occur when server reject logon. 
@@ -185,15 +193,14 @@ Testing OpenSSH client with certificates finished. status: done .... -Note that "done" is in GREEN(!) and exit code is ZERO(!). - - + Note that "done" is in GREEN(!) and exit code is ZERO(!). 3.1.1.) Description of variables in Makefile file: - SHELL Used shell to run tests. Supported shell are bash, ksh, zsh and ash. + Script might run without porblems on standard unix sh. Example: - $ make check SHELL=/bin/zsh + $ make check-certs SHELL=/bin/zsh 3.1.2.) Description of variables in config file: 
@@ -248,28 +255,28 @@ (only in config) 3.1.3.) Sample commands to run tests: -$ OPENSSL=/usr/local/ssl/bin/openssl make check -$ SSHD_PORT=1122 SSH_X509TESTS="agent blob_auth" make check -$ RSA_DIGEST_LIST="md5 sha1" make check -$ make check SHELL=/bin/ksh +$ OPENSSL=/usr/local/ssl/bin/openssl make check-certs +$ SSHD_PORT=1122 SSH_X509TESTS="agent blob_auth" make check-certs +$ RSA_DIGEST_LIST="md5 sha1" make check-certs +$ make check-certs SHELL=/bin/ksh When check fail see "Troubleshooting" later in document. 3.2.) Current test scripts uses only rsa as server hostkey. - To test sshd with x509 certificate please find in file + To test sshd with X.509 certificate please find in file openssh_tests.sh variable TEST_SSHD_HOSTKEY and change it. Sample: TEST_SSH_HOSTKEY="${CWD}/testhostkey_rsa-rsa_md5" -3.3.) Test SecSH from "Microsoft Windows OSes". +3.3.) Test SecSH from "Microsoft Windows OS-es". This is not part of document. -Tips: use created after make check files: +Tips: use created after "make check-certs" files: - convert OPENSSH_BUILD_PATH/tests/CA/ca-test/crt/*crt.pem CA certificates from PEM to DER format and import in - "Windows keystore" -- import OPENSSH_BUILD_PATH/tests/CA/testid_*.p12 in - "Windows keystore" + "Windows keystore"; +- import OPENSSH_BUILD_PATH/tests/CA/testid_*.p12 files in + "Windows keystore"; - setup your client to use certificate[s](see SecSH client manuals). DON'T FORGET TO REMOVE entries from "Windows keystore" after test! 
@@ -279,42 +286,48 @@ 3.5.) files in OPENSSH_SOURCE_PATH/tests/CA directory: -config : configuration file +config: + Configuration file. + +shell.rc: + Shell settings. 1-cre_cadb.sh: - create "Test CA" directories and files. + Create "Test CA" directories and files. 2-cre_cakeys.sh: - create "Test CA" private keys and certificates. + Create "Test CA" private keys and certificates. 3-cre_certs.sh: - create client/server certificates. - this command create files with mask + Create client/server certificates. + This command create files with mask "PATH_TO_KEYFILEn-[.]" - , where is in format "rsa_" or "dsa". + , where is in format "rsa_" or "dsa". DIGEST are form variable "RSA_DIGEST_LIST" specified in "config" file. Files without extention are openssh identity or hostkey files. File with .pub extention contain openssh public key (BLOB format). File with .crt extention contain openssl "text output" for identity files. Files with .p12 extention are for "Microsoft Windows keystore". Note: .p12 = .pfx for Windows. +4-cre_crls.sh: + Revoke part of client certificates. verify.sh: - to check certificates against "Test CA". Note: check only + To check certificates against "Test CA". Note: check only testid_*.crt and testhostkey_*.crt files in current directory. functions: - common usefull functions + Common usefull functions. openssh_tests.sh: - main test script - call other testscripts. + Main test script - call other testscripts. test-blob_auth.sh.inc, test-dn_auth_file.sh.inc, test-dn_auth_path.sh.inc, test-agent.sh.inc, test-crl.sh.inc: - see DESCRIPTION in each file. + Test shell scripts. See DESCRIPTION in each file. Note that hostbased authentication we cannot test without to install. Generated testhostkey_* certificates are with sslserver and sslclient 
@@ -322,40 +335,80 @@ 4.) Troubleshooting -make check fails on: - -4.1.) "... 1-cre_cadb.sh: local: not found" -try other shell: [ENVSETTINGS] make check SHELL=/bin/ksh +"make check-certs" fails on: -4.2.) "generating a new ... private key for the TEST CA ..." +4.1.) "generating a new ... private key for the TEST CA ..." Usually this happen on system without /dev/{u}random. In file [BUILDDIR]/tests/CA/openssh_ca-2.log we can see a message: "... PRNG not seeded ...". Read again WARNING.RNG from OpenSSH sourcedir and/or http://www.openssl.org/support/faq.html -4.2.1.) reconfigure your system and/or openssl -4.2.2.) or do next -4.2.2.1.) install OpenSSH :-( otherwise later "make check" +4.1.1.) reconfigure your system and/or openssl +4.1.2.) or do next +4.1.2.1.) install OpenSSH :-( otherwise later "make check-certs" (ssh-keygen) fail with message: "couldn't exec '.../libexec/ssh-rand-helper': ..." and second ./ssh-rand-helper fail with message: "couldn't read entropy commands file ../ssh_prng_cmds: ..." Tip: configure OpenSSH with prefix for example $HOME/test -4.2.2.2.) run: +4.1.2.2.) run: ssh-rand-helper rm -f $HOME/.rnd ln -s .ssh/prng_seed $HOME/.rnd -4.2.2.3.) test openssl with command: +4.1.2.3.) test openssl with command: /usr/local/ssl/bin/openssl genrsa -des3 -passout pass:change_it Tip: before to create every key with OpenSSL run ssh-rand-helper ! -4.2.2.4.) run again "... make check ..." +4.1.2.4.) run again "... make check-certs ..." -4.3.) fail on first check: "* rsa_md5 valid blob failed" -Usually SUDO command is not set. See p. 3.1.2.1. +4.2.) fail on first check: "* rsa_md5 valid blob failed" +- Usually SUDO command is not set. See p. 3.1.2.1. +- When you build with tcpwrappers your hosts.allow must permit +connections from localhost, otherwise you can see in failed message +text like this: "... connection closed by remote host ..." + + +5.) FAQ + +Q.) How to convert a certificate from DER to PEM format? +A.) Run command "openssl x509 ..." 
with command line options +-inform/-outform - you can select one of formats: DER, NET or PEM. +The default is PEM. + +Q.) How to convert pfx to p12 file? +A.) Just change file extension ;-). + +Q.) How to use my p12 file in OpenSSH as identity? +A.) Run commands: +$ openssl pkcs12 -in FILE.p12 -clcerts > id_x509 +$ ssh-keygen -f id_x509 -y > id_x509.pub + Don't forget to set properly permition on file id_x509, as +example "chmod 600 id_x509". + Note name of identity file can be one of defaults: + 'id_rsa' or 'id_dsa'. + Configure client. + +Q.) How to use p12 file in OpenSSH as hostkey? +A.) Note that host keys are password less! + It is similar to client identity. + Remember umask settings. + Run as root commands: +# umask 0077 +# openssl pkcs12 -in FILE.p12 -clcerts > ssh_host_x509 + Note: you must enter export password! +# ssh-keygen -p -f ssh_host_x509 -N '' + Now hostkey file is password less ! +# ssh-keygen -f ssh_host_x509 -y > ssh_host_x509.pub + Restore umask settings. + Note name of hostkey file can be one of defaults: + 'ssh_host_dsa_key' or 'ssh_host_rsa_key'. + Configure server, test configuration with command +# sshd -t ..../sshd_config + and start/restart the server. Don't forget to inform users + that hostkey is changed! Enjoy ;-) diff -ruN openssh-3.8p1+x509g3/scp.0 openssh-3.8p1+x509g4/scp.0 --- openssh-3.8p1+x509g3/scp.0 2004-02-25 09:06:00.000000000 +0200 +++ openssh-3.8p1+x509g4/scp.0 2004-03-09 09:06:00.000000000 +0200 
@@ -54,50 +54,7 @@ Can be used to pass options to ssh in the format used in ssh_config(5). This is useful for specifying options for which there is no separate scp command-line flag. For full details of - the options listed below, and their possible values, see - ssh_config(5). - - AddressFamily - BatchMode - BindAddress - ChallengeResponseAuthentication - CheckHostIP - Cipher - Ciphers - Compression - CompressionLevel - ConnectionAttempts - ConnectionTimeout - GlobalKnownHostsFile - GSSAPIAuthentication - GSSAPIDelegateCredentials - Host - HostbasedAuthentication - HostKeyAlgorithms - HostKeyAlias - HostName - IdentityFile - LogLevel - MACs - NoHostAuthenticationForLocalhost - NumberOfPasswordPrompts - PasswordAuthentication - Port - PreferredAuthentications - Protocol - ProxyCommand - PubkeyAuthentication - RhostsRSAAuthentication - RSAAuthentication - ServerAliveInterval - ServerAliveCountMax - SmartcardDevice - StrictHostKeyChecking - TCPKeepAlive - UsePrivilegedPort - User - UserKnownHostsFile - VerifyHostKeyDNS + the options and their possible values, see ssh_config(5). -P port Specifies the port to connect to on the remote host. Note that diff -ruN openssh-3.8p1+x509g3/scp.1 openssh-3.8p1+x509g4/scp.1 --- openssh-3.8p1+x509g3/scp.1 2003-12-17 07:33:11.000000000 +0200 +++ openssh-3.8p1+x509g4/scp.1 2004-03-09 09:06:00.000000000 +0200 @@ -9,7 +9,7 @@ .\" .\" Created: Sun May 7 00:14:37 1995 ylo .\" -.\" $OpenBSD: scp.1,v 1.32 2003/12/16 15:49:51 markus Exp $ +.\" $OpenBSD$ .\" .Dd September 25, 1999 .Dt SCP 1 
@@ -113,52 +113,8 @@ for which there is no separate .Nm scp command-line flag. -For full details of the options listed below, and their possible values, see +For full details of the options and their possible values, see .Xr ssh_config 5 . -.Pp -.Bl -tag -width Ds -offset indent -compact -.It AddressFamily -.It BatchMode -.It BindAddress -.It ChallengeResponseAuthentication -.It CheckHostIP -.It Cipher -.It Ciphers -.It Compression -.It CompressionLevel -.It ConnectionAttempts -.It ConnectionTimeout -.It GlobalKnownHostsFile -.It GSSAPIAuthentication -.It GSSAPIDelegateCredentials -.It Host -.It HostbasedAuthentication -.It HostKeyAlgorithms -.It HostKeyAlias -.It HostName -.It IdentityFile -.It LogLevel -.It MACs -.It NoHostAuthenticationForLocalhost -.It NumberOfPasswordPrompts -.It PasswordAuthentication -.It Port -.It PreferredAuthentications -.It Protocol -.It ProxyCommand -.It PubkeyAuthentication -.It RhostsRSAAuthentication -.It RSAAuthentication -.It ServerAliveInterval -.It ServerAliveCountMax -.It SmartcardDevice -.It StrictHostKeyChecking -.It TCPKeepAlive -.It UsePrivilegedPort -.It User -.It UserKnownHostsFile -.It VerifyHostKeyDNS -.El .It Fl P Ar port Specifies the port to connect to on the remote host. Note that this option is written with a capital diff -ruN openssh-3.8p1+x509g3/servconf.c openssh-3.8p1+x509g4/servconf.c --- openssh-3.8p1+x509g3/servconf.c 2004-02-25 09:06:01.000000000 +0200 +++ openssh-3.8p1+x509g4/servconf.c 2004-03-09 09:06:01.000000000 +0200 
@@ -1015,6 +1015,12 @@ arg = strdelim(&cp); break; +#ifdef SSH_X509STORE_DISABLED + case sCACertificateFile: + case sCACertificatePath: + case sCARevocationFile: + case sCARevocationPath: +#endif /*def SSH_X509STORE_DISABLED*/ case sUnsupported: logit("%s line %d: Unsupported option %s", filename, linenum, arg); diff -ruN openssh-3.8p1+x509g3/sftp.0 openssh-3.8p1+x509g4/sftp.0 --- openssh-3.8p1+x509g3/sftp.0 2004-02-25 09:06:00.000000000 +0200 +++ openssh-3.8p1+x509g4/sftp.0 2004-03-09 09:06:00.000000000 +0200 @@ -59,50 +59,7 @@ ssh_config(5). This is useful for specifying options for which there is no separate sftp command-line flag. For example, to specify an alternate port use: sftp -oPort=24. For full details - of the options listed below, and their possible values, see - ssh_config(5). - - AddressFamily - BatchMode - BindAddress - ChallengeResponseAuthentication - CheckHostIP - Cipher - Ciphers - Compression - CompressionLevel - ConnectionAttempts - ConnectionTimeout - GlobalKnownHostsFile - GSSAPIAuthentication - GSSAPIDelegateCredentials - Host - HostbasedAuthentication - HostKeyAlgorithms - HostKeyAlias - HostName - IdentityFile - LogLevel - MACs - NoHostAuthenticationForLocalhost - NumberOfPasswordPrompts - PasswordAuthentication - Port - PreferredAuthentications - Protocol - ProxyCommand - PubkeyAuthentication - RhostsRSAAuthentication - RSAAuthentication - ServerAliveInterval - ServerAliveCountMax - SmartcardDevice - StrictHostKeyChecking - TCPKeepAlive - UsePrivilegedPort - User - UserKnownHostsFile - VerifyHostKeyDNS + of the options and their possible values, see ssh_config(5). -P sftp_server_path Connect directly to a local sftp server (rather than via ssh(1)) diff -ruN openssh-3.8p1+x509g3/sftp.1 openssh-3.8p1+x509g4/sftp.1 --- openssh-3.8p1+x509g3/sftp.1 2004-01-21 02:00:05.000000000 +0200 +++ openssh-3.8p1+x509g4/sftp.1 2004-03-09 09:06:00.000000000 +0200 
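Review bot: Under SSH_X509STORE_DISABLED the four new case labels fall through into `case sUnsupported:`, whose `logit()` only records "Unsupported option" and lets parsing continue, so a sshd_config that sets CACertificateFile or CARevocationFile expecting CA verification and CRL checking starts cleanly on a build without the X.509 store and the operator learns of the missing trust check only from a log line. Because these keywords govern certificate validation rather than a convenience feature, they deserve either a fatal() or a dedicated branch with a message that names the cause, e.g. `logit("%s line %d: option %s ignored: sshd built without X.509 store support", filename, linenum, arg);` followed by its own `break;` before `case sUnsupported:`. The hunk does not show how these keywords are handled when the store is enabled, so I assume their normal cases exist elsewhere in the switch; the enclosing switch and function start and end outside the hunk.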
@@ -1,4 +1,4 @@ -.\" $OpenBSD: sftp.1,v 1.51 2004/01/13 12:17:33 jmc Exp $ +.\" $OpenBSD$ .\" .\" Copyright (c) 2001 Damien Miller. All rights reserved. .\" @@ -139,52 +139,8 @@ command-line flag. For example, to specify an alternate port use: .Ic sftp -oPort=24 . -For full details of the options listed below, and their possible values, see +For full details of the options and their possible values, see .Xr ssh_config 5 . -.Pp -.Bl -tag -width Ds -offset indent -compact -.It AddressFamily -.It BatchMode -.It BindAddress -.It ChallengeResponseAuthentication -.It CheckHostIP -.It Cipher -.It Ciphers -.It Compression -.It CompressionLevel -.It ConnectionAttempts -.It ConnectionTimeout -.It GlobalKnownHostsFile -.It GSSAPIAuthentication -.It GSSAPIDelegateCredentials -.It Host -.It HostbasedAuthentication -.It HostKeyAlgorithms -.It HostKeyAlias -.It HostName -.It IdentityFile -.It LogLevel -.It MACs -.It NoHostAuthenticationForLocalhost -.It NumberOfPasswordPrompts -.It PasswordAuthentication -.It Port -.It PreferredAuthentications -.It Protocol -.It ProxyCommand -.It PubkeyAuthentication -.It RhostsRSAAuthentication -.It RSAAuthentication -.It ServerAliveInterval -.It ServerAliveCountMax -.It SmartcardDevice -.It StrictHostKeyChecking -.It TCPKeepAlive -.It UsePrivilegedPort -.It User -.It UserKnownHostsFile -.It VerifyHostKeyDNS -.El .It Fl P Ar sftp_server_path Connect directly to a local sftp server (rather than via diff -ruN openssh-3.8p1+x509g3/ssh.0 openssh-3.8p1+x509g4/ssh.0 --- openssh-3.8p1+x509g3/ssh.0 2004-02-25 09:06:00.000000000 +0200 +++ openssh-3.8p1+x509g4/ssh.0 2004-03-09 09:06:00.000000000 +0200 
@@ -92,15 +92,15 @@ The public key method is similar to RSA authentication described in the previous section and allows the RSA or DSA algorithm to be used: The client uses his private key, $HOME/.ssh/id_dsa or $HOME/.ssh/id_rsa, - which can contain a x509 certificate in addition to key to sign the ses- + which can contain a X.509 certificate in addition to key to sign the ses- sion identifier and sends the result to the server. The server checks whether the matching public key or certificate is listed in $HOME/.ssh/authorized_keys and grants access if both the key is found and - the signature is correct. In case with x509 certificate server perform - additional verification of that certificate through database with cer- - tificates and CRLs of certificate signers. The session identifier is - derived from a shared Diffie-Hellman value and is only known to the - client and the server. + the signature is correct. In case with X.509 certificate server perform + additional verification and validation of that certificate through + database with certificates and CRLs of certificate signers. The session + identifier is derived from a shared Diffie-Hellman value and is only + known to the client and the server. If public key authentication fails or is not available, a password can be sent encrypted to the remote host to prove the user's identity. @@ -305,7 +305,7 @@ DSA authentication is read. The default is $HOME/.ssh/identity for protocol version 1, and $HOME/.ssh/id_rsa and $HOME/.ssh/id_dsa for protocol version 2. For protocol version 2 - is possible identity to contain in addition a x509 certificate. + is possible identity to contain in addition a X.509 certificate. Identity files may also be specified on a per-host basis in the configuration file. It is possible to have multiple -i options (and multiple identities specified in configuration files). 
@@ -350,60 +350,7 @@ Can be used to give options in the format used in the configura- tion file. This is useful for specifying options for which there is no separate command-line flag. For full details of the - options listed below, and their possible values, see - ssh_config(5). - - AddressFamily - BatchMode - BindAddress - ChallengeResponseAuthentication - CheckHostIP - Cipher - Ciphers - ClearAllForwardings - Compression - CompressionLevel - ConnectionAttempts - ConnectionTimeout - DynamicForward - EscapeChar - ForwardAgent - ForwardX11 - ForwardX11Trusted - GatewayPorts - GlobalKnownHostsFile - GSSAPIAuthentication - GSSAPIDelegateCredentials - Host - HostbasedAuthentication - HostKeyAlgorithms - HostKeyAlias - HostName - IdentityFile - LocalForward - LogLevel - MACs - NoHostAuthenticationForLocalhost - NumberOfPasswordPrompts - PasswordAuthentication - Port - PreferredAuthentications - Protocol - ProxyCommand - PubkeyAuthentication - RemoteForward - RhostsRSAAuthentication - RSAAuthentication - ServerAliveInterval - ServerAliveCountMax - SmartcardDevice - StrictHostKeyChecking - TCPKeepAlive - UsePrivilegedPort - User - UserKnownHostsFile - VerifyHostKeyDNS - XAuthLocation + options and their possible values, see ssh_config(5). -p port Port to connect to on the remote host. This can be specified on 
@@ -525,14 +472,15 @@ FILES $HOME/.ssh/known_hosts - Records host keys for all hosts the user has logged into that are - not in /etc/ssh/ssh_known_hosts. See sshd(8). + Records host keys or certificates for all hosts the user has + logged into that are not in /etc/ssh/ssh_known_hosts. See + sshd(8). $HOME/.ssh/identity, $HOME/.ssh/id_dsa, $HOME/.ssh/id_rsa Contains the authentication identity of the user. They are for protocol 1 RSA, protocol 2 DSA, and protocol 2 RSA, respectively. It is possible protocol version 2 identity to contain identity - plus x509 certificate. These files contain sensitive data and + plus X.509 certificate. These files contain sensitive data and should be readable by the user but not accessible by others (read/write/execute). Note that ssh ignores a private key file if it is accessible by others. It is possible to specify a @@ -542,7 +490,7 @@ $HOME/.ssh/identity.pub, $HOME/.ssh/id_dsa.pub, $HOME/.ssh/id_rsa.pub Contains the public key for authentication (public part of the identity file in human-readable form). Note that protocol ver- - sion 2 while a identity contain private key and x509 certificate + sion 2 while a identity contain private key and X.509 certificate this file must contain that certificate. The contents of the $HOME/.ssh/identity.pub file should be added to the file $HOME/.ssh/authorized_keys on all machines where the user wishes @@ -550,7 +498,7 @@ tents of the $HOME/.ssh/id_dsa.pub and $HOME/.ssh/id_rsa.pub file should be added to $HOME/.ssh/authorized_keys on all machines where the user wishes to log in using protocol version 2 DSA/RSA - authentication. In case with x509 certificates user can use + authentication. In case with X.509 certificates user can use ``new style''. Instead to add content of file to authorized_keys user can write certificate ``Distinguished Name''. See sshd(8) manual page. These files are not sensitive and can (but need 
@@ -571,17 +519,17 @@ for the user, and not accessible by others. /etc/ssh/ssh_known_hosts - Systemwide list of known host keys. This file should be prepared - by the system administrator to contain the public host keys of - all machines in the organization. This file should be world- - readable. This file contains public keys, one per line, in the - following format (fields separated by spaces): system name, pub- - lic key and optional comment field. When a x509 certificate is - used as host key instead of public key line contain certificate - (old style) or certificate ``Distinguished Name''. When differ- - ent names are used for the same machine, all such names should be - listed, separated by commas. The format is described in the - sshd(8) manual page. + Systemwide list of known host keys or certificates. This file + should be prepared by the system administrator to contain the + public host keys or certificates of all machines in the organiza- + tion. This file should be world-readable. This file contains + public keys, one per line, in the following format (fields sepa- + rated by spaces): system name, public key and optional comment + field. When a X.509 certificate is used as host key instead of + public key line contain certificate (old style) or certificate + ``Distinguished Name''. When different names are used for the + same machine, all such names should be listed, separated by com- + mas. The format is described in the sshd(8) manual page. The canonical system name (as returned by name servers) is used by sshd(8) to verify the client host when logging in; other names 
@@ -598,7 +546,7 @@ /etc/ssh/ssh_host_rsa_key These three files contain the private parts of the host keys and are used for RhostsRSAAuthentication and HostbasedAuthentication. - It is possible files to contain private part plus x509 certifi- + It is possible files to contain private part plus X.509 certifi- cate for protocol version 2 keys. If the protocol version 1 RhostsRSAAuthentication method is used, ssh must be setuid root, since the host key is readable only by root. For protocol ver- 
@@ -609,27 +557,29 @@ host key for hostbased authentication that certificate must have client purpose too or server configuration must permit connection without client purpose. For allowed client certificate purposes - see sshd_config(5). + see ssh_config(5). /etc/ssh/ca/ca-bundle.crt and /etc/ssh/ca/ca-bundle.crl - Part of systemwide ``X509 store''. The first file contain multi- - ple certificates and the second ``Certificate Revocation List'' + Part of systemwide ``X.509 store''. The first file contain mul- + tiple certificates and the second ``Certificate Revocation List'' (CRLs) of certificate signers in PEM format concatenated - together. Used in verification of server host key certificate. + together. Used in verification and validation of server host + certificate. /etc/ssh/ca/crt and /etc/ssh/ca/crl - Part of systemwide ``X509 store''. ``Hash dirs'' with certifi- + Part of systemwide ``X.509 store''. ``Hash dirs'' with certifi- cates, the first file or CLRs, the second of certificate signers. Each certificate should be stored in separate file with name [HASH].[NUMBER] or [HASH].r[NUMBER] for the CRL, where [HASH] is certificate or CRL hash value and [NUMBER] is an integer starting - from zero. Used in verification of server host key certificate. + from zero. Used in verification and validation of server host + certificate. ~/.ssh/ca/ca-bundle.crt and ~/.ssh/ca/ca-bundle.crl - Part of user ``X509 store''. Same as above systemwide files. + Part of user ``X.509 store''. Same as above systemwide files. ~/.ssh/ca/crt and ~/.ssh/ca/crl - Part of user ``X509 store''. Same as above systemwide directo- + Part of user ``X.509 store''. Same as above systemwide directo- ries. $HOME/.rhosts diff -ruN openssh-3.8p1+x509g3/ssh.1 openssh-3.8p1+x509g4/ssh.1 --- openssh-3.8p1+x509g3/ssh.1 2004-02-25 09:06:00.000000000 +0200 +++ openssh-3.8p1+x509g4/ssh.1 2004-03-09 09:06:00.000000000 +0200 
@@ -227,15 +227,15 @@ .Pa $HOME/.ssh/id_dsa or .Pa $HOME/.ssh/id_rsa , -which can contain a x509 certificate in addition to key +which can contain a X.509 certificate in addition to key to sign the session identifier and sends the result to the server. The server checks whether the matching public key or certificate is listed in .Pa $HOME/.ssh/authorized_keys and grants access if both the key is found and the signature is correct. -In case with x509 certificate server perform additional verification of -that certificate through database with certificates and CRLs of certificate -signers. +In case with X.509 certificate server perform additional verification +and validation of that certificate through database with certificates +and CRLs of certificate signers. The session identifier is derived from a shared Diffie-Hellman value and is only known to the client and the server. .Pp @@ -539,7 +539,7 @@ .Pa $HOME/.ssh/id_dsa for protocol version 2. For protocol version 2 is possible identity to contain in addition -a x509 certificate. +a X.509 certificate. Identity files may also be specified on a per-host basis in the configuration file. It is possible to have multiple 
@@ -611,62 +611,8 @@ Can be used to give options in the format used in the configuration file. This is useful for specifying options for which there is no separate command-line flag. -For full details of the options listed below, and their possible values, see +For full details of the options and their possible values, see .Xr ssh_config 5 . -.Pp -.Bl -tag -width Ds -offset indent -compact -.It AddressFamily -.It BatchMode -.It BindAddress -.It ChallengeResponseAuthentication -.It CheckHostIP -.It Cipher -.It Ciphers -.It ClearAllForwardings -.It Compression -.It CompressionLevel -.It ConnectionAttempts -.It ConnectionTimeout -.It DynamicForward -.It EscapeChar -.It ForwardAgent -.It ForwardX11 -.It ForwardX11Trusted -.It GatewayPorts -.It GlobalKnownHostsFile -.It GSSAPIAuthentication -.It GSSAPIDelegateCredentials -.It Host -.It HostbasedAuthentication -.It HostKeyAlgorithms -.It HostKeyAlias -.It HostName -.It IdentityFile -.It LocalForward -.It LogLevel -.It MACs -.It NoHostAuthenticationForLocalhost -.It NumberOfPasswordPrompts -.It PasswordAuthentication -.It Port -.It PreferredAuthentications -.It Protocol -.It ProxyCommand -.It PubkeyAuthentication -.It RemoteForward -.It RhostsRSAAuthentication -.It RSAAuthentication -.It ServerAliveInterval -.It ServerAliveCountMax -.It SmartcardDevice -.It StrictHostKeyChecking -.It TCPKeepAlive -.It UsePrivilegedPort -.It User -.It UserKnownHostsFile -.It VerifyHostKeyDNS -.It XAuthLocation -.El .It Fl p Ar port Port to connect to on the remote host. This can be specified on a @@ -849,8 +795,8 @@ .Sh FILES .Bl -tag -width Ds .It Pa $HOME/.ssh/known_hosts -Records host keys for all hosts the user has logged into that are not -in +Records host keys or certificates for all hosts the user has logged +into that are not in .Pa /etc/ssh/ssh_known_hosts . See .Xr sshd 8 . 
@@ -858,7 +804,7 @@ Contains the authentication identity of the user. They are for protocol 1 RSA, protocol 2 DSA, and protocol 2 RSA, respectively. It is possible protocol version 2 identity to contain identity plus -x509 certificate. +X.509 certificate. These files contain sensitive data and should be readable by the user but not accessible by others (read/write/execute). @@ -872,7 +818,7 @@ Contains the public key for authentication (public part of the identity file in human-readable form). Note that protocol version 2 while a identity contain private key and -x509 certificate this file must contain that certificate. +X.509 certificate this file must contain that certificate. The contents of the .Pa $HOME/.ssh/identity.pub file should be added to the file @@ -887,7 +833,7 @@ .Pa $HOME/.ssh/authorized_keys on all machines where the user wishes to log in using protocol version 2 DSA/RSA authentication. -In case with x509 certificates user can use +In case with X.509 certificates user can use .Dq "new style" . Instead to add content of file to authorized_keys user can write certificate 
@@ -916,15 +862,15 @@ This file is not highly sensitive, but the recommended permissions are read/write for the user, and not accessible by others. .It Pa /etc/ssh/ssh_known_hosts -Systemwide list of known host keys. +Systemwide list of known host keys or certificates. This file should be prepared by the -system administrator to contain the public host keys of all machines in the -organization. +system administrator to contain the public host keys or certificates +of all machines in the organization. This file should be world-readable. This file contains public keys, one per line, in the following format (fields separated by spaces): system name, public key and optional comment field. -When a x509 certificate is used as host key instead of public key line +When a X.509 certificate is used as host key instead of public key line contain certificate (old style) or certificate .Dq "Distinguished Name" . When different names are used @@ -951,7 +897,7 @@ .Cm RhostsRSAAuthentication and .Cm HostbasedAuthentication . -It is possible files to contain private part plus x509 certificate for +It is possible files to contain private part plus X.509 certificate for protocol version 2 keys. If the protocol version 1 .Cm RhostsRSAAuthentication 
@@ -974,17 +920,17 @@ that certificate must have client purpose too or server configuration must permit connection without client purpose. For allowed client certificate purposes see -.Xr sshd_config 5 . +.Xr ssh_config 5 . .It Pa "/etc/ssh/ca/ca-bundle.crt" and "/etc/ssh/ca/ca-bundle.crl" Part of systemwide -.Dq "X509 store" . +.Dq "X.509 store" . The first file contain multiple certificates and the second .Dq "Certificate Revocation List" (CRLs) of certificate signers in PEM format concatenated together. -Used in verification of server host key certificate. +Used in verification and validation of server host certificate. .It Pa "/etc/ssh/ca/crt" and Pa "/etc/ssh/ca/crl" Part of systemwide -.Dq "X509 store" . +.Dq "X.509 store" . .Dq "Hash dirs" with certificates, the first file or CLRs, the second of certificate signers. @@ -992,14 +938,14 @@ [HASH].[NUMBER] or [HASH].r[NUMBER] for the CRL, where [HASH] is certificate or CRL hash value and [NUMBER] is an integer starting from zero. -Used in verification of server host key certificate. +Used in verification and validation of server host certificate. .It Pa "~/.ssh/ca/ca-bundle.crt" and "~/.ssh/ca/ca-bundle.crl" Part of user -.Dq "X509 store" . +.Dq "X.509 store" . Same as above systemwide files. .It Pa "~/.ssh/ca/crt" and Pa "~/.ssh/ca/crl" Part of user -.Dq "X509 store" . +.Dq "X.509 store" . Same as above systemwide directories. .It Pa $HOME/.rhosts This file is used in diff -ruN openssh-3.8p1+x509g3/ssh-add.0 openssh-3.8p1+x509g4/ssh-add.0 --- openssh-3.8p1+x509g3/ssh-add.0 2004-02-25 09:06:00.000000000 +0200 +++ openssh-3.8p1+x509g4/ssh-add.0 2004-03-09 09:06:00.000000000 +0200 
@@ -10,7 +10,8 @@ DESCRIPTION ssh-add adds RSA or DSA identities to the authentication agent, - ssh-agent(1). When run without arguments, it adds the files + ssh-agent(1). It is possible identity to contain in addition correspond- + ing X.509 certificate. When run without arguments, it adds the files $HOME/.ssh/id_rsa, $HOME/.ssh/id_dsa and $HOME/.ssh/identity. Alterna- tive file names can be given on the command line. If any file requires a passphrase, ssh-add asks for the passphrase from the user. The @@ -25,8 +26,8 @@ -l Lists fingerprints of all identities currently represented by the agent. - -L Lists public key parameters of all identities currently repre- - sented by the agent. + -L Lists public key or certificate parameters of all identities cur- + rently represented by the agent. -d Instead of adding the identity, removes the identity from the agent. @@ -76,12 +77,12 @@ $HOME/.ssh/id_dsa Contains the protocol version 2 DSA authentication identity of - the user. It is possible to contain identity plus x509 certifi- + the user. It is possible to contain identity plus X.509 certifi- cate. $HOME/.ssh/id_rsa Contains the protocol version 2 RSA authentication identity of - the user. It is possible to contain identity plus x509 certifi- + the user. It is possible to contain identity plus X.509 certifi- cate. Identity files should not be readable by anyone but the user. Note that 
@@ -99,7 +100,7 @@ Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo de Raadt and Dug Song removed many bugs, re-added newer features and cre- ated OpenSSH. Markus Friedl contributed the support for SSH protocol - versions 1.5 and 2.0. Roumen Petrov contributed support for x509 cer- + versions 1.5 and 2.0. Roumen Petrov contributed support for X.509 cer- tificates. BSD September 25, 1999 BSD diff -ruN openssh-3.8p1+x509g3/ssh-add.1 openssh-3.8p1+x509g4/ssh-add.1 --- openssh-3.8p1+x509g3/ssh-add.1 2004-02-25 09:06:00.000000000 +0200 +++ openssh-3.8p1+x509g4/ssh-add.1 2004-03-09 09:06:00.000000000 +0200 @@ -57,6 +57,8 @@ .Nm adds RSA or DSA identities to the authentication agent, .Xr ssh-agent 1 . +It is possible identity to contain in addition +corresponding X.509 certificate. When run without arguments, it adds the files .Pa $HOME/.ssh/id_rsa , .Pa $HOME/.ssh/id_dsa @@ -81,7 +83,8 @@ .It Fl l Lists fingerprints of all identities currently represented by the agent. .It Fl L -Lists public key parameters of all identities currently represented by the agent. +Lists public key or certificate parameters of +all identities currently represented by the agent. .It Fl d Instead of adding the identity, removes the identity from the agent. .It Fl D @@ -146,10 +149,10 @@ Contains the protocol version 1 RSA authentication identity of the user. .It Pa $HOME/.ssh/id_dsa Contains the protocol version 2 DSA authentication identity of the user. -It is possible to contain identity plus x509 certificate. +It is possible to contain identity plus X.509 certificate. .It Pa $HOME/.ssh/id_rsa Contains the protocol version 2 RSA authentication identity of the user. -It is possible to contain identity plus x509 certificate. +It is possible to contain identity plus X.509 certificate. .El .Pp Identity files should not be readable by anyone but the user. 
@@ -175,4 +178,4 @@ created OpenSSH. Markus Friedl contributed the support for SSH protocol versions 1.5 and 2.0. -Roumen Petrov contributed support for x509 certificates. +Roumen Petrov contributed support for X.509 certificates. diff -ruN openssh-3.8p1+x509g3/ssh-agent.0 openssh-3.8p1+x509g4/ssh-agent.0 --- openssh-3.8p1+x509g3/ssh-agent.0 2004-02-25 09:06:00.000000000 +0200 +++ openssh-3.8p1+x509g4/ssh-agent.0 2004-03-09 09:06:00.000000000 +0200 @@ -9,7 +9,8 @@ DESCRIPTION ssh-agent is a program to hold private keys used for public key authenti- - cation (RSA, DSA). The idea is that ssh-agent is started in the begin- + cation (RSA, DSA). It is possible to contain in addition corresponding + X.509 certificate. The idea is that ssh-agent is started in the begin- ning of an X-session or a login session, and all other windows or pro- grams are started as clients to the ssh-agent program. Through use of environment variables the agent can be located and automatically used for @@ -19,7 +20,7 @@ -a bind_address Bind the agent to the unix-domain socket bind_address. The - default is /tmp/ssh-XXXXXXXX/agent.. + default is /tmp/ssh-XXXXXXXXXX/agent.. -c Generate C-shell commands on stdout. This is the default if SHELL looks like it's a csh style of shell. 
@@ -48,10 +49,10 @@ $HOME/.ssh/id_rsa, $HOME/.ssh/id_dsa and $HOME/.ssh/identity. If the identity has a passphrase, ssh-add(1) asks for the passphrase (using a small X11 application if running under X11, or from the terminal if run- - ning without X). It then sends the identity to the agent. Several iden- - tities can be stored in the agent; the agent can automatically use any of - these identities. ssh-add -l displays the identities currently held by - the agent. + ning without X). It then sends the identity to the agent. Identity can + contain in addition a X.509 certificate. Several identities can be + stored in the agent; the agent can automatically use any of these identi- + ties. ssh-add -l displays the identities currently held by the agent. The idea is that the agent is run in the user's local PC, laptop, or ter- minal. Authentication data need not be stored on any other machine, and @@ -97,7 +98,7 @@ the user. It is possible to contain identity plus x509 certifi- cate. - /tmp/ssh-XXXXXXXX/agent. + /tmp/ssh-XXXXXXXXXX/agent. Unix-domain sockets used to contain the connection to the authen- tication agent. These sockets should only be readable by the owner. The sockets should get automatically removed when the diff -ruN openssh-3.8p1+x509g3/ssh-agent.1 openssh-3.8p1+x509g4/ssh-agent.1 --- openssh-3.8p1+x509g3/ssh-agent.1 2004-02-25 09:06:00.000000000 +0200 +++ openssh-3.8p1+x509g4/ssh-agent.1 2004-03-09 09:06:00.000000000 +0200 @@ -55,6 +55,7 @@ .Nm is a program to hold private keys used for public key authentication (RSA, DSA). +It is possible to contain in addition corresponding X.509 certificate. The idea is that .Nm is started in the beginning of an X-session or a login session, and @@ -71,7 +72,7 @@ Bind the agent to the unix-domain socket .Ar bind_address . The default is -.Pa /tmp/ssh-XXXXXXXX/agent. . +.Pa /tmp/ssh-XXXXXXXXXX/agent. . .It Fl c Generate C-shell commands on .Dv stdout . 
@@ -121,6 +122,7 @@ asks for the passphrase (using a small X11 application if running under X11, or from the terminal if running without X). It then sends the identity to the agent. +Identity can contain in addition a X.509 certificate. Several identities can be stored in the agent; the agent can automatically use any of these identities. .Ic ssh-add -l @@ -176,7 +178,7 @@ .It Pa $HOME/.ssh/id_rsa Contains the protocol version 2 RSA authentication identity of the user. It is possible to contain identity plus x509 certificate. -.It Pa /tmp/ssh-XXXXXXXX/agent. +.It Pa /tmp/ssh-XXXXXXXXXX/agent. Unix-domain sockets used to contain the connection to the authentication agent. These sockets should only be readable by the owner. diff -ruN openssh-3.8p1+x509g3/ssh_config.0 openssh-3.8p1+x509g4/ssh_config.0 --- openssh-3.8p1+x509g3/ssh_config.0 2004-02-25 09:06:00.000000000 +0200 +++ openssh-3.8p1+x509g4/ssh_config.0 2004-03-09 09:06:00.000000000 +0200 @@ -54,10 +54,9 @@ The intended use for the X509 server certificate. Without this option no chain verification will be done. Currently accepted uses are case insensitive: - - `sslserver' , `SSL server' , `SSL_server' or `server' ; - - `any' , `Any Purpose' , `Any_Purpose' or `AnyPurpose' ; - - `skip' or `' (empty): do not check purpose. - + o `sslserver' , `SSL server' , `SSL_server' or `server' ; + o `any' , `Any Purpose' , `Any_Purpose' or `AnyPurpose' ; + o `skip' or `' (empty): do not check purpose. The default is ``sslserver''. BatchMode 
@@ -74,25 +73,25 @@ CACertificateFile This file contain multiple certificates of certificate signers in PEM format concatenated together. The default is - /etc/ssh/ca/ca-bundle.crt + /etc/ssh/ca/ca-bundle.crt. CACertificatePath ``Hash dir'' with certificates of certificate signers. Each cer- tificate should be stored in separate file with name [HASH].[NUM- BER], where [HASH] is certificate hash value and [NUMBER] is an - integer starting from zero. The default is /etc/ssh/ca/crt + integer starting from zero. The default is /etc/ssh/ca/crt. CARevocationFile This file contain multiple ``Certificate Revocation List'' (CRL) of certificate signers in PEM format concatenated together. The - default is /etc/ssh/ca/ca-bundle.crl + default is /etc/ssh/ca/ca-bundle.crl. CARevocationPath ``Hash dir'' with ``Certificate Revocation List'' (CRL) of cer- tificate signers. Each CRL should be stored in separate file with name [HASH].r[NUMBER], where [HASH] is CRL hash value and [NUM- BER] is an integer starting from zero. The default is - /etc/ssh/ca/crl + /etc/ssh/ca/crl. ChallengeResponseAuthentication Specifies whether to use challenge response authentication. The @@ -266,7 +265,7 @@ identity is read. The default is $HOME/.ssh/identity for proto- col version 1, and $HOME/.ssh/id_rsa and $HOME/.ssh/id_dsa for protocol version 2. For version 2 is possible identity file to - contain key plus x509 certificate. Additionally, any identities + contain key plus X.509 certificate. Additionally, any identities represented by the authentication agent will be used for authen- tication. The file name may use the tilde syntax to refer to a user's home directory. It is possible to have multiple identity 
@@ -446,16 +445,16 @@ mand line. UserCACertificateFile - User CACertificateFile , the default is ~/.ssh/ca-bundle.crt + User CACertificateFile , the default is ~/.ssh/ca-bundle.crt. UserCACertificatePath - User CACertificatePath , the default is ~/.ssh/crt + User CACertificatePath , the default is ~/.ssh/crt. UserCARevocationFile - User CARevocationFile , the default is ~/.ssh/ca-bundle.crl + User CARevocationFile , the default is ~/.ssh/ca-bundle.crl. UserCARevocationPath - User CARevocationPath , the default is ~/.ssh/crl + User CARevocationPath , the default is ~/.ssh/crl. UserKnownHostsFile Specifies a file to use for the user host key database instead of @@ -479,7 +478,7 @@ X509rsaSigType Temporary option. Specifies signature digest type for - `x509v3-sign-rsa keys'. The possible values are ``md5'' and + `x509v3-sign-rsa' identities. The possible values are ``md5'' and ``sha1''. Use this option only in session with other SecSH servers with X.509 certificates as identity or host key. The default is ``md5''. @@ -506,7 +505,7 @@ Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo de Raadt and Dug Song removed many bugs, re-added newer features and cre- ated OpenSSH. Markus Friedl contributed the support for SSH protocol - versions 1.5 and 2.0. Roumen Petrov contributed support for x509 cer- + versions 1.5 and 2.0. Roumen Petrov contributed support for X.509 cer- tificates. BSD September 25, 1999 BSD diff -ruN openssh-3.8p1+x509g3/ssh_config.5 openssh-3.8p1+x509g4/ssh_config.5 --- openssh-3.8p1+x509g3/ssh_config.5 2004-02-25 09:06:00.000000000 +0200 +++ openssh-3.8p1+x509g4/ssh_config.5 2004-03-09 09:06:00.000000000 +0200 @@ -128,7 +128,7 @@ The intended use for the X509 server certificate. Without this option no chain verification will be done. Currently accepted uses are case insensitive: -.Bl -hyphen -compact +.Bl -bullet -compact .It .Sq sslserver , 
@@ -154,7 +154,6 @@ .. (empty): do not check purpose. .El -.Pp The default is .Dq sslserver . .It Cm BatchMode @@ -180,7 +179,7 @@ .It Cm CACertificateFile This file contain multiple certificates of certificate signers in PEM format concatenated together. The default is -.Pa /etc/ssh/ca/ca-bundle.crt +.Pa /etc/ssh/ca/ca-bundle.crt . .Pp .It Cm CACertificatePath .Dq "Hash dir" @@ -188,14 +187,14 @@ stored in separate file with name [HASH].[NUMBER], where [HASH] is certificate hash value and [NUMBER] is an integer starting from zero. The default is -.Pa /etc/ssh/ca/crt +.Pa /etc/ssh/ca/crt . .Pp .It Cm CARevocationFile This file contain multiple .Dq "Certificate Revocation List" (CRL) of certificate signers in PEM format concatenated together. The default is -.Pa /etc/ssh/ca/ca-bundle.crl +.Pa /etc/ssh/ca/ca-bundle.crl . .Pp .It Cm CARevocationPath .Dq "Hash dir" @@ -204,7 +203,7 @@ (CRL) of certificate signers. Each CRL should be stored in separate file with name [HASH].r[NUMBER], where [HASH] is CRL hash value and [NUMBER] is an integer starting from zero. The default is -.Pa /etc/ssh/ca/crl +.Pa /etc/ssh/ca/crl . .It Cm ChallengeResponseAuthentication Specifies whether to use challenge response authentication. The argument to this keyword must be @@ -462,7 +461,7 @@ and .Pa $HOME/.ssh/id_dsa for protocol version 2. -For version 2 is possible identity file to contain key plus x509 certificate. +For version 2 is possible identity file to contain key plus X.509 certificate. Additionally, any identities represented by the authentication agent will be used for authentication. The file name may use the tilde 
@@ -738,25 +737,25 @@ User .Cm CACertificateFile , the default is -.Pa ~/.ssh/ca-bundle.crt +.Pa ~/.ssh/ca-bundle.crt . .Pp .It Cm UserCACertificatePath User .Cm CACertificatePath , the default is -.Pa ~/.ssh/crt +.Pa ~/.ssh/crt . .Pp .It Cm UserCARevocationFile User .Cm CARevocationFile , the default is -.Pa ~/.ssh/ca-bundle.crl +.Pa ~/.ssh/ca-bundle.crl . .Pp .It Cm UserCARevocationPath User .Cm CARevocationPath , the default is -.Pa ~/.ssh/crl +.Pa ~/.ssh/crl . .It Cm UserKnownHostsFile Specifies a file to use for the user host key database instead of @@ -793,8 +792,8 @@ .It Cm X509rsaSigType Temporary option. Specifies signature digest type for -.Sq x509v3-sign-rsa keys . -The possible values are +.Sq x509v3-sign-rsa +identities. The possible values are .Dq md5 and .Dq sha1 . @@ -832,4 +831,4 @@ created OpenSSH. Markus Friedl contributed the support for SSH protocol versions 1.5 and 2.0. -Roumen Petrov contributed support for x509 certificates. +Roumen Petrov contributed support for X.509 certificates. diff -ruN openssh-3.8p1+x509g3/sshd.0 openssh-3.8p1+x509g4/sshd.0 --- openssh-3.8p1+x509g3/sshd.0 2004-02-25 09:06:00.000000000 +0200 +++ openssh-3.8p1+x509g4/sshd.0 2004-03-09 09:06:00.000000000 +0200 @@ -61,7 +61,7 @@ SSH protocol version 2 Version 2 works similarly: Each host has a host-specific key (RSA or DSA) used to identify the host. It is possible host key to contain key plus - x509 certificate. However, when the daemon starts, it does not generate + X.509 certificate. However, when the daemon starts, it does not generate a server key. Forward security is provided through a Diffie-Hellman key agreement. This key agreement results in a shared session key. 
@@ -143,7 +143,7 @@ tocol version 2. It is possible to have multiple host key files for the different protocol versions and host key algorithms. It is possible host key for protocol version 2 to contain key plus - x509 certificate. + X.509 certificate. -i Specifies that sshd is being run from inetd(8). sshd is normally not run from inetd because it needs to generate the server key @@ -234,9 +234,9 @@ $HOME/.ssh/authorized_keys is the default file that lists the public keys that are permitted for RSA authentication in protocol version 1 and for public key authentication (PubkeyAuthentication) in protocol version 2. - It is posible for protocol version 2 to contain x509 certificate or cer- - tificate ``Distinguished Name''. AuthorizedKeysFile may be used to spec- - ify an alternative file. + It is posible for protocol version 2 to contain X.509 certificates or + certificates ``Distinguished Name''. AuthorizedKeysFile may be used to + specify an alternative file. Each line of the file contains one key (empty lines and lines starting with a `#' are ignored as comments). Each RSA public key consists of the @@ -248,7 +248,7 @@ ulus and comment fields give the RSA key for protocol version 1; the com- ment field is not used for anything (but may be convenient for the user to identify the key). For protocol version 2 the keytype is ``ssh-dss'' - or ``ssh-rsa''. In addition for protocol version 2 user can use x509 + or ``ssh-rsa''. In addition for protocol version 2 user can use X.509 certificates. In that case keytype is ``x509v3-sign-rsa'' or ``x509v3-sign-dss''. Instead of ``base64 encoded key'' line must contain base64 encoded certicate (old style) or a keyword (new style), optional 
@@ -347,11 +347,11 @@ SSH_KNOWN_HOSTS FILE FORMAT The /etc/ssh/ssh_known_hosts and $HOME/.ssh/known_hosts files contain - host public keys, certificates (old style) or certificate ``Distinguished - Name'' for all known hosts. The global file should be prepared by the - administrator (optional), and the per-user file is maintained automati- - cally: whenever the user connects from an unknown host its key is added - to the per-user file. + host public keys, certificates (old style) or certificates + ``Distinguished Name'' for all known hosts. The global file should be + prepared by the administrator (optional), and the per-user file is main- + tained automatically: whenever the user connects from an unknown host its + key is added to the per-user file. Each line in these files contains the following fields: hostnames, bits, exponent, modulus, comment. The fields are separated by spaces. @@ -396,7 +396,7 @@ /etc/ssh/ssh_host_key, /etc/ssh/ssh_host_dsa_key, /etc/ssh/ssh_host_rsa_key These three files contain the private parts of the host keys. It - is possible to contain private part plus x509 certificate for + is possible to contain private part plus X.509 certificate for protocol version 2 keys. These files should only be owned by root, readable only by root, and not accessible to others. Note that sshd does not start if this file is group/world-accessible. @@ -430,7 +430,7 @@ able. $HOME/.ssh/authorized_keys - Lists the public keys (RSA or DSA), certificates or certificate + Lists the public keys (RSA or DSA), certificates or certificates ``Distinguished Names'' (recommendet) that can be used to log into the user's account. This file must be readable by root (which may on some machines imply it being world-readable if the 
@@ -453,16 +453,16 @@ /etc/ssh/ca/ca-bundle.crt and /etc/ssh/ca/ca-bundle.crl The first file contain multiple certificates and the second ``Certificate Revocation List'' (CRLs) of certificate signers in - PEM format concatenated together. Used to verify client certifi- - cate. + PEM format concatenated together. Used to verify and validate + client certificate. /etc/ssh/ca/crt and /etc/ssh/ca/crl ``Hash dirs'' with certificates, the first directory or CLRs, the second of certificate signers. Each certificate should be stored in separate file with name [HASH].[NUMBER] or [HASH].r[NUMBER] for the CRL, where [HASH] is certificate or CRL hash value and - [NUMBER] is an integer starting from zero. Used to verify client - certificate. + [NUMBER] is an integer starting from zero. Used to verify and + validate client certificate. /etc/nologin If this file exists, sshd refuses to let anyone except root log @@ -587,7 +587,7 @@ de Raadt and Dug Song removed many bugs, re-added newer features and cre- ated OpenSSH. Markus Friedl contributed the support for SSH protocol versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support - for privilege separation. Roumen Petrov contributed support for x509 + for privilege separation. Roumen Petrov contributed support for X.509 certificates. BSD September 25, 1999 BSD diff -ruN openssh-3.8p1+x509g3/sshd.8 openssh-3.8p1+x509g4/sshd.8 --- openssh-3.8p1+x509g3/sshd.8 2004-02-25 09:06:00.000000000 +0200 +++ openssh-3.8p1+x509g4/sshd.8 2004-03-09 09:06:00.000000000 +0200 @@ -153,7 +153,7 @@ .Ss SSH protocol version 2 Version 2 works similarly: Each host has a host-specific key (RSA or DSA) used to identify the host. -It is possible host key to contain key plus x509 certificate. +It is possible host key to contain key plus X.509 certificate. However, when the daemon starts, it does not generate a server key. Forward security is provided through a Diffie-Hellman key agreement. This key agreement results in a shared session key. 
@@ -261,7 +261,7 @@ for protocol version 2. It is possible to have multiple host key files for the different protocol versions and host key algorithms. -It is possible host key for protocol version 2 to contain key plus x509 +It is possible host key for protocol version 2 to contain key plus X.509 certificate. .It Fl i Specifies that @@ -406,8 +406,8 @@ permitted for RSA authentication in protocol version 1 and for public key authentication (PubkeyAuthentication) in protocol version 2. -It is posible for protocol version 2 to contain x509 certificate -or certificate +It is posible for protocol version 2 to contain X.509 certificates +or certificates .Dq "Distinguished Name" . .Cm AuthorizedKeysFile may be used to specify an alternative file. @@ -432,7 +432,7 @@ .Dq ssh-dss or .Dq ssh-rsa . -In addition for protocol version 2 user can use x509 certificates. +In addition for protocol version 2 user can use X.509 certificates. In that case keytype is .Dq x509v3-sign-rsa or @@ -441,9 +441,9 @@ .Dq "base64 encoded key" line must contain base64 encoded certicate (old style) or a keyword (new style), optional followed by symbol -.Ql = +.Sq = (equal) or -.Ql \&: +.Sq \&: (colon), zero or more spaces and certificate .Dq "Distinguished Name" (Subject). Keyword is case insensitive and can be one of @@ -459,9 +459,9 @@ or .Sq DN . Separator of Subject items can be -.Ql / +.Sq / (slash), -.Ql \&, +.Sq \&, (comma) or mixed and order is not important. .Pp Note that lines in this file are usually several hundred bytes long 
@@ -568,13 +568,13 @@ .Pp permitopen="10.2.1.55:80",permitopen="10.2.1.56:25" 1024 33 23...2323 .Pp -x509v3-sign-dss subject= /C=XX/ST=World/O=OpenSSH Test Team.\|.\|.\| +x509v3-sign-dss subject= /C=XX/ST=World/O=OpenSSH Test Team... .Sh SSH_KNOWN_HOSTS FILE FORMAT The .Pa /etc/ssh/ssh_known_hosts and .Pa $HOME/.ssh/known_hosts -files contain host public keys, certificates (old style) or certificate +files contain host public keys, certificates (old style) or certificates .Dq "Distinguished Name" for all known hosts. The global file should @@ -641,7 +641,7 @@ .Xr sshd_config 5 . .It Pa /etc/ssh/ssh_host_key, /etc/ssh/ssh_host_dsa_key, /etc/ssh/ssh_host_rsa_key These three files contain the private parts of the host keys. -It is possible to contain private part plus x509 certificate for +It is possible to contain private part plus X.509 certificate for protocol version 2 keys. These files should only be owned by root, readable only by root, and not accessible to others. @@ -679,7 +679,7 @@ started last). The content of this file is not sensitive; it can be world-readable. .It Pa $HOME/.ssh/authorized_keys -Lists the public keys (RSA or DSA), certificates or certificate +Lists the public keys (RSA or DSA), certificates or certificates .Dq "Distinguished Names" (recommendet) that can be used to log into the user's account. @@ -711,7 +711,7 @@ The first file contain multiple certificates and the second .Dq "Certificate Revocation List" (CRLs) of certificate signers in PEM format concatenated together. -Used to verify client certificate. +Used to verify and validate client certificate. .It Pa "/etc/ssh/ca/crt" and Pa "/etc/ssh/ca/crl" .Dq "Hash dirs" with certificates, the first directory or CLRs, the second of 
@@ -720,7 +720,7 @@ [HASH].[NUMBER] or [HASH].r[NUMBER] for the CRL, where [HASH] is certificate or CRL hash value and [NUMBER] is an integer starting from zero. -Used to verify client certificate. +Used to verify and validate client certificate. .It Pa /etc/nologin If this file exists, .Nm @@ -900,4 +900,4 @@ protocol versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support for privilege separation. -Roumen Petrov contributed support for x509 certificates. +Roumen Petrov contributed support for X.509 certificates. diff -ruN openssh-3.8p1+x509g3/sshd_config.0 openssh-3.8p1+x509g4/sshd_config.0 --- openssh-3.8p1+x509g3/sshd_config.0 2004-02-25 09:06:00.000000000 +0200 +++ openssh-3.8p1+x509g4/sshd_config.0 2004-03-09 09:06:00.000000000 +0200 @@ -19,9 +19,9 @@ The intended use for the X509 client certificate. Without this option no chain verification will be done. Currently accepted uses are case insensitive: - - `sslclient' , `SSL client' , `SSL_client' or `client' ; - - `any' , `Any Purpose' , `Any_Purpose' or `AnyPurpose' ; - - `skip' or `' (empty): do not check purpose. + o `sslclient' , `SSL client' , `SSL_client' or `client' ; + o `any' , `Any Purpose' , `Any_Purpose' or `AnyPurpose' ; + o `skip' or `' (empty): do not check purpose. The default is ``sslclient''. 
@@ -69,25 +69,25 @@ CACertificateFile This file contain multiple certificates of certificate signers in PEM format concatenated together. The default is - /etc/ssh/ca/ca-bundle.crt + /etc/ssh/ca/ca-bundle.crt. CACertificatePath ``Hash dir'' with certificates of certificate signers. Each cer- tificate should be stored in separate file with name [HASH].[NUM- BER], where [HASH] is certificate hash value and [NUMBER] is an - integer starting from zero. The default is /etc/ssh/ca/crt + integer starting from zero. The default is /etc/ssh/ca/crt. CARevocationFile This file contain multiple ``Certificate Revocation List'' (CRL) of certificate signers in PEM format concatenated together. The - default is /etc/ssh/ca/ca-bundle.crl + default is /etc/ssh/ca/ca-bundle.crl. CARevocationPath ``Hash dir'' with ``Certificate Revocation List'' (CRL) of cer- tificate signers. Each CRL should be stored in separate file with name [HASH].r[NUMBER], where [HASH] is CRL hash value and [NUM- BER] is an integer starting from zero. The default is - /etc/ssh/ca/crl + /etc/ssh/ca/crl. ChallengeResponseAuthentication Specifies whether challenge response authentication is allowed. @@ -182,7 +182,7 @@ is group/world-accessible. It is possible to have multiple host key files. ``rsa1'' keys are used for version 1 and ``dsa'' or ``rsa'' are used for version 2 of the SSH protocol. It is possi- - ble host key to contain key plus x509 certificate for version 2. + ble host key to contain key plus X.509 certificate for version 2. IgnoreRhosts Specifies that .rhosts and .shosts files will not be used in 
@@ -500,7 +500,7 @@ de Raadt and Dug Song removed many bugs, re-added newer features and cre- ated OpenSSH. Markus Friedl contributed the support for SSH protocol versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support - for privilege separation. Roumen Petrov contributed support for x509 + for privilege separation. Roumen Petrov contributed support for X.509 certificates. BSD September 25, 1999 BSD diff -ruN openssh-3.8p1+x509g3/sshd_config.5 openssh-3.8p1+x509g4/sshd_config.5 --- openssh-3.8p1+x509g3/sshd_config.5 2004-02-25 09:06:00.000000000 +0200 +++ openssh-3.8p1+x509g4/sshd_config.5 2004-03-09 09:06:00.000000000 +0200 @@ -66,7 +66,7 @@ The intended use for the X509 client certificate. Without this option no chain verification will be done. Currently accepted uses are case insensitive: -.Bl -hyphen -compact +.Bl -bullet -compact .It .Sq sslclient , @@ -159,7 +159,7 @@ .It Cm CACertificateFile This file contain multiple certificates of certificate signers in PEM format concatenated together. The default is -.Pa /etc/ssh/ca/ca-bundle.crt +.Pa /etc/ssh/ca/ca-bundle.crt . .Pp .It Cm CACertificatePath .Dq "Hash dir" @@ -167,14 +167,14 @@ stored in separate file with name [HASH].[NUMBER], where [HASH] is certificate hash value and [NUMBER] is an integer starting from zero. The default is -.Pa /etc/ssh/ca/crt +.Pa /etc/ssh/ca/crt . .Pp .It Cm CARevocationFile This file contain multiple .Dq "Certificate Revocation List" (CRL) of certificate signers in PEM format concatenated together. The default is -.Pa /etc/ssh/ca/ca-bundle.crl +.Pa /etc/ssh/ca/ca-bundle.crl . .Pp .It Cm CARevocationPath .Dq "Hash dir" 
@@ -183,7 +183,7 @@ (CRL) of certificate signers. Each CRL should be stored in separate file with name [HASH].r[NUMBER], where [HASH] is CRL hash value and [NUMBER] is an integer starting from zero. The default is -.Pa /etc/ssh/ca/crl +.Pa /etc/ssh/ca/crl . .Pp .It Cm ChallengeResponseAuthentication Specifies whether challenge response authentication is allowed. @@ -329,7 +329,7 @@ or .Dq rsa are used for version 2 of the SSH protocol. -It is possible host key to contain key plus x509 certificate +It is possible host key to contain key plus X.509 certificate for version 2. .It Cm IgnoreRhosts Specifies that @@ -842,4 +842,4 @@ protocol versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support for privilege separation. -Roumen Petrov contributed support for x509 certificates. +Roumen Petrov contributed support for X.509 certificates. diff -ruN openssh-3.8p1+x509g3/ssh-keygen.0 openssh-3.8p1+x509g4/ssh-keygen.0 --- openssh-3.8p1+x509g3/ssh-keygen.0 2004-02-25 09:06:00.000000000 +0200 +++ openssh-3.8p1+x509g4/ssh-keygen.0 2004-03-09 09:06:00.000000000 +0200 @@ -96,6 +96,8 @@ -l Show fingerprint of specified public key file. Private RSA1 keys are also supported. For RSA and DSA keys ssh-keygen tries to find the matching public key file and prints its fingerprint. + When identity contain X.509 certificate its prints certificate + fingerprint. -p Requests changing the passphrase of a private key file instead of creating a new private key. The program will prompt for the file @@ -210,7 +212,7 @@ $HOME/.ssh/id_dsa Contains the protocol version 2 DSA authentication identity of - the user. It is possible to contain identity plus x509 certifi- + the user. It is possible to contain identity plus X.509 certifi- cate. This file should not be readable by anyone but the user. It is possible to specify a passphrase when generating the key; that passphrase will be used to encrypt the private part of this 
@@ -224,16 +226,16 @@ $HOME/.ssh/authorized_keys on all machines where the user wishes to log in using public key authentication. There is no need to keep the contents of this file secret. When file - $HOME/.ssh/id_dsa contain DSA identity plus X509 certificate this - file must contain user certificate! Use ssh-keygen(1) with option - -y to regenerate its content. Note in case with X509 certificate - you can append content to $HOME/.ssh/authorized_keys or to add - certificate ``Distinguished Name'' / ``Subject'' in corresponding - format to ``authorized keys'' file. See sshd(8). + $HOME/.ssh/id_dsa contain DSA identity plus X.509 certificate + this file must contain that certificate! Use ssh-keygen with + option -y to regenerate its content. Note in case with X.509 + certificate you can append content to $HOME/.ssh/authorized_keys + or to add certificate ``Distinguished Name'' / ``Subject'' in + corresponding format to ``authorized keys'' file. See sshd(8). $HOME/.ssh/id_rsa Contains the protocol version 2 RSA authentication identity of - the user. It is possible to contain identity plus x509 certifi- + the user. It is possible to contain identity plus X.509 certifi- cate. This file should not be readable by anyone but the user. It is possible to specify a passphrase when generating the key; that passphrase will be used to encrypt the private part of this 
@@ -247,12 +249,12 @@ $HOME/.ssh/authorized_keys on all machines where the user wishes to log in using public key authentication. There is no need to keep the contents of this file secret. When file - $HOME/.ssh/id_rsa contain RSA identity plus X509 certificate this - file must contain user certificate! Use ssh-keygen(1) with option - -y to regenerate its content. Note in case with X509 certificate - you can append content to $HOME/.ssh/authorized_keys or to add - certificate ``Distinguished Name'' / ``Subject'' in corresponding - format to ``authorized keys'' file. See sshd(8). + $HOME/.ssh/id_rsa contain RSA identity plus X.509 certificate + this file must contain that certificate! Use ssh-keygen with + option -y to regenerate its content. Note in case with X.509 + certificate you can append content to $HOME/.ssh/authorized_keys + or to add certificate ``Distinguished Name'' / ``Subject'' in + corresponding format to ``authorized keys'' file. See sshd(8). /etc/moduli Contains Diffie-Hellman groups used for DH-GEX. The file format diff -ruN openssh-3.8p1+x509g3/ssh-keygen.1 openssh-3.8p1+x509g4/ssh-keygen.1 --- openssh-3.8p1+x509g3/ssh-keygen.1 2004-02-25 09:06:00.000000000 +0200 +++ openssh-3.8p1+x509g4/ssh-keygen.1 2004-03-09 09:06:00.000000000 +0200 @@ -211,6 +211,7 @@ For RSA and DSA keys .Nm tries to find the matching public key file and prints its fingerprint. +When identity contain X.509 certificate its prints certificate fingerprint. .It Fl p Requests changing the passphrase of a private key file instead of creating a new private key. 
@@ -356,7 +357,7 @@ There is no need to keep the contents of this file secret. .It Pa $HOME/.ssh/id_dsa Contains the protocol version 2 DSA authentication identity of the user. -It is possible to contain identity plus x509 certificate. +It is possible to contain identity plus X.509 certificate. This file should not be readable by anyone but the user. It is possible to specify a passphrase when generating the key; that passphrase will be @@ -375,11 +376,11 @@ There is no need to keep the contents of this file secret. When file .Pa $HOME/.ssh/id_dsa -contain DSA identity plus X509 certificate this file must contain -user certificate! Use -.Xr ssh-keygen 1 +contain DSA identity plus X.509 certificate this file must contain +that certificate! Use +.Nm with option -y to regenerate its content. -Note in case with X509 certificate you can append content to +Note in case with X.509 certificate you can append content to .Pa $HOME/.ssh/authorized_keys or to add certificate .Dq Distinguished Name @@ -391,7 +392,7 @@ .Xr sshd 8 . .It Pa $HOME/.ssh/id_rsa Contains the protocol version 2 RSA authentication identity of the user. -It is possible to contain identity plus x509 certificate. +It is possible to contain identity plus X.509 certificate. This file should not be readable by anyone but the user. It is possible to specify a passphrase when generating the key; that passphrase will be 
@@ -410,11 +411,11 @@ There is no need to keep the contents of this file secret. When file .Pa $HOME/.ssh/id_rsa -contain RSA identity plus X509 certificate this file must contain -user certificate! Use -.Xr ssh-keygen 1 +contain RSA identity plus X.509 certificate this file must contain +that certificate! Use +.Nm with option -y to regenerate its content. -Note in case with X509 certificate you can append content to +Note in case with X.509 certificate you can append content to .Pa $HOME/.ssh/authorized_keys or to add certificate .Dq Distinguished Name diff -ruN openssh-3.8p1+x509g3/ssh-keyscan.0 openssh-3.8p1+x509g4/ssh-keyscan.0 --- openssh-3.8p1+x509g3/ssh-keyscan.0 2004-02-25 09:06:00.000000000 +0200 +++ openssh-3.8p1+x509g4/ssh-keyscan.0 2004-03-09 09:06:00.000000000 +0200 @@ -74,7 +74,7 @@ Where keytype is either ``ssh-rsa'' or ``ssh-dss''. - Output format for rsa and dsa keys with x509 certificates: + Output format for rsa and dsa keys with X.509 certificates: host-or-namelist keytype distinguished-name @@ -99,7 +99,7 @@ AUTHORS David Mazieres wrote the initial version, and Wayne Davison added support for protocol - version 2. Roumen Petrov contributed support for x509 certificates. + version 2. Roumen Petrov contributed support for X.509 certificates. BUGS It generates "Connection closed by remote host" messages on the consoles diff -ruN openssh-3.8p1+x509g3/ssh-keyscan.1 openssh-3.8p1+x509g4/ssh-keyscan.1 --- openssh-3.8p1+x509g3/ssh-keyscan.1 2004-02-25 09:06:00.000000000 +0200 +++ openssh-3.8p1+x509g4/ssh-keyscan.1 2004-03-09 09:06:00.000000000 +0200 @@ -157,7 +157,7 @@ or .Dq ssh-dss . .Pp -.Pa Output format for rsa and dsa keys with x509 certificates: +.Pa Output format for rsa and dsa keys with X.509 certificates: .Bd -literal host-or-namelist keytype distinguished-name .Ed 
@@ -195,7 +195,7 @@ wrote the initial version, and .An Wayne Davison Aq wayned@users.sourceforge.net added support for protocol version 2. -Roumen Petrov contributed support for x509 certificates. +Roumen Petrov contributed support for X.509 certificates. .Sh BUGS It generates "Connection closed by remote host" messages on the consoles of all the machines it scans if the server is older than version 2.9. diff -ruN openssh-3.8p1+x509g3/ssh-keysign.0 openssh-3.8p1+x509g4/ssh-keysign.0 --- openssh-3.8p1+x509g3/ssh-keysign.0 2004-02-25 09:06:00.000000000 +0200 +++ openssh-3.8p1+x509g4/ssh-keysign.0 2004-03-09 09:06:00.000000000 +0200 @@ -29,7 +29,7 @@ readable only by root, and not accessible to others. Since they are readable only by root, ssh-keysign must be set-uid root if hostbased authentication is used. It is possible host key to - contain private parts plus x509 certificate. + contain private parts plus X.509 certificate. SEE ALSO ssh(1), ssh-keygen(1), ssh_config(5), sshd(8) diff -ruN openssh-3.8p1+x509g3/ssh-keysign.8 openssh-3.8p1+x509g4/ssh-keysign.8 --- openssh-3.8p1+x509g3/ssh-keysign.8 2004-02-25 09:06:00.000000000 +0200 +++ openssh-3.8p1+x509g4/ssh-keysign.8 2004-03-09 09:06:00.000000000 +0200 @@ -68,7 +68,7 @@ Since they are readable only by root, .Nm must be set-uid root if hostbased authentication is used. -It is possible host key to contain private parts plus x509 certificate. +It is possible host key to contain private parts plus X.509 certificate. .El .Sh SEE ALSO .Xr ssh 1 , diff -ruN openssh-3.8p1+x509g3/tests/CA/1-cre_cadb.sh openssh-3.8p1+x509g4/tests/CA/1-cre_cadb.sh --- openssh-3.8p1+x509g3/tests/CA/1-cre_cadb.sh 2004-02-16 20:59:15.000000000 +0200 +++ openssh-3.8p1+x509g4/tests/CA/1-cre_cadb.sh 2004-03-03 16:42:59.000000000 +0200 
@@ -31,7 +31,7 @@ # === # args: -# $1 type +# $1 - type echo_CA_common_options () { cat <> "${SSH_CFG}" <> "$SSHD_CFG" <> "$SSHD_CFG" < /dev/null FILE="${SSH_CACRLDIR}/${CAKEY_PREFIX}-${crltype}.crl.pem" HASH=`${OPENSSL} crl -out /dev/null -in "${FILE}" -hash`; retval=$? - if test $retval -eq 0; then + if test ${retval} -eq 0; then hashfile="${CRL_TEST_DIR}/${HASH}.r0" ln -s "${FILE}" "${hashfile}" #link might never fail :-( test -h "${hashfile}"; retval=$? fi #printf "${norm}" - show_status $retval || return $? + show_status ${retval} || return $? ( for type in ${SSH_SIGN_TYPES}; do @@ -156,12 +156,12 @@ exit 0 ); retval=$? - if test $retval -eq 0; then + if test ${retval} -eq 0; then rm -f "${hashfile}"; retval=$? else rm -f "${hashfile}" fi - return $retval + return ${retval} } @@ -193,18 +193,22 @@ killSSHdaemon rm -f "${CRL_TEST_DIR}"/* 2> /dev/null - if test $retval -eq 0; then + if test ${retval} -eq 0; then rmdir "${CRL_TEST_DIR}"; retval=$? else rmdir "${CRL_TEST_DIR}" fi - return $retval + return ${retval} } #=== do_test () { + if test "x${SSH_X509STORE_DISABLED}" = "xyes"; then + echo "* ${extd}X.509 store${norm} is ${attn}disabled${norm}" + return 1 + fi echo "* ${extd}against ${attn}CA CRL${norm} file and/or hash-dir:" test_nocrl && diff -ruN openssh-3.8p1+x509g3/tests/CA/test-dn_auth_file.sh.inc openssh-3.8p1+x509g4/tests/CA/test-dn_auth_file.sh.inc --- openssh-3.8p1+x509g3/tests/CA/test-dn_auth_file.sh.inc 2004-02-22 16:03:08.000000000 +0200 +++ openssh-3.8p1+x509g4/tests/CA/test-dn_auth_file.sh.inc 2004-03-09 08:51:13.000000000 +0200 @@ -89,6 +89,10 @@ # === do_test () { + if test "x${SSH_X509STORE_DISABLED}" = "xyes"; then + echo "* ${extd}X.509 store${norm} is ${attn}disabled${norm}" + return 1 + fi echo "* ${extd}against ${attn}CACertificateFile${norm} and autorization by x509 ${attn}'Distinguished Name'${norm}:" creTestSSHDcfgFile 
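Review bot: The new guard at the top of do_test (the `@@ -193,18 +193,22 @@` hunk) returns 1 when `SSH_X509STORE_DISABLED` is `yes`, so a caller cannot tell "store compiled out, tests not run" from a genuine CRL test failure; if skipping is the intent a distinct status or an explicit comment is needed, and if failing is the intent the printed message should say so. A comment such as `# X.509 store is compiled out: CRL tests cannot run, report as failure` above the `if` would settle it either way. The same four-line guard is pasted into do_test in test-dn_auth_file.sh.inc (the `@@ -89,6 +89,10 @@` hunk) as well, which suggests a single helper in the shared include rather than per-file copies. The body of do_test continues past the end of the hunk.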
@@ -100,17 +104,16 @@ EOF runSSHdaemon || return $? + ( for SSH_CLIENTKEY in ${TEST_SSH_CLIENTKEYS}; do printSeparator echo "Begin test with base key_file ${attn}${SSH_CLIENTKEY}${norm} ..." for type in ${SSH_SIGN_TYPES}; do - testDNautorizations1; retval=$? - if test $retval -ne 0; then - break - fi + testDNautorizations1 || exit $? done done + ); retval=$? killSSHdaemon return $retval } diff -ruN openssh-3.8p1+x509g3/tests/CA/test-dn_auth_path.sh.inc openssh-3.8p1+x509g4/tests/CA/test-dn_auth_path.sh.inc --- openssh-3.8p1+x509g3/tests/CA/test-dn_auth_path.sh.inc 2004-02-16 21:38:44.000000000 +0200 +++ openssh-3.8p1+x509g4/tests/CA/test-dn_auth_path.sh.inc 2004-03-09 08:50:54.000000000 +0200 @@ -63,6 +63,10 @@ # === do_test () { + if test "x${SSH_X509STORE_DISABLED}" = "xyes"; then + echo "* ${extd}X.509 store${norm} is ${attn}disabled${norm}" + return 1 + fi echo "* ${extd}against ${attn}CACertificatePath${norm}:" CRT_TEST_DIR="${SSH_CAROOT}/crt-test" @@ -76,7 +80,7 @@ EOF - runSSHdaemon && + runSSHdaemon || return $? ( for SSH_CLIENTKEY in ${TEST_SSH_CLIENTKEYS}; do printSeparator diff -ruN openssh-3.8p1+x509g3/x509store.c openssh-3.8p1+x509g4/x509store.c --- openssh-3.8p1+x509g3/x509store.c 2004-02-21 22:06:27.000000000 +0200 +++ openssh-3.8p1+x509g4/x509store.c 2004-03-03 16:56:30.000000000 +0200 @@ -274,7 +274,7 @@ return(0); /* ;-) */ } if (X509_LOOKUP_add_dir(lookup, _locations->certificate_path, X509_FILETYPE_PEM)) { - debug2( "hash dir '%.400s' added to x509 store", _locations->certificate_path); + debug2("hash dir '%.400s' added to x509 store", _locations->certificate_path); flag = 1; } ERR_clear_error(); @@ -286,7 +286,7 @@ return(0); /* ;-) */ } if (X509_LOOKUP_load_file(lookup, _locations->certificate_file, X509_FILETYPE_PEM)) { - debug2( "file '%.400s' added to x509 store", _locations->certificate_file); + debug2("file '%.400s' added to x509 store", _locations->certificate_file); flag = 1; } ERR_clear_error(); 
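Review bot: The rewritten tail of do_test in test-dn_auth_file.sh.inc keeps `return $retval` and `); retval=$?` in the unbraced form, while the CRL test hunks in this same diff normalise every occurrence to `${retval}`; since that normalisation is part of this change, the two lines here should follow it, `); retval=$?` and `return ${retval}`. The subshell refactor itself (`testDNautorizations1 || exit $?` inside `( ... )`) is sound: the failing status is captured before `killSSHdaemon` runs, so the daemon teardown cannot clobber it.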
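Review bot: Replacing `runSSHdaemon &&` with `runSSHdaemon || return $?` in test-dn_auth_path.sh.inc (the `@@ -76,7 +80,7 @@` hunk) makes do_test return as soon as the daemon fails to start, which skips whatever follows the subshell; the old `&&` form fell through to it. Earlier in the same function (the `@@ -63,6 +63,10 @@` hunk) `CRT_TEST_DIR="${SSH_CAROOT}/crt-test"` is set, and if that hash directory and its links are populated before runSSHdaemon and removed after the subshell (neither is visible here), the early return presumably leaves them behind for the next run. If such cleanup exists, move it into a helper invoked on both the failure and the normal path, or keep the `&&` form so control still reaches it. The body of do_test continues outside the hunk.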
@@ -299,7 +299,7 @@
 return(0); /* ;-) */
 }
 if (X509_LOOKUP_add_dir(lookup, _locations->revocation_path, X509_FILETYPE_PEM)) {
- debug2( "hash dir '%.400s' added to x509 revocation store", _locations->revocation_path);
+ debug2("hash dir '%.400s' added to x509 revocation store", _locations->revocation_path);
 flag2 = 1;
 }
 ERR_clear_error();
@@ -311,7 +311,7 @@
 return(0); /* ;-) */
 }
 if (X509_LOOKUP_load_file(lookup, _locations->revocation_file, X509_FILETYPE_PEM)) {
- debug2( "file '%.400s' added to x509 revocation store", _locations->revocation_file);
+ debug2("file '%.400s' added to x509 revocation store", _locations->revocation_file);
 flag2 = 1;
 }
 ERR_clear_error();