Lines Matching +full:- +full:- +full:valid +full:- +full:-
1 This document describes a simple public-key certificate authentication
11 surface, but it does not support the important use-cases of centrally
15 system already in SSH to allow certificate-based authentication. The
29 public key that is used to sign challenges. In OpenSSH, ssh-keygen
34 ssh-rsa-cert-v01@openssh.com
35 ssh-dss-cert-v01@openssh.com
36 ecdsa-sha2-nistp256-cert-v01@openssh.com
37 ecdsa-sha2-nistp384-cert-v01@openssh.com
38 ecdsa-sha2-nistp521-cert-v01@openssh.com
39 ssh-ed25519-cert-v01@openssh.com
42 SHA-2 signatures (SHA-256 and SHA-512 respectively):
44 rsa-sha2-256-cert-v01@openssh.com
45 rsa-sha2-512-cert-v01@openssh.com
47 These RSA/SHA-2 types should not appear in keys at rest or transmitted
48 on the wire, but do appear in an SSH_MSG_KEXINIT's host-key algorithms
59 breaking the protocol - implementations that do not support the
69 The certificate key types take a similar high-level format (note: data
78 string "ssh-rsa-cert-v01@openssh.com"
85 string valid principals
86 uint64 valid after
87 uint64 valid before
96 string "ssh-dss-cert-v01@openssh.com"
105 string valid principals
106 uint64 valid after
107 uint64 valid before
116 string "ecdsa-sha2-nistp256-cert-v01@openssh.com" |
117 "ecdsa-sha2-nistp384-cert-v01@openssh.com" |
118 "ecdsa-sha2-nistp521-cert-v01@openssh.com"
125 string valid principals
126 uint64 valid after
127 uint64 valid before
136 string "ssh-ed25519-cert-v01@openssh.com"
142 string valid principals
143 uint64 valid after
144 uint64 valid before
151 The nonce field is a CA-provided random bitstring of arbitrary length
157 p, q, g, y are the DSA parameters as described in FIPS-186-2.
172 key id is a free-form text field that is filled in by the CA at the time
176 "valid principals" is a string containing zero or more principals as
178 certificate is valid; hostnames for SSH_CERT_TYPE_HOST certificates and
180 zero-length "valid principals" field means the certificate is valid for
183 "valid after" and "valid before" specify a validity period for the
184 certificate. Each represents a time in seconds since 1970-01-01
185 00:00:00. A certificate is considered valid if:
187 valid after <= current time < valid before
208 certificate. The valid key types for CA keys are ssh-rsa,
209 ssh-dss, ssh-ed25519 and the ECDSA types ecdsa-sha2-nistp256,
210 ecdsa-sha2-nistp384, ecdsa-sha2-nistp521. "Chained" certificates, where
213 Ed25519 or ECDSA CA key and vice-versa.
218 (RFC4253 section 6.6 for ssh-rsa and ssh-dss, RFC5656 for the ECDSA
235 option-specific information (see below). All options are
240 domain name to the option name, e.g. "my-option@example.com".
248 force-command string Specifies a command that is executed
250 ssh command-line) whenever this key is
253 source-address string Comma-separated list of source addresses
262 verify-required empty Flag indicating that signatures made
274 non-critical certificate extensions. The encoding and ordering of
282 domain name to the option name, e.g. "my-option@example.com".
290 no-touch-required empty Flag indicating that signatures made
297 permit-X11-forwarding empty Flag indicating that X11 forwarding
301 permit-agent-forwarding empty Flag indicating that agent forwarding
306 permit-port-forwarding empty Flag indicating that port-forwarding
311 permit-pty empty Flag indicating that PTY allocation
316 permit-user-rc empty Flag indicating that execution of