PROTOCOL.certkeys - OpenGrok cross reference for /freebsd/crypto/openssh/PROTOCOL.certkeys

Lines Matching +full:string +full:- +full:support
1 This document describes a simple public-key certificate authentication
5 ----------
11 surface, but it does not support the important use-cases of centrally
15 system already in SSH to allow certificate-based authentication. The
24 raw user keys. The ssh client will support automatic verification of
29 public key that is used to sign challenges. In OpenSSH, ssh-keygen
34     ssh-rsa-cert-v01@openssh.com
35     ssh-dss-cert-v01@openssh.com
36     ecdsa-sha2-nistp256-cert-v01@openssh.com
37     ecdsa-sha2-nistp384-cert-v01@openssh.com
38     ecdsa-sha2-nistp521-cert-v01@openssh.com
39     ssh-ed25519-cert-v01@openssh.com
42 SHA-2 signatures (SHA-256 and SHA-512 respectively):
44     rsa-sha2-256-cert-v01@openssh.com
45     rsa-sha2-512-cert-v01@openssh.com
47 These RSA/SHA-2 types should not appear in keys at rest or transmitted
48 on the wire, but do appear in a SSH_MSG_KEXINIT's host-key algorithms
54 -------------------
58 algorithm names to add support for certificate authentication without
59 breaking the protocol - implementations that do not support the
67 ----------------------
69 The certificate key types take a similar high-level format (note: data
78     string    "ssh-rsa-cert-v01@openssh.com"
79     string    nonce
84     string    key id
85     string    valid principals
88     string    critical options
89     string    extensions
90     string    reserved
91     string    signature key
92     string    signature
96     string    "ssh-dss-cert-v01@openssh.com"
97     string    nonce
104     string    key id
105     string    valid principals
108     string    critical options
109     string    extensions
110     string    reserved
111     string    signature key
112     string    signature
116     string    "ecdsa-sha2-nistp256-cert-v01@openssh.com" |
117               "ecdsa-sha2-nistp384-cert-v01@openssh.com" |
118               "ecdsa-sha2-nistp521-cert-v01@openssh.com"
119     string    nonce
120     string    curve
121     string    public_key
124     string    key id
125     string    valid principals
128     string    critical options
129     string    extensions
130     string    reserved
131     string    signature key
132     string    signature
136     string    "ssh-ed25519-cert-v01@openssh.com"
137     string    nonce
138     string    pk
141     string    key id
142     string    valid principals
145     string    critical options
146     string    extensions
147     string    reserved
148     string    signature key
149     string    signature
151 The nonce field is a CA-provided random bitstring of arbitrary length
157 p, q, g, y are the DSA parameters as described in FIPS-186-2.
172 key id is a free-form text field that is filled in by the CA at the time
176 "valid principals" is a string containing zero or more principals as
180 zero-length "valid principals" field means the certificate is valid for
184 certificate. Each represents a time in seconds since 1970-01-01
208 certificate. The valid key types for CA keys are ssh-rsa,
209 ssh-dss, ssh-ed25519 and the ECDSA types ecdsa-sha2-nistp256,
210 ecdsa-sha2-nistp384, ecdsa-sha2-nistp521. "Chained" certificates, where
213 Ed25519 or ECDSA CA key and vice-versa.
215 signature is computed over all preceding fields from the initial string
218 (RFC4253 section 6.6 for ssh-rsa and ssh-dss, RFC5656 for the ECDSA
222 ----------------
228     string       name
229     string       data
235 option-specific information (see below). All options are
240 domain name to the option name, e.g. "my-option@example.com".
247 -----------------------------------------------------------------------------
248 force-command           string        Specifies a command that is executed
250                                       ssh command-line) whenever this key is
253 source-address          string        Comma-separated list of source addresses
262 verify-required         empty         Flag indicating that signatures made
267                                       support this feature in their signature
271 ----------
274 non-critical certificate extensions. The encoding and ordering of
282 domain name to the option name, e.g. "my-option@example.com".
289 -----------------------------------------------------------------------------
290 no-touch-required       empty         Flag indicating that signatures made
294                                       key types that support this feature in
297 permit-X11-forwarding   empty         Flag indicating that X11 forwarding
301 permit-agent-forwarding empty         Flag indicating that agent forwarding
306 permit-port-forwarding  empty         Flag indicating that port-forwarding
311 permit-pty              empty         Flag indicating that PTY allocation
316 permit-user-rc          empty         Flag indicating that execution of