- djm@cvs.openbsd.org 2010/05/20 23:46:02
     [PROTOCOL.certkeys auth-options.c ssh-keygen.c]
     Move the permit-* options to the non-critical "extensions" field for v01
     certificates. The logic is that if another implementation fails to
     implement them then the connection just loses features rather than fails
     outright.

     ok markus@
diff --git a/PROTOCOL.certkeys b/PROTOCOL.certkeys
index 0fa5748..81b02a0 100644
--- a/PROTOCOL.certkeys
+++ b/PROTOCOL.certkeys
@@ -131,7 +131,7 @@
 
 extensions is a set of zero or more optional extensions. These extensions
 are not critical, and an implementation that encounters one that it does
-not recognise may safely ignore it. No extensions are defined at present.
+not recognise may safely ignore it.
 
 The reserved field is currently unused and is ignored in this version of
 the protocol.
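Review bot: dropping "No extensions are defined at present." leaves this paragraph with no pointer to where the defined extensions now live; add a short cross-reference at the end of the sentence, e.g. "may safely ignore it. The extensions defined by this protocol are listed in the Extensions section below.", so a reader of the field overview knows the list exists.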
@@ -172,6 +172,28 @@
                                       ssh command-line) whenever this key is
                                       used for authentication.
 
+source-address          string        Comma-separated list of source addresses
+                                      from which this certificate is accepted
+                                      for authentication. Addresses are
+                                      specified in CIDR format (nn.nn.nn.nn/nn
+                                      or hhhh::hhhh/nn).
+                                      If this option is not present then
+                                      certificates may be presented from any
+                                      source address.
+
+Extensions
+----------
+
+The extensions section of the certificate specifies zero or more
+non-critical certificate extensions. The encoding of extensions in this
+field is identical to that of the critical options. If an implementation
+does not recognise an extension, then it should ignore it.
+
+The supported extensions and the contents and structure of their data
+fields are:
+
+Name                    Format        Description
+-----------------------------------------------------------------------------
 permit-X11-forwarding   empty         Flag indicating that X11 forwarding
                                       should be permitted. X11 forwarding will
                                       be refused if this option is absent.
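Review bot: the new Extensions paragraph says an unrecognised extension "should ignore it" while the field overview earlier in the document says an implementation "may safely ignore it"; pick one wording (the "must be ignored" form is the clearer statement for a non-critical field). Since the source-address block is moved above the new heading, it now stays in the critical options table, which is the right fail-closed choice for a restriction on where a certificate may be used from; consider saying so explicitly, e.g. a sentence after "If an implementation does not recognise an extension, then it should ignore it." noting that restrictions such as source-address remain critical precisely because silently dropping them would widen what the certificate permits. Finally, the permit-X11-forwarding row now sits under Extensions but still reads "if this option is absent"; it should say "extension".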
@@ -196,13 +218,4 @@
                                       of this script will not be permitted if
                                       this option is not present.
 
-source-address          string        Comma-separated list of source addresses
-                                      from which this certificate is accepted
-                                      for authentication. Addresses are
-                                      specified in CIDR format (nn.nn.nn.nn/nn
-                                      or hhhh::hhhh/nn).
-                                      If this option is not present then
-                                      certificates may be presented from any
-                                      source address.
-
-$OpenBSD: PROTOCOL.certkeys,v 1.5 2010/05/01 02:50:50 djm Exp $
+$OpenBSD: PROTOCOL.certkeys,v 1.6 2010/05/20 23:46:02 djm Exp $
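Review bot: the surviving context line "of this script will not be permitted if this option is not present" now belongs to the Extensions table, where "option" is misleading because "critical options" is a separate section in this same document; change the remaining permit-* rows to say "extension" so the absent-means-refused semantics are described with the right term. The removal of the duplicated source-address rows and the $OpenBSD$ id bump are otherwise consistent with the move in the previous hunk.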