
Documentation for OpenSSH certificates.

Also I've filled in the help contexts in all the new GUI controls.
This commit is contained in:
Simon Tatham
2022-08-07 12:06:36 +01:00
parent 426901b891
commit e52087719c
12 changed files with 346 additions and 21 deletions


@ -412,7 +412,7 @@ void setup_ca_config_box(struct controlbox *b)
/* Action area, with the Done button in it */
s = ctrl_getset(b, "", "", "");
ctrl_columns(s, 5, 20, 20, 20, 20, 20);
c = ctrl_pushbutton(s, "Done", 'o', HELPCTX(no_help),
c = ctrl_pushbutton(s, "Done", 'o', HELPCTX(ssh_kex_cert),
ca_ok_handler, P(st));
c->button.iscancel = true;
c->column = 4;
@ -422,7 +422,7 @@ void setup_ca_config_box(struct controlbox *b)
"Load, save or delete a host CA record");
ctrl_columns(s, 2, 75, 25);
c = ctrl_editbox(s, "Name for this CA (shown in log messages)",
'n', 100, HELPCTX(no_help),
'n', 100, HELPCTX(ssh_kex_cert),
ca_name_handler, P(st), P(NULL));
c->column = 0;
st->ca_name_edit = c;
@ -430,18 +430,18 @@ void setup_ca_config_box(struct controlbox *b)
* than alongside that edit box. */
ctrl_columns(s, 1, 100);
ctrl_columns(s, 2, 75, 25);
c = ctrl_listbox(s, NULL, NO_SHORTCUT, HELPCTX(no_help),
c = ctrl_listbox(s, NULL, NO_SHORTCUT, HELPCTX(ssh_kex_cert),
ca_reclist_handler, P(st));
c->column = 0;
c->listbox.height = 6;
st->ca_reclist = c;
c = ctrl_pushbutton(s, "Load", 'l', HELPCTX(no_help),
c = ctrl_pushbutton(s, "Load", 'l', HELPCTX(ssh_kex_cert),
ca_load_handler, P(st));
c->column = 1;
c = ctrl_pushbutton(s, "Save", 'v', HELPCTX(no_help),
c = ctrl_pushbutton(s, "Save", 'v', HELPCTX(ssh_kex_cert),
ca_save_handler, P(st));
c->column = 1;
c = ctrl_pushbutton(s, "Delete", 'd', HELPCTX(no_help),
c = ctrl_pushbutton(s, "Delete", 'd', HELPCTX(ssh_kex_cert),
ca_delete_handler, P(st));
c->column = 1;
@ -449,42 +449,45 @@ void setup_ca_config_box(struct controlbox *b)
ctrl_columns(s, 2, 75, 25);
c = ctrl_editbox(s, "Public key of certification authority", 'k', 100,
HELPCTX(no_help), ca_pubkey_edit_handler, P(st), P(NULL));
HELPCTX(ssh_kex_cert), ca_pubkey_edit_handler,
P(st), P(NULL));
c->column = 0;
st->ca_pubkey_edit = c;
c = ctrl_filesel(s, "Read from file", NO_SHORTCUT, NULL, false,
"Select public key file of certification authority",
HELPCTX(no_help), ca_pubkey_file_handler, P(st));
HELPCTX(ssh_kex_cert), ca_pubkey_file_handler, P(st));
c->fileselect.just_button = true;
c->align_next_to = st->ca_pubkey_edit;
c->column = 1;
ctrl_columns(s, 1, 100);
st->ca_pubkey_info = c = ctrl_text(s, " ", HELPCTX(no_help));
st->ca_pubkey_info = c = ctrl_text(s, " ", HELPCTX(ssh_kex_cert));
c->text.wrap = false;
s = ctrl_getset(b, "Main", "options", "What this CA is trusted to do");
c = ctrl_editbox(s, "Valid hosts this key is trusted to certify", 'h', 100,
HELPCTX(no_help), ca_validity_handler, P(st), P(NULL));
HELPCTX(ssh_cert_valid_expr), ca_validity_handler,
P(st), P(NULL));
st->ca_validity_edit = c;
ctrl_columns(s, 4, 44, 18, 18, 18);
c = ctrl_text(s, "Signature types (RSA keys only):", HELPCTX(no_help));
c = ctrl_text(s, "Signature types (RSA keys only):",
HELPCTX(ssh_cert_rsa_hash));
c->column = 0;
dlgcontrol *sigtypelabel = c;
c = ctrl_checkbox(s, "SHA-1", NO_SHORTCUT, HELPCTX(no_help),
c = ctrl_checkbox(s, "SHA-1", NO_SHORTCUT, HELPCTX(ssh_cert_rsa_hash),
ca_rsa_type_handler, P(st));
c->column = 1;
c->align_next_to = sigtypelabel;
c->context2 = I(offsetof(ca_options, permit_rsa_sha1));
st->rsa_type_checkboxes[0] = c;
c = ctrl_checkbox(s, "SHA-256", NO_SHORTCUT, HELPCTX(no_help),
c = ctrl_checkbox(s, "SHA-256", NO_SHORTCUT, HELPCTX(ssh_cert_rsa_hash),
ca_rsa_type_handler, P(st));
c->column = 2;
c->align_next_to = sigtypelabel;
c->context2 = I(offsetof(ca_options, permit_rsa_sha256));
st->rsa_type_checkboxes[1] = c;
c = ctrl_checkbox(s, "SHA-512", NO_SHORTCUT, HELPCTX(no_help),
c = ctrl_checkbox(s, "SHA-512", NO_SHORTCUT, HELPCTX(ssh_cert_rsa_hash),
ca_rsa_type_handler, P(st));
c->column = 3;
c->align_next_to = sigtypelabel;
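Review bot: The SHA-1 checkbox on the `Signature types (RSA keys only):` row, wired to `permit_rsa_sha1`, is the one control in this dialog that re-enables a signature algorithm generally treated as legacy, yet it now shares a single help context, `ssh_cert_rsa_hash`, with the SHA-256 and SHA-512 boxes and nothing in the code marks that asymmetry. A one-line comment above that checkbox would do it, `/* SHA-1 is the legacy, weakest of the three RSA signature types; the ssh_cert_rsa_hash help text should warn before a user re-enables it */`, and the help page itself should carry the same warning. Whether SHA-1 is on or off by default is not visible in this section, so I have not assumed either. setup_ca_config_box begins before and continues past this section.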


@ -934,6 +934,8 @@ SeatPromptResult verify_ssh_host_key(
seat_dialog_text_append(
text, SDT_TITLE, "%s Security Alert", appname);
HelpCtx helpctx;
if (key && ssh_key_alg(key)->is_certificate) {
seat_dialog_text_append(
text, SDT_SCARY_HEADING, "WARNING - POTENTIAL SECURITY BREACH!");
@ -978,6 +980,7 @@ SeatPromptResult verify_ssh_host_key(
text, SDT_PARA, "The new %s key fingerprint is:", keytype);
seat_dialog_text_append(
text, SDT_DISPLAY, "%s", fingerprints[fptype_default]);
helpctx = HELPCTX(errors_cert_mismatch);
} else if (storage_status == 1) {
seat_dialog_text_append(
text, SDT_PARA, "The host key is not cached for this server:");
@ -990,6 +993,7 @@ SeatPromptResult verify_ssh_host_key(
text, SDT_PARA, "The server's %s key fingerprint is:", keytype);
seat_dialog_text_append(
text, SDT_DISPLAY, "%s", fingerprints[fptype_default]);
helpctx = HELPCTX(errors_hostkey_absent);
} else {
seat_dialog_text_append(
text, SDT_SCARY_HEADING, "WARNING - POTENTIAL SECURITY BREACH!");
@ -1006,6 +1010,7 @@ SeatPromptResult verify_ssh_host_key(
text, SDT_PARA, "The new %s key fingerprint is:", keytype);
seat_dialog_text_append(
text, SDT_DISPLAY, "%s", fingerprints[fptype_default]);
helpctx = HELPCTX(errors_hostkey_changed);
}
/* The above text is printed even in batch mode. Here's where we stop if
@ -1013,8 +1018,6 @@ SeatPromptResult verify_ssh_host_key(
seat_dialog_text_append(
text, SDT_BATCH_ABORT, "Connection abandoned.");
HelpCtx helpctx;
if (storage_status == 1) {
seat_dialog_text_append(
text, SDT_PARA, "If you trust this host, %s to add the key to "
@ -1029,7 +1032,6 @@ SeatPromptResult verify_ssh_host_key(
"connection.", pds->hk_cancel_action);
seat_dialog_text_append(
text, SDT_PROMPT, "Store key in cache?");
helpctx = HELPCTX(errors_hostkey_absent);
} else {
seat_dialog_text_append(
text, SDT_PARA, "If you were expecting this change and trust the "
@ -1044,7 +1046,6 @@ SeatPromptResult verify_ssh_host_key(
pds->hk_cancel_action, pds->hk_cancel_action_Participle);
seat_dialog_text_append(
text, SDT_PROMPT, "Update cached key?");
helpctx = HELPCTX(errors_hostkey_changed);
}
seat_dialog_text_append(text, SDT_MORE_INFO_KEY,
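Review bot: The hoisted `HelpCtx helpctx;` is left uninitialised and only receives a value at the end of each of the three branches that follow (`errors_cert_mismatch`, `errors_hostkey_absent`, `errors_hostkey_changed`), each assignment some forty lines away from the declaration, so any future path that reaches the `SDT_MORE_INFO_KEY` call without passing through one of them reads an indeterminate value. Initialise it where it is declared, `HelpCtx helpctx = HELPCTX(no_help);`, which the config.c hunks in this same commit use as the placeholder context, so the worst case becomes a dialog with no help link rather than undefined behaviour, and the compiler stops having to prove the three-way assignment is exhaustive. The old `helpctx` assignments in the second `if (storage_status == 1)` chain are correctly dropped, since that chain would otherwise clobber the certificate-mismatch context. verify_ssh_host_key begins before and continues past this section.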