diff --git a/ceru/subcmds/new/ssh-key b/ceru/subcmds/new/ssh-key index 765b2a5..0f615f9 100755 --- a/ceru/subcmds/new/ssh-key +++ b/ceru/subcmds/new/ssh-key @@ -22,12 +22,18 @@ ${BOLD}${UNDERLINE}${RED}Description${RESET} Generates a new SSH keypair with secure defaults. For more advanced usage run the ${BOLD}${MAGENTA}\`ssh-keygen\`${RESET} utility directly. +${BOLD}${UNDERLINE}${RED}Key Sizes${RESET} + Key sizes are specified in bits via the ${BOLD}${MAGENTA}-b|--bits${RESET} flag. + • ${BOLD}${CYAN}ECDSA keys${RESET} can only operate on elliptic curves of size: ${BOLD}${CYAN}256, 384, or 521 bits${RESET} + • ${BOLD}${CYAN}Ed25519 keys${RESET} have a ${BOLD}${MAGENTA}fixed length${RESET} so the key size is ignored + • ${BOLD}${CYAN}RSA keys${RESET} have been intentionally restricted for Cerulean to: ${BOLD}${CYAN}2048, 3072, 4096, or 8192 bits${RESET} + ${BOLD}${UNDERLINE}${RED}Options${RESET} ${BOLD}${MAGENTA}-h, --help${RESET} Show this message (^_^) ${BOLD}${MAGENTA}-o, --out${RESET} Private key file name to write to (the public key is named identically but ends with ${BOLD}${MAGENTA}.pub${RESET}) ${BOLD}${MAGENTA}-c, --comment${RESET} A comment or email address to write on the key - ${BOLD}${MAGENTA}-t, --type${RESET} The cryptographic algorithm to use: ${BOLD}${MAGENTA}ed25519${RESET} or ${BOLD}${MAGENTA}rsa${RESET} ${BOLD}${CYAN}(default: rsa)${RESET} - ${BOLD}${MAGENTA}-r, --rounds${RESET} The number of key derivation function rounds to apply ${BOLD}${CYAN}(default: 100)${RESET} + ${BOLD}${MAGENTA}-t, --type${RESET} The cryptographic algorithm to use: ${BOLD}${MAGENTA}ecdsa, ed25519, rsa${RESET} ${BOLD}${CYAN}(default: ecdsa)${RESET} + ${BOLD}${MAGENTA}-r, --rounds${RESET} The number of KDF rounds to apply ${BOLD}${CYAN}(default: 100)${RESET} ${BOLD}${MAGENTA}-b, --bits${RESET} The key size in bits ${BOLD}${MAGENTA}(see the \"Key Sizes\" section above) ${CYAN}(defaults: ecdsa=521, rsa=4096, ed25519=NOT-APPLICABLE)${RESET} ${BOLD}${MAGENTA}-N, --nopasswd${RESET} Do not encrypt the private key with a password ${BOLD}${MAGENTA}-H, --hardware-key${RESET} Enable the use of a secure hardware key peripheral device (ie YubiKey)" @@ -92,6 +98,21 @@ if ! isnumeric "$ROUNDS"; then fi case "$TYPE" in + ecdsa) + if [[ -n "$BITS" ]]; then + BITS='521' + else + # NOTE: ECDSA keys can only operate on elliptic curves + # NOTE: of sizes: 256, 384 or 521 bits + case "$BITS" in + 256|384|512) true + ;; + *) + throw-badval 1 "$BITS" '-b|--bits' + ;; + esac + fi + ;; ed25519) # NOTE: the value of BITS does not matter for Ed25519 # NOTE: as it operates on a fixed size elliptic curve @@ -128,7 +149,7 @@ fi if [[ "$HWKEY" == true ]]; then if [[ "$TYPE" == "rsa" ]]; then - echo -e "${BOLD}${MAGENTA}-H|--hardware-key${RESET} flag is not valid for ${BOLD}${MAGE}rsa${RESET} keys ${BOLD}${CYAN}(use ed25519 instead)${RESET}" + echo -e "${BOLD}${MAGENTA}-H|--hardware-key${RESET} flag is not valid for ${BOLD}${MAGENTA}RSA keys${RESET} ${BOLD}${CYAN}(use Ed25519 instead)${RESET}" exit 1 fi TYPE="$TYPE-sk"