* New upstream release (LP: #535029).

  - After a transition period of about 10 years, this release disables SSH
    protocol 1 by default.  Clients and servers that need to use the
    legacy protocol must explicitly enable it in ssh_config / sshd_config
    or on the command-line.
  - Remove the libsectok/OpenSC-based smartcard code and add support for
    PKCS#11 tokens.  This support is enabled by default in the Debian
    packaging, since it now doesn't involve additional library
    dependencies (closes: #231472, LP: #16918).
  - Add support for certificate authentication of users and hosts using a
    new, minimal OpenSSH certificate format (closes: #482806).
  - Added a 'netcat mode' to ssh(1): "ssh -W host:port ...".
  - Add the ability to revoke keys in sshd(8) and ssh(1).  (For the Debian
    package, this overlaps with the key blacklisting facility added in
    openssh 1:4.7p1-9, but with different file formats and slightly
    different scopes; for the moment, I've roughly merged the two.)
  - Various multiplexing improvements, including support for requesting
    port-forwardings via the multiplex protocol (closes: #360151).
  - Allow setting an explicit umask on the sftp-server(8) commandline to
    override whatever default the user has (closes: #496843).
  - Many sftp client improvements, including tab-completion, more options,
    and recursive transfer support for get/put (LP: #33378).  The old
    mget/mput commands never worked properly and have been removed
    (closes: #270399, #428082).
  - Do not prompt for a passphrase if we fail to open a keyfile, and log
    the reason why the open failed to debug (closes: #431538).
  - Prevent sftp from crashing when given a "-" without a command.  Also,
    allow whitespace to follow a "-" (closes: #531561).

1 files changed, 20 insertions, 12 deletions

diff --git a/ssh-add.1 b/ssh-add.1
index 829c85445..7e8936262 100644
--- a/ssh-add.1
+++ b/ssh-add.1
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: ssh-add.1,v 1.46 2007/06/12 13:41:03 jmc Exp $
+.\"     $OpenBSD: ssh-add.1,v 1.52 2010/03/05 10:28:21 djm Exp $
 .\"
 .\"  -*- nroff -*-
 .\"
@@ -37,7 +37,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 12 2007 $
+.Dd $Mdocdate: March 5 2010 $
 .Dt SSH-ADD 1
 .Os
 .Sh NAME
@@ -49,9 +49,9 @@
 .Op Fl t Ar life
 .Op Ar
 .Nm ssh-add
-.Fl s Ar reader
+.Fl s Ar pkcs11
 .Nm ssh-add
-.Fl e Ar reader
+.Fl e Ar pkcs11
 .Sh DESCRIPTION
 .Nm
 adds RSA or DSA identities to the authentication agent,
@@ -61,7 +61,14 @@ When run without arguments, it adds the files
 .Pa ~/.ssh/id_dsa
 and
 .Pa ~/.ssh/identity .
+After loading a private key,
+.Nm
+will try to load corresponding certificate information from the
+filename obtained by appending
+.Pa -cert.pub
+to the name of the private key file.
 Alternative file names can be given on the command line.
+.Pp
 If any file requires a passphrase,
 .Nm
 asks for the passphrase from the user.
@@ -105,17 +112,17 @@ If no public key is found at a given path,
 will append
 .Pa .pub
 and retry.
-.It Fl e Ar reader
-Remove key in smartcard
-.Ar reader .
+.It Fl e Ar pkcs11
+Remove keys provided by the PKCS#11 shared library
+.Ar pkcs11 .
 .It Fl L
 Lists public key parameters of all identities currently represented
 by the agent.
 .It Fl l
 Lists fingerprints of all identities currently represented by the agent.
-.It Fl s Ar reader
-Add key in smartcard
-.Ar reader .
+.It Fl s Ar pkcs11
+Add keys provided by the PKCS#11 shared library
+.Ar pkcs11 .
 .It Fl t Ar life
 Set a maximum lifetime when adding identities to an agent.
 The lifetime may be specified in seconds or in a time format
@@ -152,8 +159,9 @@ may be necessary to redirect the input from
 .Pa /dev/null
 to make this work.)
 .It Ev SSH_AUTH_SOCK
-Identifies the path of a unix-domain socket used to communicate with the
-agent.
+Identifies the path of a
+.Ux Ns -domain
+socket used to communicate with the agent.
 .El
 .Sh FILES
 .Bl -tag -width Ds