author    Colin Watson <cjwatson@debian.org>  2017-10-04 11:23:58 +0100
committer Colin Watson <cjwatson@debian.org>  2017-10-04 11:23:58 +0100
commit    62f54f20bf351468e0124f63cc2902ee40d9b0e9 (patch)
tree      3e090f2711b94ca5029d3fa3e8047b1ed1448b1f /ssh-keygen.0
parent    6fabaf6fd9b07cc8bc6a17c9c4a5b76849cfc874 (diff)
parent    66bf74a92131b7effe49fb0eefe5225151869dc5 (diff)
Import openssh_7.6p1.orig.tar.gz
Diffstat (limited to 'ssh-keygen.0')
-rw-r--r--  ssh-keygen.0  161
1 files changed, 82 insertions, 79 deletions
diff --git a/ssh-keygen.0 b/ssh-keygen.0
index 569297da4..fb2c02fe7 100644
--- a/ssh-keygen.0
+++ b/ssh-keygen.0
@@ -4,7 +4,7 @@ NAME
4 ssh-keygen M-bM-^@M-^S authentication key generation, management and conversion 4 ssh-keygen M-bM-^@M-^S authentication key generation, management and conversion
5 5
6SYNOPSIS 6SYNOPSIS
7 ssh-keygen [-q] [-b bits] [-t dsa | ecdsa | ed25519 | rsa | rsa1] 7 ssh-keygen [-q] [-b bits] [-t dsa | ecdsa | ed25519 | rsa]
8 [-N new_passphrase] [-C comment] [-f output_keyfile] 8 [-N new_passphrase] [-C comment] [-f output_keyfile]
9 ssh-keygen -p [-P old_passphrase] [-N new_passphrase] [-f keyfile] 9 ssh-keygen -p [-P old_passphrase] [-N new_passphrase] [-f keyfile]
10 ssh-keygen -i [-m key_format] [-f input_keyfile] 10 ssh-keygen -i [-m key_format] [-f input_keyfile]
@@ -21,24 +21,21 @@ SYNOPSIS
21 ssh-keygen -G output_file [-v] [-b bits] [-M memory] [-S start_point] 21 ssh-keygen -G output_file [-v] [-b bits] [-M memory] [-S start_point]
22 ssh-keygen -T output_file -f input_file [-v] [-a rounds] [-J num_lines] 22 ssh-keygen -T output_file -f input_file [-v] [-a rounds] [-J num_lines]
23 [-j start_line] [-K checkpt] [-W generator] 23 [-j start_line] [-K checkpt] [-W generator]
24 ssh-keygen -s ca_key -I certificate_identity [-h] [-n principals] 24 ssh-keygen -s ca_key -I certificate_identity [-h] [-U]
25 [-O option] [-V validity_interval] [-z serial_number] file ... 25 [-D pkcs11_provider] [-n principals] [-O option]
26 [-V validity_interval] [-z serial_number] file ...
26 ssh-keygen -L [-f input_keyfile] 27 ssh-keygen -L [-f input_keyfile]
27 ssh-keygen -A 28 ssh-keygen -A [-f prefix_path]
28 ssh-keygen -k -f krl_file [-u] [-s ca_public] [-z version_number] 29 ssh-keygen -k -f krl_file [-u] [-s ca_public] [-z version_number]
29 file ... 30 file ...
30 ssh-keygen -Q -f krl_file file ... 31 ssh-keygen -Q -f krl_file file ...
31 32
32DESCRIPTION 33DESCRIPTION
33 ssh-keygen generates, manages and converts authentication keys for 34 ssh-keygen generates, manages and converts authentication keys for
34 ssh(1). ssh-keygen can create keys for use by SSH protocol versions 1 35 ssh(1). ssh-keygen can create keys for use by SSH protocol version 2.
35 and 2. Protocol 1 should not be used and is only offered to support
36 legacy devices. It suffers from a number of cryptographic weaknesses and
37 doesn't support many of the advanced features available for protocol 2.
38 36
39 The type of key to be generated is specified with the -t option. If 37 The type of key to be generated is specified with the -t option. If
40 invoked without any arguments, ssh-keygen will generate an RSA key for 38 invoked without any arguments, ssh-keygen will generate an RSA key.
41 use in SSH protocol 2 connections.
42 39
43 ssh-keygen is also used to generate groups for use in Diffie-Hellman 40 ssh-keygen is also used to generate groups for use in Diffie-Hellman
44 group exchange (DH-GEX). See the MODULI GENERATION section for details. 41 group exchange (DH-GEX). See the MODULI GENERATION section for details.
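Review bot: the argument name for -D differs between the SYNOPSIS, which now reads "[-D pkcs11_provider]" on line 25, and the option's own heading, which is still "-D pkcs11" (line 123 of the new file); pick one name for both. The new "-A [-f prefix_path]" form on line 28 should likewise match the wording used in the -A entry below. Separately, the DESCRIPTION sentence "ssh-keygen can create keys for use by SSH protocol version 2." is now a statement about the only protocol the page covers; a flat sentence saying protocol 1 keys are no longer generated would tell the reader more.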
@@ -48,10 +45,10 @@ DESCRIPTION
48 KEY REVOCATION LISTS section for details. 45 KEY REVOCATION LISTS section for details.
49 46
50 Normally each user wishing to use SSH with public key authentication runs 47 Normally each user wishing to use SSH with public key authentication runs
51 this once to create the authentication key in ~/.ssh/identity, 48 this once to create the authentication key in ~/.ssh/id_dsa,
52 ~/.ssh/id_dsa, ~/.ssh/id_ecdsa, ~/.ssh/id_ed25519 or ~/.ssh/id_rsa. 49 ~/.ssh/id_ecdsa, ~/.ssh/id_ed25519 or ~/.ssh/id_rsa. Additionally, the
53 Additionally, the system administrator may use this to generate host 50 system administrator may use this to generate host keys, as seen in
54 keys, as seen in /etc/rc. 51 /etc/rc.
55 52
56 Normally this program generates the key and asks for a file in which to 53 Normally this program generates the key and asks for a file in which to
57 store the private key. The public key is stored in a file with the same 54 store the private key. The public key is stored in a file with the same
@@ -71,32 +68,33 @@ DESCRIPTION
71 or forgotten, a new key must be generated and the corresponding public 68 or forgotten, a new key must be generated and the corresponding public
72 key copied to other machines. 69 key copied to other machines.
73 70
74 For RSA1 keys and keys stored in the newer OpenSSH format, there is also 71 For keys stored in the newer OpenSSH format, there is also a comment
75 a comment field in the key file that is only for convenience to the user 72 field in the key file that is only for convenience to the user to help
76 to help identify the key. The comment can tell what the key is for, or 73 identify the key. The comment can tell what the key is for, or whatever
77 whatever is useful. The comment is initialized to M-bM-^@M-^\user@hostM-bM-^@M-^] when the 74 is useful. The comment is initialized to M-bM-^@M-^\user@hostM-bM-^@M-^] when the key is
78 key is created, but can be changed using the -c option. 75 created, but can be changed using the -c option.
79 76
80 After a key is generated, instructions below detail where the keys should 77 After a key is generated, instructions below detail where the keys should
81 be placed to be activated. 78 be placed to be activated.
82 79
83 The options are as follows: 80 The options are as follows:
84 81
85 -A For each of the key types (rsa1, rsa, dsa, ecdsa and ed25519) for 82 -A For each of the key types (rsa, dsa, ecdsa and ed25519) for which
86 which host keys do not exist, generate the host keys with the 83 host keys do not exist, generate the host keys with the default
87 default key file path, an empty passphrase, default bits for the 84 key file path, an empty passphrase, default bits for the key
88 key type, and default comment. This is used by /etc/rc to 85 type, and default comment. If -f has also been specified, its
89 generate new host keys. 86 argument is used as a prefix to the default path for the
87 resulting host key files. This is used by /etc/rc to generate
88 new host keys.
90 89
91 -a rounds 90 -a rounds
92 When saving a new-format private key (i.e. an ed25519 key or any 91 When saving a new-format private key (i.e. an ed25519 key or when
93 SSH protocol 2 key when the -o flag is set), this option 92 the -o flag is set), this option specifies the number of KDF (key
94 specifies the number of KDF (key derivation function) rounds 93 derivation function) rounds used. Higher numbers result in
95 used. Higher numbers result in slower passphrase verification 94 slower passphrase verification and increased resistance to brute-
96 and increased resistance to brute-force password cracking (should 95 force password cracking (should the keys be stolen).
97 the keys be stolen). 96
98 97 When screening DH-GEX candidates (using the -T command). This
99 When screening DH-GEX candidates ( using the -T command). This
100 option specifies the number of primality tests to perform. 98 option specifies the number of primality tests to perform.
101 99
102 -B Show the bubblebabble digest of specified private or public key 100 -B Show the bubblebabble digest of specified private or public key
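Review bot: in the new -A text, "its argument is used as a prefix to the default path for the resulting host key files" is ambiguous: it does not say whether prefix_path is treated as a directory under which the default path is rooted or as a literal string prepended to it, and the difference matters when the flag is used to populate an alternate root. Suggest stating which it is. The -a rounds paragraph reads well after the rewording, and fixing the stray space in "( using the -T command)" is a welcome cleanup.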
@@ -117,10 +115,10 @@ DESCRIPTION
117 Provides a new comment. 115 Provides a new comment.
118 116
119 -c Requests changing the comment in the private and public key 117 -c Requests changing the comment in the private and public key
120 files. This operation is only supported for RSA1 keys and keys 118 files. This operation is only supported for keys stored in the
121 stored in the newer OpenSSH format. The program will prompt for 119 newer OpenSSH format. The program will prompt for the file
122 the file containing the private keys, for the passphrase if the 120 containing the private keys, for the passphrase if the key has
123 key has one, and for the new comment. 121 one, and for the new comment.
124 122
125 -D pkcs11 123 -D pkcs11
126 Download the RSA public keys provided by the PKCS#11 shared 124 Download the RSA public keys provided by the PKCS#11 shared
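Review bot: now that -c "is only supported for keys stored in the newer OpenSSH format", a reader holding a PEM-format private key is left without a pointer to how to get it into that format; cross-referencing the -o option (described later on this page as the switch that saves private keys in the new OpenSSH format) would make the entry self-contained.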
@@ -200,11 +198,10 @@ DESCRIPTION
200 198
201 -L Prints the contents of one or more certificates. 199 -L Prints the contents of one or more certificates.
202 200
203 -l Show fingerprint of specified public key file. Private RSA1 keys 201 -l Show fingerprint of specified public key file. For RSA and DSA
204 are also supported. For RSA and DSA keys ssh-keygen tries to 202 keys ssh-keygen tries to find the matching public key file and
205 find the matching public key file and prints its fingerprint. If 203 prints its fingerprint. If combined with -v, a visual ASCII art
206 combined with -v, a visual ASCII art representation of the key is 204 representation of the key is supplied with the fingerprint.
207 supplied with the fingerprint.
208 205
209 -M memory 206 -M memory
210 Specify the amount of memory to use (in megabytes) when 207 Specify the amount of memory to use (in megabytes) when
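Review bot: with "Private RSA1 keys are also supported" removed, the -l entry still singles out RSA and DSA: "For RSA and DSA keys ssh-keygen tries to find the matching public key file and prints its fingerprint." If the matching-public-key lookup also applies to ECDSA and Ed25519 private keys, the sentence should say so; if it genuinely does not, the limitation deserves an explicit note, since as written it reads like a leftover from the RSA1 era.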
@@ -228,14 +225,29 @@ DESCRIPTION
228 225
229 -O option 226 -O option
230 Specify a certificate option when signing a key. This option may 227 Specify a certificate option when signing a key. This option may
231 be specified multiple times. Please see the CERTIFICATES section 228 be specified multiple times. See also the CERTIFICATES section
232 for details. The options that are valid for user certificates 229 for further details. The options that are valid for user
233 are: 230 certificates are:
234 231
235 clear Clear all enabled permissions. This is useful for 232 clear Clear all enabled permissions. This is useful for
236 clearing the default set of permissions so permissions 233 clearing the default set of permissions so permissions
237 may be added individually. 234 may be added individually.
238 235
236 critical:name[=contents]
237 extension:name[=contents]
238 Includes an arbitrary certificate critical option or
239 extension. The specified name should include a domain
240 suffix, e.g. M-bM-^@M-^\name@example.comM-bM-^@M-^]. If contents is
241 specified then it is included as the contents of the
242 extension/option encoded as a string, otherwise the
243 extension/option is created with no contents (usually
244 indicating a flag). Extensions may be ignored by a
245 client or server that does not recognise them, whereas
246 unknown critical options will cause the certificate to be
247 refused.
248
249 At present, no standard options are valid for host keys.
250
239 force-command=command 251 force-command=command
240 Forces the execution of command instead of any shell or 252 Forces the execution of command instead of any shell or
241 command specified by the user when the certificate is 253 command specified by the user when the certificate is
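Review bot: the critical:/extension: entry states the key behavioural difference, "Extensions may be ignored by a client or server that does not recognise them, whereas unknown critical options will cause the certificate to be refused", but gives no guidance on choosing between them; one sentence noting that critical: is for constraints that must not be silently dropped by a peer that does not understand them would make the fail-closed property actionable. Also, "The specified name should include a domain suffix" reads as advisory; if the suffix is required for non-standard names, say "must". Finally, "At present, no standard options are valid for host keys." (new line 249) now sits between two entries of the user-certificate option list, where a reader scanning the list will take it as part of the critical:/extension: entry.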
@@ -277,8 +289,6 @@ DESCRIPTION
277 separated list of one or more address/netmask pairs in 289 separated list of one or more address/netmask pairs in
278 CIDR format. 290 CIDR format.
279 291
280 At present, no options are valid for host keys.
281
282 -o Causes ssh-keygen to save private keys using the new OpenSSH 292 -o Causes ssh-keygen to save private keys using the new OpenSSH
283 format rather than the more compatible PEM format. The new 293 format rather than the more compatible PEM format. The new
284 format has increased resistance to brute-force password cracking 294 format has increased resistance to brute-force password cracking
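Review bot: removing "At present, no options are valid for host keys." from the end of the list leaves the reworded statement only in the middle of the -O option list (new line 249); keeping a closing sentence after the last entry, where this one used to be, would preserve the natural place readers look for the host-key case.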
@@ -322,10 +332,13 @@ DESCRIPTION
322 Test DH group exchange candidate primes (generated using the -G 332 Test DH group exchange candidate primes (generated using the -G
323 option) for safety. 333 option) for safety.
324 334
325 -t dsa | ecdsa | ed25519 | rsa | rsa1 335 -t dsa | ecdsa | ed25519 | rsa
326 Specifies the type of key to create. The possible values are 336 Specifies the type of key to create. The possible values are
327 M-bM-^@M-^\rsa1M-bM-^@M-^] for protocol version 1 and M-bM-^@M-^\dsaM-bM-^@M-^], M-bM-^@M-^\ecdsaM-bM-^@M-^], M-bM-^@M-^\ed25519M-bM-^@M-^], or 337 M-bM-^@M-^\dsaM-bM-^@M-^], M-bM-^@M-^\ecdsaM-bM-^@M-^], M-bM-^@M-^\ed25519M-bM-^@M-^], or M-bM-^@M-^\rsaM-bM-^@M-^].
328 M-bM-^@M-^\rsaM-bM-^@M-^] for protocol version 2. 338
339 -U When used in combination with -s, this option indicates that a CA
340 key resides in a ssh-agent(1). See the CERTIFICATES section for
341 more information.
329 342
330 -u Update a KRL. When specified with -k, keys listed via the 343 -u Update a KRL. When specified with -k, keys listed via the
331 command line are added to the existing KRL rather than a new KRL 344 command line are added to the existing KRL rather than a new KRL
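Review bot: the new -U entry should say what the -s argument is in this mode; the CERTIFICATES section later states that "the CA key must be identified by its public half", and repeating that here saves the reader a jump. Minor grammar: "resides in a ssh-agent(1)" should be "resides in an ssh-agent(1)", matching how the name is pronounced.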
@@ -432,6 +445,12 @@ CERTIFICATES
432 445
433 $ ssh-keygen -s ca_key.pub -D libpkcs11.so -I key_id user_key.pub 446 $ ssh-keygen -s ca_key.pub -D libpkcs11.so -I key_id user_key.pub
434 447
448 Similarly, it is possible for the CA key to be hosted in a ssh-agent(1).
449 This is indicated by the -U flag and, again, the CA key must be
450 identified by its public half.
451
452 $ ssh-keygen -Us ca_key.pub -I key_id user_key.pub
453
435 In all cases, key_id is a "key identifier" that is logged by the server 454 In all cases, key_id is a "key identifier" that is logged by the server
436 when the certificate is used for authentication. 455 when the certificate is used for authentication.
437 456
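Review bot: the new paragraph explains how to invoke -U but not why one would: the point of hosting the CA key in ssh-agent(1) is that the private half stays in the agent, which only performs the signing, so the CA private key is never written to disk for ssh-keygen to read. Stating that explicitly would make the security rationale clear. Same grammar point as in the -U entry: "hosted in a ssh-agent(1)" should read "an ssh-agent(1)". The example "-Us" combines flags, which is fine, though "-U -s" would be clearer for readers unfamiliar with the short-option syntax.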
@@ -512,44 +531,28 @@ KEY REVOCATION LISTS
512 was revoked. 531 was revoked.
513 532
514FILES 533FILES
515 ~/.ssh/identity
516 Contains the protocol version 1 RSA authentication identity of
517 the user. This file should not be readable by anyone but the
518 user. It is possible to specify a passphrase when generating the
519 key; that passphrase will be used to encrypt the private part of
520 this file using 3DES. This file is not automatically accessed by
521 ssh-keygen but it is offered as the default file for the private
522 key. ssh(1) will read this file when a login attempt is made.
523
524 ~/.ssh/identity.pub
525 Contains the protocol version 1 RSA public key for
526 authentication. The contents of this file should be added to
527 ~/.ssh/authorized_keys on all machines where the user wishes to
528 log in using RSA authentication. There is no need to keep the
529 contents of this file secret.
530
531 ~/.ssh/id_dsa 534 ~/.ssh/id_dsa
532 ~/.ssh/id_ecdsa 535 ~/.ssh/id_ecdsa
533 ~/.ssh/id_ed25519 536 ~/.ssh/id_ed25519
534 ~/.ssh/id_rsa 537 ~/.ssh/id_rsa
535 Contains the protocol version 2 DSA, ECDSA, Ed25519 or RSA 538 Contains the DSA, ECDSA, Ed25519 or RSA authentication identity
536 authentication identity of the user. This file should not be 539 of the user. This file should not be readable by anyone but the
537 readable by anyone but the user. It is possible to specify a 540 user. It is possible to specify a passphrase when generating the
538 passphrase when generating the key; that passphrase will be used 541 key; that passphrase will be used to encrypt the private part of
539 to encrypt the private part of this file using 128-bit AES. This 542 this file using 128-bit AES. This file is not automatically
540 file is not automatically accessed by ssh-keygen but it is 543 accessed by ssh-keygen but it is offered as the default file for
541 offered as the default file for the private key. ssh(1) will 544 the private key. ssh(1) will read this file when a login attempt
542 read this file when a login attempt is made. 545 is made.
543 546
544 ~/.ssh/id_dsa.pub 547 ~/.ssh/id_dsa.pub
545 ~/.ssh/id_ecdsa.pub 548 ~/.ssh/id_ecdsa.pub
546 ~/.ssh/id_ed25519.pub 549 ~/.ssh/id_ed25519.pub
547 ~/.ssh/id_rsa.pub 550 ~/.ssh/id_rsa.pub
548 Contains the protocol version 2 DSA, ECDSA, Ed25519 or RSA public 551 Contains the DSA, ECDSA, Ed25519 or RSA public key for
549 key for authentication. The contents of this file should be 552 authentication. The contents of this file should be added to
550 added to ~/.ssh/authorized_keys on all machines where the user 553 ~/.ssh/authorized_keys on all machines where the user wishes to
551 wishes to log in using public key authentication. There is no 554 log in using public key authentication. There is no need to keep
552 need to keep the contents of this file secret. 555 the contents of this file secret.
553 556
554 /etc/moduli 557 /etc/moduli
555 Contains Diffie-Hellman groups used for DH-GEX. The file format 558 Contains Diffie-Hellman groups used for DH-GEX. The file format
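Review bot: removing the ~/.ssh/identity and ~/.ssh/identity.pub entries is the right counterpart to dropping rsa1 from the synopsis. The surviving id_* entry still says the passphrase encrypts the private part "using 128-bit AES"; that describes the PEM format, while keys saved with -o are protected by the KDF described under -a and -o, so a cross-reference here would stop readers from assuming the same protection applies to both formats.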
@@ -567,4 +570,4 @@ AUTHORS
567 created OpenSSH. Markus Friedl contributed the support for SSH protocol 570 created OpenSSH. Markus Friedl contributed the support for SSH protocol
568 versions 1.5 and 2.0. 571 versions 1.5 and 2.0.
569 572
570OpenBSD 6.0 June 16, 2016 OpenBSD 6.0 573OpenBSD 6.2 July 8, 2017 OpenBSD 6.2