authorColin Watson <cjwatson@debian.org>2020-02-21 11:57:14 +0000
committerColin Watson <cjwatson@debian.org>2020-02-21 14:27:02 +0000
commit886e47e745586c34e81cfd5c5fb9b5dbc8e84d04 (patch)
treedd6c3b4dc64a17c520af7aaf213163f8a0a63e56 /ssh-keygen.0
parentac2b4c0697fcac554041ab95f81736887eadf6ec (diff)
parenta2dabf35ce0228c86a288d11cc847a9d9801604f (diff)
New upstream release (8.2p1)
Diffstat (limited to 'ssh-keygen.0')
-rw-r--r--ssh-keygen.0375
1 files changed, 235 insertions, 140 deletions
diff --git a/ssh-keygen.0 b/ssh-keygen.0
index b68736c11..703739004 100644
--- a/ssh-keygen.0
+++ b/ssh-keygen.0
@@ -1,11 +1,12 @@
1SSH-KEYGEN(1) General Commands Manual SSH-KEYGEN(1) 1SSH-KEYGEN(1) General Commands Manual SSH-KEYGEN(1)
2 2
3NAME 3NAME
4 ssh-keygen M-bM-^@M-^S authentication key generation, management and conversion 4 ssh-keygen M-bM-^@M-^S OpenSSH authentication key utility
5 5
6SYNOPSIS 6SYNOPSIS
7 ssh-keygen [-q] [-b bits] [-C comment] [-f output_keyfile] [-m format] 7 ssh-keygen [-q] [-b bits] [-C comment] [-f output_keyfile] [-m format]
8 [-N new_passphrase] [-t dsa | ecdsa | ed25519 | rsa] 8 [-t dsa | ecdsa | ecdsa-sk | ed25519 | ed25519-sk | rsa]
9 [-N new_passphrase] [-O option] [-w provider]
9 ssh-keygen -p [-f keyfile] [-m format] [-N new_passphrase] 10 ssh-keygen -p [-f keyfile] [-m format] [-N new_passphrase]
10 [-P old_passphrase] 11 [-P old_passphrase]
11 ssh-keygen -i [-f input_keyfile] [-m key_format] 12 ssh-keygen -i [-f input_keyfile] [-m key_format]
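Review bot: the NAME line (old 4/new 4) still carries the cat -v escape M-bM-^@M-^S in place of the en dash (bytes E2 80 93), and the same escapes recur through the rest of the file (M-bM-^@M-^\ / M-bM-^@M-^] for the double quotes around the key types at new 327, M-bM-^@M-^X / M-bM-^@M-^Y at new 204). This shows ssh-keygen.0 is upstream's pre-rendered artifact of ssh-keygen(1) passed through cat -v, so nothing to change in the merge itself, but anyone reading the .0 file directly sees the escapes literally; the formatted manual page is the readable form.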
@@ -17,11 +18,11 @@ SYNOPSIS
17 ssh-keygen -D pkcs11 18 ssh-keygen -D pkcs11
18 ssh-keygen -F hostname [-lv] [-f known_hosts_file] 19 ssh-keygen -F hostname [-lv] [-f known_hosts_file]
19 ssh-keygen -H [-f known_hosts_file] 20 ssh-keygen -H [-f known_hosts_file]
21 ssh-keygen -K [-w provider]
20 ssh-keygen -R hostname [-f known_hosts_file] 22 ssh-keygen -R hostname [-f known_hosts_file]
21 ssh-keygen -r hostname [-g] [-f input_keyfile] 23 ssh-keygen -r hostname [-g] [-f input_keyfile]
22 ssh-keygen -G output_file [-v] [-b bits] [-M memory] [-S start_point] 24 ssh-keygen -M generate [-O option] output_file
23 ssh-keygen -f input_file -T output_file [-v] [-a rounds] [-J num_lines] 25 ssh-keygen -M screen [-f input_file] [-O option] output_file
24 [-j start_line] [-K checkpt] [-W generator]
25 ssh-keygen -I certificate_identity -s ca_key [-hU] [-D pkcs11_provider] 26 ssh-keygen -I certificate_identity -s ca_key [-hU] [-D pkcs11_provider]
26 [-n principals] [-O option] [-V validity_interval] 27 [-n principals] [-O option] [-V validity_interval]
27 [-z serial_number] file ... 28 [-z serial_number] file ...
@@ -30,6 +31,7 @@ SYNOPSIS
30 ssh-keygen -k -f krl_file [-u] [-s ca_public] [-z version_number] 31 ssh-keygen -k -f krl_file [-u] [-s ca_public] [-z version_number]
31 file ... 32 file ...
32 ssh-keygen -Q -f krl_file file ... 33 ssh-keygen -Q -f krl_file file ...
34 ssh-keygen -Y find-principals -s signature_file -f allowed_signers_file
33 ssh-keygen -Y check-novalidate -n namespace -s signature_file 35 ssh-keygen -Y check-novalidate -n namespace -s signature_file
34 ssh-keygen -Y sign -f key_file -n namespace file ... 36 ssh-keygen -Y sign -f key_file -n namespace file ...
35 ssh-keygen -Y verify -f allowed_signers_file -I signer_identity 37 ssh-keygen -Y verify -f allowed_signers_file -I signer_identity
@@ -51,9 +53,9 @@ DESCRIPTION
51 53
52 Normally each user wishing to use SSH with public key authentication runs 54 Normally each user wishing to use SSH with public key authentication runs
53 this once to create the authentication key in ~/.ssh/id_dsa, 55 this once to create the authentication key in ~/.ssh/id_dsa,
54 ~/.ssh/id_ecdsa, ~/.ssh/id_ed25519 or ~/.ssh/id_rsa. Additionally, the 56 ~/.ssh/id_ecdsa, ~/.ssh/id_ecdsa_sk, ~/.ssh/id_ed25519,
55 system administrator may use this to generate host keys, as seen in 57 ~/.ssh/id_ed25519_sk or ~/.ssh/id_rsa. Additionally, the system
56 /etc/rc. 58 administrator may use this to generate host keys, as seen in /etc/rc.
57 59
58 Normally this program generates the key and asks for a file in which to 60 Normally this program generates the key and asks for a file in which to
59 store the private key. The public key is stored in a file with the same 61 store the private key. The public key is stored in a file with the same
@@ -104,9 +106,6 @@ DESCRIPTION
104 in slower passphrase verification and increased resistance to 106 in slower passphrase verification and increased resistance to
105 brute-force password cracking (should the keys be stolen). 107 brute-force password cracking (should the keys be stolen).
106 108
107 When screening DH-GEX candidates (using the -T command), this
108 option specifies the number of primality tests to perform.
109
110 -B Show the bubblebabble digest of specified private or public key 109 -B Show the bubblebabble digest of specified private or public key
111 file. 110 file.
112 111
@@ -118,8 +117,8 @@ DESCRIPTION
118 the -b flag determines the key length by selecting from one of 117 the -b flag determines the key length by selecting from one of
119 three elliptic curve sizes: 256, 384 or 521 bits. Attempting to 118 three elliptic curve sizes: 256, 384 or 521 bits. Attempting to
120 use bit lengths other than these three values for ECDSA keys will 119 use bit lengths other than these three values for ECDSA keys will
121 fail. Ed25519 keys have a fixed length and the -b flag will be 120 fail. ECDSA-SK, Ed25519 and Ed25519-SK keys have a fixed length
122 ignored. 121 and the -b flag will be ignored.
123 122
124 -C comment 123 -C comment
125 Provides a new comment. 124 Provides a new comment.
@@ -156,10 +155,6 @@ DESCRIPTION
156 -f filename 155 -f filename
157 Specifies the filename of the key file. 156 Specifies the filename of the key file.
158 157
159 -G output_file
160 Generate candidate primes for DH-GEX. These primes must be
161 screened for safety (using the -T option) before use.
162
163 -g Use generic DNS format when printing fingerprint resource records 158 -g Use generic DNS format when printing fingerprint resource records
164 using the -r command. 159 using the -r command.
165 160
@@ -185,19 +180,9 @@ DESCRIPTION
185 importing keys from other software, including several commercial 180 importing keys from other software, including several commercial
186 SSH implementations. The default import format is M-bM-^@M-^\RFC4716M-bM-^@M-^]. 181 SSH implementations. The default import format is M-bM-^@M-^\RFC4716M-bM-^@M-^].
187 182
188 -J num_lines 183 -K Download resident keys from a FIDO authenticator. Public and
189 Exit after screening the specified number of lines while 184 private key files will be written to the current directory for
190 performing DH candidate screening using the -T option. 185 each downloaded key.
191
192 -j start_line
193 Start screening at the specified line number while performing DH
194 candidate screening using the -T option.
195
196 -K checkpt
197 Write the last line processed to the file checkpt while
198 performing DH candidate screening using the -T option. This will
199 be used to skip lines in the input file that have already been
200 processed if the job is restarted.
201 186
202 -k Generate a KRL file. In this mode, ssh-keygen will generate a 187 -k Generate a KRL file. In this mode, ssh-keygen will generate a
203 KRL file at the location specified via the -f flag that revokes 188 KRL file at the location specified via the -f flag that revokes
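Review bot: -K is reused with an unrelated meaning in this hunk: old 196-200 documented it as the DH candidate screening checkpoint file (now -O checkpoint under MODULI GENERATION), new 183-185 make it "download resident keys from a FIDO authenticator". The new text also does not say what happens when a public or private key file of the same name already exists in the current directory. A line in the Debian changelog or NEWS noting the reused letter would help anyone with moduli-screening scripts written against the old -T/-K form.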
@@ -213,9 +198,21 @@ DESCRIPTION
213 prints its fingerprint. If combined with -v, a visual ASCII art 198 prints its fingerprint. If combined with -v, a visual ASCII art
214 representation of the key is supplied with the fingerprint. 199 representation of the key is supplied with the fingerprint.
215 200
216 -M memory 201 -M generate
217 Specify the amount of memory to use (in megabytes) when 202 Generate candidate Diffie-Hellman Group Exchange (DH-GEX)
218 generating candidate moduli for DH-GEX. 203 parameters for eventual use by the
204 M-bM-^@M-^Xdiffie-hellman-group-exchange-*M-bM-^@M-^Y key exchange methods. The
205 numbers generated by this operation must be further screened
206 before use. See the MODULI GENERATION section for more
207 information.
208
209 -M screen
210 Screen candidate parameters for Diffie-Hellman Group Exchange.
211 This will accept a list of candidate numbers and test that they
212 are safe (Sophie Germain) primes with acceptable group
213 generators. The results of this operation may be added to the
214 /etc/moduli file. See the MODULI GENERATION section for more
215 information.
219 216
220 -m key_format 217 -m key_format
221 Specify a key format for key generation, the -i (import), -e 218 Specify a key format for key generation, the -i (import), -e
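Review bot: the -M screen text at new 211-213 describes the accepted values as "safe (Sophie Germain) primes", which conflates two terms: a safe prime is p = 2q + 1 with q prime, and it is q, not p, that is the Sophie Germain prime; what screening accepts and /etc/moduli holds is the safe prime p. Suggest "safe primes (p = 2q + 1 with q also prime)". Note too that -M, like -K above, changes from a numeric argument (memory in megabytes, old 216-218, now -O memory) to a mode selector.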
@@ -240,70 +237,61 @@ DESCRIPTION
240 CERTIFICATES section for details. 237 CERTIFICATES section for details.
241 238
242 -O option 239 -O option
243 Specify a certificate option when signing a key. This option may 240 Specify a key/value option. These are specific to the operation
244 be specified multiple times. See also the CERTIFICATES section 241 that ssh-keygen has been requested to perform.
245 for further details. 242
246 243 When signing certificates, one of the options listed in the
247 At present, no standard options are valid for host keys. The 244 CERTIFICATES section may be specified here.
248 options that are valid for user certificates are: 245
249 246 When performing moduli generation or screening, one of the
250 clear Clear all enabled permissions. This is useful for 247 options listed in the MODULI GENERATION section may be specified.
251 clearing the default set of permissions so permissions 248
252 may be added individually. 249 When generating a key that will be hosted on a FIDO
253 250 authenticator, this flag may be used to specify key-specific
254 critical:name[=contents] 251 options. Those supported at present are:
255 extension:name[=contents] 252
256 Includes an arbitrary certificate critical option or 253 application
257 extension. The specified name should include a domain 254 Override the default FIDO application/origin string of
258 suffix, e.g. M-bM-^@M-^\name@example.comM-bM-^@M-^]. If contents is 255 M-bM-^@M-^\ssh:M-bM-^@M-^]. This may be useful when generating host or
259 specified then it is included as the contents of the 256 domain-specific resident keys. The specified application
260 extension/option encoded as a string, otherwise the 257 string must begin with M-bM-^@M-^\ssh:M-bM-^@M-^].
261 extension/option is created with no contents (usually 258
262 indicating a flag). Extensions may be ignored by a 259 challenge=path
263 client or server that does not recognise them, whereas 260 Specifies a path to a challenge string that will be
264 unknown critical options will cause the certificate to be 261 passed to the FIDO token during key generation. The
265 refused. 262 challenge string may be used as part of an out-of-band
266 263 protocol for key enrollment (a random challenge is used
267 force-command=command 264 by default).
268 Forces the execution of command instead of any shell or 265
269 command specified by the user when the certificate is 266 device Explicitly specify a fido(4) device to use, rather than
270 used for authentication. 267 letting the token middleware select one.
271 268
272 no-agent-forwarding 269 no-touch-required
273 Disable ssh-agent(1) forwarding (permitted by default). 270 Indicate that the generated private key should not
274 271 require touch events (user presence) when making
275 no-port-forwarding 272 signatures. Note that sshd(8) will refuse such
276 Disable port forwarding (permitted by default). 273 signatures by default, unless overridden via an
277 274 authorized_keys option.
278 no-pty Disable PTY allocation (permitted by default). 275
279 276 resident
280 no-user-rc 277 Indicate that the key should be stored on the FIDO
281 Disable execution of ~/.ssh/rc by sshd(8) (permitted by 278 authenticator itself. Resident keys may be supported on
282 default). 279 FIDO2 tokens and typically require that a PIN be set on
283 280 the token prior to generation. Resident keys may be
284 no-x11-forwarding 281 loaded off the token using ssh-add(1).
285 Disable X11 forwarding (permitted by default). 282
286 283 user A username to be associated with a resident key,
287 permit-agent-forwarding 284 overriding the empty default username. Specifying a
288 Allows ssh-agent(1) forwarding. 285 username may be useful when generating multiple resident
289 286 keys for the same application name.
290 permit-port-forwarding 287
291 Allows port forwarding. 288 write-attestation=path
292 289 May be used at key generation time to record the
293 permit-pty 290 attestation certificate returned from FIDO tokens during
294 Allows PTY allocation. 291 key generation. By default this information is
295 292 discarded.
296 permit-user-rc 293
297 Allows execution of ~/.ssh/rc by sshd(8). 294 The -O option may be specified multiple times.
298
299 permit-X11-forwarding
300 Allows X11 forwarding.
301
302 source-address=address_list
303 Restrict the source addresses from which the certificate
304 is considered valid. The address_list is a comma-
305 separated list of one or more address/netmask pairs in
306 CIDR format.
307 295
308 -P passphrase 296 -P passphrase
309 Provides the (old) passphrase. 297 Provides the (old) passphrase.
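Review bot: the no-touch-required entry at new 272-274 says sshd(8) refuses such signatures by default "unless overridden via an authorized_keys option" without naming that option; since the same name no-touch-required is used both for this -O key-generation option and for the certificate option under CERTIFICATES, naming the authorized_keys option here, or pointing to its description in sshd(8), would stop readers assuming the three are one mechanism. Minor: write-attestation=path (new 288-292) says the attestation certificate is recorded but not in what format the file is written.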
@@ -326,10 +314,6 @@ DESCRIPTION
326 Print the SSHFP fingerprint resource record named hostname for 314 Print the SSHFP fingerprint resource record named hostname for
327 the specified public key file. 315 the specified public key file.
328 316
329 -S start
330 Specify start point (in hex) when generating candidate moduli for
331 DH-GEX.
332
333 -s ca_key 317 -s ca_key
334 Certify (sign) a public key using the specified CA key. Please 318 Certify (sign) a public key using the specified CA key. Please
335 see the CERTIFICATES section for details. 319 see the CERTIFICATES section for details.
@@ -338,13 +322,9 @@ DESCRIPTION
338 file used to revoke certificates directly by key ID or serial 322 file used to revoke certificates directly by key ID or serial
339 number. See the KEY REVOCATION LISTS section for details. 323 number. See the KEY REVOCATION LISTS section for details.
340 324
341 -T output_file 325 -t dsa | ecdsa | ecdsa-sk | ed25519 | ed25519-sk | rsa
342 Test DH group exchange candidate primes (generated using the -G
343 option) for safety.
344
345 -t dsa | ecdsa | ed25519 | rsa
346 Specifies the type of key to create. The possible values are 326 Specifies the type of key to create. The possible values are
347 M-bM-^@M-^\dsaM-bM-^@M-^], M-bM-^@M-^\ecdsaM-bM-^@M-^], M-bM-^@M-^\ed25519M-bM-^@M-^], or M-bM-^@M-^\rsaM-bM-^@M-^]. 327 M-bM-^@M-^\dsaM-bM-^@M-^], M-bM-^@M-^\ecdsaM-bM-^@M-^], M-bM-^@M-^\ecdsa-skM-bM-^@M-^], M-bM-^@M-^\ed25519M-bM-^@M-^], M-bM-^@M-^\ed25519-skM-bM-^@M-^], or M-bM-^@M-^\rsaM-bM-^@M-^].
348 328
349 This flag may also be used to specify the desired signature type 329 This flag may also be used to specify the desired signature type
350 when signing certificates using an RSA CA key. The available RSA 330 when signing certificates using an RSA CA key. The available RSA
@@ -390,12 +370,28 @@ DESCRIPTION
390 generation. Multiple -v options increase the verbosity. The 370 generation. Multiple -v options increase the verbosity. The
391 maximum is 3. 371 maximum is 3.
392 372
393 -W generator 373 -w provider
394 Specify desired generator when testing candidate moduli for DH- 374 Specifies a path to a library that will be used when creating
395 GEX. 375 FIDO authenticator-hosted keys, overriding the default of using
376 the internal USB HID support.
396 377
397 -y This option will read a private OpenSSH format file and print an 378 -Y find-principals
398 OpenSSH public key to stdout. 379 Find the principal(s) associated with the public key of a
380 signature, provided using the -s flag in an authorized signers
381 file provided using the -f flag. The format of the allowed
382 signers file is documented in the ALLOWED SIGNERS section below.
383 If one or more matching principals are found, they are returned
384 on standard output.
385
386 -Y check-novalidate
387 Checks that a signature generated using ssh-keygen -Y sign has a
388 valid structure. This does not validate if a signature comes
389 from an authorized signer. When testing a signature, ssh-keygen
390 accepts a message on standard input and a signature namespace
391 using -n. A file containing the corresponding signature must
392 also be supplied using the -s flag. Successful testing of the
393 signature is signalled by ssh-keygen returning a zero exit
394 status.
399 395
400 -Y sign 396 -Y sign
401 Cryptographically sign a file or some data using a SSH key. When 397 Cryptographically sign a file or some data using a SSH key. When
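Review bot: the -Y find-principals description at new 379-382 reads awkwardly ("provided using the -s flag in an authorized signers file provided using the -f flag") and calls the file an "authorized signers file", whereas the synopsis (new 34), -Y verify and the ALLOWED SIGNERS section call it the allowed signers file. Suggest "Find the principal(s) associated with the public key of a signature (given with -s) in the allowed signers file (given with -f)." It also only states the success case; unlike check-novalidate and verify, which spell out the zero exit status, the behaviour when no principal matches is left implicit.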
@@ -427,16 +423,10 @@ DESCRIPTION
427 keys can be passed using the -r flag. The revocation file may be 423 keys can be passed using the -r flag. The revocation file may be
428 a KRL or a one-per-line list of public keys. Successful 424 a KRL or a one-per-line list of public keys. Successful
429 verification by an authorized signer is signalled by ssh-keygen 425 verification by an authorized signer is signalled by ssh-keygen
426 returning a zero exit status.
430 427
431 -Y check-novalidate 428 -y This option will read a private OpenSSH format file and print an
432 Checks that a signature generated using ssh-keygen -Y sign has a 429 OpenSSH public key to stdout.
433 valid structure. This does not validate if a signature comes
434 from an authorized signer. When testing a signature, ssh-keygen
435 accepts a message on standard input and a signature namespace
436 using -n. A file containing the corresponding signature must
437 also be supplied using the -s flag. Successful testing of the
438 signature is signalled by ssh-keygen returning a zero exit
439 status.
440 430
441 -z serial_number 431 -z serial_number
442 Specifies a serial number to be embedded in the certificate to 432 Specifies a serial number to be embedded in the certificate to
@@ -455,32 +445,62 @@ MODULI GENERATION
455 intensive process. These candidate primes are then tested for 445 intensive process. These candidate primes are then tested for
456 suitability (a CPU-intensive process). 446 suitability (a CPU-intensive process).
457 447
458 Generation of primes is performed using the -G option. The desired 448 Generation of primes is performed using the -M generate option. The
459 length of the primes may be specified by the -b option. For example: 449 desired length of the primes may be specified by the -O bits option. For
450 example:
460 451
461 # ssh-keygen -G moduli-2048.candidates -b 2048 452 # ssh-keygen -M generate -O bits=2048 moduli-2048.candidates
462 453
463 By default, the search for primes begins at a random point in the desired 454 By default, the search for primes begins at a random point in the desired
464 length range. This may be overridden using the -S option, which 455 length range. This may be overridden using the -O start option, which
465 specifies a different start point (in hex). 456 specifies a different start point (in hex).
466 457
467 Once a set of candidates have been generated, they must be screened for 458 Once a set of candidates have been generated, they must be screened for
468 suitability. This may be performed using the -T option. In this mode 459 suitability. This may be performed using the -M screen option. In this
469 ssh-keygen will read candidates from standard input (or a file specified 460 mode ssh-keygen will read candidates from standard input (or a file
470 using the -f option). For example: 461 specified using the -f option). For example:
471 462
472 # ssh-keygen -T moduli-2048 -f moduli-2048.candidates 463 # ssh-keygen -M screen -f moduli-2048.candidates moduli-2048
473 464
474 By default, each candidate will be subjected to 100 primality tests. 465 By default, each candidate will be subjected to 100 primality tests.
475 This may be overridden using the -a option. The DH generator value will 466 This may be overridden using the -O prime-tests option. The DH generator
476 be chosen automatically for the prime under consideration. If a specific 467 value will be chosen automatically for the prime under consideration. If
477 generator is desired, it may be requested using the -W option. Valid 468 a specific generator is desired, it may be requested using the -O
478 generator values are 2, 3, and 5. 469 generator option. Valid generator values are 2, 3, and 5.
479 470
480 Screened DH groups may be installed in /etc/moduli. It is important that 471 Screened DH groups may be installed in /etc/moduli. It is important that
481 this file contains moduli of a range of bit lengths and that both ends of 472 this file contains moduli of a range of bit lengths and that both ends of
482 a connection share common moduli. 473 a connection share common moduli.
483 474
475 A number of options are available for moduli generation and screening via
476 the -O flag:
477
478 lines=number
479 Exit after screening the specified number of lines while
480 performing DH candidate screening.
481
482 start-line=line-number
483 Start screening at the specified line number while performing DH
484 candidate screening.
485
486 checkpoint=filename
487 Write the last line processed to the specified file while
488 performing DH candidate screening. This will be used to skip
489 lines in the input file that have already been processed if the
490 job is restarted.
491
492 memory=mbytes
493 Specify the amount of memory to use (in megabytes) when
494 generating candidate moduli for DH-GEX.
495
496 start=hex-value
497 Specify start point (in hex) when generating candidate moduli for
498 DH-GEX.
499
500 generator=value
501 Specify desired generator (in decimal) when testing candidate
502 moduli for DH-GEX.
503
484CERTIFICATES 504CERTIFICATES
485 ssh-keygen supports signing of keys to produce certificates that may be 505 ssh-keygen supports signing of keys to produce certificates that may be
486 used for user or host authentication. Certificates consist of a public 506 used for user or host authentication. Certificates consist of a public
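Review bot: the list of moduli -O options at new 475-502 omits two that the section itself uses: bits (new 449 and the example at 452, -O bits=2048) and prime-tests (new 466, which replaces the old -a default of 100 primality tests). Both should be added to the list, bits under generation and prime-tests under screening. The screening example at new 463 also reverses the argument convention of the old -T form (the output file is now the positional argument and the input comes via -f), which deserves a mention for anyone porting moduli-regeneration scripts.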
@@ -531,8 +551,71 @@ CERTIFICATES
531 be specified through certificate options. A certificate option may 551 be specified through certificate options. A certificate option may
532 disable features of the SSH session, may be valid only when presented 552 disable features of the SSH session, may be valid only when presented
533 from particular source addresses or may force the use of a specific 553 from particular source addresses or may force the use of a specific
534 command. For a list of valid certificate options, see the documentation 554 command.
535 for the -O option above. 555
556 The options that are valid for user certificates are:
557
558 clear Clear all enabled permissions. This is useful for clearing the
559 default set of permissions so permissions may be added
560 individually.
561
562 critical:name[=contents]
563 extension:name[=contents]
564 Includes an arbitrary certificate critical option or extension.
565 The specified name should include a domain suffix, e.g.
566 M-bM-^@M-^\name@example.comM-bM-^@M-^]. If contents is specified then it is included
567 as the contents of the extension/option encoded as a string,
568 otherwise the extension/option is created with no contents
569 (usually indicating a flag). Extensions may be ignored by a
570 client or server that does not recognise them, whereas unknown
571 critical options will cause the certificate to be refused.
572
573 force-command=command
574 Forces the execution of command instead of any shell or command
575 specified by the user when the certificate is used for
576 authentication.
577
578 no-agent-forwarding
579 Disable ssh-agent(1) forwarding (permitted by default).
580
581 no-port-forwarding
582 Disable port forwarding (permitted by default).
583
584 no-pty Disable PTY allocation (permitted by default).
585
586 no-user-rc
587 Disable execution of ~/.ssh/rc by sshd(8) (permitted by default).
588
589 no-x11-forwarding
590 Disable X11 forwarding (permitted by default).
591
592 permit-agent-forwarding
593 Allows ssh-agent(1) forwarding.
594
595 permit-port-forwarding
596 Allows port forwarding.
597
598 permit-pty
599 Allows PTY allocation.
600
601 permit-user-rc
602 Allows execution of ~/.ssh/rc by sshd(8).
603
604 permit-X11-forwarding
605 Allows X11 forwarding.
606
607 no-touch-required
608 Do not require signatures made using this key require
609 demonstration of user presence (e.g. by having the user touch the
610 authenticator). This option only makes sense for the FIDO
611 authenticator algorithms ecdsa-sk and ed25519-sk.
612
613 source-address=address_list
614 Restrict the source addresses from which the certificate is
615 considered valid. The address_list is a comma-separated list of
616 one or more address/netmask pairs in CIDR format.
617
618 At present, no standard options are valid for host keys.
536 619
537 Finally, certificates may be defined with a validity lifetime. The -V 620 Finally, certificates may be defined with a validity lifetime. The -V
538 option allows specification of certificate start and end times. A 621 option allows specification of certificate start and end times. A
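Review bot: the no-touch-required certificate option at new 607-611 has a garbled sentence ("Do not require signatures made using this key require demonstration of user presence"); suggest "Do not require signatures made using this key to include a demonstration of user presence". It is also out of the otherwise alphabetical order of the list (it belongs between no-pty and no-user-rc, not after permit-X11-forwarding and before source-address).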
@@ -618,7 +701,7 @@ ALLOWED SIGNERS
618 The principals field is a pattern-list (See PATTERNS in ssh_config(5)) 701 The principals field is a pattern-list (See PATTERNS in ssh_config(5))
619 consisting of one or more comma-separated USER@DOMAIN identity patterns 702 consisting of one or more comma-separated USER@DOMAIN identity patterns
620 that are accepted for signing. When verifying, the identity presented 703 that are accepted for signing. When verifying, the identity presented
621 via the -I -option must match a principals pattern in order for the 704 via the -I option must match a principals pattern in order for the
622 corresponding key to be considered acceptable for verification. 705 corresponding key to be considered acceptable for verification.
623 706
624 The options (if present) consist of comma-separated option 707 The options (if present) consist of comma-separated option
@@ -651,13 +734,22 @@ ALLOWED SIGNERS
651 # A key that is accepted only for file signing. 734 # A key that is accepted only for file signing.
652 user2@example.com namespaces="file" ssh-ed25519 AAA41... 735 user2@example.com namespaces="file" ssh-ed25519 AAA41...
653 736
737ENVIRONMENT
738 SSH_SK_PROVIDER
739 Specifies a path to a library that will be used when loading any
740 FIDO authenticator-hosted keys, overriding the default of using
741 the built-in USB HID support.
742
654FILES 743FILES
655 ~/.ssh/id_dsa 744 ~/.ssh/id_dsa
656 ~/.ssh/id_ecdsa 745 ~/.ssh/id_ecdsa
746 ~/.ssh/id_ecdsa_sk
657 ~/.ssh/id_ed25519 747 ~/.ssh/id_ed25519
748 ~/.ssh/id_ed25519_sk
658 ~/.ssh/id_rsa 749 ~/.ssh/id_rsa
659 Contains the DSA, ECDSA, Ed25519 or RSA authentication identity 750 Contains the DSA, ECDSA, authenticator-hosted ECDSA, Ed25519,
660 of the user. This file should not be readable by anyone but the 751 authenticator-hosted Ed25519 or RSA authentication identity of
752 the user. This file should not be readable by anyone but the
661 user. It is possible to specify a passphrase when generating the 753 user. It is possible to specify a passphrase when generating the
662 key; that passphrase will be used to encrypt the private part of 754 key; that passphrase will be used to encrypt the private part of
663 this file using 128-bit AES. This file is not automatically 755 this file using 128-bit AES. This file is not automatically
@@ -667,9 +759,12 @@ FILES
667 759
668 ~/.ssh/id_dsa.pub 760 ~/.ssh/id_dsa.pub
669 ~/.ssh/id_ecdsa.pub 761 ~/.ssh/id_ecdsa.pub
762 ~/.ssh/id_ecdsa_sk.pub
670 ~/.ssh/id_ed25519.pub 763 ~/.ssh/id_ed25519.pub
764 ~/.ssh/id_ed25519_sk.pub
671 ~/.ssh/id_rsa.pub 765 ~/.ssh/id_rsa.pub
672 Contains the DSA, ECDSA, Ed25519 or RSA public key for 766 Contains the DSA, ECDSA, authenticator-hosted ECDSA, Ed25519,
767 authenticator-hosted Ed25519 or RSA public key for
673 authentication. The contents of this file should be added to 768 authentication. The contents of this file should be added to
674 ~/.ssh/authorized_keys on all machines where the user wishes to 769 ~/.ssh/authorized_keys on all machines where the user wishes to
675 log in using public key authentication. There is no need to keep 770 log in using public key authentication. There is no need to keep
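Review bot: the new SSH_SK_PROVIDER entry at new 739-741 describes the default as "the built-in USB HID support" while -w provider at new 374-376 calls it "the internal USB HID support"; the two describe the same default and should use one wording, and the -w entry could cross-reference the environment variable. Separately, the FILES context at new 753-755 still states the private part is encrypted "using 128-bit AES" while -a at new 106-107 in this same patch describes KDF rounds of the current private key format; worth confirming the cipher statement against what ssh-keygen now writes by default and updating it if stale.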
@@ -691,4 +786,4 @@ AUTHORS
691 created OpenSSH. Markus Friedl contributed the support for SSH protocol 786 created OpenSSH. Markus Friedl contributed the support for SSH protocol
692 versions 1.5 and 2.0. 787 versions 1.5 and 2.0.
693 788
694OpenBSD 6.6 October 3, 2019 OpenBSD 6.6 789OpenBSD 6.6 February 7, 2020 OpenBSD 6.6