diff options
| author | Colin Watson <cjwatson@debian.org> | 2020-10-18 12:04:32 +0100 |
|---|---|---|
| committer | Colin Watson <cjwatson@debian.org> | 2020-10-18 12:04:32 +0100 |
| commit | 2b2c99658e3e8ed452e28f88f9cdbcdfb2a461cb (patch) | |
| tree | 336445493163aa0370cb7830d97ebd8819b2e2c5 /ssh-keygen.0 | |
| parent | 202f5a676221c244cd450086c334c2b59f339e86 (diff) | |
| parent | 279261e1ea8150c7c64ab5fe7cb4a4ea17acbb29 (diff) | |
Import openssh_8.4p1.orig.tar.gz
Diffstat (limited to 'ssh-keygen.0')
| -rw-r--r-- | ssh-keygen.0 | 47 |
1 files changed, 33 insertions, 14 deletions
diff --git a/ssh-keygen.0 b/ssh-keygen.0 index c388cdf7a..111eb9e08 100644 --- a/ssh-keygen.0 +++ b/ssh-keygen.0 | |||
| @@ -4,21 +4,22 @@ NAME | |||
| 4 | ssh-keygen M-bM-^@M-^S OpenSSH authentication key utility | 4 | ssh-keygen M-bM-^@M-^S OpenSSH authentication key utility |
| 5 | 5 | ||
| 6 | SYNOPSIS | 6 | SYNOPSIS |
| 7 | ssh-keygen [-q] [-b bits] [-C comment] [-f output_keyfile] [-m format] | 7 | ssh-keygen [-q] [-a rounds] [-b bits] [-C comment] [-f output_keyfile] |
| 8 | [-m format] [-N new_passphrase] [-O option] | ||
| 8 | [-t dsa | ecdsa | ecdsa-sk | ed25519 | ed25519-sk | rsa] | 9 | [-t dsa | ecdsa | ecdsa-sk | ed25519 | ed25519-sk | rsa] |
| 9 | [-N new_passphrase] [-O option] [-w provider] | 10 | [-w provider] |
| 10 | ssh-keygen -p [-f keyfile] [-m format] [-N new_passphrase] | 11 | ssh-keygen -p [-a rounds] [-f keyfile] [-m format] [-N new_passphrase] |
| 11 | [-P old_passphrase] | 12 | [-P old_passphrase] |
| 12 | ssh-keygen -i [-f input_keyfile] [-m key_format] | 13 | ssh-keygen -i [-f input_keyfile] [-m key_format] |
| 13 | ssh-keygen -e [-f input_keyfile] [-m key_format] | 14 | ssh-keygen -e [-f input_keyfile] [-m key_format] |
| 14 | ssh-keygen -y [-f input_keyfile] | 15 | ssh-keygen -y [-f input_keyfile] |
| 15 | ssh-keygen -c [-C comment] [-f keyfile] [-P passphrase] | 16 | ssh-keygen -c [-a rounds] [-C comment] [-f keyfile] [-P passphrase] |
| 16 | ssh-keygen -l [-v] [-E fingerprint_hash] [-f input_keyfile] | 17 | ssh-keygen -l [-v] [-E fingerprint_hash] [-f input_keyfile] |
| 17 | ssh-keygen -B [-f input_keyfile] | 18 | ssh-keygen -B [-f input_keyfile] |
| 18 | ssh-keygen -D pkcs11 | 19 | ssh-keygen -D pkcs11 |
| 19 | ssh-keygen -F hostname [-lv] [-f known_hosts_file] | 20 | ssh-keygen -F hostname [-lv] [-f known_hosts_file] |
| 20 | ssh-keygen -H [-f known_hosts_file] | 21 | ssh-keygen -H [-f known_hosts_file] |
| 21 | ssh-keygen -K [-w provider] | 22 | ssh-keygen -K [-a rounds] [-w provider] |
| 22 | ssh-keygen -R hostname [-f known_hosts_file] | 23 | ssh-keygen -R hostname [-f known_hosts_file] |
| 23 | ssh-keygen -r hostname [-g] [-f input_keyfile] | 24 | ssh-keygen -r hostname [-g] [-f input_keyfile] |
| 24 | ssh-keygen -M generate [-O option] output_file | 25 | ssh-keygen -M generate [-O option] output_file |
| @@ -27,7 +28,7 @@ SYNOPSIS | |||
| 27 | [-n principals] [-O option] [-V validity_interval] | 28 | [-n principals] [-O option] [-V validity_interval] |
| 28 | [-z serial_number] file ... | 29 | [-z serial_number] file ... |
| 29 | ssh-keygen -L [-f input_keyfile] | 30 | ssh-keygen -L [-f input_keyfile] |
| 30 | ssh-keygen -A [-f prefix_path] | 31 | ssh-keygen -A [-a rounds] [-f prefix_path] |
| 31 | ssh-keygen -k -f krl_file [-u] [-s ca_public] [-z version_number] | 32 | ssh-keygen -k -f krl_file [-u] [-s ca_public] [-z version_number] |
| 32 | file ... | 33 | file ... |
| 33 | ssh-keygen -Q [-l] -f krl_file file ... | 34 | ssh-keygen -Q [-l] -f krl_file file ... |
| @@ -87,8 +88,8 @@ DESCRIPTION | |||
| 87 | new keys, and existing new-format keys may be converted using this option | 88 | new keys, and existing new-format keys may be converted using this option |
| 88 | in conjunction with the -p (change passphrase) flag. | 89 | in conjunction with the -p (change passphrase) flag. |
| 89 | 90 | ||
| 90 | After a key is generated, instructions below detail where the keys should | 91 | After a key is generated, ssh-keygen will ask where the keys should be |
| 91 | be placed to be activated. | 92 | placed to be activated. |
| 92 | 93 | ||
| 93 | The options are as follows: | 94 | The options are as follows: |
| 94 | 95 | ||
| @@ -104,7 +105,8 @@ DESCRIPTION | |||
| 104 | When saving a private key, this option specifies the number of | 105 | When saving a private key, this option specifies the number of |
| 105 | KDF (key derivation function) rounds used. Higher numbers result | 106 | KDF (key derivation function) rounds used. Higher numbers result |
| 106 | in slower passphrase verification and increased resistance to | 107 | in slower passphrase verification and increased resistance to |
| 107 | brute-force password cracking (should the keys be stolen). | 108 | brute-force password cracking (should the keys be stolen). The |
| 109 | default is 16 rounds. | ||
| 108 | 110 | ||
| 109 | -B Show the bubblebabble digest of specified private or public key | 111 | -B Show the bubblebabble digest of specified private or public key |
| 110 | file. | 112 | file. |
| @@ -182,7 +184,9 @@ DESCRIPTION | |||
| 182 | 184 | ||
| 183 | -K Download resident keys from a FIDO authenticator. Public and | 185 | -K Download resident keys from a FIDO authenticator. Public and |
| 184 | private key files will be written to the current directory for | 186 | private key files will be written to the current directory for |
| 185 | each downloaded key. | 187 | each downloaded key. If multiple FIDO authenticators are |
| 188 | attached, keys will be downloaded from the first touched | ||
| 189 | authenticator. | ||
| 186 | 190 | ||
| 187 | -k Generate a KRL file. In this mode, ssh-keygen will generate a | 191 | -k Generate a KRL file. In this mode, ssh-keygen will generate a |
| 188 | KRL file at the location specified via the -f flag that revokes | 192 | KRL file at the location specified via the -f flag that revokes |
| @@ -285,10 +289,18 @@ DESCRIPTION | |||
| 285 | username may be useful when generating multiple resident | 289 | username may be useful when generating multiple resident |
| 286 | keys for the same application name. | 290 | keys for the same application name. |
| 287 | 291 | ||
| 292 | verify-required | ||
| 293 | Indicate that this private key should require user | ||
| 294 | verification for each signature. Not all FIDO tokens | ||
| 295 | support this option. Currently PIN authentication is the | ||
| 296 | only supported verification method, but other methods may | ||
| 297 | be supported in the future. | ||
| 298 | |||
| 288 | write-attestation=path | 299 | write-attestation=path |
| 289 | May be used at key generation time to record the | 300 | May be used at key generation time to record the |
| 290 | attestation certificate returned from FIDO tokens during | 301 | attestation data returned from FIDO tokens during key |
| 291 | key generation. By default this information is | 302 | generation. Please note that this information is |
| 303 | potentially sensitive. By default, this information is | ||
| 292 | discarded. | 304 | discarded. |
| 293 | 305 | ||
| 294 | The -O option may be specified multiple times. | 306 | The -O option may be specified multiple times. |
| @@ -606,7 +618,7 @@ CERTIFICATES | |||
| 606 | Allows X11 forwarding. | 618 | Allows X11 forwarding. |
| 607 | 619 | ||
| 608 | no-touch-required | 620 | no-touch-required |
| 609 | Do not require signatures made using this key require | 621 | Do not require signatures made using this key include |
| 610 | demonstration of user presence (e.g. by having the user touch the | 622 | demonstration of user presence (e.g. by having the user touch the |
| 611 | authenticator). This option only makes sense for the FIDO | 623 | authenticator). This option only makes sense for the FIDO |
| 612 | authenticator algorithms ecdsa-sk and ed25519-sk. | 624 | authenticator algorithms ecdsa-sk and ed25519-sk. |
| @@ -616,6 +628,13 @@ CERTIFICATES | |||
| 616 | considered valid. The address_list is a comma-separated list of | 628 | considered valid. The address_list is a comma-separated list of |
| 617 | one or more address/netmask pairs in CIDR format. | 629 | one or more address/netmask pairs in CIDR format. |
| 618 | 630 | ||
| 631 | verify-required | ||
| 632 | Require signatures made using this key indicate that the user was | ||
| 633 | first verified. This option only makes sense for the FIDO | ||
| 634 | authenticator algorithms ecdsa-sk and ed25519-sk. Currently PIN | ||
| 635 | authentication is the only supported verification method, but | ||
| 636 | other methods may be supported in the future. | ||
| 637 | |||
| 619 | At present, no standard options are valid for host keys. | 638 | At present, no standard options are valid for host keys. |
| 620 | 639 | ||
| 621 | Finally, certificates may be defined with a validity lifetime. The -V | 640 | Finally, certificates may be defined with a validity lifetime. The -V |
| @@ -787,4 +806,4 @@ AUTHORS | |||
| 787 | created OpenSSH. Markus Friedl contributed the support for SSH protocol | 806 | created OpenSSH. Markus Friedl contributed the support for SSH protocol |
| 788 | versions 1.5 and 2.0. | 807 | versions 1.5 and 2.0. |
| 789 | 808 | ||
| 790 | OpenBSD 6.7 April 3, 2020 OpenBSD 6.7 | 809 | OpenBSD 6.8 September 9, 2020 OpenBSD 6.8 |