diff options
| author | Colin Watson <cjwatson@debian.org> | 2011-09-06 14:56:29 +0100 |
|---|---|---|
| committer | Colin Watson <cjwatson@debian.org> | 2011-09-06 14:56:29 +0100 |
| commit | 978e62d6f14c60747bddef2cc72d66a9c8b83b54 (patch) | |
| tree | 89400a44e42d84937deba7864e4964d6c7734da5 /ssh-keygen.0 | |
| parent | 87c685b8c6a49814fd782288097b3093f975aa72 (diff) | |
| parent | 3a7e89697ca363de0f64e0d5704c57219294e41c (diff) | |
* New upstream release (http://www.openssh.org/txt/release-5.9).
- Introduce sandboxing of the pre-auth privsep child using an optional
sshd_config(5) "UsePrivilegeSeparation=sandbox" mode that enables
mandatory restrictions on the syscalls the privsep child can perform.
- Add new SHA256-based HMAC transport integrity modes from
http://www.ietf.org/id/draft-dbider-sha2-mac-for-ssh-02.txt.
- The pre-authentication sshd(8) privilege separation slave process now
logs via a socket shared with the master process, avoiding the need to
maintain /dev/log inside the chroot (closes: #75043, #429243,
#599240).
- ssh(1) now warns when a server refuses X11 forwarding (closes:
#504757).
- sshd_config(5)'s AuthorizedKeysFile now accepts multiple paths,
separated by whitespace (closes: #76312). The authorized_keys2
fallback is deprecated but documented (closes: #560156).
- ssh(1) and sshd(8): set IPv6 traffic class from IPQoS, as well as IPv4
ToS/DSCP (closes: #498297).
- ssh-add(1) now accepts keys piped from standard input. E.g. "ssh-add
- < /path/to/key" (closes: #229124).
- Clean up lost-passphrase text in ssh-keygen(1) (closes: #444691).
- Say "required" rather than "recommended" in unprotected-private-key
warning (LP: #663455).
Diffstat (limited to 'ssh-keygen.0')
| -rw-r--r-- | ssh-keygen.0 | 21 |
1 files changed, 16 insertions, 5 deletions
diff --git a/ssh-keygen.0 b/ssh-keygen.0 index a01b30db0..6c1763d4d 100644 --- a/ssh-keygen.0 +++ b/ssh-keygen.0 | |||
| @@ -24,6 +24,7 @@ SYNOPSIS | |||
| 24 | ssh-keygen -s ca_key -I certificate_identity [-h] [-n principals] | 24 | ssh-keygen -s ca_key -I certificate_identity [-h] [-n principals] |
| 25 | [-O option] [-V validity_interval] [-z serial_number] file ... | 25 | [-O option] [-V validity_interval] [-z serial_number] file ... |
| 26 | ssh-keygen -L [-f input_keyfile] | 26 | ssh-keygen -L [-f input_keyfile] |
| 27 | ssh-keygen -A | ||
| 27 | 28 | ||
| 28 | DESCRIPTION | 29 | DESCRIPTION |
| 29 | ssh-keygen generates, manages and converts authentication keys for | 30 | ssh-keygen generates, manages and converts authentication keys for |
| @@ -57,8 +58,8 @@ DESCRIPTION | |||
| 57 | the -p option. | 58 | the -p option. |
| 58 | 59 | ||
| 59 | There is no way to recover a lost passphrase. If the passphrase is lost | 60 | There is no way to recover a lost passphrase. If the passphrase is lost |
| 60 | or forgotten, a new key must be generated and copied to the corresponding | 61 | or forgotten, a new key must be generated and the corresponding public |
| 61 | public key to other machines. | 62 | key copied to other machines. |
| 62 | 63 | ||
| 63 | For RSA1 keys, there is also a comment field in the key file that is only | 64 | For RSA1 keys, there is also a comment field in the key file that is only |
| 64 | for convenience to the user to help identify the key. The comment can | 65 | for convenience to the user to help identify the key. The comment can |
| @@ -71,6 +72,12 @@ DESCRIPTION | |||
| 71 | 72 | ||
| 72 | The options are as follows: | 73 | The options are as follows: |
| 73 | 74 | ||
| 75 | -A For each of the key types (rsa1, rsa, dsa and ecdsa) for which | ||
| 76 | host keys do not exist, generate the host keys with the default | ||
| 77 | key file path, an empty passphrase, default bits for the key | ||
| 78 | type, and default comment. This is used by /etc/rc to generate | ||
| 79 | new host keys. | ||
| 80 | |||
| 74 | -a trials | 81 | -a trials |
| 75 | Specifies the number of primality tests to perform when screening | 82 | Specifies the number of primality tests to perform when screening |
| 76 | DH-GEX candidates using the -T command. | 83 | DH-GEX candidates using the -T command. |
| @@ -82,7 +89,11 @@ DESCRIPTION | |||
| 82 | Specifies the number of bits in the key to create. For RSA keys, | 89 | Specifies the number of bits in the key to create. For RSA keys, |
| 83 | the minimum size is 768 bits and the default is 2048 bits. | 90 | the minimum size is 768 bits and the default is 2048 bits. |
| 84 | Generally, 2048 bits is considered sufficient. DSA keys must be | 91 | Generally, 2048 bits is considered sufficient. DSA keys must be |
| 85 | exactly 1024 bits as specified by FIPS 186-2. | 92 | exactly 1024 bits as specified by FIPS 186-2. For ECDSA keys, |
| 93 | the -b flag determines they key length by selecting from one of | ||
| 94 | three elliptic curve sizes: 256, 384 or 521 bits. Attempting to | ||
| 95 | use bit lengths other than these three values for ECDSA keys will | ||
| 96 | fail. | ||
| 86 | 97 | ||
| 87 | -C comment | 98 | -C comment |
| 88 | Provides a new comment. | 99 | Provides a new comment. |
| @@ -231,7 +242,7 @@ DESCRIPTION | |||
| 231 | containing the private key, for the old passphrase, and twice for | 242 | containing the private key, for the old passphrase, and twice for |
| 232 | the new passphrase. | 243 | the new passphrase. |
| 233 | 244 | ||
| 234 | -q Silence ssh-keygen. Used by /etc/rc when creating a new key. | 245 | -q Silence ssh-keygen. |
| 235 | 246 | ||
| 236 | -R hostname | 247 | -R hostname |
| 237 | Removes all keys belonging to hostname from a known_hosts file. | 248 | Removes all keys belonging to hostname from a known_hosts file. |
| @@ -440,4 +451,4 @@ AUTHORS | |||
| 440 | created OpenSSH. Markus Friedl contributed the support for SSH protocol | 451 | created OpenSSH. Markus Friedl contributed the support for SSH protocol |
| 441 | versions 1.5 and 2.0. | 452 | versions 1.5 and 2.0. |
| 442 | 453 | ||
| 443 | OpenBSD 4.9 October 28, 2010 OpenBSD 4.9 | 454 | OpenBSD 5.0 April 13, 2011 OpenBSD 5.0 |