diff options
| author | djm@openbsd.org <djm@openbsd.org> | 2020-01-28 08:01:34 +0000 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2020-01-29 18:52:55 +1100 |
| commit | 24c0f752adf9021277a7b0a84931bb5fe48ea379 (patch) | |
| tree | cd1b9474e73ad7647b4ad88775365e7430d3fe64 /ssh-keygen.1 | |
| parent | 156bef36f93a48212383235bb8e3d71eaf2b2777 (diff) | |
upstream: changes to support FIDO attestation
Allow writing to disk the attestation certificate that is generated by
the FIDO token at key enrollment time. These certificates may be used
by an out-of-band workflow to prove that a particular key is held in
trustworthy hardware.
Allow passing in a challenge that will be sent to the card during
key enrollment. These are needed to build an attestation workflow
that resists replay attacks.
ok markus@
OpenBSD-Commit-ID: 457dc3c3d689ba39eed328f0817ed9b91a5f78f6
Diffstat (limited to 'ssh-keygen.1')
| -rw-r--r-- | ssh-keygen.1 | 16 |
1 files changed, 14 insertions, 2 deletions
diff --git a/ssh-keygen.1 b/ssh-keygen.1 index b4a873920..c6a976183 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1 | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | .\" $OpenBSD: ssh-keygen.1,v 1.196 2020/01/23 23:31:52 djm Exp $ | 1 | .\" $OpenBSD: ssh-keygen.1,v 1.197 2020/01/28 08:01:34 djm Exp $ |
| 2 | .\" | 2 | .\" |
| 3 | .\" Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | .\" Author: Tatu Ylonen <ylo@cs.hut.fi> |
| 4 | .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
| @@ -35,7 +35,7 @@ | |||
| 35 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 35 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
| 36 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 36 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
| 37 | .\" | 37 | .\" |
| 38 | .Dd $Mdocdate: January 23 2020 $ | 38 | .Dd $Mdocdate: January 28 2020 $ |
| 39 | .Dt SSH-KEYGEN 1 | 39 | .Dt SSH-KEYGEN 1 |
| 40 | .Os | 40 | .Os |
| 41 | .Sh NAME | 41 | .Sh NAME |
| @@ -483,6 +483,14 @@ Note that | |||
| 483 | .Xr sshd 8 | 483 | .Xr sshd 8 |
| 484 | will refuse such signatures by default, unless overridden via | 484 | will refuse such signatures by default, unless overridden via |
| 485 | an authorized_keys option. | 485 | an authorized_keys option. |
| 486 | .It Cm challenge=path | ||
| 487 | Specifies a path to a challenge string that will be passed to the | ||
| 488 | FIDO token during key generation. | ||
| 489 | The challenge string is optional, but may be used as part of an out-of-band | ||
| 490 | protocol for key enrollment. | ||
| 491 | If no | ||
| 492 | .Cm challenge | ||
| 493 | is specified, a random challenge is used. | ||
| 486 | .It Cm resident | 494 | .It Cm resident |
| 487 | Indicate that the key should be stored on the FIDO authenticator itself. | 495 | Indicate that the key should be stored on the FIDO authenticator itself. |
| 488 | Resident keys may be supported on FIDO2 tokens and typically require that | 496 | Resident keys may be supported on FIDO2 tokens and typically require that |
| @@ -494,6 +502,10 @@ A username to be associated with a resident key, | |||
| 494 | overriding the empty default username. | 502 | overriding the empty default username. |
| 495 | Specifying a username may be useful when generating multiple resident keys | 503 | Specifying a username may be useful when generating multiple resident keys |
| 496 | for the same application name. | 504 | for the same application name. |
| 505 | .It Cm write-attestation=path | ||
| 506 | May be used at key generation time to record the attestation certificate | ||
| 507 | returned from FIDO tokens during key generation. | ||
| 508 | By default this information is discarded. | ||
| 497 | .El | 509 | .El |
| 498 | .Pp | 510 | .Pp |
| 499 | The | 511 | The |