upstream: Remove the -x option currently used for

FIDO/U2F-specific key flags. Instead these flags may be specified via -O. ok markus@ OpenBSD-Commit-ID: f23ebde2a8a7e1bf860a51055a711cffb8c328c1
author: djm@openbsd.org <djm@openbsd.org> 2019-12-30 09:49:52 +0000
committer: Damien Miller <djm@mindrot.org> 2019-12-30 21:02:29 +1100
commit: 3093d12ff80927cf45da08d9f262a26680fb14ee (patch)
tree: ab91da4fce3c19c5518e03dd6db6202d75455f86 /ssh-keygen.1
parent: ef65e7dbaa8fac3245aa2bfc9f7e09be7cba0d9d (diff)
1 files changed, 24 insertions, 15 deletions
diff --git a/ssh-keygen.1 b/ssh-keygen.1
index 9afb92943..1f4edace5 100644
--- a/ssh-keygen.1
+++ b/ssh-keygen.1
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: ssh-keygen.1,v 1.184 2019/12/30 03:30:09 djm Exp $
+.\"     $OpenBSD: ssh-keygen.1,v 1.185 2019/12/30 09:49:52 djm Exp $
 .\"
 .\" Author: Tatu Ylonen <ylo@cs.hut.fi>
 .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -48,10 +48,10 @@
 .Op Fl C Ar comment
 .Op Fl f Ar output_keyfile
 .Op Fl m Ar format
+.Op Fl O Ar option
 .Op Fl t Cm dsa | ecdsa | ecdsa-sk | ed25519 | ed25519-sk | rsa
 .Op Fl N Ar new_passphrase
 .Op Fl w Ar provider
-.Op Fl x Ar flags
 .Nm ssh-keygen
 .Fl p
 .Op Fl f Ar keyfile
@@ -453,7 +453,28 @@ listed in the
 .Sx MODULI GENERATION
 section may be specified.
 .Pp
-This option may be specified multiple times.
+When generating a key that will be hosted on a FIDO authenticator, this
+flag may be used to specify key-specific options.
+Two FIDO authenticator options are supported at present:
+.Pp
+.Cm no-touch-required
+indicates that the generated private key should not require touch
+events (user presence) when making signatures.
+Note that
+.Xr sshd 8
+will refuse such signatures by default, unless overridden via
+an authorized_keys option.
+.Pp
+.Cm resident
+indicates that the key should be stored on the FIDO authenticator itself.
+Resident keys may be supported on FIDO2 tokens and typically require that
+a PIN be set on the token prior to generation.
+Resident keys may be loaded off the token using
+.Xr ssh-add 1 .
+.Pp
+The
+.Fl O
+option may be specified multiple times.
 .It Fl P Ar passphrase
 Provides the (old) passphrase.
 .It Fl p
@@ -573,18 +594,6 @@ The maximum is 3.
 Specifies a path to a library that will be used when creating
 FIDO authenticator-hosted keys, overriding the default of using
 the internal USB HID support.
-.It Fl x Ar flags
-Specifies the authenticator flags to use when enrolling an authenticator-hosted
-key.
-Flags may be specified by name or directly as a hexadecimal value.
-Only one named flag is supported at present:
-.Cm no-touch-required ,
-which indicates that the generated private key should not require touch
-events (user presence) when making signatures.
-Note that
-.Xr sshd 8
-will refuse such signatures by default, unless overridden via
-an authorized_keys option.
 .It Fl Y Cm check-novalidate
 Checks that a signature generated using
 .Nm
author	djm@openbsd.org <djm@openbsd.org>	2019-12-30 09:49:52 +0000
committer	Damien Miller <djm@mindrot.org>	2019-12-30 21:02:29 +1100
commit	3093d12ff80927cf45da08d9f262a26680fb14ee (patch)
tree	ab91da4fce3c19c5518e03dd6db6202d75455f86 /ssh-keygen.1
parent	ef65e7dbaa8fac3245aa2bfc9f7e09be7cba0d9d (diff)

diff --git a/ssh-keygen.1 b/ssh-keygen.1 index 9afb92943..1f4edace5 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: ssh-keygen.1,v 1.184 2019/12/30 03:30:09 djm Exp $	1	.\" $OpenBSD: ssh-keygen.1,v 1.185 2019/12/30 09:49:52 djm Exp $
2	.\"	2	.\"
3	.\" Author: Tatu Ylonen <ylo@cs.hut.fi>	3	.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
4	.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland	4	.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -48,10 +48,10 @@
48	.Op Fl C Ar comment	48	.Op Fl C Ar comment
49	.Op Fl f Ar output_keyfile	49	.Op Fl f Ar output_keyfile
50	.Op Fl m Ar format	50	.Op Fl m Ar format
		51	.Op Fl O Ar option
51	.Op Fl t Cm dsa \| ecdsa \| ecdsa-sk \| ed25519 \| ed25519-sk \| rsa	52	.Op Fl t Cm dsa \| ecdsa \| ecdsa-sk \| ed25519 \| ed25519-sk \| rsa
52	.Op Fl N Ar new_passphrase	53	.Op Fl N Ar new_passphrase
53	.Op Fl w Ar provider	54	.Op Fl w Ar provider
54	.Op Fl x Ar flags
55	.Nm ssh-keygen	55	.Nm ssh-keygen
56	.Fl p	56	.Fl p
57	.Op Fl f Ar keyfile	57	.Op Fl f Ar keyfile
@@ -453,7 +453,28 @@ listed in the
453	.Sx MODULI GENERATION	453	.Sx MODULI GENERATION
454	section may be specified.	454	section may be specified.
455	.Pp	455	.Pp
456	This option may be specified multiple times.	456	When generating a key that will be hosted on a FIDO authenticator, this
		457	flag may be used to specify key-specific options.
		458	Two FIDO authenticator options are supported at present:
		459	.Pp
		460	.Cm no-touch-required
		461	indicates that the generated private key should not require touch
		462	events (user presence) when making signatures.
		463	Note that
		464	.Xr sshd 8
		465	will refuse such signatures by default, unless overridden via
		466	an authorized_keys option.
		467	.Pp
		468	.Cm resident
		469	indicates that the key should be stored on the FIDO authenticator itself.
		470	Resident keys may be supported on FIDO2 tokens and typically require that
		471	a PIN be set on the token prior to generation.
		472	Resident keys may be loaded off the token using
		473	.Xr ssh-add 1 .
		474	.Pp
		475	The
		476	.Fl O
		477	option may be specified multiple times.
457	.It Fl P Ar passphrase	478	.It Fl P Ar passphrase
458	Provides the (old) passphrase.	479	Provides the (old) passphrase.
459	.It Fl p	480	.It Fl p
@@ -573,18 +594,6 @@ The maximum is 3.
573	Specifies a path to a library that will be used when creating	594	Specifies a path to a library that will be used when creating
574	FIDO authenticator-hosted keys, overriding the default of using	595	FIDO authenticator-hosted keys, overriding the default of using
575	the internal USB HID support.	596	the internal USB HID support.
576	.It Fl x Ar flags
577	Specifies the authenticator flags to use when enrolling an authenticator-hosted
578	key.
579	Flags may be specified by name or directly as a hexadecimal value.
580	Only one named flag is supported at present:
581	.Cm no-touch-required ,
582	which indicates that the generated private key should not require touch
583	events (user presence) when making signatures.
584	Note that
585	.Xr sshd 8
586	will refuse such signatures by default, unless overridden via
587	an authorized_keys option.
588	.It Fl Y Cm check-novalidate	597	.It Fl Y Cm check-novalidate
589	Checks that a signature generated using	598	Checks that a signature generated using
590	.Nm	599	.Nm