author | djm@openbsd.org <djm@openbsd.org> | 2019-12-30 09:49:52 +0000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2019-12-30 21:02:29 +1100 |
commit | 3093d12ff80927cf45da08d9f262a26680fb14ee (patch) | |
tree | ab91da4fce3c19c5518e03dd6db6202d75455f86 /ssh-keygen.1 | |
parent | ef65e7dbaa8fac3245aa2bfc9f7e09be7cba0d9d (diff) |
upstream: Remove the -x option currently used for
FIDO/U2F-specific key flags. Instead these flags may be specified via -O.
ok markus@
OpenBSD-Commit-ID: f23ebde2a8a7e1bf860a51055a711cffb8c328c1
Diffstat (limited to 'ssh-keygen.1')
-rw-r--r-- | ssh-keygen.1 | 39 |
1 files changed, 24 insertions, 15 deletions
diff --git a/ssh-keygen.1 b/ssh-keygen.1 index 9afb92943..1f4edace5 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1 | |||
@@ -1,4 +1,4 @@ | |||
1 | .\" $OpenBSD: ssh-keygen.1,v 1.184 2019/12/30 03:30:09 djm Exp $ | 1 | .\" $OpenBSD: ssh-keygen.1,v 1.185 2019/12/30 09:49:52 djm Exp $ |
2 | .\" | 2 | .\" |
3 | .\" Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | .\" Author: Tatu Ylonen <ylo@cs.hut.fi> |
4 | .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
@@ -48,10 +48,10 @@ | |||
48 | .Op Fl C Ar comment | 48 | .Op Fl C Ar comment |
49 | .Op Fl f Ar output_keyfile | 49 | .Op Fl f Ar output_keyfile |
50 | .Op Fl m Ar format | 50 | .Op Fl m Ar format |
51 | .Op Fl O Ar option | ||
51 | .Op Fl t Cm dsa | ecdsa | ecdsa-sk | ed25519 | ed25519-sk | rsa | 52 | .Op Fl t Cm dsa | ecdsa | ecdsa-sk | ed25519 | ed25519-sk | rsa |
52 | .Op Fl N Ar new_passphrase | 53 | .Op Fl N Ar new_passphrase |
53 | .Op Fl w Ar provider | 54 | .Op Fl w Ar provider |
54 | .Op Fl x Ar flags | ||
55 | .Nm ssh-keygen | 55 | .Nm ssh-keygen |
56 | .Fl p | 56 | .Fl p |
57 | .Op Fl f Ar keyfile | 57 | .Op Fl f Ar keyfile |
@@ -453,7 +453,28 @@ listed in the | |||
453 | .Sx MODULI GENERATION | 453 | .Sx MODULI GENERATION |
454 | section may be specified. | 454 | section may be specified. |
455 | .Pp | 455 | .Pp |
456 | This option may be specified multiple times. | 456 | When generating a key that will be hosted on a FIDO authenticator, this |
457 | flag may be used to specify key-specific options. | ||
458 | Two FIDO authenticator options are supported at present: | ||
459 | .Pp | ||
460 | .Cm no-touch-required | ||
461 | indicates that the generated private key should not require touch | ||
462 | events (user presence) when making signatures. | ||
463 | Note that | ||
464 | .Xr sshd 8 | ||
465 | will refuse such signatures by default, unless overridden via | ||
466 | an authorized_keys option. | ||
467 | .Pp | ||
468 | .Cm resident | ||
469 | indicates that the key should be stored on the FIDO authenticator itself. | ||
470 | Resident keys may be supported on FIDO2 tokens and typically require that | ||
471 | a PIN be set on the token prior to generation. | ||
472 | Resident keys may be loaded off the token using | ||
473 | .Xr ssh-add 1 . | ||
474 | .Pp | ||
475 | The | ||
476 | .Fl O | ||
477 | option may be specified multiple times. | ||
457 | .It Fl P Ar passphrase | 478 | .It Fl P Ar passphrase |
458 | Provides the (old) passphrase. | 479 | Provides the (old) passphrase. |
459 | .It Fl p | 480 | .It Fl p |
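Review bot: In the paragraph added at new lines 456-457, "this flag may be used to specify key-specific options" has no clear antecedent, because the same item also covers the options from the MODULI GENERATION section referenced in the context lines just above. Name the option explicitly with ".Fl O", as the closing sentence at new lines 475-477 already does. Separately, the no-touch-required text at new lines 463-466 says sshd(8) refuses such signatures "unless overridden via an authorized_keys option" but does not name that option; since this is the sentence that tells an administrator how user presence enforcement gets relaxed on the server side, naming the option here would save a lookup in sshd(8).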
@@ -573,18 +594,6 @@ The maximum is 3. | |||
573 | Specifies a path to a library that will be used when creating | 594 | Specifies a path to a library that will be used when creating |
574 | FIDO authenticator-hosted keys, overriding the default of using | 595 | FIDO authenticator-hosted keys, overriding the default of using |
575 | the internal USB HID support. | 596 | the internal USB HID support. |
576 | .It Fl x Ar flags | ||
577 | Specifies the authenticator flags to use when enrolling an authenticator-hosted | ||
578 | key. | ||
579 | Flags may be specified by name or directly as a hexadecimal value. | ||
580 | Only one named flag is supported at present: | ||
581 | .Cm no-touch-required , | ||
582 | which indicates that the generated private key should not require touch | ||
583 | events (user presence) when making signatures. | ||
584 | Note that | ||
585 | .Xr sshd 8 | ||
586 | will refuse such signatures by default, unless overridden via | ||
587 | an authorized_keys option. | ||
588 | .It Fl Y Cm check-novalidate | 597 | .It Fl Y Cm check-novalidate |
589 | Checks that a signature generated using | 598 | Checks that a signature generated using |
590 | .Nm | 599 | .Nm |
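Review bot: The removed -x text at old line 579 documented that flags "may be specified by name or directly as a hexadecimal value", and nothing in the -O text added by this patch says whether a numeric form is still accepted. If the hexadecimal form was dropped on purpose, say so in the commit message or the manual; if it is still accepted via -O, carry that sentence over to the -O description. The manual also gives no pointer from -x to -O, so a reader with an existing invocation that uses "-x no-touch-required" has nothing in the page telling them the replacement is "-O no-touch-required".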