diff options
author | djm@openbsd.org <djm@openbsd.org> | 2019-05-20 00:20:35 +0000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2019-05-20 10:21:58 +1000 |
commit | 476e3551b2952ef73acc43d995e832539bf9bc4d (patch) | |
tree | 326f23ca0f27d7fd4242ce88892d0af9a2da2c3c /ssh-keygen.1 | |
parent | 606077ee1e77af5908431d003fb28461ef7be092 (diff) |
upstream: When signing certificates with an RSA key, default to
using the rsa-sha2-512 signature algorithm. Certificates signed by RSA keys
will therefore be incompatible with OpenSSH < 7.2 unless the default is
overridden.
Document the ability of the ssh-keygen -t flag to override the
signature algorithm when signing certificates, and the new default.
ok deraadt@
OpenBSD-Commit-ID: 400c9c15013978204c2cb80f294b03ae4cfc8b95
Diffstat (limited to 'ssh-keygen.1')
-rw-r--r-- | ssh-keygen.1 | 13 |
1 files changed, 11 insertions, 2 deletions
diff --git a/ssh-keygen.1 b/ssh-keygen.1 index f29774249..673bf6e2f 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1 | |||
@@ -1,4 +1,4 @@ | |||
1 | .\" $OpenBSD: ssh-keygen.1,v 1.158 2019/04/19 05:47:44 dtucker Exp $ | 1 | .\" $OpenBSD: ssh-keygen.1,v 1.159 2019/05/20 00:20:35 djm Exp $ |
2 | .\" | 2 | .\" |
3 | .\" Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | .\" Author: Tatu Ylonen <ylo@cs.hut.fi> |
4 | .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
@@ -35,7 +35,7 @@ | |||
35 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 35 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
36 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 36 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
37 | .\" | 37 | .\" |
38 | .Dd $Mdocdate: April 19 2019 $ | 38 | .Dd $Mdocdate: May 20 2019 $ |
39 | .Dt SSH-KEYGEN 1 | 39 | .Dt SSH-KEYGEN 1 |
40 | .Os | 40 | .Os |
41 | .Sh NAME | 41 | .Sh NAME |
@@ -577,6 +577,15 @@ The possible values are | |||
577 | .Dq ed25519 , | 577 | .Dq ed25519 , |
578 | or | 578 | or |
579 | .Dq rsa . | 579 | .Dq rsa . |
580 | .Pp | ||
581 | This flag may also be used to specify the desired signature type when | ||
582 | signing certificates using a RSA CA key. | ||
583 | The available RSA signature variants are | ||
584 | .Dq ssh-rsa | ||
585 | (SHA1 signatures, not recommended), | ||
586 | .Dq rsa-sha2-256 | ||
587 | .Dq rsa-sha2-512 | ||
588 | (the default). | ||
580 | .It Fl U | 589 | .It Fl U |
581 | When used in combination with | 590 | When used in combination with |
582 | .Fl s , | 591 | .Fl s , |