| author | djm@openbsd.org <djm@openbsd.org> | 2017-06-28 01:09:22 +0000 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2017-06-28 11:13:19 +1000 |
| commit | a98339edbc1fc21342a390f345179a9c3031bef7 (patch) | |
| tree | 574e103d0a458f96213e808118eb75d39bc3387f /ssh-keygen.1 | |
| parent | c9cdef35524bd59007e17d5bd2502dade69e2dfb (diff) | |
upstream commit
Allow ssh-keygen to use a key held in ssh-agent as a CA when
signing certificates. bz#2377 ok markus
Upstream-ID: fb42e920b592edcbb5b50465739a867c09329c8f
Diffstat (limited to 'ssh-keygen.1')
-rw-r--r-- | ssh-keygen.1 | 22 |
1 files changed, 20 insertions, 2 deletions
diff --git a/ssh-keygen.1 b/ssh-keygen.1 index 786d37d51..66f8321c5 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1 | |||
@@ -1,4 +1,4 @@ | |||
1 | .\" $OpenBSD: ssh-keygen.1,v 1.141 2017/05/05 10:41:58 naddy Exp $ | 1 | .\" $OpenBSD: ssh-keygen.1,v 1.142 2017/06/28 01:09:22 djm Exp $ |
2 | .\" | 2 | .\" |
3 | .\" Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | .\" Author: Tatu Ylonen <ylo@cs.hut.fi> |
4 | .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
@@ -35,7 +35,7 @@ | |||
35 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 35 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
36 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 36 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
37 | .\" | 37 | .\" |
38 | .Dd $Mdocdate: May 5 2017 $ | 38 | .Dd $Mdocdate: June 28 2017 $ |
39 | .Dt SSH-KEYGEN 1 | 39 | .Dt SSH-KEYGEN 1 |
40 | .Os | 40 | .Os |
41 | .Sh NAME | 41 | .Sh NAME |
@@ -114,6 +114,8 @@ | |||
114 | .Fl s Ar ca_key | 114 | .Fl s Ar ca_key |
115 | .Fl I Ar certificate_identity | 115 | .Fl I Ar certificate_identity |
116 | .Op Fl h | 116 | .Op Fl h |
117 | .Op Fl U | ||
118 | .Op Fl D Ar pkcs11_provider | ||
117 | .Op Fl n Ar principals | 119 | .Op Fl n Ar principals |
118 | .Op Fl O Ar option | 120 | .Op Fl O Ar option |
119 | .Op Fl V Ar validity_interval | 121 | .Op Fl V Ar validity_interval |
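Review bot: the synopsis gains both `.Op Fl U` and `.Op Fl D Ar pkcs11_provider` in the `-s` signing form, but the commit message only mentions agent-hosted CA keys; `-D` together with `-s` was already documented by the existing `ssh-keygen -s ca_key.pub -D libpkcs11.so ...` example in CERTIFICATES, so this also fixes a pre-existing synopsis omission and deserves a mention in the commit message. The synopsis also lists `-U` and `-D` as two independent optional flags without showing whether they may be given together; if the CA key can come from only one source per invocation, consider making that mutual exclusion visible here.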
@@ -558,6 +560,14 @@ The possible values are | |||
558 | .Dq ed25519 , | 560 | .Dq ed25519 , |
559 | or | 561 | or |
560 | .Dq rsa . | 562 | .Dq rsa . |
563 | .It Fl U | ||
564 | When used in combination with | ||
565 | .Fl s , | ||
566 | this option indicates that a CA key resides in a | ||
567 | .Xr ssh-agent 1 . | ||
568 | See the | ||
569 | .Sx CERTIFICATES | ||
570 | section for more information. | ||
561 | .It Fl u | 571 | .It Fl u |
562 | Update a KRL. | 572 | Update a KRL. |
563 | When specified with | 573 | When specified with |
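Review bot: the new `.It Fl U` entry says the CA key "resides in a ssh-agent" but does not say how ssh-keygen identifies it; the CERTIFICATES change in this same diff states that the CA key must be identified by its public half, and that detail belongs in the option description too, since a reader of the option list would otherwise pass the private key path to `-s`. Suggest wording along the lines of `this option indicates that the CA key given to` / `.Fl s` / `is a public key whose private half is held in` / `.Xr ssh-agent 1 .` ("the CA key" rather than "a CA key", since `-s` names exactly one).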
@@ -705,6 +715,14 @@ to | |||
705 | .Pp | 715 | .Pp |
706 | .Dl $ ssh-keygen -s ca_key.pub -D libpkcs11.so -I key_id user_key.pub | 716 | .Dl $ ssh-keygen -s ca_key.pub -D libpkcs11.so -I key_id user_key.pub |
707 | .Pp | 717 | .Pp |
718 | Similarly, it is possible for the CA key to be hosted in a | ||
719 | .Xr ssh-agent 1 . | ||
720 | This is indicated by the | ||
721 | .Fl U | ||
722 | flag and, again, the CA key must be identified by its public half. | ||
723 | .Pp | ||
724 | .Dl $ ssh-keygen -Us ca_key.pub -I key_id user_key.pub | ||
725 | .Pp | ||
708 | In all cases, | 726 | In all cases, |
709 | .Ar key_id | 727 | .Ar key_id |
710 | is a "key identifier" that is logged by the server when the certificate | 728 | is a "key identifier" that is logged by the server when the certificate |
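Review bot: the example `.Dl $ ssh-keygen -Us ca_key.pub -I key_id user_key.pub` clusters `-U` with `-s`, whereas the PKCS#11 example two lines above writes each flag separately (`-s ca_key.pub -D libpkcs11.so`); for consistency, and to avoid the misreading that `ca_key.pub` is an argument to `-U`, suggest `ssh-keygen -U -s ca_key.pub -I key_id user_key.pub`. The surrounding prose ("again, the CA key must be identified by its public half") is the only place this requirement is stated for the agent case, so it is worth keeping that sentence even if the example is changed.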