author naddy@openbsd.org <naddy@openbsd.org> 2019-11-07 08:38:38 +0000
committer Damien Miller <djm@mindrot.org> 2019-11-08 14:09:32 +1100
commit aa4c640dc362816d63584a16e786d5e314e24390
tree ff9a6015ea0de5579d49d66d42590d93887fd7aa /ssh-keygen.1
parent b236b27d6dada7f0542214003632b4e9b7aa1380
upstream: Fill in missing man page bits for U2F security key support:
Mention the new key types, the ~/.ssh/id_ecdsa_sk file, ssh's SecurityKeyProvider keyword, the SSH_SK_PROVIDER environment variable, and ssh-keygen's new -w and -x options. Copy the ssh-sk-helper man page from ssh-pkcs11-helper with minimal substitutions.

ok djm@

OpenBSD-Commit-ID: ef2e8f83d0c0ce11ad9b8c28945747e5ca337ac4
Diffstat (limited to 'ssh-keygen.1')
-rw-r--r-- ssh-keygen.1 36
1 files changed, 28 insertions, 8 deletions
diff --git a/ssh-keygen.1 b/ssh-keygen.1
index dca566ca2..bdb5015d1 100644
--- a/ssh-keygen.1
+++ b/ssh-keygen.1
@@ -1,4 +1,4 @@
1.\" $OpenBSD: ssh-keygen.1,v 1.172 2019/10/22 08:50:35 jmc Exp $ 1.\" $OpenBSD: ssh-keygen.1,v 1.173 2019/11/07 08:38:38 naddy Exp $
2.\" 2.\"
3.\" Author: Tatu Ylonen <ylo@cs.hut.fi> 3.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
4.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -35,7 +35,7 @@
35.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 35.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
36.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 36.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
37.\" 37.\"
38.Dd $Mdocdate: October 22 2019 $ 38.Dd $Mdocdate: November 7 2019 $
39.Dt SSH-KEYGEN 1 39.Dt SSH-KEYGEN 1
40.Os 40.Os
41.Sh NAME 41.Sh NAME
@@ -48,8 +48,10 @@
48.Op Fl C Ar comment 48.Op Fl C Ar comment
49.Op Fl f Ar output_keyfile 49.Op Fl f Ar output_keyfile
50.Op Fl m Ar format 50.Op Fl m Ar format
51.Op Fl t Cm dsa | ecdsa | ecdsa-sk | ed25519 | rsa
51.Op Fl N Ar new_passphrase 52.Op Fl N Ar new_passphrase
52.Op Fl t Cm dsa | ecdsa | ed25519 | rsa 53.Op Fl w Ar provider
54.Op Fl x Ar flags
53.Nm ssh-keygen 55.Nm ssh-keygen
54.Fl p 56.Fl p
55.Op Fl f Ar keyfile 57.Op Fl f Ar keyfile
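Review bot: In the SYNOPSIS, the updated `.Op Fl t` line now sits ahead of `.Op Fl N Ar new_passphrase`, where the old text had it after `-N`; that breaks the case-insensitive alphabetical order the rest of this block follows (`-C`, `-f`, `-m`, `-N`, then `-t`). Keep `-t` in its old slot and only add `ecdsa-sk` to it, so the sequence reads `-N`, `-t`, `-w`, `-x`.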
@@ -188,6 +190,7 @@ with public key authentication runs this once to create the authentication
188key in 190key in
189.Pa ~/.ssh/id_dsa , 191.Pa ~/.ssh/id_dsa ,
190.Pa ~/.ssh/id_ecdsa , 192.Pa ~/.ssh/id_ecdsa ,
193.Pa ~/.ssh/id_ecdsa_sk ,
191.Pa ~/.ssh/id_ed25519 194.Pa ~/.ssh/id_ed25519
192or 195or
193.Pa ~/.ssh/id_rsa . 196.Pa ~/.ssh/id_rsa .
@@ -248,7 +251,7 @@ should be placed to be activated.
248The options are as follows: 251The options are as follows:
249.Bl -tag -width Ds 252.Bl -tag -width Ds
250.It Fl A 253.It Fl A
251For each of the key types (rsa, dsa, ecdsa and ed25519) 254For each of the key types (rsa, dsa, ecdsa, ecdsa-sk and ed25519)
252for which host keys 255for which host keys
253do not exist, generate the host keys with the default key file path, 256do not exist, generate the host keys with the default key file path,
254an empty passphrase, default bits for the key type, and default comment. 257an empty passphrase, default bits for the key type, and default comment.
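Review bot: Adding ecdsa-sk to the `-A` list needs checking against the code before it goes in. `-A` is described here as generating host keys with an empty passphrase and default settings, while the same change describes ecdsa-sk keys as security key-hosted and created through a provider library; if `-A` does not actually enroll a hardware key, drop ecdsa-sk from this sentence, and if it does, state the provider requirement here.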
@@ -282,7 +285,7 @@ flag determines the key length by selecting from one of three elliptic
282curve sizes: 256, 384 or 521 bits. 285curve sizes: 256, 384 or 521 bits.
283Attempting to use bit lengths other than these three values for ECDSA keys 286Attempting to use bit lengths other than these three values for ECDSA keys
284will fail. 287will fail.
285Ed25519 keys have a fixed length and the 288ECDSA-SK and Ed25519 keys have a fixed length and the
286.Fl b 289.Fl b
287flag will be ignored. 290flag will be ignored.
288.It Fl C Ar comment 291.It Fl C Ar comment
@@ -583,11 +586,12 @@ section for details.
583Test DH group exchange candidate primes (generated using the 586Test DH group exchange candidate primes (generated using the
584.Fl G 587.Fl G
585option) for safety. 588option) for safety.
586.It Fl t Cm dsa | ecdsa | ed25519 | rsa 589.It Fl t Cm dsa | ecdsa | ecdsa-sk | ed25519 | rsa
587Specifies the type of key to create. 590Specifies the type of key to create.
588The possible values are 591The possible values are
589.Dq dsa , 592.Dq dsa ,
590.Dq ecdsa , 593.Dq ecdsa ,
594.Dq ecdsa-sk ,
591.Dq ed25519 , 595.Dq ed25519 ,
592or 596or
593.Dq rsa . 597.Dq rsa .
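Review bot: The `-t` entry gains `.Dq ecdsa-sk ,` as a possible value with no word on what distinguishes it from `ecdsa`. Add a sentence saying it creates a security key-hosted key and pointing the reader to `-w` and `SSH_SK_PROVIDER`, since the `-w` text says a provider library is used when creating such keys.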
@@ -658,6 +662,14 @@ options increase the verbosity.
658The maximum is 3. 662The maximum is 3.
659.It Fl W Ar generator 663.It Fl W Ar generator
660Specify desired generator when testing candidate moduli for DH-GEX. 664Specify desired generator when testing candidate moduli for DH-GEX.
665.It Fl w Ar provider
666Specifies a path to a security key provider library that will be used when
667creating any security key-hosted keys, overriding the default of using the
668.Ev SSH_SK_PROVIDER
669environment variable to specify a provider.
670.It Fl x Ar flags
671Specifies the security key flags to use when enrolling a security key-hosted
672key.
661.It Fl y 673.It Fl y
662This option will read a private 674This option will read a private
663OpenSSH format file and print an OpenSSH public key to stdout. 675OpenSSH format file and print an OpenSSH public key to stdout.
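Review bot: The `-x flags` entry does not say what form the flags argument takes, which values are valid, or what is used when `-x` is omitted, so a reader cannot use the option from this text alone. The `-w` entry also leaves open what happens when neither `-w` nor `SSH_SK_PROVIDER` is set; document both, and consider shortening "overriding the default of using the SSH_SK_PROVIDER environment variable to specify a provider" to a plain statement that `-w` overrides `SSH_SK_PROVIDER`.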
@@ -1020,13 +1032,20 @@ user1@example.com,user2@example.com ssh-rsa AAAAX1...
1020# A key that is accepted only for file signing. 1032# A key that is accepted only for file signing.
1021user2@example.com namespaces="file" ssh-ed25519 AAA41... 1033user2@example.com namespaces="file" ssh-ed25519 AAA41...
1022.Ed 1034.Ed
1035.Sh ENVIRONMENT
1036.Bl -tag -width Ds
1037.It Ev SSH_SK_PROVIDER
1038Specifies the path to a security key provider library used to interact with
1039hardware security keys.
1040.El
1023.Sh FILES 1041.Sh FILES
1024.Bl -tag -width Ds -compact 1042.Bl -tag -width Ds -compact
1025.It Pa ~/.ssh/id_dsa 1043.It Pa ~/.ssh/id_dsa
1026.It Pa ~/.ssh/id_ecdsa 1044.It Pa ~/.ssh/id_ecdsa
1045.It Pa ~/.ssh/id_ecdsa_sk
1027.It Pa ~/.ssh/id_ed25519 1046.It Pa ~/.ssh/id_ed25519
1028.It Pa ~/.ssh/id_rsa 1047.It Pa ~/.ssh/id_rsa
1029Contains the DSA, ECDSA, Ed25519 or RSA 1048Contains the DSA, ECDSA, security key-hosted ECDSA, Ed25519 or RSA
1030authentication identity of the user. 1049authentication identity of the user.
1031This file should not be readable by anyone but the user. 1050This file should not be readable by anyone but the user.
1032It is possible to 1051It is possible to
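Review bot: In FILES, `~/.ssh/id_ecdsa_sk` is folded into the existing sentence, so the page now says the file "Contains the ... security key-hosted ECDSA ... authentication identity" and must not be readable by others, without explaining what is stored on disk for a key that is hosted on the hardware key. Spell out what the file holds and whether the hardware key is still needed to use it. The new ENVIRONMENT entry should also say that `-w` overrides `SSH_SK_PROVIDER`, matching the `-w` text.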
@@ -1040,9 +1059,10 @@ will read this file when a login attempt is made.
1040.Pp 1059.Pp
1041.It Pa ~/.ssh/id_dsa.pub 1060.It Pa ~/.ssh/id_dsa.pub
1042.It Pa ~/.ssh/id_ecdsa.pub 1061.It Pa ~/.ssh/id_ecdsa.pub
1062.It Pa ~/.ssh/id_ecdsa_sk.pub
1043.It Pa ~/.ssh/id_ed25519.pub 1063.It Pa ~/.ssh/id_ed25519.pub
1044.It Pa ~/.ssh/id_rsa.pub 1064.It Pa ~/.ssh/id_rsa.pub
1045Contains the DSA, ECDSA, Ed25519 or RSA 1065Contains the DSA, ECDSA, security key-hosted ECDSA, Ed25519 or RSA
1046public key for authentication. 1066public key for authentication.
1047The contents of this file should be added to 1067The contents of this file should be added to
1048.Pa ~/.ssh/authorized_keys 1068.Pa ~/.ssh/authorized_keys