author | naddy@openbsd.org <naddy@openbsd.org> | 2019-11-07 08:38:38 +0000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2019-11-08 14:09:32 +1100 |
commit | aa4c640dc362816d63584a16e786d5e314e24390 (patch) | |
tree | ff9a6015ea0de5579d49d66d42590d93887fd7aa /ssh-keygen.1 | |
parent | b236b27d6dada7f0542214003632b4e9b7aa1380 (diff) |
upstream: Fill in missing man page bits for U2F security key support:
Mention the new key types, the ~/.ssh/id_ecdsa_sk file, ssh's
SecurityKeyProvider keyword, the SSH_SK_PROVIDER environment variable,
and ssh-keygen's new -w and -x options.
Copy the ssh-sk-helper man page from ssh-pkcs11-helper with minimal
substitutions.
ok djm@
OpenBSD-Commit-ID: ef2e8f83d0c0ce11ad9b8c28945747e5ca337ac4
Diffstat (limited to 'ssh-keygen.1')
-rw-r--r-- | ssh-keygen.1 | 36 |
1 files changed, 28 insertions, 8 deletions
diff --git a/ssh-keygen.1 b/ssh-keygen.1 index dca566ca2..bdb5015d1 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1 | |||
@@ -1,4 +1,4 @@ | |||
1 | .\" $OpenBSD: ssh-keygen.1,v 1.172 2019/10/22 08:50:35 jmc Exp $ | 1 | .\" $OpenBSD: ssh-keygen.1,v 1.173 2019/11/07 08:38:38 naddy Exp $ |
2 | .\" | 2 | .\" |
3 | .\" Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | .\" Author: Tatu Ylonen <ylo@cs.hut.fi> |
4 | .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
@@ -35,7 +35,7 @@ | |||
35 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 35 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
36 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 36 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
37 | .\" | 37 | .\" |
38 | .Dd $Mdocdate: October 22 2019 $ | 38 | .Dd $Mdocdate: November 7 2019 $ |
39 | .Dt SSH-KEYGEN 1 | 39 | .Dt SSH-KEYGEN 1 |
40 | .Os | 40 | .Os |
41 | .Sh NAME | 41 | .Sh NAME |
@@ -48,8 +48,10 @@ | |||
48 | .Op Fl C Ar comment | 48 | .Op Fl C Ar comment |
49 | .Op Fl f Ar output_keyfile | 49 | .Op Fl f Ar output_keyfile |
50 | .Op Fl m Ar format | 50 | .Op Fl m Ar format |
51 | .Op Fl t Cm dsa | ecdsa | ecdsa-sk | ed25519 | rsa | ||
51 | .Op Fl N Ar new_passphrase | 52 | .Op Fl N Ar new_passphrase |
52 | .Op Fl t Cm dsa | ecdsa | ed25519 | rsa | 53 | .Op Fl w Ar provider |
54 | .Op Fl x Ar flags | ||
53 | .Nm ssh-keygen | 55 | .Nm ssh-keygen |
54 | .Fl p | 56 | .Fl p |
55 | .Op Fl f Ar keyfile | 57 | .Op Fl f Ar keyfile |
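Review bot: in the SYNOPSIS hunk, `.Op Fl t Cm dsa | ecdsa | ecdsa-sk | ed25519 | rsa` is moved from after `.Op Fl N Ar new_passphrase` to before it, which breaks the case-insensitive alphabetical order the rest of this synopsis follows (-b, -C, -f, -m, -N, -t), and the commit message does not say why. If the intent is to group -t with the new -w and -x, say so in the commit message; otherwise leave -t where it was and add `.Op Fl w Ar provider` and `.Op Fl x Ar flags` after it.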
@@ -188,6 +190,7 @@ with public key authentication runs this once to create the authentication | |||
188 | key in | 190 | key in |
189 | .Pa ~/.ssh/id_dsa , | 191 | .Pa ~/.ssh/id_dsa , |
190 | .Pa ~/.ssh/id_ecdsa , | 192 | .Pa ~/.ssh/id_ecdsa , |
193 | .Pa ~/.ssh/id_ecdsa_sk , | ||
191 | .Pa ~/.ssh/id_ed25519 | 194 | .Pa ~/.ssh/id_ed25519 |
192 | or | 195 | or |
193 | .Pa ~/.ssh/id_rsa . | 196 | .Pa ~/.ssh/id_rsa . |
@@ -248,7 +251,7 @@ should be placed to be activated. | |||
248 | The options are as follows: | 251 | The options are as follows: |
249 | .Bl -tag -width Ds | 252 | .Bl -tag -width Ds |
250 | .It Fl A | 253 | .It Fl A |
251 | For each of the key types (rsa, dsa, ecdsa and ed25519) | 254 | For each of the key types (rsa, dsa, ecdsa, ecdsa-sk and ed25519) |
252 | for which host keys | 255 | for which host keys |
253 | do not exist, generate the host keys with the default key file path, | 256 | do not exist, generate the host keys with the default key file path, |
254 | an empty passphrase, default bits for the key type, and default comment. | 257 | an empty passphrase, default bits for the key type, and default comment. |
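Review bot: adding ecdsa-sk to the -A key type list looks wrong. -A is the unattended path (default file path, empty passphrase, default bits and comment), but the -w and SSH_SK_PROVIDER text added in this same patch says a security key-hosted key can only be created through a security key provider library talking to a hardware security key, which cannot be assumed when host keys are generated. Confirm that the -A code path really enrolls an ecdsa-sk host key; if it does not, revert this line to `For each of the key types (rsa, dsa, ecdsa and ed25519)`.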
@@ -282,7 +285,7 @@ flag determines the key length by selecting from one of three elliptic | |||
282 | curve sizes: 256, 384 or 521 bits. | 285 | curve sizes: 256, 384 or 521 bits. |
283 | Attempting to use bit lengths other than these three values for ECDSA keys | 286 | Attempting to use bit lengths other than these three values for ECDSA keys |
284 | will fail. | 287 | will fail. |
285 | Ed25519 keys have a fixed length and the | 288 | ECDSA-SK and Ed25519 keys have a fixed length and the |
286 | .Fl b | 289 | .Fl b |
287 | flag will be ignored. | 290 | flag will be ignored. |
288 | .It Fl C Ar comment | 291 | .It Fl C Ar comment |
@@ -583,11 +586,12 @@ section for details. | |||
583 | Test DH group exchange candidate primes (generated using the | 586 | Test DH group exchange candidate primes (generated using the |
584 | .Fl G | 587 | .Fl G |
585 | option) for safety. | 588 | option) for safety. |
586 | .It Fl t Cm dsa | ecdsa | ed25519 | rsa | 589 | .It Fl t Cm dsa | ecdsa | ecdsa-sk | ed25519 | rsa |
587 | Specifies the type of key to create. | 590 | Specifies the type of key to create. |
588 | The possible values are | 591 | The possible values are |
589 | .Dq dsa , | 592 | .Dq dsa , |
590 | .Dq ecdsa , | 593 | .Dq ecdsa , |
594 | .Dq ecdsa-sk , | ||
591 | .Dq ed25519 , | 595 | .Dq ed25519 , |
592 | or | 596 | or |
593 | .Dq rsa . | 597 | .Dq rsa . |
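Review bot: the -t hunk lists ecdsa-sk alongside the four software key types but gives no hint that it behaves differently: per the -w and ENVIRONMENT text in this patch it needs a security key provider library and a hardware security key, and the -b text says the size cannot be chosen. One sentence after `.Dq rsa .` would save the reader a search, e.g. "Keys of type ecdsa-sk are created on a hardware security key and require a security key provider; see the -w option and SSH_SK_PROVIDER."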
@@ -658,6 +662,14 @@ options increase the verbosity. | |||
658 | The maximum is 3. | 662 | The maximum is 3. |
659 | .It Fl W Ar generator | 663 | .It Fl W Ar generator |
660 | Specify desired generator when testing candidate moduli for DH-GEX. | 664 | Specify desired generator when testing candidate moduli for DH-GEX. |
665 | .It Fl w Ar provider | ||
666 | Specifies a path to a security key provider library that will be used when | ||
667 | creating any security key-hosted keys, overriding the default of using the | ||
668 | .Ev SSH_SK_PROVIDER | ||
669 | environment variable to specify a provider. | ||
670 | .It Fl x Ar flags | ||
671 | Specifies the security key flags to use when enrolling a security key-hosted | ||
672 | key. | ||
661 | .It Fl y | 673 | .It Fl y |
662 | This option will read a private | 674 | This option will read a private |
663 | OpenSSH format file and print an OpenSSH public key to stdout. | 675 | OpenSSH format file and print an OpenSSH public key to stdout. |
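Review bot: the new `.It Fl x Ar flags` entry is not usable as written: "Specifies the security key flags to use when enrolling a security key-hosted key" names no accepted flag values, no syntax (names or a number) and no default, so a reader cannot construct an argument from the man page. Either enumerate the accepted values here or point at the document that defines them. The `.It Fl w Ar provider` entry has a smaller gap: it says the default is to consult SSH_SK_PROVIDER but not what happens when neither -w nor the variable is given (an error, or some built-in provider); state it.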
@@ -1020,13 +1032,20 @@ user1@example.com,user2@example.com ssh-rsa AAAAX1... | |||
1020 | # A key that is accepted only for file signing. | 1032 | # A key that is accepted only for file signing. |
1021 | user2@example.com namespaces="file" ssh-ed25519 AAA41... | 1033 | user2@example.com namespaces="file" ssh-ed25519 AAA41... |
1022 | .Ed | 1034 | .Ed |
1035 | .Sh ENVIRONMENT | ||
1036 | .Bl -tag -width Ds | ||
1037 | .It Ev SSH_SK_PROVIDER | ||
1038 | Specifies the path to a security key provider library used to interact with | ||
1039 | hardware security keys. | ||
1040 | .El | ||
1023 | .Sh FILES | 1041 | .Sh FILES |
1024 | .Bl -tag -width Ds -compact | 1042 | .Bl -tag -width Ds -compact |
1025 | .It Pa ~/.ssh/id_dsa | 1043 | .It Pa ~/.ssh/id_dsa |
1026 | .It Pa ~/.ssh/id_ecdsa | 1044 | .It Pa ~/.ssh/id_ecdsa |
1045 | .It Pa ~/.ssh/id_ecdsa_sk | ||
1027 | .It Pa ~/.ssh/id_ed25519 | 1046 | .It Pa ~/.ssh/id_ed25519 |
1028 | .It Pa ~/.ssh/id_rsa | 1047 | .It Pa ~/.ssh/id_rsa |
1029 | Contains the DSA, ECDSA, Ed25519 or RSA | 1048 | Contains the DSA, ECDSA, security key-hosted ECDSA, Ed25519 or RSA |
1030 | authentication identity of the user. | 1049 | authentication identity of the user. |
1031 | This file should not be readable by anyone but the user. | 1050 | This file should not be readable by anyone but the user. |
1032 | It is possible to | 1051 | It is possible to |
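Review bot: the new ENVIRONMENT entry for SSH_SK_PROVIDER should cross-reference -w, since the -w text in this patch says the option overrides the variable; a reader who lands on ENVIRONMENT alone does not learn there is a command-line override. Suggest appending "The -w option overrides this variable." Also a naming nit in this hunk: the FILES text says "security key-hosted ECDSA" where the -b text earlier in the patch says "ECDSA-SK" and the -t list says "ecdsa-sk"; settle on one prose name (ECDSA-SK matches the existing Ed25519/ed25519 pattern) and use it in both FILES entries.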
@@ -1040,9 +1059,10 @@ will read this file when a login attempt is made. | |||
1040 | .Pp | 1059 | .Pp |
1041 | .It Pa ~/.ssh/id_dsa.pub | 1060 | .It Pa ~/.ssh/id_dsa.pub |
1042 | .It Pa ~/.ssh/id_ecdsa.pub | 1061 | .It Pa ~/.ssh/id_ecdsa.pub |
1062 | .It Pa ~/.ssh/id_ecdsa_sk.pub | ||
1043 | .It Pa ~/.ssh/id_ed25519.pub | 1063 | .It Pa ~/.ssh/id_ed25519.pub |
1044 | .It Pa ~/.ssh/id_rsa.pub | 1064 | .It Pa ~/.ssh/id_rsa.pub |
1045 | Contains the DSA, ECDSA, Ed25519 or RSA | 1065 | Contains the DSA, ECDSA, security key-hosted ECDSA, Ed25519 or RSA |
1046 | public key for authentication. | 1066 | public key for authentication. |
1047 | The contents of this file should be added to | 1067 | The contents of this file should be added to |
1048 | .Pa ~/.ssh/authorized_keys | 1068 | .Pa ~/.ssh/authorized_keys |