upstream: mention the new vs. old key formats in the introduction

and give some hints on how keys may be converted or written in the old format. OpenBSD-Commit-ID: 9c90a9f92eddc249e07fad1204d0e15c8aa13823
author: djm@openbsd.org <djm@openbsd.org> 2019-01-22 11:00:15 +0000
committer: Damien Miller <djm@mindrot.org> 2019-01-22 22:42:01 +1100
commit: c45616a199c322ca674315de88e788f1d2596e26 (patch)
tree: 748bfa7e85cd8026bfe72d1d783c6b9eaf6fd8dd /ssh-keygen.1
parent: fd8eb1383a34c986a00ef13d745ae9bd3ea21760 (diff)
1 files changed, 18 insertions, 6 deletions
diff --git a/ssh-keygen.1 b/ssh-keygen.1
index 8e96d9014..56815e272 100644
--- a/ssh-keygen.1
+++ b/ssh-keygen.1
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: ssh-keygen.1,v 1.152 2018/12/07 03:33:18 djm Exp $
+.\"     $OpenBSD: ssh-keygen.1,v 1.153 2019/01/22 11:00:15 djm Exp $
 .\"
 .\" Author: Tatu Ylonen <ylo@cs.hut.fi>
 .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -35,7 +35,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 7 2018 $
+.Dd $Mdocdate: January 22 2019 $
 .Dt SSH-KEYGEN 1
 .Os
 .Sh NAME
@@ -205,16 +205,28 @@ There is no way to recover a lost passphrase.
 If the passphrase is lost or forgotten, a new key must be generated
 and the corresponding public key copied to other machines.
 .Pp
-For keys stored in the newer OpenSSH format,
+.Nm
-there is also a comment field in the key file that is only for
+will by default write keys in an OpenSSH-specific format.
-convenience to the user to help identify the key.
+This format is preferred as it offers better protection for
-The comment can tell what the key is for, or whatever is useful.
+keys at rest as well as allowing storage of key comments within
+the private key file itself.
+The key comment may be useful to help identify the key.
 The comment is initialized to
 .Dq user@host
 when the key is created, but can be changed using the
 .Fl c
 option.
 .Pp
+It is still possible for
+.Nm
+to write the previously-used PEM format private keys using the
+.Fl m
+flag.
+This may be used when generating new keys, and existing new-format
+keys may be converted using this option in conjunction with the
+.Fl p
+(change passphrase) flag.
+.Pp
 After a key is generated, instructions below detail where the keys
 should be placed to be activated.
 .Pp
author	djm@openbsd.org <djm@openbsd.org>	2019-01-22 11:00:15 +0000
committer	Damien Miller <djm@mindrot.org>	2019-01-22 22:42:01 +1100
commit	c45616a199c322ca674315de88e788f1d2596e26 (patch)
tree	748bfa7e85cd8026bfe72d1d783c6b9eaf6fd8dd /ssh-keygen.1
parent	fd8eb1383a34c986a00ef13d745ae9bd3ea21760 (diff)

diff --git a/ssh-keygen.1 b/ssh-keygen.1 index 8e96d9014..56815e272 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: ssh-keygen.1,v 1.152 2018/12/07 03:33:18 djm Exp $	1	.\" $OpenBSD: ssh-keygen.1,v 1.153 2019/01/22 11:00:15 djm Exp $
2	.\"	2	.\"
3	.\" Author: Tatu Ylonen <ylo@cs.hut.fi>	3	.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
4	.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland	4	.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -35,7 +35,7 @@
35	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	35	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
36	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	36	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
37	.\"	37	.\"
38	.Dd $Mdocdate: December 7 2018 $	38	.Dd $Mdocdate: January 22 2019 $
39	.Dt SSH-KEYGEN 1	39	.Dt SSH-KEYGEN 1
40	.Os	40	.Os
41	.Sh NAME	41	.Sh NAME
@@ -205,16 +205,28 @@ There is no way to recover a lost passphrase.
205	If the passphrase is lost or forgotten, a new key must be generated	205	If the passphrase is lost or forgotten, a new key must be generated
206	and the corresponding public key copied to other machines.	206	and the corresponding public key copied to other machines.
207	.Pp	207	.Pp
208	For keys stored in the newer OpenSSH format,	208	.Nm
209	there is also a comment field in the key file that is only for	209	will by default write keys in an OpenSSH-specific format.
210	convenience to the user to help identify the key.	210	This format is preferred as it offers better protection for
211	The comment can tell what the key is for, or whatever is useful.	211	keys at rest as well as allowing storage of key comments within
		212	the private key file itself.
		213	The key comment may be useful to help identify the key.
212	The comment is initialized to	214	The comment is initialized to
213	.Dq user@host	215	.Dq user@host
214	when the key is created, but can be changed using the	216	when the key is created, but can be changed using the
215	.Fl c	217	.Fl c
216	option.	218	option.
217	.Pp	219	.Pp
		220	It is still possible for
		221	.Nm
		222	to write the previously-used PEM format private keys using the
		223	.Fl m
		224	flag.
		225	This may be used when generating new keys, and existing new-format
		226	keys may be converted using this option in conjunction with the
		227	.Fl p
		228	(change passphrase) flag.
		229	.Pp
218	After a key is generated, instructions below detail where the keys	230	After a key is generated, instructions below detail where the keys
219	should be placed to be activated.	231	should be placed to be activated.
220	.Pp	232	.Pp