author jmc@openbsd.org <jmc@openbsd.org> 2020-01-06 07:43:28 +0000
committer Damien Miller <djm@mindrot.org> 2020-01-09 21:29:19 +1100
commit cd53476383f0cf475f40ba8ac8deb6b76dd5ce4e
tree 86dc359961d27c0b751c815eb550bc56687310a9 /ssh-keygen.1
parent 30f704ebc0e9e32b3d12f5d9e8c1b705fdde2c89

upstream: put the fido options in a list, and tidy up the text a
little; ok djm

OpenBSD-Commit-ID: 491ce15ae52a88b7a6a2b3b6708a14b4aacdeebb

Diffstat (limited to 'ssh-keygen.1')
-rw-r--r-- ssh-keygen.1 36
1 files changed, 17 insertions, 19 deletions
diff --git a/ssh-keygen.1 b/ssh-keygen.1
index 92c516588..2e9894280 100644
--- a/ssh-keygen.1
+++ b/ssh-keygen.1
@@ -1,4 +1,4 @@
1.\" $OpenBSD: ssh-keygen.1,v 1.189 2020/01/06 02:00:46 djm Exp $ 1.\" $OpenBSD: ssh-keygen.1,v 1.190 2020/01/06 07:43:28 jmc Exp $
2.\" 2.\"
3.\" Author: Tatu Ylonen <ylo@cs.hut.fi> 3.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
4.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -460,39 +460,37 @@ listed in the
460.Sx MODULI GENERATION 460.Sx MODULI GENERATION
461section may be specified. 461section may be specified.
462.Pp 462.Pp
463When generating a key that will be hosted on a FIDO authenticator, this 463When generating a key that will be hosted on a FIDO authenticator,
464flag may be used to specify key-specific options. 464this flag may be used to specify key-specific options.
465The FIDO authenticator options are supported at present are: 465Those supported at present are:
466.Pp 466.Bl -tag -width Ds
467.Cm application 467.It Cm application
468overrides the default FIDO application/origin string of 468Override the default FIDO application/origin string of
469.Dq ssh: . 469.Dq ssh: .
470This option may be useful when generating host or domain-specific resident 470This may be useful when generating host or domain-specific resident keys.
471keys. 471.It Cm device
472.Cm device 472Explicitly specify a
473explicitly specify a device to generate the key on, rather than accepting
474the authenticator middleware's automatic selection.
475.Xr fido 4 473.Xr fido 4
476device to use, rather than letting the token middleware select one. 474device to use, rather than letting the token middleware select one.
477.Cm no-touch-required 475.It Cm no-touch-required
478indicates that the generated private key should not require touch 476Indicate that the generated private key should not require touch
479events (user presence) when making signatures. 477events (user presence) when making signatures.
480Note that 478Note that
481.Xr sshd 8 479.Xr sshd 8
482will refuse such signatures by default, unless overridden via 480will refuse such signatures by default, unless overridden via
483an authorized_keys option. 481an authorized_keys option.
484.Pp 482.It Cm resident
485.Cm resident 483Indicate that the key should be stored on the FIDO authenticator itself.
486indicates that the key should be stored on the FIDO authenticator itself.
487Resident keys may be supported on FIDO2 tokens and typically require that 484Resident keys may be supported on FIDO2 tokens and typically require that
488a PIN be set on the token prior to generation. 485a PIN be set on the token prior to generation.
489Resident keys may be loaded off the token using 486Resident keys may be loaded off the token using
490.Xr ssh-add 1 . 487.Xr ssh-add 1 .
491.Cm user 488.It Cm user
492allows specification of a username to be associated with a resident key, 489A username to be associated with a resident key,
493overriding the empty default username. 490overriding the empty default username.
494Specifying a username may be useful when generating multiple resident keys 491Specifying a username may be useful when generating multiple resident keys
495for the same application name. 492for the same application name.
493.El
496.Pp 494.Pp
497The 495The
498.Fl O 496.Fl O
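
Review bot: in the no-touch-required item (new lines 476-481) the caveat that sshd(8) "will refuse such signatures by default, unless overridden via an authorized_keys option" still does not name the option, so a reader auditing authorized_keys for keys that waive user presence cannot tell from this page what to look for; name the option here or point at the relevant section of sshd(8). A smaller style point in the same list: the items now open with imperatives ("Override", "Explicitly specify", "Indicate") except user, which opens with the noun phrase "A username to be associated with a resident key"; "Specify a username to be associated with a resident key" would match the others.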