upstream: prepare for use of ssh-keygen -O flag beyond certs

Move list of available certificate options in ssh-keygen.1 to the CERTIFICATES section. Collect options specified by -O but delay parsing/validation of certificate options until we're sure that we're acting as a CA. ok markus@ OpenBSD-Commit-ID: 33e6bcc29cfca43606f6fa09bd84b955ee3a4106
author: djm@openbsd.org <djm@openbsd.org> 2019-12-30 03:28:41 +0000
committer: Damien Miller <djm@mindrot.org> 2019-12-30 14:32:20 +1100
commit: 1e645fe767f27725dc7fd7864526de34683f7daf (patch)
tree: 61d4230dba514a5a560522c97e424cee60b33156 /ssh-keygen.1
parent: 20ccd854245c598e2b47cc9f8d4955d645195055 (diff)
1 files changed, 93 insertions, 95 deletions
diff --git a/ssh-keygen.1 b/ssh-keygen.1
index 038e2c578..67a57b9f7 100644
--- a/ssh-keygen.1
+++ b/ssh-keygen.1
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: ssh-keygen.1,v 1.182 2019/12/27 08:28:44 jmc Exp $
+.\"     $OpenBSD: ssh-keygen.1,v 1.183 2019/12/30 03:28:41 djm Exp $
 .\"
 .\" Author: Tatu Ylonen <ylo@cs.hut.fi>
 .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -35,7 +35,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 27 2019 $
+.Dd $Mdocdate: December 30 2019 $
 .Dt SSH-KEYGEN 1
 .Os
 .Sh NAME
@@ -458,97 +458,10 @@ Please see the
 section for details.
 .It Fl O Ar option
 Specify a certificate option when signing a key.
-This option may be specified multiple times.
+See the
-See also the
 .Sx CERTIFICATES
-section for further details.
+section for a list of available certificate options.
-.Pp
+This option may be specified multiple times.
-At present, no standard options are valid for host keys.
-The options that are valid for user certificates are:
-.Pp
-.Bl -tag -width Ds -compact
-.It Ic clear
-Clear all enabled permissions.
-This is useful for clearing the default set of permissions so permissions may
-be added individually.
-.Pp
-.It Ic critical : Ns Ar name Ns Op Ns = Ns Ar contents
-.It Ic extension : Ns Ar name Ns Op Ns = Ns Ar contents
-Includes an arbitrary certificate critical option or extension.
-The specified
-.Ar name
-should include a domain suffix, e.g.\&
-.Dq name@example.com .
-If
-.Ar contents
-is specified then it is included as the contents of the extension/option
-encoded as a string, otherwise the extension/option is created with no
-contents (usually indicating a flag).
-Extensions may be ignored by a client or server that does not recognise them,
-whereas unknown critical options will cause the certificate to be refused.
-.Pp
-.It Ic force-command Ns = Ns Ar command
-Forces the execution of
-.Ar command
-instead of any shell or command specified by the user when
-the certificate is used for authentication.
-.Pp
-.It Ic no-agent-forwarding
-Disable
-.Xr ssh-agent 1
-forwarding (permitted by default).
-.Pp
-.It Ic no-port-forwarding
-Disable port forwarding (permitted by default).
-.Pp
-.It Ic no-pty
-Disable PTY allocation (permitted by default).
-.Pp
-.It Ic no-user-rc
-Disable execution of
-.Pa ~/.ssh/rc
-by
-.Xr sshd 8
-(permitted by default).
-.Pp
-.It Ic no-x11-forwarding
-Disable X11 forwarding (permitted by default).
-.Pp
-.It Ic permit-agent-forwarding
-Allows
-.Xr ssh-agent 1
-forwarding.
-.Pp
-.It Ic permit-port-forwarding
-Allows port forwarding.
-.Pp
-.It Ic permit-pty
-Allows PTY allocation.
-.Pp
-.It Ic permit-user-rc
-Allows execution of
-.Pa ~/.ssh/rc
-by
-.Xr sshd 8 .
-.Pp
-.It Ic permit-X11-forwarding
-Allows X11 forwarding.
-.Pp
-.It Ic no-touch-required
-Do not require signatures made using this key require demonstration
-of user presence (e.g. by having the user touch the key).
-This option only makes sense for the FIDO authenticator algorithms
-.Cm ecdsa-sk
-and
-.Cm ed25519-sk .
-.Pp
-.It Ic source-address Ns = Ns Ar address_list
-Restrict the source addresses from which the certificate is considered valid.
-The
-.Ar address_list
-is a comma-separated list of one or more address/netmask pairs in CIDR
-format.
-.El
 .It Fl P Ar passphrase
 Provides the (old) passphrase.
 .It Fl p
@@ -899,9 +812,94 @@ be specified through certificate options.
 A certificate option may disable features of the SSH session, may be
 valid only when presented from particular source addresses or may
 force the use of a specific command.
-For a list of valid certificate options, see the documentation for the
+.Pp
-.Fl O
+The options that are valid for user certificates are:
-option above.
+.Pp
+.Bl -tag -width Ds -compact
+.It Ic clear
+Clear all enabled permissions.
+This is useful for clearing the default set of permissions so permissions may
+be added individually.
+.Pp
+.It Ic critical : Ns Ar name Ns Op Ns = Ns Ar contents
+.It Ic extension : Ns Ar name Ns Op Ns = Ns Ar contents
+Includes an arbitrary certificate critical option or extension.
+The specified
+.Ar name
+should include a domain suffix, e.g.\&
+.Dq name@example.com .
+If
+.Ar contents
+is specified then it is included as the contents of the extension/option
+encoded as a string, otherwise the extension/option is created with no
+contents (usually indicating a flag).
+Extensions may be ignored by a client or server that does not recognise them,
+whereas unknown critical options will cause the certificate to be refused.
+.Pp
+.It Ic force-command Ns = Ns Ar command
+Forces the execution of
+.Ar command
+instead of any shell or command specified by the user when
+the certificate is used for authentication.
+.Pp
+.It Ic no-agent-forwarding
+Disable
+.Xr ssh-agent 1
+forwarding (permitted by default).
+.Pp
+.It Ic no-port-forwarding
+Disable port forwarding (permitted by default).
+.Pp
+.It Ic no-pty
+Disable PTY allocation (permitted by default).
+.Pp
+.It Ic no-user-rc
+Disable execution of
+.Pa ~/.ssh/rc
+by
+.Xr sshd 8
+(permitted by default).
+.Pp
+.It Ic no-x11-forwarding
+Disable X11 forwarding (permitted by default).
+.Pp
+.It Ic permit-agent-forwarding
+Allows
+.Xr ssh-agent 1
+forwarding.
+.Pp
+.It Ic permit-port-forwarding
+Allows port forwarding.
+.Pp
+.It Ic permit-pty
+Allows PTY allocation.
+.Pp
+.It Ic permit-user-rc
+Allows execution of
+.Pa ~/.ssh/rc
+by
+.Xr sshd 8 .
+.Pp
+.It Ic permit-X11-forwarding
+Allows X11 forwarding.
+.Pp
+.It Ic no-touch-required
+Do not require signatures made using this key require demonstration
+of user presence (e.g. by having the user touch the key).
+This option only makes sense for the Security Key algorithms
+.Cm ecdsa-sk
+and
+.Cm ed25519-sk .
+.Pp
+.It Ic source-address Ns = Ns Ar address_list
+Restrict the source addresses from which the certificate is considered valid.
+The
+.Ar address_list
+is a comma-separated list of one or more address/netmask pairs in CIDR
+format.
+.El
+.Pp
+At present, no standard options are valid for host keys.
 .Pp
 Finally, certificates may be defined with a validity lifetime.
 The
author	djm@openbsd.org <djm@openbsd.org>	2019-12-30 03:28:41 +0000
committer	Damien Miller <djm@mindrot.org>	2019-12-30 14:32:20 +1100
commit	1e645fe767f27725dc7fd7864526de34683f7daf (patch)
tree	61d4230dba514a5a560522c97e424cee60b33156 /ssh-keygen.1
parent	20ccd854245c598e2b47cc9f8d4955d645195055 (diff)

diff --git a/ssh-keygen.1 b/ssh-keygen.1 index 038e2c578..67a57b9f7 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: ssh-keygen.1,v 1.182 2019/12/27 08:28:44 jmc Exp $	1	.\" $OpenBSD: ssh-keygen.1,v 1.183 2019/12/30 03:28:41 djm Exp $
2	.\"	2	.\"
3	.\" Author: Tatu Ylonen <ylo@cs.hut.fi>	3	.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
4	.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland	4	.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -35,7 +35,7 @@
35	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	35	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
36	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	36	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
37	.\"	37	.\"
38	.Dd $Mdocdate: December 27 2019 $	38	.Dd $Mdocdate: December 30 2019 $
39	.Dt SSH-KEYGEN 1	39	.Dt SSH-KEYGEN 1
40	.Os	40	.Os
41	.Sh NAME	41	.Sh NAME
@@ -458,97 +458,10 @@ Please see the
458	section for details.	458	section for details.
459	.It Fl O Ar option	459	.It Fl O Ar option
460	Specify a certificate option when signing a key.	460	Specify a certificate option when signing a key.
461	This option may be specified multiple times.	461	See the
462	See also the
463	.Sx CERTIFICATES	462	.Sx CERTIFICATES
464	section for further details.	463	section for a list of available certificate options.
465	.Pp	464	This option may be specified multiple times.
466	At present, no standard options are valid for host keys.
467	The options that are valid for user certificates are:
468	.Pp
469	.Bl -tag -width Ds -compact
470	.It Ic clear
471	Clear all enabled permissions.
472	This is useful for clearing the default set of permissions so permissions may
473	be added individually.
474	.Pp
475	.It Ic critical : Ns Ar name Ns Op Ns = Ns Ar contents
476	.It Ic extension : Ns Ar name Ns Op Ns = Ns Ar contents
477	Includes an arbitrary certificate critical option or extension.
478	The specified
479	.Ar name
480	should include a domain suffix, e.g.\&
481	.Dq name@example.com .
482	If
483	.Ar contents
484	is specified then it is included as the contents of the extension/option
485	encoded as a string, otherwise the extension/option is created with no
486	contents (usually indicating a flag).
487	Extensions may be ignored by a client or server that does not recognise them,
488	whereas unknown critical options will cause the certificate to be refused.
489	.Pp
490	.It Ic force-command Ns = Ns Ar command
491	Forces the execution of
492	.Ar command
493	instead of any shell or command specified by the user when
494	the certificate is used for authentication.
495	.Pp
496	.It Ic no-agent-forwarding
497	Disable
498	.Xr ssh-agent 1
499	forwarding (permitted by default).
500	.Pp
501	.It Ic no-port-forwarding
502	Disable port forwarding (permitted by default).
503	.Pp
504	.It Ic no-pty
505	Disable PTY allocation (permitted by default).
506	.Pp
507	.It Ic no-user-rc
508	Disable execution of
509	.Pa ~/.ssh/rc
510	by
511	.Xr sshd 8
512	(permitted by default).
513	.Pp
514	.It Ic no-x11-forwarding
515	Disable X11 forwarding (permitted by default).
516	.Pp
517	.It Ic permit-agent-forwarding
518	Allows
519	.Xr ssh-agent 1
520	forwarding.
521	.Pp
522	.It Ic permit-port-forwarding
523	Allows port forwarding.
524	.Pp
525	.It Ic permit-pty
526	Allows PTY allocation.
527	.Pp
528	.It Ic permit-user-rc
529	Allows execution of
530	.Pa ~/.ssh/rc
531	by
532	.Xr sshd 8 .
533	.Pp
534	.It Ic permit-X11-forwarding
535	Allows X11 forwarding.
536	.Pp
537	.It Ic no-touch-required
538	Do not require signatures made using this key require demonstration
539	of user presence (e.g. by having the user touch the key).
540	This option only makes sense for the FIDO authenticator algorithms
541	.Cm ecdsa-sk
542	and
543	.Cm ed25519-sk .
544	.Pp
545	.It Ic source-address Ns = Ns Ar address_list
546	Restrict the source addresses from which the certificate is considered valid.
547	The
548	.Ar address_list
549	is a comma-separated list of one or more address/netmask pairs in CIDR
550	format.
551	.El
552	.It Fl P Ar passphrase	465	.It Fl P Ar passphrase
553	Provides the (old) passphrase.	466	Provides the (old) passphrase.
554	.It Fl p	467	.It Fl p
@@ -899,9 +812,94 @@ be specified through certificate options.
899	A certificate option may disable features of the SSH session, may be	812	A certificate option may disable features of the SSH session, may be
900	valid only when presented from particular source addresses or may	813	valid only when presented from particular source addresses or may
901	force the use of a specific command.	814	force the use of a specific command.
902	For a list of valid certificate options, see the documentation for the	815	.Pp
903	.Fl O	816	The options that are valid for user certificates are:
904	option above.	817	.Pp
		818	.Bl -tag -width Ds -compact
		819	.It Ic clear
		820	Clear all enabled permissions.
		821	This is useful for clearing the default set of permissions so permissions may
		822	be added individually.
		823	.Pp
		824	.It Ic critical : Ns Ar name Ns Op Ns = Ns Ar contents
		825	.It Ic extension : Ns Ar name Ns Op Ns = Ns Ar contents
		826	Includes an arbitrary certificate critical option or extension.
		827	The specified
		828	.Ar name
		829	should include a domain suffix, e.g.\&
		830	.Dq name@example.com .
		831	If
		832	.Ar contents
		833	is specified then it is included as the contents of the extension/option
		834	encoded as a string, otherwise the extension/option is created with no
		835	contents (usually indicating a flag).
		836	Extensions may be ignored by a client or server that does not recognise them,
		837	whereas unknown critical options will cause the certificate to be refused.
		838	.Pp
		839	.It Ic force-command Ns = Ns Ar command
		840	Forces the execution of
		841	.Ar command
		842	instead of any shell or command specified by the user when
		843	the certificate is used for authentication.
		844	.Pp
		845	.It Ic no-agent-forwarding
		846	Disable
		847	.Xr ssh-agent 1
		848	forwarding (permitted by default).
		849	.Pp
		850	.It Ic no-port-forwarding
		851	Disable port forwarding (permitted by default).
		852	.Pp
		853	.It Ic no-pty
		854	Disable PTY allocation (permitted by default).
		855	.Pp
		856	.It Ic no-user-rc
		857	Disable execution of
		858	.Pa ~/.ssh/rc
		859	by
		860	.Xr sshd 8
		861	(permitted by default).
		862	.Pp
		863	.It Ic no-x11-forwarding
		864	Disable X11 forwarding (permitted by default).
		865	.Pp
		866	.It Ic permit-agent-forwarding
		867	Allows
		868	.Xr ssh-agent 1
		869	forwarding.
		870	.Pp
		871	.It Ic permit-port-forwarding
		872	Allows port forwarding.
		873	.Pp
		874	.It Ic permit-pty
		875	Allows PTY allocation.
		876	.Pp
		877	.It Ic permit-user-rc
		878	Allows execution of
		879	.Pa ~/.ssh/rc
		880	by
		881	.Xr sshd 8 .
		882	.Pp
		883	.It Ic permit-X11-forwarding
		884	Allows X11 forwarding.
		885	.Pp
		886	.It Ic no-touch-required
		887	Do not require signatures made using this key require demonstration
		888	of user presence (e.g. by having the user touch the key).
		889	This option only makes sense for the Security Key algorithms
		890	.Cm ecdsa-sk
		891	and
		892	.Cm ed25519-sk .
		893	.Pp
		894	.It Ic source-address Ns = Ns Ar address_list
		895	Restrict the source addresses from which the certificate is considered valid.
		896	The
		897	.Ar address_list
		898	is a comma-separated list of one or more address/netmask pairs in CIDR
		899	format.
		900	.El
		901	.Pp
		902	At present, no standard options are valid for host keys.
905	.Pp	903	.Pp
906	Finally, certificates may be defined with a validity lifetime.	904	Finally, certificates may be defined with a validity lifetime.
907	The	905	The