diff options
| author | Colin Watson <cjwatson@debian.org> | 2010-04-16 10:25:59 +0100 |
|---|---|---|
| committer | Colin Watson <cjwatson@debian.org> | 2010-04-16 10:25:59 +0100 |
| commit | 716621abf50722a46f97ecafed5ce134c94f1a81 (patch) | |
| tree | 9993f08b7ea89f3038c3cfcf8fd1c71bdc7e7ae7 /ssh-keygen.1 | |
| parent | ae31b42e02d7bf7004ec0302088f4e169c0f08ce (diff) | |
| parent | 78eedc2c60ff4718200f9271d8ee4f437da3a0c5 (diff) | |
* New upstream release:
- Unbreak sshd_config's AuthorizedKeysFile option for $HOME-relative
paths.
- Include a language tag when sending a protocol 2 disconnection
message.
- Make logging of certificates used for user authentication more clear
and consistent between CAs specified using TrustedUserCAKeys and
authorized_keys.
Diffstat (limited to 'ssh-keygen.1')
| -rw-r--r-- | ssh-keygen.1 | 43 |
1 files changed, 21 insertions, 22 deletions
diff --git a/ssh-keygen.1 b/ssh-keygen.1 index 9dec5a098..64638aa9c 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1 | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | .\" $OpenBSD: ssh-keygen.1,v 1.88 2010/03/08 00:28:55 djm Exp $ | 1 | .\" $OpenBSD: ssh-keygen.1,v 1.92 2010/03/13 23:38:13 jmc Exp $ |
| 2 | .\" | 2 | .\" |
| 3 | .\" -*- nroff -*- | 3 | .\" -*- nroff -*- |
| 4 | .\" | 4 | .\" |
| @@ -37,7 +37,7 @@ | |||
| 37 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 37 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
| 38 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 38 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
| 39 | .\" | 39 | .\" |
| 40 | .Dd $Mdocdate: March 8 2010 $ | 40 | .Dd $Mdocdate: March 13 2010 $ |
| 41 | .Dt SSH-KEYGEN 1 | 41 | .Dt SSH-KEYGEN 1 |
| 42 | .Os | 42 | .Os |
| 43 | .Sh NAME | 43 | .Sh NAME |
| @@ -305,8 +305,15 @@ Please see the | |||
| 305 | section for details. | 305 | section for details. |
| 306 | The constraints that are valid for user certificates are: | 306 | The constraints that are valid for user certificates are: |
| 307 | .Bl -tag -width Ds | 307 | .Bl -tag -width Ds |
| 308 | .It Ic no-x11-forwarding | 308 | .It Ic clear |
| 309 | Disable X11 forwarding (permitted by default). | 309 | Clear all enabled permissions. |
| 310 | This is useful for clearing the default set of permissions so permissions may | ||
| 311 | be added individually. | ||
| 312 | .It Ic force-command Ns = Ns Ar command | ||
| 313 | Forces the execution of | ||
| 314 | .Ar command | ||
| 315 | instead of any shell or command specified by the user when | ||
| 316 | the certificate is used for authentication. | ||
| 310 | .It Ic no-agent-forwarding | 317 | .It Ic no-agent-forwarding |
| 311 | Disable | 318 | Disable |
| 312 | .Xr ssh-agent 1 | 319 | .Xr ssh-agent 1 |
| @@ -321,12 +328,8 @@ Disable execution of | |||
| 321 | by | 328 | by |
| 322 | .Xr sshd 8 | 329 | .Xr sshd 8 |
| 323 | (permitted by default). | 330 | (permitted by default). |
| 324 | .It Ic clear | 331 | .It Ic no-x11-forwarding |
| 325 | Clear all enabled permissions. | 332 | Disable X11 forwarding (permitted by default). |
| 326 | This is useful for clearing the default set of permissions so permissions may | ||
| 327 | be added individually. | ||
| 328 | .It Ic permit-x11-forwarding | ||
| 329 | Allows X11 forwarding. | ||
| 330 | .It Ic permit-agent-forwarding | 333 | .It Ic permit-agent-forwarding |
| 331 | Allows | 334 | Allows |
| 332 | .Xr ssh-agent 1 | 335 | .Xr ssh-agent 1 |
| @@ -340,14 +343,10 @@ Allows execution of | |||
| 340 | .Pa ~/.ssh/rc | 343 | .Pa ~/.ssh/rc |
| 341 | by | 344 | by |
| 342 | .Xr sshd 8 . | 345 | .Xr sshd 8 . |
| 343 | .It Ic force-command=command | 346 | .It Ic permit-x11-forwarding |
| 344 | Forces the execution of | 347 | Allows X11 forwarding. |
| 345 | .Ar command | 348 | .It Ic source-address Ns = Ns Ar address_list |
| 346 | instead of any shell or command specified by the user when | 349 | Restrict the source addresses from which the certificate is considered valid. |
| 347 | the certificate is used for authentication. | ||
| 348 | .It Ic source-address=address_list | ||
| 349 | Restrict the source addresses from which the certificate is considered valid | ||
| 350 | from. | ||
| 351 | The | 350 | The |
| 352 | .Ar address_list | 351 | .Ar address_list |
| 353 | is a comma-separated list of one or more address/netmask pairs in CIDR | 352 | is a comma-separated list of one or more address/netmask pairs in CIDR |
| @@ -410,7 +409,7 @@ in YYYYMMDDHHMMSS format or a relative time (to the current time) consisting | |||
| 410 | of a minus sign followed by a relative time in the format described in the | 409 | of a minus sign followed by a relative time in the format described in the |
| 411 | .Sx TIME FORMATS | 410 | .Sx TIME FORMATS |
| 412 | section of | 411 | section of |
| 413 | .Xr ssh_config 5 . | 412 | .Xr sshd_config 5 . |
| 414 | The end time may be specified as a YYYYMMDD date, a YYYYMMDDHHMMSS time or | 413 | The end time may be specified as a YYYYMMDD date, a YYYYMMDDHHMMSS time or |
| 415 | a relative time starting with a plus character. | 414 | a relative time starting with a plus character. |
| 416 | .Pp | 415 | .Pp |
| @@ -515,7 +514,7 @@ To generate a user certificate: | |||
| 515 | .Dl $ ssh-keygen -s /path/to/ca_key -I key_id /path/to/user_key.pub | 514 | .Dl $ ssh-keygen -s /path/to/ca_key -I key_id /path/to/user_key.pub |
| 516 | .Pp | 515 | .Pp |
| 517 | The resultant certificate will be placed in | 516 | The resultant certificate will be placed in |
| 518 | .Pa /path/to/user_key_cert.pub . | 517 | .Pa /path/to/user_key-cert.pub . |
| 519 | A host certificate requires the | 518 | A host certificate requires the |
| 520 | .Fl h | 519 | .Fl h |
| 521 | option: | 520 | option: |
| @@ -523,7 +522,7 @@ option: | |||
| 523 | .Dl $ ssh-keygen -s /path/to/ca_key -I key_id -h /path/to/host_key.pub | 522 | .Dl $ ssh-keygen -s /path/to/ca_key -I key_id -h /path/to/host_key.pub |
| 524 | .Pp | 523 | .Pp |
| 525 | The host certificate will be output to | 524 | The host certificate will be output to |
| 526 | .Pa /path/to/host_key_cert.pub . | 525 | .Pa /path/to/host_key-cert.pub . |
| 527 | In both cases, | 526 | In both cases, |
| 528 | .Ar key_id | 527 | .Ar key_id |
| 529 | is a "key identifier" that is logged by the server when the certificate | 528 | is a "key identifier" that is logged by the server when the certificate |
| @@ -535,7 +534,7 @@ By default, generated certificates are valid for all users or hosts. | |||
| 535 | To generate a certificate for a specified set of principals: | 534 | To generate a certificate for a specified set of principals: |
| 536 | .Pp | 535 | .Pp |
| 537 | .Dl $ ssh-keygen -s ca_key -I key_id -n user1,user2 user_key.pub | 536 | .Dl $ ssh-keygen -s ca_key -I key_id -n user1,user2 user_key.pub |
| 538 | .Dl $ ssh-keygen -s ca_key -I key_id -h -n host.domain user_key.pub | 537 | .Dl "$ ssh-keygen -s ca_key -I key_id -h -n host.domain user_key.pub" |
| 539 | .Pp | 538 | .Pp |
| 540 | Additional limitations on the validity and use of user certificates may | 539 | Additional limitations on the validity and use of user certificates may |
| 541 | be specified through certificate constraints. | 540 | be specified through certificate constraints. |