upstream: Fill in missing man page bits for U2F security key support:

Mention the new key types, the ~/.ssh/id_ecdsa_sk file, ssh's SecurityKeyProvider keyword, the SSH_SK_PROVIDER environment variable, and ssh-keygen's new -w and -x options. Copy the ssh-sk-helper man page from ssh-pkcs11-helper with minimal substitutions. ok djm@ OpenBSD-Commit-ID: ef2e8f83d0c0ce11ad9b8c28945747e5ca337ac4
author: naddy@openbsd.org <naddy@openbsd.org> 2019-11-07 08:38:38 +0000
committer: Damien Miller <djm@mindrot.org> 2019-11-08 14:09:32 +1100
commit: aa4c640dc362816d63584a16e786d5e314e24390 (patch)
tree: ff9a6015ea0de5579d49d66d42590d93887fd7aa /ssh-keygen.1
parent: b236b27d6dada7f0542214003632b4e9b7aa1380 (diff)
1 files changed, 28 insertions, 8 deletions
diff --git a/ssh-keygen.1 b/ssh-keygen.1
index dca566ca2..bdb5015d1 100644
--- a/ssh-keygen.1
+++ b/ssh-keygen.1
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: ssh-keygen.1,v 1.172 2019/10/22 08:50:35 jmc Exp $
+.\"     $OpenBSD: ssh-keygen.1,v 1.173 2019/11/07 08:38:38 naddy Exp $
 .\"
 .\" Author: Tatu Ylonen <ylo@cs.hut.fi>
 .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -35,7 +35,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: October 22 2019 $
+.Dd $Mdocdate: November 7 2019 $
 .Dt SSH-KEYGEN 1
 .Os
 .Sh NAME
@@ -48,8 +48,10 @@
 .Op Fl C Ar comment
 .Op Fl f Ar output_keyfile
 .Op Fl m Ar format
+.Op Fl t Cm dsa | ecdsa | ecdsa-sk | ed25519 | rsa
 .Op Fl N Ar new_passphrase
-.Op Fl t Cm dsa | ecdsa | ed25519 | rsa
+.Op Fl w Ar provider
+.Op Fl x Ar flags
 .Nm ssh-keygen
 .Fl p
 .Op Fl f Ar keyfile
@@ -188,6 +190,7 @@ with public key authentication runs this once to create the authentication
 key in
 .Pa ~/.ssh/id_dsa ,
 .Pa ~/.ssh/id_ecdsa ,
+.Pa ~/.ssh/id_ecdsa_sk ,
 .Pa ~/.ssh/id_ed25519
 or
 .Pa ~/.ssh/id_rsa .
@@ -248,7 +251,7 @@ should be placed to be activated.
 The options are as follows:
 .Bl -tag -width Ds
 .It Fl A
-For each of the key types (rsa, dsa, ecdsa and ed25519)
+For each of the key types (rsa, dsa, ecdsa, ecdsa-sk and ed25519)
 for which host keys
 do not exist, generate the host keys with the default key file path,
 an empty passphrase, default bits for the key type, and default comment.
@@ -282,7 +285,7 @@ flag determines the key length by selecting from one of three elliptic
 curve sizes: 256, 384 or 521 bits.
 Attempting to use bit lengths other than these three values for ECDSA keys
 will fail.
-Ed25519 keys have a fixed length and the
+ECDSA-SK and Ed25519 keys have a fixed length and the
 .Fl b
 flag will be ignored.
 .It Fl C Ar comment
@@ -583,11 +586,12 @@ section for details.
 Test DH group exchange candidate primes (generated using the
 .Fl G
 option) for safety.
-.It Fl t Cm dsa | ecdsa | ed25519 | rsa
+.It Fl t Cm dsa | ecdsa | ecdsa-sk | ed25519 | rsa
 Specifies the type of key to create.
 The possible values are
 .Dq dsa ,
 .Dq ecdsa ,
+.Dq ecdsa-sk ,
 .Dq ed25519 ,
 or
 .Dq rsa .
@@ -658,6 +662,14 @@ options increase the verbosity.
 The maximum is 3.
 .It Fl W Ar generator
 Specify desired generator when testing candidate moduli for DH-GEX.
+.It Fl w Ar provider
+Specifies a path to a security key provider library that will be used when
+creating any security key-hosted keys, overriding the default of using the
+.Ev SSH_SK_PROVIDER
+environment variable to specify a provider.
+.It Fl x Ar flags
+Specifies the security key flags to use when enrolling a security key-hosted
+key.
 .It Fl y
 This option will read a private
 OpenSSH format file and print an OpenSSH public key to stdout.
@@ -1020,13 +1032,20 @@ user1@example.com,user2@example.com ssh-rsa AAAAX1...
 # A key that is accepted only for file signing.
 user2@example.com namespaces="file" ssh-ed25519 AAA41...
 .Ed
+.Sh ENVIRONMENT
+.Bl -tag -width Ds
+.It Ev SSH_SK_PROVIDER
+Specifies the path to a security key provider library used to interact with
+hardware security keys.
+.El
 .Sh FILES
 .Bl -tag -width Ds -compact
 .It Pa ~/.ssh/id_dsa
 .It Pa ~/.ssh/id_ecdsa
+.It Pa ~/.ssh/id_ecdsa_sk
 .It Pa ~/.ssh/id_ed25519
 .It Pa ~/.ssh/id_rsa
-Contains the DSA, ECDSA, Ed25519 or RSA
+Contains the DSA, ECDSA, security key-hosted ECDSA, Ed25519 or RSA
 authentication identity of the user.
 This file should not be readable by anyone but the user.
 It is possible to
@@ -1040,9 +1059,10 @@ will read this file when a login attempt is made.
 .Pp
 .It Pa ~/.ssh/id_dsa.pub
 .It Pa ~/.ssh/id_ecdsa.pub
+.It Pa ~/.ssh/id_ecdsa_sk.pub
 .It Pa ~/.ssh/id_ed25519.pub
 .It Pa ~/.ssh/id_rsa.pub
-Contains the DSA, ECDSA, Ed25519 or RSA
+Contains the DSA, ECDSA, security key-hosted ECDSA, Ed25519 or RSA
 public key for authentication.
 The contents of this file should be added to
 .Pa ~/.ssh/authorized_keys
author	naddy@openbsd.org <naddy@openbsd.org>	2019-11-07 08:38:38 +0000
committer	Damien Miller <djm@mindrot.org>	2019-11-08 14:09:32 +1100
commit	aa4c640dc362816d63584a16e786d5e314e24390 (patch)
tree	ff9a6015ea0de5579d49d66d42590d93887fd7aa /ssh-keygen.1
parent	b236b27d6dada7f0542214003632b4e9b7aa1380 (diff)

diff --git a/ssh-keygen.1 b/ssh-keygen.1 index dca566ca2..bdb5015d1 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: ssh-keygen.1,v 1.172 2019/10/22 08:50:35 jmc Exp $	1	.\" $OpenBSD: ssh-keygen.1,v 1.173 2019/11/07 08:38:38 naddy Exp $
2	.\"	2	.\"
3	.\" Author: Tatu Ylonen <ylo@cs.hut.fi>	3	.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
4	.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland	4	.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -35,7 +35,7 @@
35	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	35	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
36	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	36	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
37	.\"	37	.\"
38	.Dd $Mdocdate: October 22 2019 $	38	.Dd $Mdocdate: November 7 2019 $
39	.Dt SSH-KEYGEN 1	39	.Dt SSH-KEYGEN 1
40	.Os	40	.Os
41	.Sh NAME	41	.Sh NAME
@@ -48,8 +48,10 @@
48	.Op Fl C Ar comment	48	.Op Fl C Ar comment
49	.Op Fl f Ar output_keyfile	49	.Op Fl f Ar output_keyfile
50	.Op Fl m Ar format	50	.Op Fl m Ar format
		51	.Op Fl t Cm dsa \| ecdsa \| ecdsa-sk \| ed25519 \| rsa
51	.Op Fl N Ar new_passphrase	52	.Op Fl N Ar new_passphrase
52	.Op Fl t Cm dsa \| ecdsa \| ed25519 \| rsa	53	.Op Fl w Ar provider
		54	.Op Fl x Ar flags
53	.Nm ssh-keygen	55	.Nm ssh-keygen
54	.Fl p	56	.Fl p
55	.Op Fl f Ar keyfile	57	.Op Fl f Ar keyfile
@@ -188,6 +190,7 @@ with public key authentication runs this once to create the authentication
188	key in	190	key in
189	.Pa ~/.ssh/id_dsa ,	191	.Pa ~/.ssh/id_dsa ,
190	.Pa ~/.ssh/id_ecdsa ,	192	.Pa ~/.ssh/id_ecdsa ,
		193	.Pa ~/.ssh/id_ecdsa_sk ,
191	.Pa ~/.ssh/id_ed25519	194	.Pa ~/.ssh/id_ed25519
192	or	195	or
193	.Pa ~/.ssh/id_rsa .	196	.Pa ~/.ssh/id_rsa .
@@ -248,7 +251,7 @@ should be placed to be activated.
248	The options are as follows:	251	The options are as follows:
249	.Bl -tag -width Ds	252	.Bl -tag -width Ds
250	.It Fl A	253	.It Fl A
251	For each of the key types (rsa, dsa, ecdsa and ed25519)	254	For each of the key types (rsa, dsa, ecdsa, ecdsa-sk and ed25519)
252	for which host keys	255	for which host keys
253	do not exist, generate the host keys with the default key file path,	256	do not exist, generate the host keys with the default key file path,
254	an empty passphrase, default bits for the key type, and default comment.	257	an empty passphrase, default bits for the key type, and default comment.
@@ -282,7 +285,7 @@ flag determines the key length by selecting from one of three elliptic
282	curve sizes: 256, 384 or 521 bits.	285	curve sizes: 256, 384 or 521 bits.
283	Attempting to use bit lengths other than these three values for ECDSA keys	286	Attempting to use bit lengths other than these three values for ECDSA keys
284	will fail.	287	will fail.
285	Ed25519 keys have a fixed length and the	288	ECDSA-SK and Ed25519 keys have a fixed length and the
286	.Fl b	289	.Fl b
287	flag will be ignored.	290	flag will be ignored.
288	.It Fl C Ar comment	291	.It Fl C Ar comment
@@ -583,11 +586,12 @@ section for details.
583	Test DH group exchange candidate primes (generated using the	586	Test DH group exchange candidate primes (generated using the
584	.Fl G	587	.Fl G
585	option) for safety.	588	option) for safety.
586	.It Fl t Cm dsa \| ecdsa \| ed25519 \| rsa	589	.It Fl t Cm dsa \| ecdsa \| ecdsa-sk \| ed25519 \| rsa
587	Specifies the type of key to create.	590	Specifies the type of key to create.
588	The possible values are	591	The possible values are
589	.Dq dsa ,	592	.Dq dsa ,
590	.Dq ecdsa ,	593	.Dq ecdsa ,
		594	.Dq ecdsa-sk ,
591	.Dq ed25519 ,	595	.Dq ed25519 ,
592	or	596	or
593	.Dq rsa .	597	.Dq rsa .
@@ -658,6 +662,14 @@ options increase the verbosity.
658	The maximum is 3.	662	The maximum is 3.
659	.It Fl W Ar generator	663	.It Fl W Ar generator
660	Specify desired generator when testing candidate moduli for DH-GEX.	664	Specify desired generator when testing candidate moduli for DH-GEX.
		665	.It Fl w Ar provider
		666	Specifies a path to a security key provider library that will be used when
		667	creating any security key-hosted keys, overriding the default of using the
		668	.Ev SSH_SK_PROVIDER
		669	environment variable to specify a provider.
		670	.It Fl x Ar flags
		671	Specifies the security key flags to use when enrolling a security key-hosted
		672	key.
661	.It Fl y	673	.It Fl y
662	This option will read a private	674	This option will read a private
663	OpenSSH format file and print an OpenSSH public key to stdout.	675	OpenSSH format file and print an OpenSSH public key to stdout.
@@ -1020,13 +1032,20 @@ user1@example.com,user2@example.com ssh-rsa AAAAX1...
1020	# A key that is accepted only for file signing.	1032	# A key that is accepted only for file signing.
1021	user2@example.com namespaces="file" ssh-ed25519 AAA41...	1033	user2@example.com namespaces="file" ssh-ed25519 AAA41...
1022	.Ed	1034	.Ed
		1035	.Sh ENVIRONMENT
		1036	.Bl -tag -width Ds
		1037	.It Ev SSH_SK_PROVIDER
		1038	Specifies the path to a security key provider library used to interact with
		1039	hardware security keys.
		1040	.El
1023	.Sh FILES	1041	.Sh FILES
1024	.Bl -tag -width Ds -compact	1042	.Bl -tag -width Ds -compact
1025	.It Pa ~/.ssh/id_dsa	1043	.It Pa ~/.ssh/id_dsa
1026	.It Pa ~/.ssh/id_ecdsa	1044	.It Pa ~/.ssh/id_ecdsa
		1045	.It Pa ~/.ssh/id_ecdsa_sk
1027	.It Pa ~/.ssh/id_ed25519	1046	.It Pa ~/.ssh/id_ed25519
1028	.It Pa ~/.ssh/id_rsa	1047	.It Pa ~/.ssh/id_rsa
1029	Contains the DSA, ECDSA, Ed25519 or RSA	1048	Contains the DSA, ECDSA, security key-hosted ECDSA, Ed25519 or RSA
1030	authentication identity of the user.	1049	authentication identity of the user.
1031	This file should not be readable by anyone but the user.	1050	This file should not be readable by anyone but the user.
1032	It is possible to	1051	It is possible to
@@ -1040,9 +1059,10 @@ will read this file when a login attempt is made.
1040	.Pp	1059	.Pp
1041	.It Pa ~/.ssh/id_dsa.pub	1060	.It Pa ~/.ssh/id_dsa.pub
1042	.It Pa ~/.ssh/id_ecdsa.pub	1061	.It Pa ~/.ssh/id_ecdsa.pub
		1062	.It Pa ~/.ssh/id_ecdsa_sk.pub
1043	.It Pa ~/.ssh/id_ed25519.pub	1063	.It Pa ~/.ssh/id_ed25519.pub
1044	.It Pa ~/.ssh/id_rsa.pub	1064	.It Pa ~/.ssh/id_rsa.pub
1045	Contains the DSA, ECDSA, Ed25519 or RSA	1065	Contains the DSA, ECDSA, security key-hosted ECDSA, Ed25519 or RSA
1046	public key for authentication.	1066	public key for authentication.
1047	The contents of this file should be added to	1067	The contents of this file should be added to
1048	.Pa ~/.ssh/authorized_keys	1068	.Pa ~/.ssh/authorized_keys