- djm@cvs.openbsd.org 2013/12/07 08:08:26

[ssh-keygen.1] document -a and -o wrt new key format
author: Damien Miller <djm@mindrot.org> 2013-12-18 17:45:35 +1100
committer: Damien Miller <djm@mindrot.org> 2013-12-18 17:45:35 +1100
commit: 4f752cf71cf44bf4bc777541156c2bf56daf9ce9 (patch)
tree: 7b0ec937b093595dc86991e9139439eb6791add9 /ssh-keygen.1
parent: 6d6fcd14e23a9053198342bb379815b15e504084 (diff)
1 files changed, 24 insertions, 7 deletions
diff --git a/ssh-keygen.1 b/ssh-keygen.1
index 0d55854e9..689db22ff 100644
--- a/ssh-keygen.1
+++ b/ssh-keygen.1
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: ssh-keygen.1,v 1.116 2013/06/27 14:05:37 jmc Exp $
+.\"     $OpenBSD: ssh-keygen.1,v 1.117 2013/12/07 08:08:26 djm Exp $
 .\"
 .\" Author: Tatu Ylonen <ylo@cs.hut.fi>
 .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -35,7 +35,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 27 2013 $
+.Dd $Mdocdate: December 7 2013 $
 .Dt SSH-KEYGEN 1
 .Os
 .Sh NAME
@@ -103,7 +103,7 @@
 .Fl T Ar output_file
 .Fl f Ar input_file
 .Op Fl v
-.Op Fl a Ar num_trials
+.Op Fl a Ar rounds
 .Op Fl J Ar num_lines
 .Op Fl j Ar start_line
 .Op Fl K Ar checkpt
@@ -222,11 +222,20 @@ an empty passphrase, default bits for the key type, and default comment.
 This is used by
 .Pa /etc/rc
 to generate new host keys.
-.It Fl a Ar trials
+.It Fl a Ar rounds
-Specifies the number of primality tests to perform when screening DH-GEX
+When saving a new-format private key (i.e. an ed25519 key or any SSH protocol
-candidates using the
+2 key when the
+.Fl o
+flag is set), this option specifies the number of KDF (key derivation function)
+rounds used.
+Higher numbers result in slower passphrase verification and increased
+resistance to brute-force password cracking (should the keys be stolen).
+.Pp
+When screening DH-GEX candidates (
+using the
 .Fl T
-command.
+command).
+This option specifies the number of primality tests to perform.
 .It Fl B
 Show the bubblebabble digest of specified private or public key file.
 .It Fl b Ar bits
@@ -447,6 +456,14 @@ format.
 .El
 .Pp
 At present, no options are valid for host keys.
+.It Fl o
+Causes
+.Nm
+to save SSH protocol 2 private keys using the new OpenSSH format rather than
+the more compatible PEM format.
+The new format has increased resistance to brute-force password cracking
+but is not supported by versions of OpenSSH prior to 6.5.
+Ed25519 keys always use the new private key format.
 .It Fl P Ar passphrase
 Provides the (old) passphrase.
 .It Fl p
author	Damien Miller <djm@mindrot.org>	2013-12-18 17:45:35 +1100
committer	Damien Miller <djm@mindrot.org>	2013-12-18 17:45:35 +1100
commit	4f752cf71cf44bf4bc777541156c2bf56daf9ce9 (patch)
tree	7b0ec937b093595dc86991e9139439eb6791add9 /ssh-keygen.1
parent	6d6fcd14e23a9053198342bb379815b15e504084 (diff)

diff --git a/ssh-keygen.1 b/ssh-keygen.1 index 0d55854e9..689db22ff 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: ssh-keygen.1,v 1.116 2013/06/27 14:05:37 jmc Exp $	1	.\" $OpenBSD: ssh-keygen.1,v 1.117 2013/12/07 08:08:26 djm Exp $
2	.\"	2	.\"
3	.\" Author: Tatu Ylonen <ylo@cs.hut.fi>	3	.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
4	.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland	4	.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -35,7 +35,7 @@
35	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	35	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
36	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	36	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
37	.\"	37	.\"
38	.Dd $Mdocdate: June 27 2013 $	38	.Dd $Mdocdate: December 7 2013 $
39	.Dt SSH-KEYGEN 1	39	.Dt SSH-KEYGEN 1
40	.Os	40	.Os
41	.Sh NAME	41	.Sh NAME
@@ -103,7 +103,7 @@
103	.Fl T Ar output_file	103	.Fl T Ar output_file
104	.Fl f Ar input_file	104	.Fl f Ar input_file
105	.Op Fl v	105	.Op Fl v
106	.Op Fl a Ar num_trials	106	.Op Fl a Ar rounds
107	.Op Fl J Ar num_lines	107	.Op Fl J Ar num_lines
108	.Op Fl j Ar start_line	108	.Op Fl j Ar start_line
109	.Op Fl K Ar checkpt	109	.Op Fl K Ar checkpt
@@ -222,11 +222,20 @@ an empty passphrase, default bits for the key type, and default comment.
222	This is used by	222	This is used by
223	.Pa /etc/rc	223	.Pa /etc/rc
224	to generate new host keys.	224	to generate new host keys.
225	.It Fl a Ar trials	225	.It Fl a Ar rounds
226	Specifies the number of primality tests to perform when screening DH-GEX	226	When saving a new-format private key (i.e. an ed25519 key or any SSH protocol
227	candidates using the	227	2 key when the
		228	.Fl o
		229	flag is set), this option specifies the number of KDF (key derivation function)
		230	rounds used.
		231	Higher numbers result in slower passphrase verification and increased
		232	resistance to brute-force password cracking (should the keys be stolen).
		233	.Pp
		234	When screening DH-GEX candidates (
		235	using the
228	.Fl T	236	.Fl T
229	command.	237	command).
		238	This option specifies the number of primality tests to perform.
230	.It Fl B	239	.It Fl B
231	Show the bubblebabble digest of specified private or public key file.	240	Show the bubblebabble digest of specified private or public key file.
232	.It Fl b Ar bits	241	.It Fl b Ar bits
@@ -447,6 +456,14 @@ format.
447	.El	456	.El
448	.Pp	457	.Pp
449	At present, no options are valid for host keys.	458	At present, no options are valid for host keys.
		459	.It Fl o
		460	Causes
		461	.Nm
		462	to save SSH protocol 2 private keys using the new OpenSSH format rather than
		463	the more compatible PEM format.
		464	The new format has increased resistance to brute-force password cracking
		465	but is not supported by versions of OpenSSH prior to 6.5.
		466	Ed25519 keys always use the new private key format.
450	.It Fl P Ar passphrase	467	.It Fl P Ar passphrase
451	Provides the (old) passphrase.	468	Provides the (old) passphrase.
452	.It Fl p	469	.It Fl p