author | jmc@openbsd.org <jmc@openbsd.org> | 2017-05-02 07:13:31 +0000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2017-05-08 09:18:04 +1000 |
commit | 6b84897f7fd39956b849eac7810319d8a9958568 (patch) | |
tree | 9d5dd486e60b6990f89f7135a97365f8d6d869a4 /ssh-keygen.1 | |
parent | d1c6b7fdbdfe4a7a37ecd48a97f0796b061c2868 (diff) |
upstream commit
tidy up -O somewhat; ok djm
Upstream-ID: 804405f716bf7ef15c1f36ab48581ca16aeb4d52
Diffstat (limited to 'ssh-keygen.1')
-rw-r--r-- | ssh-keygen.1 | 61 |
1 files changed, 34 insertions, 27 deletions
diff --git a/ssh-keygen.1 b/ssh-keygen.1 index be1a169f4..0202fe757 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1 | |||
@@ -1,4 +1,4 @@ | |||
1 | .\" $OpenBSD: ssh-keygen.1,v 1.136 2017/04/30 23:18:44 djm Exp $ | 1 | .\" $OpenBSD: ssh-keygen.1,v 1.137 2017/05/02 07:13:31 jmc Exp $ |
2 | .\" | 2 | .\" |
3 | .\" Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | .\" Author: Tatu Ylonen <ylo@cs.hut.fi> |
4 | .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
@@ -35,7 +35,7 @@ | |||
35 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 35 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
36 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 36 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
37 | .\" | 37 | .\" |
38 | .Dd $Mdocdate: April 30 2017 $ | 38 | .Dd $Mdocdate: May 2 2017 $ |
39 | .Dt SSH-KEYGEN 1 | 39 | .Dt SSH-KEYGEN 1 |
40 | .Os | 40 | .Os |
41 | .Sh NAME | 41 | .Sh NAME |
@@ -422,80 +422,87 @@ section for details. | |||
422 | .It Fl O Ar option | 422 | .It Fl O Ar option |
423 | Specify a certificate option when signing a key. | 423 | Specify a certificate option when signing a key. |
424 | This option may be specified multiple times. | 424 | This option may be specified multiple times. |
425 | Please see the | 425 | See also the |
426 | .Sx CERTIFICATES | 426 | .Sx CERTIFICATES |
427 | section for details. | 427 | section for further details. |
428 | At present, no standard options are valid for host keys. | ||
428 | The options that are valid for user certificates are: | 429 | The options that are valid for user certificates are: |
429 | .Bl -tag -width Ds | 430 | .Pp |
431 | .Bl -tag -width Ds -compact | ||
430 | .It Ic clear | 432 | .It Ic clear |
431 | Clear all enabled permissions. | 433 | Clear all enabled permissions. |
432 | This is useful for clearing the default set of permissions so permissions may | 434 | This is useful for clearing the default set of permissions so permissions may |
433 | be added individually. | 435 | be added individually. |
436 | .Pp | ||
437 | .It Ic critical : Ns Ar name Ns Op Ns = Ns Ar contents | ||
438 | .It Ic extension : Ns Ar name Ns Op Ns = Ns Ar contents | ||
439 | Includes an arbitrary certificate critical option or extension. | ||
440 | The specified | ||
441 | .Ar name | ||
442 | should include a domain suffix, e.g.\& | ||
443 | .Dq name@example.com . | ||
444 | If | ||
445 | .Ar contents | ||
446 | is specified then it is included as the contents of the extension/option | ||
447 | encoded as a string, otherwise the extension/option is created with no | ||
448 | contents (usually indicating a flag). | ||
449 | Extensions may be ignored by a client or server that does not recognise them, | ||
450 | whereas unknown critical options will cause the certificate to be refused. | ||
451 | .Pp | ||
434 | .It Ic force-command Ns = Ns Ar command | 452 | .It Ic force-command Ns = Ns Ar command |
435 | Forces the execution of | 453 | Forces the execution of |
436 | .Ar command | 454 | .Ar command |
437 | instead of any shell or command specified by the user when | 455 | instead of any shell or command specified by the user when |
438 | the certificate is used for authentication. | 456 | the certificate is used for authentication. |
457 | .Pp | ||
439 | .It Ic no-agent-forwarding | 458 | .It Ic no-agent-forwarding |
440 | Disable | 459 | Disable |
441 | .Xr ssh-agent 1 | 460 | .Xr ssh-agent 1 |
442 | forwarding (permitted by default). | 461 | forwarding (permitted by default). |
462 | .Pp | ||
443 | .It Ic no-port-forwarding | 463 | .It Ic no-port-forwarding |
444 | Disable port forwarding (permitted by default). | 464 | Disable port forwarding (permitted by default). |
465 | .Pp | ||
445 | .It Ic no-pty | 466 | .It Ic no-pty |
446 | Disable PTY allocation (permitted by default). | 467 | Disable PTY allocation (permitted by default). |
468 | .Pp | ||
447 | .It Ic no-user-rc | 469 | .It Ic no-user-rc |
448 | Disable execution of | 470 | Disable execution of |
449 | .Pa ~/.ssh/rc | 471 | .Pa ~/.ssh/rc |
450 | by | 472 | by |
451 | .Xr sshd 8 | 473 | .Xr sshd 8 |
452 | (permitted by default). | 474 | (permitted by default). |
475 | .Pp | ||
453 | .It Ic no-x11-forwarding | 476 | .It Ic no-x11-forwarding |
454 | Disable X11 forwarding (permitted by default). | 477 | Disable X11 forwarding (permitted by default). |
478 | .Pp | ||
455 | .It Ic permit-agent-forwarding | 479 | .It Ic permit-agent-forwarding |
456 | Allows | 480 | Allows |
457 | .Xr ssh-agent 1 | 481 | .Xr ssh-agent 1 |
458 | forwarding. | 482 | forwarding. |
483 | .Pp | ||
459 | .It Ic permit-port-forwarding | 484 | .It Ic permit-port-forwarding |
460 | Allows port forwarding. | 485 | Allows port forwarding. |
486 | .Pp | ||
461 | .It Ic permit-pty | 487 | .It Ic permit-pty |
462 | Allows PTY allocation. | 488 | Allows PTY allocation. |
489 | .Pp | ||
463 | .It Ic permit-user-rc | 490 | .It Ic permit-user-rc |
464 | Allows execution of | 491 | Allows execution of |
465 | .Pa ~/.ssh/rc | 492 | .Pa ~/.ssh/rc |
466 | by | 493 | by |
467 | .Xr sshd 8 . | 494 | .Xr sshd 8 . |
495 | .Pp | ||
468 | .It Ic permit-x11-forwarding | 496 | .It Ic permit-x11-forwarding |
469 | Allows X11 forwarding. | 497 | Allows X11 forwarding. |
498 | .Pp | ||
470 | .It Ic source-address Ns = Ns Ar address_list | 499 | .It Ic source-address Ns = Ns Ar address_list |
471 | Restrict the source addresses from which the certificate is considered valid. | 500 | Restrict the source addresses from which the certificate is considered valid. |
472 | The | 501 | The |
473 | .Ar address_list | 502 | .Ar address_list |
474 | is a comma-separated list of one or more address/netmask pairs in CIDR | 503 | is a comma-separated list of one or more address/netmask pairs in CIDR |
475 | format. | 504 | format. |
476 | .It Ic extension : Ns Ar name Ns Op Ns = Ns Ar contents | ||
477 | Includes an arbitrary certificate extension. | ||
478 | .It Ic critical : Ns Ar name Ns Op Ns = Ns Ar contents | ||
479 | Includes an arbitrary certificate critical option. | ||
480 | .El | 505 | .El |
481 | .Pp | ||
482 | At present, no standard options are valid for host keys. | ||
483 | .Pp | ||
484 | For non-standard certificate extensions or options included using | ||
485 | .Ic extension | ||
486 | or | ||
487 | .Ic option , | ||
488 | the specified | ||
489 | .Ar name | ||
490 | should include a domain suffix, e.g.\& | ||
491 | .Dq name@example.com . | ||
492 | If | ||
493 | .Ar contents | ||
494 | is specified then it is included as the contents of the extension/option | ||
495 | encoded as a string, otherwise the extension/option is created with no | ||
496 | contents (usually indicating a flag). | ||
497 | Extensions may be ignored by a client or server that does not recognise them, | ||
498 | whereas unknown critical options will cause the certificate to be refused. | ||
499 | .It Fl o | 506 | .It Fl o |
500 | Causes | 507 | Causes |
501 | .Nm | 508 | .Nm |
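Review bot: In the merged entry for `critical:` and `extension:` (new lines 437-450), the opening sentence "Includes an arbitrary certificate critical option or extension." does not say which keyword produces which, and the only behavioural difference between them is left to the last sentence of the paragraph. Because an unknown critical option causes the certificate to be refused while an unknown extension may be ignored, consider stating the mapping up front (that `critical:` adds a critical option and `extension:` adds an extension) so that a reader choosing between the two stacked `.It` forms sees the consequence immediately. Separately, "At present, no standard options are valid for host keys." now sits directly above a list introduced with "The options that are valid for user certificates are:", which leaves it unclear whether `critical:` and `extension:` may be used when signing host keys; a short clause settling that would help.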