path: root/ssh-keygen.1
author: Colin Watson <cjwatson@debian.org> 2010-04-16 10:25:59 +0100
committer: Colin Watson <cjwatson@debian.org> 2010-04-16 10:25:59 +0100
commit: 716621abf50722a46f97ecafed5ce134c94f1a81 (patch)
tree: 9993f08b7ea89f3038c3cfcf8fd1c71bdc7e7ae7 /ssh-keygen.1
parent: ae31b42e02d7bf7004ec0302088f4e169c0f08ce (diff)
parent: 78eedc2c60ff4718200f9271d8ee4f437da3a0c5 (diff)
* New upstream release:
  - Unbreak sshd_config's AuthorizedKeysFile option for $HOME-relative paths.
  - Include a language tag when sending a protocol 2 disconnection message.
  - Make logging of certificates used for user authentication more clear and consistent between CAs specified using TrustedUserCAKeys and authorized_keys.
Diffstat (limited to 'ssh-keygen.1')
-rw-r--r-- ssh-keygen.1 43
1 files changed, 21 insertions, 22 deletions
diff --git a/ssh-keygen.1 b/ssh-keygen.1
index 9dec5a098..64638aa9c 100644
--- a/ssh-keygen.1
+++ b/ssh-keygen.1
@@ -1,4 +1,4 @@
1.\" $OpenBSD: ssh-keygen.1,v 1.88 2010/03/08 00:28:55 djm Exp $ 1.\" $OpenBSD: ssh-keygen.1,v 1.92 2010/03/13 23:38:13 jmc Exp $
2.\" 2.\"
3.\" -*- nroff -*- 3.\" -*- nroff -*-
4.\" 4.\"
@@ -37,7 +37,7 @@
37.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 37.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
38.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 38.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
39.\" 39.\"
40.Dd $Mdocdate: March 8 2010 $ 40.Dd $Mdocdate: March 13 2010 $
41.Dt SSH-KEYGEN 1 41.Dt SSH-KEYGEN 1
42.Os 42.Os
43.Sh NAME 43.Sh NAME
@@ -305,8 +305,15 @@ Please see the
305section for details. 305section for details.
306The constraints that are valid for user certificates are: 306The constraints that are valid for user certificates are:
307.Bl -tag -width Ds 307.Bl -tag -width Ds
308.It Ic no-x11-forwarding 308.It Ic clear
309Disable X11 forwarding (permitted by default). 309Clear all enabled permissions.
310This is useful for clearing the default set of permissions so permissions may
311be added individually.
312.It Ic force-command Ns = Ns Ar command
313Forces the execution of
314.Ar command
315instead of any shell or command specified by the user when
316the certificate is used for authentication.
310.It Ic no-agent-forwarding 317.It Ic no-agent-forwarding
311Disable 318Disable
312.Xr ssh-agent 1 319.Xr ssh-agent 1
@@ -321,12 +328,8 @@ Disable execution of
321by 328by
322.Xr sshd 8 329.Xr sshd 8
323(permitted by default). 330(permitted by default).
324.It Ic clear 331.It Ic no-x11-forwarding
325Clear all enabled permissions. 332Disable X11 forwarding (permitted by default).
326This is useful for clearing the default set of permissions so permissions may
327be added individually.
328.It Ic permit-x11-forwarding
329Allows X11 forwarding.
330.It Ic permit-agent-forwarding 333.It Ic permit-agent-forwarding
331Allows 334Allows
332.Xr ssh-agent 1 335.Xr ssh-agent 1
@@ -340,14 +343,10 @@ Allows execution of
340.Pa ~/.ssh/rc 343.Pa ~/.ssh/rc
341by 344by
342.Xr sshd 8 . 345.Xr sshd 8 .
343.It Ic force-command=command 346.It Ic permit-x11-forwarding
344Forces the execution of 347Allows X11 forwarding.
345.Ar command 348.It Ic source-address Ns = Ns Ar address_list
346instead of any shell or command specified by the user when 349Restrict the source addresses from which the certificate is considered valid.
347the certificate is used for authentication.
348.It Ic source-address=address_list
349Restrict the source addresses from which the certificate is considered valid
350from.
351The 350The
352.Ar address_list 351.Ar address_list
353is a comma-separated list of one or more address/netmask pairs in CIDR 352is a comma-separated list of one or more address/netmask pairs in CIDR
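Review bot: the `source-address` entry (right column, lines 348-349) fixes the dangling "from." and the `Ns = Ns Ar` markup, but the description still stops at "considered valid"; say explicitly that a certificate presented from an address outside the list is rejected for authentication, since the failure behaviour is what an operator relying on this constraint needs to know. Consider also noting that omitting `source-address` leaves the certificate valid from any address, to mirror the "(permitted by default)" wording the other constraints use.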
@@ -410,7 +409,7 @@ in YYYYMMDDHHMMSS format or a relative time (to the current time) consisting
410of a minus sign followed by a relative time in the format described in the 409of a minus sign followed by a relative time in the format described in the
411.Sx TIME FORMATS 410.Sx TIME FORMATS
412section of 411section of
413.Xr ssh_config 5 . 412.Xr sshd_config 5 .
414The end time may be specified as a YYYYMMDD date, a YYYYMMDDHHMMSS time or 413The end time may be specified as a YYYYMMDD date, a YYYYMMDDHHMMSS time or
415a relative time starting with a plus character. 414a relative time starting with a plus character.
416.Pp 415.Pp
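Review bot: the cross-reference change from `.Xr ssh_config 5` to `.Xr sshd_config 5` (line 413 to 412) is the substantive fix in this hunk; since `.Sx TIME FORMATS` is a section reference, double-check that sshd_config(5) carries a section with exactly that heading so the link resolves, and that no other `.Xr ssh_config 5` in this page was meant to point at sshd_config(5) for the same reason.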
@@ -515,7 +514,7 @@ To generate a user certificate:
515.Dl $ ssh-keygen -s /path/to/ca_key -I key_id /path/to/user_key.pub 514.Dl $ ssh-keygen -s /path/to/ca_key -I key_id /path/to/user_key.pub
516.Pp 515.Pp
517The resultant certificate will be placed in 516The resultant certificate will be placed in
518.Pa /path/to/user_key_cert.pub . 517.Pa /path/to/user_key-cert.pub .
519A host certificate requires the 518A host certificate requires the
520.Fl h 519.Fl h
521option: 520option:
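Review bot: the filename correction `user_key_cert.pub` to `user_key-cert.pub` (line 517) should be cross-checked against the rest of the manual: any option description or EXAMPLES text that spells out the certificate output name needs the same `-cert.pub` suffix, as does the host example in the following hunk. A documented path that does not match what the tool writes is the kind of detail administrators hard-code into deployment scripts, so it is worth a grep for the old `_cert.pub` spelling before merging.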
@@ -523,7 +522,7 @@ option:
523.Dl $ ssh-keygen -s /path/to/ca_key -I key_id -h /path/to/host_key.pub 522.Dl $ ssh-keygen -s /path/to/ca_key -I key_id -h /path/to/host_key.pub
524.Pp 523.Pp
525The host certificate will be output to 524The host certificate will be output to
526.Pa /path/to/host_key_cert.pub . 525.Pa /path/to/host_key-cert.pub .
527In both cases, 526In both cases,
528.Ar key_id 527.Ar key_id
529is a "key identifier" that is logged by the server when the certificate 528is a "key identifier" that is logged by the server when the certificate
@@ -535,7 +534,7 @@ By default, generated certificates are valid for all users or hosts.
535To generate a certificate for a specified set of principals: 534To generate a certificate for a specified set of principals:
536.Pp 535.Pp
537.Dl $ ssh-keygen -s ca_key -I key_id -n user1,user2 user_key.pub 536.Dl $ ssh-keygen -s ca_key -I key_id -n user1,user2 user_key.pub
538.Dl $ ssh-keygen -s ca_key -I key_id -h -n host.domain user_key.pub 537.Dl "$ ssh-keygen -s ca_key -I key_id -h -n host.domain user_key.pub"
539.Pp 538.Pp
540Additional limitations on the validity and use of user certificates may 539Additional limitations on the validity and use of user certificates may
541be specified through certificate constraints. 540be specified through certificate constraints.
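Review bot: the quoted `.Dl "$ ssh-keygen -s ca_key -I key_id -h -n host.domain user_key.pub"` (line 537) still shows a host certificate (`-h`) being issued for `user_key.pub`; use `host_key.pub` here, matching the `/path/to/host_key.pub` form in the earlier host-certificate example, so readers who follow the example literally do not sign a user key as a host certificate. The quoting itself, presumably to keep the longer line within the macro's argument limit, is fine.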