| field | value | date |
|---|---|---|
| author | Colin Watson <cjwatson@debian.org> | 2010-04-16 10:25:59 +0100 |
| committer | Colin Watson <cjwatson@debian.org> | 2010-04-16 10:25:59 +0100 |
| commit | 716621abf50722a46f97ecafed5ce134c94f1a81 (patch) | |
| tree | 9993f08b7ea89f3038c3cfcf8fd1c71bdc7e7ae7 /ssh-keygen.1 | |
| parent | ae31b42e02d7bf7004ec0302088f4e169c0f08ce (diff) | |
| parent | 78eedc2c60ff4718200f9271d8ee4f437da3a0c5 (diff) | |
* New upstream release:
  - Unbreak sshd_config's AuthorizedKeysFile option for $HOME-relative paths.
  - Include a language tag when sending a protocol 2 disconnection message.
  - Make logging of certificates used for user authentication more clear and consistent between CAs specified using TrustedUserCAKeys and authorized_keys.
Diffstat (limited to 'ssh-keygen.1')
-rw-r--r-- | ssh-keygen.1 | 43 |
1 files changed, 21 insertions, 22 deletions
diff --git a/ssh-keygen.1 b/ssh-keygen.1 index 9dec5a098..64638aa9c 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1 | |||
@@ -1,4 +1,4 @@ | |||
1 | .\" $OpenBSD: ssh-keygen.1,v 1.88 2010/03/08 00:28:55 djm Exp $ | 1 | .\" $OpenBSD: ssh-keygen.1,v 1.92 2010/03/13 23:38:13 jmc Exp $ |
2 | .\" | 2 | .\" |
3 | .\" -*- nroff -*- | 3 | .\" -*- nroff -*- |
4 | .\" | 4 | .\" |
@@ -37,7 +37,7 @@ | |||
37 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 37 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
38 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 38 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
39 | .\" | 39 | .\" |
40 | .Dd $Mdocdate: March 8 2010 $ | 40 | .Dd $Mdocdate: March 13 2010 $ |
41 | .Dt SSH-KEYGEN 1 | 41 | .Dt SSH-KEYGEN 1 |
42 | .Os | 42 | .Os |
43 | .Sh NAME | 43 | .Sh NAME |
@@ -305,8 +305,15 @@ Please see the | |||
305 | section for details. | 305 | section for details. |
306 | The constraints that are valid for user certificates are: | 306 | The constraints that are valid for user certificates are: |
307 | .Bl -tag -width Ds | 307 | .Bl -tag -width Ds |
308 | .It Ic no-x11-forwarding | 308 | .It Ic clear |
309 | Disable X11 forwarding (permitted by default). | 309 | Clear all enabled permissions. |
310 | This is useful for clearing the default set of permissions so permissions may | ||
311 | be added individually. | ||
312 | .It Ic force-command Ns = Ns Ar command | ||
313 | Forces the execution of | ||
314 | .Ar command | ||
315 | instead of any shell or command specified by the user when | ||
316 | the certificate is used for authentication. | ||
310 | .It Ic no-agent-forwarding | 317 | .It Ic no-agent-forwarding |
311 | Disable | 318 | Disable |
312 | .Xr ssh-agent 1 | 319 | .Xr ssh-agent 1 |
@@ -321,12 +328,8 @@ Disable execution of | |||
321 | by | 328 | by |
322 | .Xr sshd 8 | 329 | .Xr sshd 8 |
323 | (permitted by default). | 330 | (permitted by default). |
324 | .It Ic clear | 331 | .It Ic no-x11-forwarding |
325 | Clear all enabled permissions. | 332 | Disable X11 forwarding (permitted by default). |
326 | This is useful for clearing the default set of permissions so permissions may | ||
327 | be added individually. | ||
328 | .It Ic permit-x11-forwarding | ||
329 | Allows X11 forwarding. | ||
330 | .It Ic permit-agent-forwarding | 333 | .It Ic permit-agent-forwarding |
331 | Allows | 334 | Allows |
332 | .Xr ssh-agent 1 | 335 | .Xr ssh-agent 1 |
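Review bot: the `clear` and `permit-x11-forwarding` entries removed here must reappear elsewhere or the man page loses two documented constraints; the earlier hunk reinserts `clear` together with its two-sentence explanation ("This is useful for clearing the default set of permissions so permissions may be added individually."), so check that `permit-x11-forwarding` is likewise reinserted at its alphabetical position rather than silently dropped.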
@@ -340,14 +343,10 @@ Allows execution of | |||
340 | .Pa ~/.ssh/rc | 343 | .Pa ~/.ssh/rc |
341 | by | 344 | by |
342 | .Xr sshd 8 . | 345 | .Xr sshd 8 . |
343 | .It Ic force-command=command | 346 | .It Ic permit-x11-forwarding |
344 | Forces the execution of | 347 | Allows X11 forwarding. |
345 | .Ar command | 348 | .It Ic source-address Ns = Ns Ar address_list |
346 | instead of any shell or command specified by the user when | 349 | Restrict the source addresses from which the certificate is considered valid. |
347 | the certificate is used for authentication. | ||
348 | .It Ic source-address=address_list | ||
349 | Restrict the source addresses from which the certificate is considered valid | ||
350 | from. | ||
351 | The | 350 | The |
352 | .Ar address_list | 351 | .Ar address_list |
353 | is a comma-separated list of one or more address/netmask pairs in CIDR | 352 | is a comma-separated list of one or more address/netmask pairs in CIDR |
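Review bot: the `source-address` description drops the stray trailing "from." in "considered valid from.", which duplicated the preposition already used in "from which", and the entry now uses `.It Ic source-address Ns = Ns Ar address_list` so that `address_list` renders as an argument, consistent with `force-command`. With `permit-x11-forwarding` reinserted here, the list order is `clear`, `force-command`, `no-*`, `permit-*`, `source-address`, which is alphabetical; a one-line note in the commit message that the list was re-sorted would make the intent of the cross-hunk moves obvious.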
@@ -410,7 +409,7 @@ in YYYYMMDDHHMMSS format or a relative time (to the current time) consisting | |||
410 | of a minus sign followed by a relative time in the format described in the | 409 | of a minus sign followed by a relative time in the format described in the |
411 | .Sx TIME FORMATS | 410 | .Sx TIME FORMATS |
412 | section of | 411 | section of |
413 | .Xr ssh_config 5 . | 412 | .Xr sshd_config 5 . |
414 | The end time may be specified as a YYYYMMDD date, a YYYYMMDDHHMMSS time or | 413 | The end time may be specified as a YYYYMMDD date, a YYYYMMDDHHMMSS time or |
415 | a relative time starting with a plus character. | 414 | a relative time starting with a plus character. |
416 | .Pp | 415 | .Pp |
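Review bot: the `.Xr ssh_config 5` to `.Xr sshd_config 5` change fixes a wrong cross-reference; the TIME FORMATS section that defines the relative-time syntax lives in sshd_config(5), so readers following the old link would not have found it. Worth grepping the rest of the page for other `.Sx TIME FORMATS` references that still point at ssh_config(5).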
@@ -515,7 +514,7 @@ To generate a user certificate: | |||
515 | .Dl $ ssh-keygen -s /path/to/ca_key -I key_id /path/to/user_key.pub | 514 | .Dl $ ssh-keygen -s /path/to/ca_key -I key_id /path/to/user_key.pub |
516 | .Pp | 515 | .Pp |
517 | The resultant certificate will be placed in | 516 | The resultant certificate will be placed in |
518 | .Pa /path/to/user_key_cert.pub . | 517 | .Pa /path/to/user_key-cert.pub . |
519 | A host certificate requires the | 518 | A host certificate requires the |
520 | .Fl h | 519 | .Fl h |
521 | option: | 520 | option: |
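Review bot: `/path/to/user_key-cert.pub` (hyphen) is the name ssh-keygen actually writes, since it appends `-cert.pub` to the public key's base name; the previous `user_key_cert.pub` (underscore) would have sent readers looking for a file that is never created. The same correction is needed for the host-certificate example further down.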
@@ -523,7 +522,7 @@ option: | |||
523 | .Dl $ ssh-keygen -s /path/to/ca_key -I key_id -h /path/to/host_key.pub | 522 | .Dl $ ssh-keygen -s /path/to/ca_key -I key_id -h /path/to/host_key.pub |
524 | .Pp | 523 | .Pp |
525 | The host certificate will be output to | 524 | The host certificate will be output to |
526 | .Pa /path/to/host_key_cert.pub . | 525 | .Pa /path/to/host_key-cert.pub . |
527 | In both cases, | 526 | In both cases, |
528 | .Ar key_id | 527 | .Ar key_id |
529 | is a "key identifier" that is logged by the server when the certificate | 528 | is a "key identifier" that is logged by the server when the certificate |
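Review bot: consistent with the user-certificate fix above: `host_key-cert.pub` matches the real `-cert.pub` suffix. Nothing else changes in this hunk.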
@@ -535,7 +534,7 @@ By default, generated certificates are valid for all users or hosts. | |||
535 | To generate a certificate for a specified set of principals: | 534 | To generate a certificate for a specified set of principals: |
536 | .Pp | 535 | .Pp |
537 | .Dl $ ssh-keygen -s ca_key -I key_id -n user1,user2 user_key.pub | 536 | .Dl $ ssh-keygen -s ca_key -I key_id -n user1,user2 user_key.pub |
538 | .Dl $ ssh-keygen -s ca_key -I key_id -h -n host.domain user_key.pub | 537 | .Dl "$ ssh-keygen -s ca_key -I key_id -h -n host.domain user_key.pub" |
539 | .Pp | 538 | .Pp |
540 | Additional limitations on the validity and use of user certificates may | 539 | Additional limitations on the validity and use of user certificates may |
541 | be specified through certificate constraints. | 540 | be specified through certificate constraints. |
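Review bot: only the second `.Dl` line is wrapped in double quotes (`.Dl "$ ssh-keygen -s ca_key -I key_id -h -n host.domain user_key.pub"`) while the first, `.Dl $ ssh-keygen -s ca_key -I key_id -n user1,user2 user_key.pub`, stays unquoted. If the quoting is needed to keep mdoc from interpreting the arguments, the two examples should be treated the same way; if it is only the `-h -n host.domain` form that needs it, a short comment in the commit message saying why would save the next reader from "fixing" it back.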