diff options
| author | djm@openbsd.org <djm@openbsd.org> | 2017-06-28 01:09:22 +0000 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2017-06-28 11:13:19 +1000 |
| commit | a98339edbc1fc21342a390f345179a9c3031bef7 (patch) | |
| tree | 574e103d0a458f96213e808118eb75d39bc3387f /ssh-keygen.1 | |
| parent | c9cdef35524bd59007e17d5bd2502dade69e2dfb (diff) | |
upstream commit
Allow ssh-keygen to use a key held in ssh-agent as a CA when
signing certificates. bz#2377 ok markus
Upstream-ID: fb42e920b592edcbb5b50465739a867c09329c8f
Diffstat (limited to 'ssh-keygen.1')
| -rw-r--r-- | ssh-keygen.1 | 22 |
1 files changed, 20 insertions, 2 deletions
diff --git a/ssh-keygen.1 b/ssh-keygen.1 index 786d37d51..66f8321c5 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1 | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | .\" $OpenBSD: ssh-keygen.1,v 1.141 2017/05/05 10:41:58 naddy Exp $ | 1 | .\" $OpenBSD: ssh-keygen.1,v 1.142 2017/06/28 01:09:22 djm Exp $ |
| 2 | .\" | 2 | .\" |
| 3 | .\" Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | .\" Author: Tatu Ylonen <ylo@cs.hut.fi> |
| 4 | .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
| @@ -35,7 +35,7 @@ | |||
| 35 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 35 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
| 36 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 36 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
| 37 | .\" | 37 | .\" |
| 38 | .Dd $Mdocdate: May 5 2017 $ | 38 | .Dd $Mdocdate: June 28 2017 $ |
| 39 | .Dt SSH-KEYGEN 1 | 39 | .Dt SSH-KEYGEN 1 |
| 40 | .Os | 40 | .Os |
| 41 | .Sh NAME | 41 | .Sh NAME |
| @@ -114,6 +114,8 @@ | |||
| 114 | .Fl s Ar ca_key | 114 | .Fl s Ar ca_key |
| 115 | .Fl I Ar certificate_identity | 115 | .Fl I Ar certificate_identity |
| 116 | .Op Fl h | 116 | .Op Fl h |
| 117 | .Op Fl U | ||
| 118 | .Op Fl D Ar pkcs11_provider | ||
| 117 | .Op Fl n Ar principals | 119 | .Op Fl n Ar principals |
| 118 | .Op Fl O Ar option | 120 | .Op Fl O Ar option |
| 119 | .Op Fl V Ar validity_interval | 121 | .Op Fl V Ar validity_interval |
| @@ -558,6 +560,14 @@ The possible values are | |||
| 558 | .Dq ed25519 , | 560 | .Dq ed25519 , |
| 559 | or | 561 | or |
| 560 | .Dq rsa . | 562 | .Dq rsa . |
| 563 | .It Fl U | ||
| 564 | When used in combination with | ||
| 565 | .Fl s , | ||
| 566 | this option indicates that a CA key resides in a | ||
| 567 | .Xr ssh-agent 1 . | ||
| 568 | See the | ||
| 569 | .Sx CERTIFICATES | ||
| 570 | section for more information. | ||
| 561 | .It Fl u | 571 | .It Fl u |
| 562 | Update a KRL. | 572 | Update a KRL. |
| 563 | When specified with | 573 | When specified with |
| @@ -705,6 +715,14 @@ to | |||
| 705 | .Pp | 715 | .Pp |
| 706 | .Dl $ ssh-keygen -s ca_key.pub -D libpkcs11.so -I key_id user_key.pub | 716 | .Dl $ ssh-keygen -s ca_key.pub -D libpkcs11.so -I key_id user_key.pub |
| 707 | .Pp | 717 | .Pp |
| 718 | Similarly, it is possible for the CA key to be hosted in a | ||
| 719 | .Xr ssh-agent 1 . | ||
| 720 | This is indicated by the | ||
| 721 | .Fl U | ||
| 722 | flag and, again, the CA key must be identified by its public half. | ||
| 723 | .Pp | ||
| 724 | .Dl $ ssh-keygen -Us ca_key.pub -I key_id user_key.pub | ||
| 725 | .Pp | ||
| 708 | In all cases, | 726 | In all cases, |
| 709 | .Ar key_id | 727 | .Ar key_id |
| 710 | is a "key identifier" that is logged by the server when the certificate | 728 | is a "key identifier" that is logged by the server when the certificate |