merge 5.6p1

author: Colin Watson <cjwatson@debian.org> 2010-08-23 22:56:08 +0100
committer: Colin Watson <cjwatson@debian.org> 2010-08-23 22:56:08 +0100
commit: 31e30b835fd9695d3b6647cab4867001b092e28f (patch)
tree: 138e715c25661825457c7280cd66e3f4853d474c /ssh-keygen.1
parent: 78eedc2c60ff4718200f9271d8ee4f437da3a0c5 (diff)
parent: 43094ebf14c9b16f1ea398bc5b65a7335e947288 (diff)
1 files changed, 65 insertions, 24 deletions
diff --git a/ssh-keygen.1 b/ssh-keygen.1
index 3e03a9bd0..9acd8f8c9 100644
--- a/ssh-keygen.1
+++ b/ssh-keygen.1
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: ssh-keygen.1,v 1.92 2010/03/13 23:38:13 jmc Exp $
+.\"     $OpenBSD: ssh-keygen.1,v 1.98 2010/08/04 06:07:11 djm Exp $
 .\"
 .\"  -*- nroff -*-
 .\"
@@ -37,15 +37,15 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 13 2010 $
+.Dd $Mdocdate: August 4 2010 $
 .Dt SSH-KEYGEN 1
 .Os
 .Sh NAME
 .Nm ssh-keygen
 .Nd authentication key generation, management and conversion
 .Sh SYNOPSIS
-.Nm ssh-keygen
 .Bk -words
+.Nm ssh-keygen
 .Op Fl q
 .Op Fl b Ar bits
 .Fl t Ar type
@@ -59,9 +59,11 @@
 .Op Fl f Ar keyfile
 .Nm ssh-keygen
 .Fl i
+.Op Fl m Ar key_format
 .Op Fl f Ar input_keyfile
 .Nm ssh-keygen
 .Fl e
+.Op Fl m Ar key_format
 .Op Fl f Ar input_keyfile
 .Nm ssh-keygen
 .Fl y
@@ -110,8 +112,9 @@
 .Fl I Ar certificate_identity
 .Op Fl h
 .Op Fl n Ar principals
-.Op Fl O Ar constraint
+.Op Fl O Ar option
 .Op Fl V Ar validity_interval
+.Op Fl z Ar serial_number
 .Ar
 .Nm ssh-keygen
 .Fl L
@@ -212,13 +215,20 @@ the passphrase if the key has one, and for the new comment.
 .It Fl D Ar pkcs11
 Download the RSA public keys provided by the PKCS#11 shared library
 .Ar pkcs11 .
+When used in combination with
+.Fl s ,
+this option indicates that a CA key resides in a PKCS#11 token (see the
+.Sx CERTIFICATES
+section for details).
 .It Fl e
 This option will read a private or public OpenSSH key file and
-print the key in
+print to stdout the key in one of the formats specified by the
-RFC 4716 SSH Public Key File Format
+.Fl m
-to stdout.
+option.
-This option allows exporting keys for use by several commercial
+The default export format is
-SSH implementations.
+.Dq RFC4716 .
+This option allows exporting OpenSSH keys for use by other programs, including
+several commercial SSH implementations.
 .It Fl F Ar hostname
 Search for the specified
 .Ar hostname
@@ -269,13 +279,14 @@ Please see the
 section for details.
 .It Fl i
 This option will read an unencrypted private (or public) key file
-in SSH2-compatible format and print an OpenSSH compatible private
+in the format specified by the
+.Fl m
+option and print an OpenSSH compatible private
 (or public) key to stdout.
-.Nm
+This option allows importing keys from other software, including several
-also reads the
+commercial SSH implementations.
-RFC 4716 SSH Public Key File Format.
+The default import format is
-This option allows importing keys from several commercial
+.Dq RFC4716 .
-SSH implementations.
 .It Fl L
 Prints the contents of a certificate.
 .It Fl l
@@ -290,6 +301,22 @@ an ASCII art representation of the key is supplied with the fingerprint.
 .It Fl M Ar memory
 Specify the amount of memory to use (in megabytes) when generating
 candidate moduli for DH-GEX.
+.It Fl m Ar key_format
+Specify a key format for the
+.Fl i
+(import) or
+.Fl e
+(export) conversion options.
+The supported key formats are:
+.Dq RFC4716
+(RFC 4716/SSH2 public or private key),
+.Dq PKCS8
+(PEM PKCS8 public key)
+or
+.Dq PEM
+(PEM public key).
+The default conversion format is
+.Dq RFC4716 .
 .It Fl N Ar new_passphrase
 Provides the new passphrase.
 .It Fl n Ar principals
@@ -299,13 +326,13 @@ Multiple principals may be specified, separated by commas.
 Please see the
 .Sx CERTIFICATES
 section for details.
-.It Fl O Ar constraint
+.It Fl O Ar option
-Specify a certificate constraint when signing a key.
+Specify a certificate option when signing a key.
 This option may be specified multiple times.
 Please see the
 .Sx CERTIFICATES
 section for details.
-The constraints that are valid for user certificates are:
+The options that are valid for user certificates are:
 .Bl -tag -width Ds
 .It Ic clear
 Clear all enabled permissions.
@@ -355,7 +382,7 @@ is a comma-separated list of one or more address/netmask pairs in CIDR
 format.
 .El
 .Pp
-At present, no constraints are valid for host keys.
+At present, no options are valid for host keys.
 .It Fl P Ar passphrase
 Provides the (old) passphrase.
 .It Fl p
@@ -441,6 +468,10 @@ Specify desired generator when testing candidate moduli for DH-GEX.
 .It Fl y
 This option will read a private
 OpenSSH format file and print an OpenSSH public key to stdout.
+.It Fl z Ar serial_number
+Specifies a serial number to be embedded in the certificate to distinguish
+this certificate from others from the same CA.
+The default serial number is zero.
 .El
 .Sh MODULI GENERATION
 .Nm
@@ -501,7 +532,7 @@ that both ends of a connection share common moduli.
 supports signing of keys to produce certificates that may be used for
 user or host authentication.
 Certificates consist of a public key, some identity information, zero or
-more principal (user or host) names and an optional set of constraints that
+more principal (user or host) names and a set of options that
 are signed by a Certification Authority (CA) key.
 Clients or servers may then trust only the CA key and verify its signature
 on a certificate rather than trusting many user/host keys.
@@ -527,7 +558,17 @@ option:
 .Pp
 The host certificate will be output to
 .Pa /path/to/host_key-cert.pub .
-In both cases,
+.Pp
+It is possible to sign using a CA key stored in a PKCS#11 token by
+providing the token library using
+.Fl D
+and identifying the CA key by providing its public half as an argument
+to
+.Fl s :
+.Pp
+.Dl $ ssh-keygen -s ca_key.pub -D libpkcs11.so -I key_id host_key.pub
+.Pp
+In all cases,
 .Ar key_id
 is a "key identifier" that is logged by the server when the certificate
 is used for authentication.
@@ -541,11 +582,11 @@ To generate a certificate for a specified set of principals:
 .Dl "$ ssh-keygen -s ca_key -I key_id -h -n host.domain user_key.pub"
 .Pp
 Additional limitations on the validity and use of user certificates may
-be specified through certificate constraints.
+be specified through certificate options.
-A constrained certificate may disable features of the SSH session, may be
+A certificate option may disable features of the SSH session, may be
 valid only when presented from particular source addresses or may
 force the use of a specific command.
-For a list of valid certificate constraints, see the documentation for the
+For a list of valid certificate options, see the documentation for the
 .Fl O
 option above.
 .Pp
author	Colin Watson <cjwatson@debian.org>	2010-08-23 22:56:08 +0100
committer	Colin Watson <cjwatson@debian.org>	2010-08-23 22:56:08 +0100
commit	31e30b835fd9695d3b6647cab4867001b092e28f (patch)
tree	138e715c25661825457c7280cd66e3f4853d474c /ssh-keygen.1
parent	78eedc2c60ff4718200f9271d8ee4f437da3a0c5 (diff)
parent	43094ebf14c9b16f1ea398bc5b65a7335e947288 (diff)

diff --git a/ssh-keygen.1 b/ssh-keygen.1 index 3e03a9bd0..9acd8f8c9 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: ssh-keygen.1,v 1.92 2010/03/13 23:38:13 jmc Exp $	1	.\" $OpenBSD: ssh-keygen.1,v 1.98 2010/08/04 06:07:11 djm Exp $
2	.\"	2	.\"
3	.\" -- nroff --	3	.\" -- nroff --
4	.\"	4	.\"
@@ -37,15 +37,15 @@
37	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	37	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
38	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	38	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
39	.\"	39	.\"
40	.Dd $Mdocdate: March 13 2010 $	40	.Dd $Mdocdate: August 4 2010 $
41	.Dt SSH-KEYGEN 1	41	.Dt SSH-KEYGEN 1
42	.Os	42	.Os
43	.Sh NAME	43	.Sh NAME
44	.Nm ssh-keygen	44	.Nm ssh-keygen
45	.Nd authentication key generation, management and conversion	45	.Nd authentication key generation, management and conversion
46	.Sh SYNOPSIS	46	.Sh SYNOPSIS
47	.Nm ssh-keygen
48	.Bk -words	47	.Bk -words
		48	.Nm ssh-keygen
49	.Op Fl q	49	.Op Fl q
50	.Op Fl b Ar bits	50	.Op Fl b Ar bits
51	.Fl t Ar type	51	.Fl t Ar type
@@ -59,9 +59,11 @@
59	.Op Fl f Ar keyfile	59	.Op Fl f Ar keyfile
60	.Nm ssh-keygen	60	.Nm ssh-keygen
61	.Fl i	61	.Fl i
		62	.Op Fl m Ar key_format
62	.Op Fl f Ar input_keyfile	63	.Op Fl f Ar input_keyfile
63	.Nm ssh-keygen	64	.Nm ssh-keygen
64	.Fl e	65	.Fl e
		66	.Op Fl m Ar key_format
65	.Op Fl f Ar input_keyfile	67	.Op Fl f Ar input_keyfile
66	.Nm ssh-keygen	68	.Nm ssh-keygen
67	.Fl y	69	.Fl y
@@ -110,8 +112,9 @@
110	.Fl I Ar certificate_identity	112	.Fl I Ar certificate_identity
111	.Op Fl h	113	.Op Fl h
112	.Op Fl n Ar principals	114	.Op Fl n Ar principals
113	.Op Fl O Ar constraint	115	.Op Fl O Ar option
114	.Op Fl V Ar validity_interval	116	.Op Fl V Ar validity_interval
		117	.Op Fl z Ar serial_number
115	.Ar	118	.Ar
116	.Nm ssh-keygen	119	.Nm ssh-keygen
117	.Fl L	120	.Fl L
@@ -212,13 +215,20 @@ the passphrase if the key has one, and for the new comment.
212	.It Fl D Ar pkcs11	215	.It Fl D Ar pkcs11
213	Download the RSA public keys provided by the PKCS#11 shared library	216	Download the RSA public keys provided by the PKCS#11 shared library
214	.Ar pkcs11 .	217	.Ar pkcs11 .
		218	When used in combination with
		219	.Fl s ,
		220	this option indicates that a CA key resides in a PKCS#11 token (see the
		221	.Sx CERTIFICATES
		222	section for details).
215	.It Fl e	223	.It Fl e
216	This option will read a private or public OpenSSH key file and	224	This option will read a private or public OpenSSH key file and
217	print the key in	225	print to stdout the key in one of the formats specified by the
218	RFC 4716 SSH Public Key File Format	226	.Fl m
219	to stdout.	227	option.
220	This option allows exporting keys for use by several commercial	228	The default export format is
221	SSH implementations.	229	.Dq RFC4716 .
		230	This option allows exporting OpenSSH keys for use by other programs, including
		231	several commercial SSH implementations.
222	.It Fl F Ar hostname	232	.It Fl F Ar hostname
223	Search for the specified	233	Search for the specified
224	.Ar hostname	234	.Ar hostname
@@ -269,13 +279,14 @@ Please see the
269	section for details.	279	section for details.
270	.It Fl i	280	.It Fl i
271	This option will read an unencrypted private (or public) key file	281	This option will read an unencrypted private (or public) key file
272	in SSH2-compatible format and print an OpenSSH compatible private	282	in the format specified by the
		283	.Fl m
		284	option and print an OpenSSH compatible private
273	(or public) key to stdout.	285	(or public) key to stdout.
274	.Nm	286	This option allows importing keys from other software, including several
275	also reads the	287	commercial SSH implementations.
276	RFC 4716 SSH Public Key File Format.	288	The default import format is
277	This option allows importing keys from several commercial	289	.Dq RFC4716 .
278	SSH implementations.
279	.It Fl L	290	.It Fl L
280	Prints the contents of a certificate.	291	Prints the contents of a certificate.
281	.It Fl l	292	.It Fl l
@@ -290,6 +301,22 @@ an ASCII art representation of the key is supplied with the fingerprint.
290	.It Fl M Ar memory	301	.It Fl M Ar memory
291	Specify the amount of memory to use (in megabytes) when generating	302	Specify the amount of memory to use (in megabytes) when generating
292	candidate moduli for DH-GEX.	303	candidate moduli for DH-GEX.
		304	.It Fl m Ar key_format
		305	Specify a key format for the
		306	.Fl i
		307	(import) or
		308	.Fl e
		309	(export) conversion options.
		310	The supported key formats are:
		311	.Dq RFC4716
		312	(RFC 4716/SSH2 public or private key),
		313	.Dq PKCS8
		314	(PEM PKCS8 public key)
		315	or
		316	.Dq PEM
		317	(PEM public key).
		318	The default conversion format is
		319	.Dq RFC4716 .
293	.It Fl N Ar new_passphrase	320	.It Fl N Ar new_passphrase
294	Provides the new passphrase.	321	Provides the new passphrase.
295	.It Fl n Ar principals	322	.It Fl n Ar principals
@@ -299,13 +326,13 @@ Multiple principals may be specified, separated by commas.
299	Please see the	326	Please see the
300	.Sx CERTIFICATES	327	.Sx CERTIFICATES
301	section for details.	328	section for details.
302	.It Fl O Ar constraint	329	.It Fl O Ar option
303	Specify a certificate constraint when signing a key.	330	Specify a certificate option when signing a key.
304	This option may be specified multiple times.	331	This option may be specified multiple times.
305	Please see the	332	Please see the
306	.Sx CERTIFICATES	333	.Sx CERTIFICATES
307	section for details.	334	section for details.
308	The constraints that are valid for user certificates are:	335	The options that are valid for user certificates are:
309	.Bl -tag -width Ds	336	.Bl -tag -width Ds
310	.It Ic clear	337	.It Ic clear
311	Clear all enabled permissions.	338	Clear all enabled permissions.
@@ -355,7 +382,7 @@ is a comma-separated list of one or more address/netmask pairs in CIDR
355	format.	382	format.
356	.El	383	.El
357	.Pp	384	.Pp
358	At present, no constraints are valid for host keys.	385	At present, no options are valid for host keys.
359	.It Fl P Ar passphrase	386	.It Fl P Ar passphrase
360	Provides the (old) passphrase.	387	Provides the (old) passphrase.
361	.It Fl p	388	.It Fl p
@@ -441,6 +468,10 @@ Specify desired generator when testing candidate moduli for DH-GEX.
441	.It Fl y	468	.It Fl y
442	This option will read a private	469	This option will read a private
443	OpenSSH format file and print an OpenSSH public key to stdout.	470	OpenSSH format file and print an OpenSSH public key to stdout.
		471	.It Fl z Ar serial_number
		472	Specifies a serial number to be embedded in the certificate to distinguish
		473	this certificate from others from the same CA.
		474	The default serial number is zero.
444	.El	475	.El
445	.Sh MODULI GENERATION	476	.Sh MODULI GENERATION
446	.Nm	477	.Nm
@@ -501,7 +532,7 @@ that both ends of a connection share common moduli.
501	supports signing of keys to produce certificates that may be used for	532	supports signing of keys to produce certificates that may be used for
502	user or host authentication.	533	user or host authentication.
503	Certificates consist of a public key, some identity information, zero or	534	Certificates consist of a public key, some identity information, zero or
504	more principal (user or host) names and an optional set of constraints that	535	more principal (user or host) names and a set of options that
505	are signed by a Certification Authority (CA) key.	536	are signed by a Certification Authority (CA) key.
506	Clients or servers may then trust only the CA key and verify its signature	537	Clients or servers may then trust only the CA key and verify its signature
507	on a certificate rather than trusting many user/host keys.	538	on a certificate rather than trusting many user/host keys.
@@ -527,7 +558,17 @@ option:
527	.Pp	558	.Pp
528	The host certificate will be output to	559	The host certificate will be output to
529	.Pa /path/to/host_key-cert.pub .	560	.Pa /path/to/host_key-cert.pub .
530	In both cases,	561	.Pp
		562	It is possible to sign using a CA key stored in a PKCS#11 token by
		563	providing the token library using
		564	.Fl D
		565	and identifying the CA key by providing its public half as an argument
		566	to
		567	.Fl s :
		568	.Pp
		569	.Dl $ ssh-keygen -s ca_key.pub -D libpkcs11.so -I key_id host_key.pub
		570	.Pp
		571	In all cases,
531	.Ar key_id	572	.Ar key_id
532	is a "key identifier" that is logged by the server when the certificate	573	is a "key identifier" that is logged by the server when the certificate
533	is used for authentication.	574	is used for authentication.
@@ -541,11 +582,11 @@ To generate a certificate for a specified set of principals:
541	.Dl "$ ssh-keygen -s ca_key -I key_id -h -n host.domain user_key.pub"	582	.Dl "$ ssh-keygen -s ca_key -I key_id -h -n host.domain user_key.pub"
542	.Pp	583	.Pp
543	Additional limitations on the validity and use of user certificates may	584	Additional limitations on the validity and use of user certificates may
544	be specified through certificate constraints.	585	be specified through certificate options.
545	A constrained certificate may disable features of the SSH session, may be	586	A certificate option may disable features of the SSH session, may be
546	valid only when presented from particular source addresses or may	587	valid only when presented from particular source addresses or may
547	force the use of a specific command.	588	force the use of a specific command.
548	For a list of valid certificate constraints, see the documentation for the	589	For a list of valid certificate options, see the documentation for the
549	.Fl O	590	.Fl O
550	option above.	591	option above.
551	.Pp	592	.Pp