merge 5.5p1

author: Colin Watson <cjwatson@debian.org> 2010-04-16 10:04:09 +0100
committer: Colin Watson <cjwatson@debian.org> 2010-04-16 10:04:09 +0100
commit: 78eedc2c60ff4718200f9271d8ee4f437da3a0c5 (patch)
tree: 13e783343edf688afffb4a8e02dc9685342b98a6 /ssh-keygen.1
parent: d1a87e462e1db89f19cd960588d0c6b287cb5ccc (diff)
parent: ff0095389ba9a9e4599e6051c8d5bae6777c4d64 (diff)
1 files changed, 21 insertions, 22 deletions
diff --git a/ssh-keygen.1 b/ssh-keygen.1
index 6557f9336..3e03a9bd0 100644
--- a/ssh-keygen.1
+++ b/ssh-keygen.1
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: ssh-keygen.1,v 1.88 2010/03/08 00:28:55 djm Exp $
+.\"     $OpenBSD: ssh-keygen.1,v 1.92 2010/03/13 23:38:13 jmc Exp $
 .\"
 .\"  -*- nroff -*-
 .\"
@@ -37,7 +37,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 8 2010 $
+.Dd $Mdocdate: March 13 2010 $
 .Dt SSH-KEYGEN 1
 .Os
 .Sh NAME
@@ -307,8 +307,15 @@ Please see the
 section for details.
 The constraints that are valid for user certificates are:
 .Bl -tag -width Ds
-.It Ic no-x11-forwarding
+.It Ic clear
-Disable X11 forwarding (permitted by default).
+Clear all enabled permissions.
+This is useful for clearing the default set of permissions so permissions may
+be added individually.
+.It Ic force-command Ns = Ns Ar command
+Forces the execution of
+.Ar command
+instead of any shell or command specified by the user when
+the certificate is used for authentication.
 .It Ic no-agent-forwarding
 Disable
 .Xr ssh-agent 1
@@ -323,12 +330,8 @@ Disable execution of
 by
 .Xr sshd 8
 (permitted by default).
-.It Ic clear
+.It Ic no-x11-forwarding
-Clear all enabled permissions.
+Disable X11 forwarding (permitted by default).
-This is useful for clearing the default set of permissions so permissions may
-be added individually.
-.It Ic permit-x11-forwarding
-Allows X11 forwarding.
 .It Ic permit-agent-forwarding
 Allows
 .Xr ssh-agent 1
@@ -342,14 +345,10 @@ Allows execution of
 .Pa ~/.ssh/rc
 by
 .Xr sshd 8 .
-.It Ic force-command=command
+.It Ic permit-x11-forwarding
-Forces the execution of
+Allows X11 forwarding.
-.Ar command
+.It Ic source-address Ns = Ns Ar address_list
-instead of any shell or command specified by the user when
+Restrict the source addresses from which the certificate is considered valid.
-the certificate is used for authentication.
-.It Ic source-address=address_list
-Restrict the source addresses from which the certificate is considered valid
-from.
 The
 .Ar address_list
 is a comma-separated list of one or more address/netmask pairs in CIDR
@@ -414,7 +413,7 @@ in YYYYMMDDHHMMSS format or a relative time (to the current time) consisting
 of a minus sign followed by a relative time in the format described in the
 .Sx TIME FORMATS
 section of
-.Xr ssh_config 5 .
+.Xr sshd_config 5 .
 The end time may be specified as a YYYYMMDD date, a YYYYMMDDHHMMSS time or
 a relative time starting with a plus character.
 .Pp
@@ -519,7 +518,7 @@ To generate a user certificate:
 .Dl $ ssh-keygen -s /path/to/ca_key -I key_id /path/to/user_key.pub
 .Pp
 The resultant certificate will be placed in
-.Pa /path/to/user_key_cert.pub .
+.Pa /path/to/user_key-cert.pub .
 A host certificate requires the
 .Fl h
 option:
@@ -527,7 +526,7 @@ option:
 .Dl $ ssh-keygen -s /path/to/ca_key -I key_id -h /path/to/host_key.pub
 .Pp
 The host certificate will be output to
-.Pa /path/to/host_key_cert.pub .
+.Pa /path/to/host_key-cert.pub .
 In both cases,
 .Ar key_id
 is a "key identifier" that is logged by the server when the certificate
@@ -539,7 +538,7 @@ By default, generated certificates are valid for all users or hosts.
 To generate a certificate for a specified set of principals:
 .Pp
 .Dl $ ssh-keygen -s ca_key -I key_id -n user1,user2 user_key.pub
-.Dl $ ssh-keygen -s ca_key -I key_id -h -n host.domain user_key.pub
+.Dl "$ ssh-keygen -s ca_key -I key_id -h -n host.domain user_key.pub"
 .Pp
 Additional limitations on the validity and use of user certificates may
 be specified through certificate constraints.
author	Colin Watson <cjwatson@debian.org>	2010-04-16 10:04:09 +0100
committer	Colin Watson <cjwatson@debian.org>	2010-04-16 10:04:09 +0100
commit	78eedc2c60ff4718200f9271d8ee4f437da3a0c5 (patch)
tree	13e783343edf688afffb4a8e02dc9685342b98a6 /ssh-keygen.1
parent	d1a87e462e1db89f19cd960588d0c6b287cb5ccc (diff)
parent	ff0095389ba9a9e4599e6051c8d5bae6777c4d64 (diff)

diff --git a/ssh-keygen.1 b/ssh-keygen.1 index 6557f9336..3e03a9bd0 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: ssh-keygen.1,v 1.88 2010/03/08 00:28:55 djm Exp $	1	.\" $OpenBSD: ssh-keygen.1,v 1.92 2010/03/13 23:38:13 jmc Exp $
2	.\"	2	.\"
3	.\" -- nroff --	3	.\" -- nroff --
4	.\"	4	.\"
@@ -37,7 +37,7 @@
37	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	37	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
38	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	38	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
39	.\"	39	.\"
40	.Dd $Mdocdate: March 8 2010 $	40	.Dd $Mdocdate: March 13 2010 $
41	.Dt SSH-KEYGEN 1	41	.Dt SSH-KEYGEN 1
42	.Os	42	.Os
43	.Sh NAME	43	.Sh NAME
@@ -307,8 +307,15 @@ Please see the
307	section for details.	307	section for details.
308	The constraints that are valid for user certificates are:	308	The constraints that are valid for user certificates are:
309	.Bl -tag -width Ds	309	.Bl -tag -width Ds
310	.It Ic no-x11-forwarding	310	.It Ic clear
311	Disable X11 forwarding (permitted by default).	311	Clear all enabled permissions.
		312	This is useful for clearing the default set of permissions so permissions may
		313	be added individually.
		314	.It Ic force-command Ns = Ns Ar command
		315	Forces the execution of
		316	.Ar command
		317	instead of any shell or command specified by the user when
		318	the certificate is used for authentication.
312	.It Ic no-agent-forwarding	319	.It Ic no-agent-forwarding
313	Disable	320	Disable
314	.Xr ssh-agent 1	321	.Xr ssh-agent 1
@@ -323,12 +330,8 @@ Disable execution of
323	by	330	by
324	.Xr sshd 8	331	.Xr sshd 8
325	(permitted by default).	332	(permitted by default).
326	.It Ic clear	333	.It Ic no-x11-forwarding
327	Clear all enabled permissions.	334	Disable X11 forwarding (permitted by default).
328	This is useful for clearing the default set of permissions so permissions may
329	be added individually.
330	.It Ic permit-x11-forwarding
331	Allows X11 forwarding.
332	.It Ic permit-agent-forwarding	335	.It Ic permit-agent-forwarding
333	Allows	336	Allows
334	.Xr ssh-agent 1	337	.Xr ssh-agent 1
@@ -342,14 +345,10 @@ Allows execution of
342	.Pa ~/.ssh/rc	345	.Pa ~/.ssh/rc
343	by	346	by
344	.Xr sshd 8 .	347	.Xr sshd 8 .
345	.It Ic force-command=command	348	.It Ic permit-x11-forwarding
346	Forces the execution of	349	Allows X11 forwarding.
347	.Ar command	350	.It Ic source-address Ns = Ns Ar address_list
348	instead of any shell or command specified by the user when	351	Restrict the source addresses from which the certificate is considered valid.
349	the certificate is used for authentication.
350	.It Ic source-address=address_list
351	Restrict the source addresses from which the certificate is considered valid
352	from.
353	The	352	The
354	.Ar address_list	353	.Ar address_list
355	is a comma-separated list of one or more address/netmask pairs in CIDR	354	is a comma-separated list of one or more address/netmask pairs in CIDR
@@ -414,7 +413,7 @@ in YYYYMMDDHHMMSS format or a relative time (to the current time) consisting
414	of a minus sign followed by a relative time in the format described in the	413	of a minus sign followed by a relative time in the format described in the
415	.Sx TIME FORMATS	414	.Sx TIME FORMATS
416	section of	415	section of
417	.Xr ssh_config 5 .	416	.Xr sshd_config 5 .
418	The end time may be specified as a YYYYMMDD date, a YYYYMMDDHHMMSS time or	417	The end time may be specified as a YYYYMMDD date, a YYYYMMDDHHMMSS time or
419	a relative time starting with a plus character.	418	a relative time starting with a plus character.
420	.Pp	419	.Pp
@@ -519,7 +518,7 @@ To generate a user certificate:
519	.Dl $ ssh-keygen -s /path/to/ca_key -I key_id /path/to/user_key.pub	518	.Dl $ ssh-keygen -s /path/to/ca_key -I key_id /path/to/user_key.pub
520	.Pp	519	.Pp
521	The resultant certificate will be placed in	520	The resultant certificate will be placed in
522	.Pa /path/to/user_key_cert.pub .	521	.Pa /path/to/user_key-cert.pub .
523	A host certificate requires the	522	A host certificate requires the
524	.Fl h	523	.Fl h
525	option:	524	option:
@@ -527,7 +526,7 @@ option:
527	.Dl $ ssh-keygen -s /path/to/ca_key -I key_id -h /path/to/host_key.pub	526	.Dl $ ssh-keygen -s /path/to/ca_key -I key_id -h /path/to/host_key.pub
528	.Pp	527	.Pp
529	The host certificate will be output to	528	The host certificate will be output to
530	.Pa /path/to/host_key_cert.pub .	529	.Pa /path/to/host_key-cert.pub .
531	In both cases,	530	In both cases,
532	.Ar key_id	531	.Ar key_id
533	is a "key identifier" that is logged by the server when the certificate	532	is a "key identifier" that is logged by the server when the certificate
@@ -539,7 +538,7 @@ By default, generated certificates are valid for all users or hosts.
539	To generate a certificate for a specified set of principals:	538	To generate a certificate for a specified set of principals:
540	.Pp	539	.Pp
541	.Dl $ ssh-keygen -s ca_key -I key_id -n user1,user2 user_key.pub	540	.Dl $ ssh-keygen -s ca_key -I key_id -n user1,user2 user_key.pub
542	.Dl $ ssh-keygen -s ca_key -I key_id -h -n host.domain user_key.pub	541	.Dl "$ ssh-keygen -s ca_key -I key_id -h -n host.domain user_key.pub"
543	.Pp	542	.Pp
544	Additional limitations on the validity and use of user certificates may	543	Additional limitations on the validity and use of user certificates may
545	be specified through certificate constraints.	544	be specified through certificate constraints.