upstream commit

add ssh_config CertificateFile option to explicitly list a certificate; patch from Meghana Bhat on bz#2436; ok markus@ Upstream-ID: 58648ec53c510b41c1f46d8fe293aadc87229ab8
author: djm@openbsd.org <djm@openbsd.org> 2015-09-24 06:15:11 +0000
committer: Damien Miller <djm@mindrot.org> 2015-10-06 12:21:54 +1100
commit: 4e44a79a07d4b88b6a4e5e8c1bed5f58c841b1b8 (patch)
tree: 7ef647dabf413a83da2f0c26917a8e0b5e1d2145 /ssh_config.5
parent: e3cbb06ade83c72b640a53728d362bbefa0008e2 (diff)
1 files changed, 50 insertions, 4 deletions
diff --git a/ssh_config.5 b/ssh_config.5
index 54c42ab80..39cf932d3 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh_config.5,v 1.220 2015/09/22 08:33:23 sobrado Exp $
+.\" $OpenBSD: ssh_config.5,v 1.221 2015/09/24 06:15:11 djm Exp $
-.Dd $Mdocdate: September 22 2015 $
+.Dd $Mdocdate: September 24 2015 $
 .Dt SSH_CONFIG 5
 .Os
 .Sh NAME
@@ -325,6 +325,41 @@ to be canonicalized to names in the
 or
 .Dq *.c.example.com
 domains.
+.It Cm CertificateFile
+Specifies a file from which the user's certificate is read.
+A corresponding private key must be provided separately in order
+to use this certificate either
+from an
+.Cm IdentityFile
+directive or
+.Fl i
+flag to
+.Xr ssh 1 ,
+via
+.Xr ssh-agent 1 ,
+or via a
+.Cm PKCS11Provider .
+.Pp
+The file name may use the tilde
+syntax to refer to a user's home directory or one of the following
+escape characters:
+.Ql %d
+(local user's home directory),
+.Ql %u
+(local user name),
+.Ql %l
+(local host name),
+.Ql %h
+(remote host name) or
+.Ql %r
+(remote user name).
+.Pp
+It is possible to have multiple certificate files specified in
+configuration files; these certificates will be tried in sequence.
+Multiple
+.Cm CertificateFile
+directives will add to the list of certificates used for
+authentication.
 .It Cm ChallengeResponseAuthentication
 Specifies whether to use challenge-response authentication.
 The argument to this keyword must be
@@ -869,9 +904,13 @@ specifications).
 .It Cm IdentitiesOnly
 Specifies that
 .Xr ssh 1
-should only use the authentication identity files configured in the
+should only use the authentication identity and certificate files explicitly
+configured in the
 .Nm
-files,
+files
+or passed on the
+.Xr ssh 1
+command-line,
 even if
 .Xr ssh-agent 1
 or a
@@ -901,6 +940,8 @@ Additionally, any identities represented by the authentication agent
 will be used for authentication unless
 .Cm IdentitiesOnly
 is set.
+If no certificates have been explicitly specified by
+.Cm CertificateFile ,
 .Xr ssh 1
 will try to load certificate information from the filename obtained by
 appending
@@ -934,6 +975,11 @@ differs from that of other configuration directives).
 may be used in conjunction with
 .Cm IdentitiesOnly
 to select which identities in an agent are offered during authentication.
+.Cm IdentityFile
+may also be used in conjunction with
+.Cm CertificateFile
+in order to provide any certificate also needed for authentication with
+the identity.
 .It Cm IgnoreUnknown
 Specifies a pattern-list of unknown options to be ignored if they are
 encountered in configuration parsing.
author	djm@openbsd.org <djm@openbsd.org>	2015-09-24 06:15:11 +0000
committer	Damien Miller <djm@mindrot.org>	2015-10-06 12:21:54 +1100
commit	4e44a79a07d4b88b6a4e5e8c1bed5f58c841b1b8 (patch)
tree	7ef647dabf413a83da2f0c26917a8e0b5e1d2145 /ssh_config.5
parent	e3cbb06ade83c72b640a53728d362bbefa0008e2 (diff)

diff --git a/ssh_config.5 b/ssh_config.5 index 54c42ab80..39cf932d3 100644 --- a/ssh_config.5 +++ b/ssh_config.5
@@ -33,8 +33,8 @@
33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35	.\"	35	.\"
36	.\" $OpenBSD: ssh_config.5,v 1.220 2015/09/22 08:33:23 sobrado Exp $	36	.\" $OpenBSD: ssh_config.5,v 1.221 2015/09/24 06:15:11 djm Exp $
37	.Dd $Mdocdate: September 22 2015 $	37	.Dd $Mdocdate: September 24 2015 $
38	.Dt SSH_CONFIG 5	38	.Dt SSH_CONFIG 5
39	.Os	39	.Os
40	.Sh NAME	40	.Sh NAME
@@ -325,6 +325,41 @@ to be canonicalized to names in the
325	or	325	or
326	.Dq *.c.example.com	326	.Dq *.c.example.com
327	domains.	327	domains.
		328	.It Cm CertificateFile
		329	Specifies a file from which the user's certificate is read.
		330	A corresponding private key must be provided separately in order
		331	to use this certificate either
		332	from an
		333	.Cm IdentityFile
		334	directive or
		335	.Fl i
		336	flag to
		337	.Xr ssh 1 ,
		338	via
		339	.Xr ssh-agent 1 ,
		340	or via a
		341	.Cm PKCS11Provider .
		342	.Pp
		343	The file name may use the tilde
		344	syntax to refer to a user's home directory or one of the following
		345	escape characters:
		346	.Ql %d
		347	(local user's home directory),
		348	.Ql %u
		349	(local user name),
		350	.Ql %l
		351	(local host name),
		352	.Ql %h
		353	(remote host name) or
		354	.Ql %r
		355	(remote user name).
		356	.Pp
		357	It is possible to have multiple certificate files specified in
		358	configuration files; these certificates will be tried in sequence.
		359	Multiple
		360	.Cm CertificateFile
		361	directives will add to the list of certificates used for
		362	authentication.
328	.It Cm ChallengeResponseAuthentication	363	.It Cm ChallengeResponseAuthentication
329	Specifies whether to use challenge-response authentication.	364	Specifies whether to use challenge-response authentication.
330	The argument to this keyword must be	365	The argument to this keyword must be
@@ -869,9 +904,13 @@ specifications).
869	.It Cm IdentitiesOnly	904	.It Cm IdentitiesOnly
870	Specifies that	905	Specifies that
871	.Xr ssh 1	906	.Xr ssh 1
872	should only use the authentication identity files configured in the	907	should only use the authentication identity and certificate files explicitly
		908	configured in the
873	.Nm	909	.Nm
874	files,	910	files
		911	or passed on the
		912	.Xr ssh 1
		913	command-line,
875	even if	914	even if
876	.Xr ssh-agent 1	915	.Xr ssh-agent 1
877	or a	916	or a
@@ -901,6 +940,8 @@ Additionally, any identities represented by the authentication agent
901	will be used for authentication unless	940	will be used for authentication unless
902	.Cm IdentitiesOnly	941	.Cm IdentitiesOnly
903	is set.	942	is set.
		943	If no certificates have been explicitly specified by
		944	.Cm CertificateFile ,
904	.Xr ssh 1	945	.Xr ssh 1
905	will try to load certificate information from the filename obtained by	946	will try to load certificate information from the filename obtained by
906	appending	947	appending
@@ -934,6 +975,11 @@ differs from that of other configuration directives).
934	may be used in conjunction with	975	may be used in conjunction with
935	.Cm IdentitiesOnly	976	.Cm IdentitiesOnly
936	to select which identities in an agent are offered during authentication.	977	to select which identities in an agent are offered during authentication.
		978	.Cm IdentityFile
		979	may also be used in conjunction with
		980	.Cm CertificateFile
		981	in order to provide any certificate also needed for authentication with
		982	the identity.
937	.It Cm IgnoreUnknown	983	.It Cm IgnoreUnknown
938	Specifies a pattern-list of unknown options to be ignored if they are	984	Specifies a pattern-list of unknown options to be ignored if they are
939	encountered in configuration parsing.	985	encountered in configuration parsing.