upstream: Fill in missing man page bits for U2F security key support:

Mention the new key types, the ~/.ssh/id_ecdsa_sk file, ssh's SecurityKeyProvider keyword, the SSH_SK_PROVIDER environment variable, and ssh-keygen's new -w and -x options. Copy the ssh-sk-helper man page from ssh-pkcs11-helper with minimal substitutions. ok djm@ OpenBSD-Commit-ID: ef2e8f83d0c0ce11ad9b8c28945747e5ca337ac4
author: naddy@openbsd.org <naddy@openbsd.org> 2019-11-07 08:38:38 +0000
committer: Damien Miller <djm@mindrot.org> 2019-11-08 14:09:32 +1100
commit: aa4c640dc362816d63584a16e786d5e314e24390 (patch)
tree: ff9a6015ea0de5579d49d66d42590d93887fd7aa /ssh_config.5
parent: b236b27d6dada7f0542214003632b4e9b7aa1380 (diff)
1 files changed, 23 insertions, 8 deletions
diff --git a/ssh_config.5 b/ssh_config.5
index 02a87892d..ad016470c 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh_config.5,v 1.304 2019/09/13 04:52:34 djm Exp $
+.\" $OpenBSD: ssh_config.5,v 1.305 2019/11/07 08:38:38 naddy Exp $
-.Dd $Mdocdate: September 13 2019 $
+.Dd $Mdocdate: November 7 2019 $
 .Dt SSH_CONFIG 5
 .Os
 .Sh NAME
@@ -381,7 +381,9 @@ flag to
 via
 .Xr ssh-agent 1 ,
 or via a
-.Cm PKCS11Provider .
+.Cm PKCS11Provider
+or
+.Cm SecurityKeyProvider .
 .Pp
 Arguments to
 .Cm CertificateFile
@@ -808,7 +810,8 @@ ecdsa-sha2-nistp256-cert-v01@openssh.com,
 ecdsa-sha2-nistp384-cert-v01@openssh.com,
 ecdsa-sha2-nistp521-cert-v01@openssh.com,
 ssh-ed25519-cert-v01@openssh.com,
-rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,
+rsa-sha2-512-cert-v01@openssh.com,
+rsa-sha2-256-cert-v01@openssh.com,
 ssh-rsa-cert-v01@openssh.com,
 ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
 ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
@@ -840,7 +843,8 @@ ecdsa-sha2-nistp256-cert-v01@openssh.com,
 ecdsa-sha2-nistp384-cert-v01@openssh.com,
 ecdsa-sha2-nistp521-cert-v01@openssh.com,
 ssh-ed25519-cert-v01@openssh.com,
-rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,
+rsa-sha2-512-cert-v01@openssh.com,
+rsa-sha2-256-cert-v01@openssh.com,
 ssh-rsa-cert-v01@openssh.com,
 ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
 ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
@@ -883,6 +887,8 @@ even if
 .Xr ssh-agent 1
 or a
 .Cm PKCS11Provider
+or
+.Cm SecurityKeyProvider
 offers more identities.
 The argument to this keyword must be
 .Cm yes
@@ -919,11 +925,12 @@ or the tokens described in the
 .Sx TOKENS
 section.
 .It Cm IdentityFile
-Specifies a file from which the user's DSA, ECDSA, Ed25519 or RSA authentication
+Specifies a file from which the user's DSA, ECDSA, security key-hosted ECDSA,
-identity is read.
+Ed25519 or RSA authentication identity is read.
 The default is
 .Pa ~/.ssh/id_dsa ,
 .Pa ~/.ssh/id_ecdsa ,
+.Pa ~/.ssh/id_ecdsa_sk ,
 .Pa ~/.ssh/id_ed25519
 and
 .Pa ~/.ssh/id_rsa .
@@ -1315,12 +1322,15 @@ character, then the specified key types will be placed at the head of the
 default set.
 The default for this option is:
 .Bd -literal -offset 3n
+sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
 ecdsa-sha2-nistp256-cert-v01@openssh.com,
 ecdsa-sha2-nistp384-cert-v01@openssh.com,
 ecdsa-sha2-nistp521-cert-v01@openssh.com,
 ssh-ed25519-cert-v01@openssh.com,
-rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,
+rsa-sha2-512-cert-v01@openssh.com,
+rsa-sha2-256-cert-v01@openssh.com,
 ssh-rsa-cert-v01@openssh.com,
+sk-ecdsa-sha2-nistp256@openssh.com,
 ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
 ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
 .Ed
@@ -1437,6 +1447,11 @@ an OpenSSH Key Revocation List (KRL) as generated by
 .Xr ssh-keygen 1 .
 For more information on KRLs, see the KEY REVOCATION LISTS section in
 .Xr ssh-keygen 1 .
+.It Cm SecurityKeyProvider
+Specifies a path to a security key provider library that will be used when
+loading any security key-hosted keys, overriding the default of using the
+.Ev SSH_SK_PROVIDER
+environment variable to specify a provider.
 .It Cm SendEnv
 Specifies what variables from the local
 .Xr environ 7
author	naddy@openbsd.org <naddy@openbsd.org>	2019-11-07 08:38:38 +0000
committer	Damien Miller <djm@mindrot.org>	2019-11-08 14:09:32 +1100
commit	aa4c640dc362816d63584a16e786d5e314e24390 (patch)
tree	ff9a6015ea0de5579d49d66d42590d93887fd7aa /ssh_config.5
parent	b236b27d6dada7f0542214003632b4e9b7aa1380 (diff)

diff --git a/ssh_config.5 b/ssh_config.5 index 02a87892d..ad016470c 100644 --- a/ssh_config.5 +++ b/ssh_config.5
@@ -33,8 +33,8 @@
33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35	.\"	35	.\"
36	.\" $OpenBSD: ssh_config.5,v 1.304 2019/09/13 04:52:34 djm Exp $	36	.\" $OpenBSD: ssh_config.5,v 1.305 2019/11/07 08:38:38 naddy Exp $
37	.Dd $Mdocdate: September 13 2019 $	37	.Dd $Mdocdate: November 7 2019 $
38	.Dt SSH_CONFIG 5	38	.Dt SSH_CONFIG 5
39	.Os	39	.Os
40	.Sh NAME	40	.Sh NAME
@@ -381,7 +381,9 @@ flag to
381	via	381	via
382	.Xr ssh-agent 1 ,	382	.Xr ssh-agent 1 ,
383	or via a	383	or via a
384	.Cm PKCS11Provider .	384	.Cm PKCS11Provider
		385	or
		386	.Cm SecurityKeyProvider .
385	.Pp	387	.Pp
386	Arguments to	388	Arguments to
387	.Cm CertificateFile	389	.Cm CertificateFile
@@ -808,7 +810,8 @@ ecdsa-sha2-nistp256-cert-v01@openssh.com,
808	ecdsa-sha2-nistp384-cert-v01@openssh.com,	810	ecdsa-sha2-nistp384-cert-v01@openssh.com,
809	ecdsa-sha2-nistp521-cert-v01@openssh.com,	811	ecdsa-sha2-nistp521-cert-v01@openssh.com,
810	ssh-ed25519-cert-v01@openssh.com,	812	ssh-ed25519-cert-v01@openssh.com,
811	rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,	813	rsa-sha2-512-cert-v01@openssh.com,
		814	rsa-sha2-256-cert-v01@openssh.com,
812	ssh-rsa-cert-v01@openssh.com,	815	ssh-rsa-cert-v01@openssh.com,
813	ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,	816	ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
814	ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa	817	ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
@@ -840,7 +843,8 @@ ecdsa-sha2-nistp256-cert-v01@openssh.com,
840	ecdsa-sha2-nistp384-cert-v01@openssh.com,	843	ecdsa-sha2-nistp384-cert-v01@openssh.com,
841	ecdsa-sha2-nistp521-cert-v01@openssh.com,	844	ecdsa-sha2-nistp521-cert-v01@openssh.com,
842	ssh-ed25519-cert-v01@openssh.com,	845	ssh-ed25519-cert-v01@openssh.com,
843	rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,	846	rsa-sha2-512-cert-v01@openssh.com,
		847	rsa-sha2-256-cert-v01@openssh.com,
844	ssh-rsa-cert-v01@openssh.com,	848	ssh-rsa-cert-v01@openssh.com,
845	ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,	849	ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
846	ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa	850	ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
@@ -883,6 +887,8 @@ even if
883	.Xr ssh-agent 1	887	.Xr ssh-agent 1
884	or a	888	or a
885	.Cm PKCS11Provider	889	.Cm PKCS11Provider
		890	or
		891	.Cm SecurityKeyProvider
886	offers more identities.	892	offers more identities.
887	The argument to this keyword must be	893	The argument to this keyword must be
888	.Cm yes	894	.Cm yes
@@ -919,11 +925,12 @@ or the tokens described in the
919	.Sx TOKENS	925	.Sx TOKENS
920	section.	926	section.
921	.It Cm IdentityFile	927	.It Cm IdentityFile
922	Specifies a file from which the user's DSA, ECDSA, Ed25519 or RSA authentication	928	Specifies a file from which the user's DSA, ECDSA, security key-hosted ECDSA,
923	identity is read.	929	Ed25519 or RSA authentication identity is read.
924	The default is	930	The default is
925	.Pa ~/.ssh/id_dsa ,	931	.Pa ~/.ssh/id_dsa ,
926	.Pa ~/.ssh/id_ecdsa ,	932	.Pa ~/.ssh/id_ecdsa ,
		933	.Pa ~/.ssh/id_ecdsa_sk ,
927	.Pa ~/.ssh/id_ed25519	934	.Pa ~/.ssh/id_ed25519
928	and	935	and
929	.Pa ~/.ssh/id_rsa .	936	.Pa ~/.ssh/id_rsa .
@@ -1315,12 +1322,15 @@ character, then the specified key types will be placed at the head of the
1315	default set.	1322	default set.
1316	The default for this option is:	1323	The default for this option is:
1317	.Bd -literal -offset 3n	1324	.Bd -literal -offset 3n
		1325	sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
1318	ecdsa-sha2-nistp256-cert-v01@openssh.com,	1326	ecdsa-sha2-nistp256-cert-v01@openssh.com,
1319	ecdsa-sha2-nistp384-cert-v01@openssh.com,	1327	ecdsa-sha2-nistp384-cert-v01@openssh.com,
1320	ecdsa-sha2-nistp521-cert-v01@openssh.com,	1328	ecdsa-sha2-nistp521-cert-v01@openssh.com,
1321	ssh-ed25519-cert-v01@openssh.com,	1329	ssh-ed25519-cert-v01@openssh.com,
1322	rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,	1330	rsa-sha2-512-cert-v01@openssh.com,
		1331	rsa-sha2-256-cert-v01@openssh.com,
1323	ssh-rsa-cert-v01@openssh.com,	1332	ssh-rsa-cert-v01@openssh.com,
		1333	sk-ecdsa-sha2-nistp256@openssh.com,
1324	ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,	1334	ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
1325	ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa	1335	ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
1326	.Ed	1336	.Ed
@@ -1437,6 +1447,11 @@ an OpenSSH Key Revocation List (KRL) as generated by
1437	.Xr ssh-keygen 1 .	1447	.Xr ssh-keygen 1 .
1438	For more information on KRLs, see the KEY REVOCATION LISTS section in	1448	For more information on KRLs, see the KEY REVOCATION LISTS section in
1439	.Xr ssh-keygen 1 .	1449	.Xr ssh-keygen 1 .
		1450	.It Cm SecurityKeyProvider
		1451	Specifies a path to a security key provider library that will be used when
		1452	loading any security key-hosted keys, overriding the default of using the
		1453	.Ev SSH_SK_PROVIDER
		1454	environment variable to specify a provider.
1440	.It Cm SendEnv	1455	.It Cm SendEnv
1441	Specifies what variables from the local	1456	Specifies what variables from the local
1442	.Xr environ 7	1457	.Xr environ 7