1 files changed, 10 insertions, 10 deletions

diff --git a/ssh-keygen.1 b/ssh-keygen.1
index c6a976183..3494fbceb 100644
--- a/ssh-keygen.1
+++ b/ssh-keygen.1
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: ssh-keygen.1,v 1.197 2020/01/28 08:01:34 djm Exp $
+.\"     $OpenBSD: ssh-keygen.1,v 1.198 2020/02/02 07:36:50 jmc Exp $
 .\"
 .\" Author: Tatu Ylonen <ylo@cs.hut.fi>
 .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -35,7 +35,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: January 28 2020 $
+.Dd $Mdocdate: February 2 2020 $
 .Dt SSH-KEYGEN 1
 .Os
 .Sh NAME
@@ -472,6 +472,14 @@ Those supported at present are:
 Override the default FIDO application/origin string of
 .Dq ssh: .
 This may be useful when generating host or domain-specific resident keys.
+.It Cm challenge=path
+Specifies a path to a challenge string that will be passed to the
+FIDO token during key generation.
+The challenge string is optional, but may be used as part of an out-of-band
+protocol for key enrollment.
+If no
+.Cm challenge
+is specified, a random challenge is used.
 .It Cm device
 Explicitly specify a
 .Xr fido 4
@@ -483,14 +491,6 @@ Note that
 .Xr sshd 8
 will refuse such signatures by default, unless overridden via
 an authorized_keys option.
-.It Cm challenge=path
-Specifies a path to a challenge string that will be passed to the
-FIDO token during key generation.
-The challenge string is optional, but may be used as part of an out-of-band
-protocol for key enrollment.
-If no
-.Cm challenge
-is specified, a random challenge is used.
 .It Cm resident
 Indicate that the key should be stored on the FIDO authenticator itself.
 Resident keys may be supported on FIDO2 tokens and typically require that