1 files changed, 17 insertions, 19 deletions
diff --git a/ssh-keygen.1 b/ssh-keygen.1
index 92c516588..2e9894280 100644
--- a/ssh-keygen.1
+++ b/ssh-keygen.1
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: ssh-keygen.1,v 1.189 2020/01/06 02:00:46 djm Exp $
+.\"     $OpenBSD: ssh-keygen.1,v 1.190 2020/01/06 07:43:28 jmc Exp $
 .\"
 .\" Author: Tatu Ylonen <ylo@cs.hut.fi>
 .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -460,39 +460,37 @@ listed in the
 .Sx MODULI GENERATION
 section may be specified.
 .Pp
-When generating a key that will be hosted on a FIDO authenticator, this
+When generating a key that will be hosted on a FIDO authenticator,
-flag may be used to specify key-specific options.
+this flag may be used to specify key-specific options.
-The FIDO authenticator options are supported at present are:
+Those supported at present are:
-.Pp
+.Bl -tag -width Ds
-.Cm application
+.It Cm application
-overrides the default FIDO application/origin string of
+Override the default FIDO application/origin string of
 .Dq ssh: .
-This option may be useful when generating host or domain-specific resident
+This may be useful when generating host or domain-specific resident keys.
-keys.
+.It Cm device
-.Cm device
+Explicitly specify a
-explicitly specify a device to generate the key on, rather than accepting
-the authenticator middleware's automatic selection.
 .Xr fido 4
 device to use, rather than letting the token middleware select one.
-.Cm no-touch-required
+.It Cm no-touch-required
-indicates that the generated private key should not require touch
+Indicate that the generated private key should not require touch
 events (user presence) when making signatures.
 Note that
 .Xr sshd 8
 will refuse such signatures by default, unless overridden via
 an authorized_keys option.
-.Pp
+.It Cm resident
-.Cm resident
+Indicate that the key should be stored on the FIDO authenticator itself.
-indicates that the key should be stored on the FIDO authenticator itself.
 Resident keys may be supported on FIDO2 tokens and typically require that
 a PIN be set on the token prior to generation.
 Resident keys may be loaded off the token using
 .Xr ssh-add 1 .
-.Cm user
+.It Cm user
-allows specification of a username to be associated with a resident key,
+A username to be associated with a resident key,
 overriding the empty default username.
 Specifying a username may be useful when generating multiple resident keys
 for the same application name.
+.El
 .Pp
 The
 .Fl O

diff --git a/ssh-keygen.1 b/ssh-keygen.1 index 92c516588..2e9894280 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: ssh-keygen.1,v 1.189 2020/01/06 02:00:46 djm Exp $	1	.\" $OpenBSD: ssh-keygen.1,v 1.190 2020/01/06 07:43:28 jmc Exp $
2	.\"	2	.\"
3	.\" Author: Tatu Ylonen <ylo@cs.hut.fi>	3	.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
4	.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland	4	.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -460,39 +460,37 @@ listed in the
460	.Sx MODULI GENERATION	460	.Sx MODULI GENERATION
461	section may be specified.	461	section may be specified.
462	.Pp	462	.Pp
463	When generating a key that will be hosted on a FIDO authenticator, this	463	When generating a key that will be hosted on a FIDO authenticator,
464	flag may be used to specify key-specific options.	464	this flag may be used to specify key-specific options.
465	The FIDO authenticator options are supported at present are:	465	Those supported at present are:
466	.Pp	466	.Bl -tag -width Ds
467	.Cm application	467	.It Cm application
468	overrides the default FIDO application/origin string of	468	Override the default FIDO application/origin string of
469	.Dq ssh: .	469	.Dq ssh: .
470	This option may be useful when generating host or domain-specific resident	470	This may be useful when generating host or domain-specific resident keys.
471	keys.	471	.It Cm device
472	.Cm device	472	Explicitly specify a
473	explicitly specify a device to generate the key on, rather than accepting
474	the authenticator middleware's automatic selection.
475	.Xr fido 4	473	.Xr fido 4
476	device to use, rather than letting the token middleware select one.	474	device to use, rather than letting the token middleware select one.
477	.Cm no-touch-required	475	.It Cm no-touch-required
478	indicates that the generated private key should not require touch	476	Indicate that the generated private key should not require touch
479	events (user presence) when making signatures.	477	events (user presence) when making signatures.
480	Note that	478	Note that
481	.Xr sshd 8	479	.Xr sshd 8
482	will refuse such signatures by default, unless overridden via	480	will refuse such signatures by default, unless overridden via
483	an authorized_keys option.	481	an authorized_keys option.
484	.Pp	482	.It Cm resident
485	.Cm resident	483	Indicate that the key should be stored on the FIDO authenticator itself.
486	indicates that the key should be stored on the FIDO authenticator itself.
487	Resident keys may be supported on FIDO2 tokens and typically require that	484	Resident keys may be supported on FIDO2 tokens and typically require that
488	a PIN be set on the token prior to generation.	485	a PIN be set on the token prior to generation.
489	Resident keys may be loaded off the token using	486	Resident keys may be loaded off the token using
490	.Xr ssh-add 1 .	487	.Xr ssh-add 1 .
491	.Cm user	488	.It Cm user
492	allows specification of a username to be associated with a resident key,	489	A username to be associated with a resident key,
493	overriding the empty default username.	490	overriding the empty default username.
494	Specifying a username may be useful when generating multiple resident keys	491	Specifying a username may be useful when generating multiple resident keys
495	for the same application name.	492	for the same application name.
		493	.El
496	.Pp	494	.Pp
497	The	495	The
498	.Fl O	496	.Fl O