1 files changed, 65 insertions, 24 deletions
diff --git a/ssh-keygen.1 b/ssh-keygen.1
index 64638aa9c..0845b4066 100644
--- a/ssh-keygen.1
+++ b/ssh-keygen.1
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: ssh-keygen.1,v 1.92 2010/03/13 23:38:13 jmc Exp $
+.\"     $OpenBSD: ssh-keygen.1,v 1.98 2010/08/04 06:07:11 djm Exp $
 .\"
 .\"  -*- nroff -*-
 .\"
@@ -37,15 +37,15 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 13 2010 $
+.Dd $Mdocdate: August 4 2010 $
 .Dt SSH-KEYGEN 1
 .Os
 .Sh NAME
 .Nm ssh-keygen
 .Nd authentication key generation, management and conversion
 .Sh SYNOPSIS
-.Nm ssh-keygen
 .Bk -words
+.Nm ssh-keygen
 .Op Fl q
 .Op Fl b Ar bits
 .Fl t Ar type
@@ -59,9 +59,11 @@
 .Op Fl f Ar keyfile
 .Nm ssh-keygen
 .Fl i
+.Op Fl m Ar key_format
 .Op Fl f Ar input_keyfile
 .Nm ssh-keygen
 .Fl e
+.Op Fl m Ar key_format
 .Op Fl f Ar input_keyfile
 .Nm ssh-keygen
 .Fl y
@@ -110,8 +112,9 @@
 .Fl I Ar certificate_identity
 .Op Fl h
 .Op Fl n Ar principals
-.Op Fl O Ar constraint
+.Op Fl O Ar option
 .Op Fl V Ar validity_interval
+.Op Fl z Ar serial_number
 .Ar
 .Nm ssh-keygen
 .Fl L
@@ -210,13 +213,20 @@ the passphrase if the key has one, and for the new comment.
 .It Fl D Ar pkcs11
 Download the RSA public keys provided by the PKCS#11 shared library
 .Ar pkcs11 .
+When used in combination with
+.Fl s ,
+this option indicates that a CA key resides in a PKCS#11 token (see the
+.Sx CERTIFICATES
+section for details).
 .It Fl e
 This option will read a private or public OpenSSH key file and
-print the key in
+print to stdout the key in one of the formats specified by the
-RFC 4716 SSH Public Key File Format
+.Fl m
-to stdout.
+option.
-This option allows exporting keys for use by several commercial
+The default export format is
-SSH implementations.
+.Dq RFC4716 .
+This option allows exporting OpenSSH keys for use by other programs, including
+several commercial SSH implementations.
 .It Fl F Ar hostname
 Search for the specified
 .Ar hostname
@@ -267,13 +277,14 @@ Please see the
 section for details.
 .It Fl i
 This option will read an unencrypted private (or public) key file
-in SSH2-compatible format and print an OpenSSH compatible private
+in the format specified by the
+.Fl m
+option and print an OpenSSH compatible private
 (or public) key to stdout.
-.Nm
+This option allows importing keys from other software, including several
-also reads the
+commercial SSH implementations.
-RFC 4716 SSH Public Key File Format.
+The default import format is
-This option allows importing keys from several commercial
+.Dq RFC4716 .
-SSH implementations.
 .It Fl L
 Prints the contents of a certificate.
 .It Fl l
@@ -288,6 +299,22 @@ an ASCII art representation of the key is supplied with the fingerprint.
 .It Fl M Ar memory
 Specify the amount of memory to use (in megabytes) when generating
 candidate moduli for DH-GEX.
+.It Fl m Ar key_format
+Specify a key format for the
+.Fl i
+(import) or
+.Fl e
+(export) conversion options.
+The supported key formats are:
+.Dq RFC4716
+(RFC 4716/SSH2 public or private key),
+.Dq PKCS8
+(PEM PKCS8 public key)
+or
+.Dq PEM
+(PEM public key).
+The default conversion format is
+.Dq RFC4716 .
 .It Fl N Ar new_passphrase
 Provides the new passphrase.
 .It Fl n Ar principals
@@ -297,13 +324,13 @@ Multiple principals may be specified, separated by commas.
 Please see the
 .Sx CERTIFICATES
 section for details.
-.It Fl O Ar constraint
+.It Fl O Ar option
-Specify a certificate constraint when signing a key.
+Specify a certificate option when signing a key.
 This option may be specified multiple times.
 Please see the
 .Sx CERTIFICATES
 section for details.
-The constraints that are valid for user certificates are:
+The options that are valid for user certificates are:
 .Bl -tag -width Ds
 .It Ic clear
 Clear all enabled permissions.
@@ -353,7 +380,7 @@ is a comma-separated list of one or more address/netmask pairs in CIDR
 format.
 .El
 .Pp
-At present, no constraints are valid for host keys.
+At present, no options are valid for host keys.
 .It Fl P Ar passphrase
 Provides the (old) passphrase.
 .It Fl p
@@ -437,6 +464,10 @@ Specify desired generator when testing candidate moduli for DH-GEX.
 .It Fl y
 This option will read a private
 OpenSSH format file and print an OpenSSH public key to stdout.
+.It Fl z Ar serial_number
+Specifies a serial number to be embedded in the certificate to distinguish
+this certificate from others from the same CA.
+The default serial number is zero.
 .El
 .Sh MODULI GENERATION
 .Nm
@@ -497,7 +528,7 @@ that both ends of a connection share common moduli.
 supports signing of keys to produce certificates that may be used for
 user or host authentication.
 Certificates consist of a public key, some identity information, zero or
-more principal (user or host) names and an optional set of constraints that
+more principal (user or host) names and a set of options that
 are signed by a Certification Authority (CA) key.
 Clients or servers may then trust only the CA key and verify its signature
 on a certificate rather than trusting many user/host keys.
@@ -523,7 +554,17 @@ option:
 .Pp
 The host certificate will be output to
 .Pa /path/to/host_key-cert.pub .
-In both cases,
+.Pp
+It is possible to sign using a CA key stored in a PKCS#11 token by
+providing the token library using
+.Fl D
+and identifying the CA key by providing its public half as an argument
+to
+.Fl s :
+.Pp
+.Dl $ ssh-keygen -s ca_key.pub -D libpkcs11.so -I key_id host_key.pub
+.Pp
+In all cases,
 .Ar key_id
 is a "key identifier" that is logged by the server when the certificate
 is used for authentication.
@@ -537,11 +578,11 @@ To generate a certificate for a specified set of principals:
 .Dl "$ ssh-keygen -s ca_key -I key_id -h -n host.domain user_key.pub"
 .Pp
 Additional limitations on the validity and use of user certificates may
-be specified through certificate constraints.
+be specified through certificate options.
-A constrained certificate may disable features of the SSH session, may be
+A certificate option may disable features of the SSH session, may be
 valid only when presented from particular source addresses or may
 force the use of a specific command.
-For a list of valid certificate constraints, see the documentation for the
+For a list of valid certificate options, see the documentation for the
 .Fl O
 option above.
 .Pp

diff --git a/ssh-keygen.1 b/ssh-keygen.1 index 64638aa9c..0845b4066 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: ssh-keygen.1,v 1.92 2010/03/13 23:38:13 jmc Exp $	1	.\" $OpenBSD: ssh-keygen.1,v 1.98 2010/08/04 06:07:11 djm Exp $
2	.\"	2	.\"
3	.\" -- nroff --	3	.\" -- nroff --
4	.\"	4	.\"
@@ -37,15 +37,15 @@
37	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	37	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
38	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	38	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
39	.\"	39	.\"
40	.Dd $Mdocdate: March 13 2010 $	40	.Dd $Mdocdate: August 4 2010 $
41	.Dt SSH-KEYGEN 1	41	.Dt SSH-KEYGEN 1
42	.Os	42	.Os
43	.Sh NAME	43	.Sh NAME
44	.Nm ssh-keygen	44	.Nm ssh-keygen
45	.Nd authentication key generation, management and conversion	45	.Nd authentication key generation, management and conversion
46	.Sh SYNOPSIS	46	.Sh SYNOPSIS
47	.Nm ssh-keygen
48	.Bk -words	47	.Bk -words
		48	.Nm ssh-keygen
49	.Op Fl q	49	.Op Fl q
50	.Op Fl b Ar bits	50	.Op Fl b Ar bits
51	.Fl t Ar type	51	.Fl t Ar type
@@ -59,9 +59,11 @@
59	.Op Fl f Ar keyfile	59	.Op Fl f Ar keyfile
60	.Nm ssh-keygen	60	.Nm ssh-keygen
61	.Fl i	61	.Fl i
		62	.Op Fl m Ar key_format
62	.Op Fl f Ar input_keyfile	63	.Op Fl f Ar input_keyfile
63	.Nm ssh-keygen	64	.Nm ssh-keygen
64	.Fl e	65	.Fl e
		66	.Op Fl m Ar key_format
65	.Op Fl f Ar input_keyfile	67	.Op Fl f Ar input_keyfile
66	.Nm ssh-keygen	68	.Nm ssh-keygen
67	.Fl y	69	.Fl y
@@ -110,8 +112,9 @@
110	.Fl I Ar certificate_identity	112	.Fl I Ar certificate_identity
111	.Op Fl h	113	.Op Fl h
112	.Op Fl n Ar principals	114	.Op Fl n Ar principals
113	.Op Fl O Ar constraint	115	.Op Fl O Ar option
114	.Op Fl V Ar validity_interval	116	.Op Fl V Ar validity_interval
		117	.Op Fl z Ar serial_number
115	.Ar	118	.Ar
116	.Nm ssh-keygen	119	.Nm ssh-keygen
117	.Fl L	120	.Fl L
@@ -210,13 +213,20 @@ the passphrase if the key has one, and for the new comment.
210	.It Fl D Ar pkcs11	213	.It Fl D Ar pkcs11
211	Download the RSA public keys provided by the PKCS#11 shared library	214	Download the RSA public keys provided by the PKCS#11 shared library
212	.Ar pkcs11 .	215	.Ar pkcs11 .
		216	When used in combination with
		217	.Fl s ,
		218	this option indicates that a CA key resides in a PKCS#11 token (see the
		219	.Sx CERTIFICATES
		220	section for details).
213	.It Fl e	221	.It Fl e
214	This option will read a private or public OpenSSH key file and	222	This option will read a private or public OpenSSH key file and
215	print the key in	223	print to stdout the key in one of the formats specified by the
216	RFC 4716 SSH Public Key File Format	224	.Fl m
217	to stdout.	225	option.
218	This option allows exporting keys for use by several commercial	226	The default export format is
219	SSH implementations.	227	.Dq RFC4716 .
		228	This option allows exporting OpenSSH keys for use by other programs, including
		229	several commercial SSH implementations.
220	.It Fl F Ar hostname	230	.It Fl F Ar hostname
221	Search for the specified	231	Search for the specified
222	.Ar hostname	232	.Ar hostname
@@ -267,13 +277,14 @@ Please see the
267	section for details.	277	section for details.
268	.It Fl i	278	.It Fl i
269	This option will read an unencrypted private (or public) key file	279	This option will read an unencrypted private (or public) key file
270	in SSH2-compatible format and print an OpenSSH compatible private	280	in the format specified by the
		281	.Fl m
		282	option and print an OpenSSH compatible private
271	(or public) key to stdout.	283	(or public) key to stdout.
272	.Nm	284	This option allows importing keys from other software, including several
273	also reads the	285	commercial SSH implementations.
274	RFC 4716 SSH Public Key File Format.	286	The default import format is
275	This option allows importing keys from several commercial	287	.Dq RFC4716 .
276	SSH implementations.
277	.It Fl L	288	.It Fl L
278	Prints the contents of a certificate.	289	Prints the contents of a certificate.
279	.It Fl l	290	.It Fl l
@@ -288,6 +299,22 @@ an ASCII art representation of the key is supplied with the fingerprint.
288	.It Fl M Ar memory	299	.It Fl M Ar memory
289	Specify the amount of memory to use (in megabytes) when generating	300	Specify the amount of memory to use (in megabytes) when generating
290	candidate moduli for DH-GEX.	301	candidate moduli for DH-GEX.
		302	.It Fl m Ar key_format
		303	Specify a key format for the
		304	.Fl i
		305	(import) or
		306	.Fl e
		307	(export) conversion options.
		308	The supported key formats are:
		309	.Dq RFC4716
		310	(RFC 4716/SSH2 public or private key),
		311	.Dq PKCS8
		312	(PEM PKCS8 public key)
		313	or
		314	.Dq PEM
		315	(PEM public key).
		316	The default conversion format is
		317	.Dq RFC4716 .
291	.It Fl N Ar new_passphrase	318	.It Fl N Ar new_passphrase
292	Provides the new passphrase.	319	Provides the new passphrase.
293	.It Fl n Ar principals	320	.It Fl n Ar principals
@@ -297,13 +324,13 @@ Multiple principals may be specified, separated by commas.
297	Please see the	324	Please see the
298	.Sx CERTIFICATES	325	.Sx CERTIFICATES
299	section for details.	326	section for details.
300	.It Fl O Ar constraint	327	.It Fl O Ar option
301	Specify a certificate constraint when signing a key.	328	Specify a certificate option when signing a key.
302	This option may be specified multiple times.	329	This option may be specified multiple times.
303	Please see the	330	Please see the
304	.Sx CERTIFICATES	331	.Sx CERTIFICATES
305	section for details.	332	section for details.
306	The constraints that are valid for user certificates are:	333	The options that are valid for user certificates are:
307	.Bl -tag -width Ds	334	.Bl -tag -width Ds
308	.It Ic clear	335	.It Ic clear
309	Clear all enabled permissions.	336	Clear all enabled permissions.
@@ -353,7 +380,7 @@ is a comma-separated list of one or more address/netmask pairs in CIDR
353	format.	380	format.
354	.El	381	.El
355	.Pp	382	.Pp
356	At present, no constraints are valid for host keys.	383	At present, no options are valid for host keys.
357	.It Fl P Ar passphrase	384	.It Fl P Ar passphrase
358	Provides the (old) passphrase.	385	Provides the (old) passphrase.
359	.It Fl p	386	.It Fl p
@@ -437,6 +464,10 @@ Specify desired generator when testing candidate moduli for DH-GEX.
437	.It Fl y	464	.It Fl y
438	This option will read a private	465	This option will read a private
439	OpenSSH format file and print an OpenSSH public key to stdout.	466	OpenSSH format file and print an OpenSSH public key to stdout.
		467	.It Fl z Ar serial_number
		468	Specifies a serial number to be embedded in the certificate to distinguish
		469	this certificate from others from the same CA.
		470	The default serial number is zero.
440	.El	471	.El
441	.Sh MODULI GENERATION	472	.Sh MODULI GENERATION
442	.Nm	473	.Nm
@@ -497,7 +528,7 @@ that both ends of a connection share common moduli.
497	supports signing of keys to produce certificates that may be used for	528	supports signing of keys to produce certificates that may be used for
498	user or host authentication.	529	user or host authentication.
499	Certificates consist of a public key, some identity information, zero or	530	Certificates consist of a public key, some identity information, zero or
500	more principal (user or host) names and an optional set of constraints that	531	more principal (user or host) names and a set of options that
501	are signed by a Certification Authority (CA) key.	532	are signed by a Certification Authority (CA) key.
502	Clients or servers may then trust only the CA key and verify its signature	533	Clients or servers may then trust only the CA key and verify its signature
503	on a certificate rather than trusting many user/host keys.	534	on a certificate rather than trusting many user/host keys.
@@ -523,7 +554,17 @@ option:
523	.Pp	554	.Pp
524	The host certificate will be output to	555	The host certificate will be output to
525	.Pa /path/to/host_key-cert.pub .	556	.Pa /path/to/host_key-cert.pub .
526	In both cases,	557	.Pp
		558	It is possible to sign using a CA key stored in a PKCS#11 token by
		559	providing the token library using
		560	.Fl D
		561	and identifying the CA key by providing its public half as an argument
		562	to
		563	.Fl s :
		564	.Pp
		565	.Dl $ ssh-keygen -s ca_key.pub -D libpkcs11.so -I key_id host_key.pub
		566	.Pp
		567	In all cases,
527	.Ar key_id	568	.Ar key_id
528	is a "key identifier" that is logged by the server when the certificate	569	is a "key identifier" that is logged by the server when the certificate
529	is used for authentication.	570	is used for authentication.
@@ -537,11 +578,11 @@ To generate a certificate for a specified set of principals:
537	.Dl "$ ssh-keygen -s ca_key -I key_id -h -n host.domain user_key.pub"	578	.Dl "$ ssh-keygen -s ca_key -I key_id -h -n host.domain user_key.pub"
538	.Pp	579	.Pp
539	Additional limitations on the validity and use of user certificates may	580	Additional limitations on the validity and use of user certificates may
540	be specified through certificate constraints.	581	be specified through certificate options.
541	A constrained certificate may disable features of the SSH session, may be	582	A certificate option may disable features of the SSH session, may be
542	valid only when presented from particular source addresses or may	583	valid only when presented from particular source addresses or may
543	force the use of a specific command.	584	force the use of a specific command.
544	For a list of valid certificate constraints, see the documentation for the	585	For a list of valid certificate options, see the documentation for the
545	.Fl O	586	.Fl O
546	option above.	587	option above.
547	.Pp	588	.Pp