1 files changed, 8 insertions, 16 deletions
diff --git a/ssh-keygen.1 b/ssh-keygen.1
index 39767e621..33e0bbcc1 100644
--- a/ssh-keygen.1
+++ b/ssh-keygen.1
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: ssh-keygen.1,v 1.147 2018/03/12 00:52:01 djm Exp $
+.\"     $OpenBSD: ssh-keygen.1,v 1.148 2018/08/08 01:16:01 djm Exp $
 .\"
 .\" Author: Tatu Ylonen <ylo@cs.hut.fi>
 .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -35,7 +35,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 12 2018 $
+.Dd $Mdocdate: August 8 2018 $
 .Dt SSH-KEYGEN 1
 .Os
 .Sh NAME
@@ -229,10 +229,8 @@ has also been specified, its argument is used as a prefix to the
 default path for the resulting host key files.
 This is used by system administration scripts to generate new host keys.
 .It Fl a Ar rounds
-When saving a new-format private key (i.e. an ed25519 key or when the
+When saving a private key this option specifies the number of KDF
-.Fl o
+(key derivation function) rounds used.
-flag is set), this option specifies the number of KDF (key derivation function)
-rounds used.
 Higher numbers result in slower passphrase verification and increased
 resistance to brute-force password cracking (should the keys be stolen).
 .Pp
@@ -260,8 +258,6 @@ flag will be ignored.
 Provides a new comment.
 .It Fl c
 Requests changing the comment in the private and public key files.
-This operation is only supported for keys stored in the
-newer OpenSSH format.
 The program will prompt for the file containing the private keys, for
 the passphrase if the key has one, and for the new comment.
 .It Fl D Ar pkcs11
@@ -406,6 +402,10 @@ or
 (PEM public key).
 The default conversion format is
 .Dq RFC4716 .
+Setting a format of
+.Dq PEM
+when generating or updating a supported private key type will cause the
+key to be stored in the legacy PEM private key format.
 .It Fl N Ar new_passphrase
 Provides the new passphrase.
 .It Fl n Ar principals
@@ -500,14 +500,6 @@ The
 is a comma-separated list of one or more address/netmask pairs in CIDR
 format.
 .El
-.It Fl o
-Causes
-.Nm
-to save private keys using the new OpenSSH format rather than
-the more compatible PEM format.
-The new format has increased resistance to brute-force password cracking
-but is not supported by versions of OpenSSH prior to 6.5.
-Ed25519 keys always use the new private key format.
 .It Fl P Ar passphrase
 Provides the (old) passphrase.
 .It Fl p

diff --git a/ssh-keygen.1 b/ssh-keygen.1 index 39767e621..33e0bbcc1 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: ssh-keygen.1,v 1.147 2018/03/12 00:52:01 djm Exp $	1	.\" $OpenBSD: ssh-keygen.1,v 1.148 2018/08/08 01:16:01 djm Exp $
2	.\"	2	.\"
3	.\" Author: Tatu Ylonen <ylo@cs.hut.fi>	3	.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
4	.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland	4	.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -35,7 +35,7 @@
35	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	35	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
36	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	36	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
37	.\"	37	.\"
38	.Dd $Mdocdate: March 12 2018 $	38	.Dd $Mdocdate: August 8 2018 $
39	.Dt SSH-KEYGEN 1	39	.Dt SSH-KEYGEN 1
40	.Os	40	.Os
41	.Sh NAME	41	.Sh NAME
@@ -229,10 +229,8 @@ has also been specified, its argument is used as a prefix to the
229	default path for the resulting host key files.	229	default path for the resulting host key files.
230	This is used by system administration scripts to generate new host keys.	230	This is used by system administration scripts to generate new host keys.
231	.It Fl a Ar rounds	231	.It Fl a Ar rounds
232	When saving a new-format private key (i.e. an ed25519 key or when the	232	When saving a private key this option specifies the number of KDF
233	.Fl o	233	(key derivation function) rounds used.
234	flag is set), this option specifies the number of KDF (key derivation function)
235	rounds used.
236	Higher numbers result in slower passphrase verification and increased	234	Higher numbers result in slower passphrase verification and increased
237	resistance to brute-force password cracking (should the keys be stolen).	235	resistance to brute-force password cracking (should the keys be stolen).
238	.Pp	236	.Pp
@@ -260,8 +258,6 @@ flag will be ignored.
260	Provides a new comment.	258	Provides a new comment.
261	.It Fl c	259	.It Fl c
262	Requests changing the comment in the private and public key files.	260	Requests changing the comment in the private and public key files.
263	This operation is only supported for keys stored in the
264	newer OpenSSH format.
265	The program will prompt for the file containing the private keys, for	261	The program will prompt for the file containing the private keys, for
266	the passphrase if the key has one, and for the new comment.	262	the passphrase if the key has one, and for the new comment.
267	.It Fl D Ar pkcs11	263	.It Fl D Ar pkcs11
@@ -406,6 +402,10 @@ or
406	(PEM public key).	402	(PEM public key).
407	The default conversion format is	403	The default conversion format is
408	.Dq RFC4716 .	404	.Dq RFC4716 .
		405	Setting a format of
		406	.Dq PEM
		407	when generating or updating a supported private key type will cause the
		408	key to be stored in the legacy PEM private key format.
409	.It Fl N Ar new_passphrase	409	.It Fl N Ar new_passphrase
410	Provides the new passphrase.	410	Provides the new passphrase.
411	.It Fl n Ar principals	411	.It Fl n Ar principals
@@ -500,14 +500,6 @@ The
500	is a comma-separated list of one or more address/netmask pairs in CIDR	500	is a comma-separated list of one or more address/netmask pairs in CIDR
501	format.	501	format.
502	.El	502	.El
503	.It Fl o
504	Causes
505	.Nm
506	to save private keys using the new OpenSSH format rather than
507	the more compatible PEM format.
508	The new format has increased resistance to brute-force password cracking
509	but is not supported by versions of OpenSSH prior to 6.5.
510	Ed25519 keys always use the new private key format.
511	.It Fl P Ar passphrase	503	.It Fl P Ar passphrase
512	Provides the (old) passphrase.	504	Provides the (old) passphrase.
513	.It Fl p	505	.It Fl p