1 files changed, 19 insertions, 10 deletions
diff --git a/ssh-keygen.1 b/ssh-keygen.1
index dfbc65ddb..39767e621 100644
--- a/ssh-keygen.1
+++ b/ssh-keygen.1
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: ssh-keygen.1,v 1.144 2017/07/08 18:32:54 jmc Exp $
+.\"     $OpenBSD: ssh-keygen.1,v 1.147 2018/03/12 00:52:01 djm Exp $
 .\"
 .\" Author: Tatu Ylonen <ylo@cs.hut.fi>
 .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -35,7 +35,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: July 8 2017 $
+.Dd $Mdocdate: March 12 2018 $
 .Dt SSH-KEYGEN 1
 .Os
 .Sh NAME
@@ -421,6 +421,8 @@ This option may be specified multiple times.
 See also the
 .Sx CERTIFICATES
 section for further details.
+.Pp
+At present, no standard options are valid for host keys.
 The options that are valid for user certificates are:
 .Pp
 .Bl -tag -width Ds -compact
@@ -444,8 +446,6 @@ contents (usually indicating a flag).
 Extensions may be ignored by a client or server that does not recognise them,
 whereas unknown critical options will cause the certificate to be refused.
 .Pp
-At present, no standard options are valid for host keys.
-.Pp
 .It Ic force-command Ns = Ns Ar command
 Forces the execution of
 .Ar command
@@ -490,7 +490,7 @@ Allows execution of
 by
 .Xr sshd 8 .
 .Pp
-.It Ic permit-x11-forwarding
+.It Ic permit-X11-forwarding
 Allows X11 forwarding.
 .Pp
 .It Ic source-address Ns = Ns Ar address_list
@@ -580,13 +580,20 @@ Specify a validity interval when signing a certificate.
 A validity interval may consist of a single time, indicating that the
 certificate is valid beginning now and expiring at that time, or may consist
 of two times separated by a colon to indicate an explicit time interval.
-The start time may be specified as a date in YYYYMMDD format, a time
+.Pp
-in YYYYMMDDHHMMSS format or a relative time (to the current time) consisting
+The start time may be specified as the string
-of a minus sign followed by a relative time in the format described in the
+.Dq always
+to indicate the certificate has no specified start time,
+a date in YYYYMMDD format, a time in YYYYMMDDHHMM[SS] format,
+a relative time (to the current time) consisting of a minus sign followed by
+an interval in the format described in the
 TIME FORMATS section of
 .Xr sshd_config 5 .
-The end time may be specified as a YYYYMMDD date, a YYYYMMDDHHMMSS time or
+.Pp
-a relative time starting with a plus character.
+The end time may be specified as a YYYYMMDD date, a YYYYMMDDHHMM[SS] time,
+a relative time starting with a plus character or the string
+.Dq forever
+to indicate that the certificate has no expirty date.
 .Pp
 For example:
 .Dq +52w1d
@@ -597,6 +604,8 @@ For example:
 (valid from 12:30 PM, January 1st, 2010 to 12:30 PM, January 1st, 2011),
 .Dq -1d:20110101
 (valid from yesterday to midnight, January 1st, 2011).
+.Dq -1m:forever
+(valid from one minute ago and never expiring).
 .It Fl v
 Verbose mode.
 Causes

diff --git a/ssh-keygen.1 b/ssh-keygen.1 index dfbc65ddb..39767e621 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: ssh-keygen.1,v 1.144 2017/07/08 18:32:54 jmc Exp $	1	.\" $OpenBSD: ssh-keygen.1,v 1.147 2018/03/12 00:52:01 djm Exp $
2	.\"	2	.\"
3	.\" Author: Tatu Ylonen <ylo@cs.hut.fi>	3	.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
4	.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland	4	.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -35,7 +35,7 @@
35	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	35	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
36	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	36	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
37	.\"	37	.\"
38	.Dd $Mdocdate: July 8 2017 $	38	.Dd $Mdocdate: March 12 2018 $
39	.Dt SSH-KEYGEN 1	39	.Dt SSH-KEYGEN 1
40	.Os	40	.Os
41	.Sh NAME	41	.Sh NAME
@@ -421,6 +421,8 @@ This option may be specified multiple times.
421	See also the	421	See also the
422	.Sx CERTIFICATES	422	.Sx CERTIFICATES
423	section for further details.	423	section for further details.
		424	.Pp
		425	At present, no standard options are valid for host keys.
424	The options that are valid for user certificates are:	426	The options that are valid for user certificates are:
425	.Pp	427	.Pp
426	.Bl -tag -width Ds -compact	428	.Bl -tag -width Ds -compact
@@ -444,8 +446,6 @@ contents (usually indicating a flag).
444	Extensions may be ignored by a client or server that does not recognise them,	446	Extensions may be ignored by a client or server that does not recognise them,
445	whereas unknown critical options will cause the certificate to be refused.	447	whereas unknown critical options will cause the certificate to be refused.
446	.Pp	448	.Pp
447	At present, no standard options are valid for host keys.
448	.Pp
449	.It Ic force-command Ns = Ns Ar command	449	.It Ic force-command Ns = Ns Ar command
450	Forces the execution of	450	Forces the execution of
451	.Ar command	451	.Ar command
@@ -490,7 +490,7 @@ Allows execution of
490	by	490	by
491	.Xr sshd 8 .	491	.Xr sshd 8 .
492	.Pp	492	.Pp
493	.It Ic permit-x11-forwarding	493	.It Ic permit-X11-forwarding
494	Allows X11 forwarding.	494	Allows X11 forwarding.
495	.Pp	495	.Pp
496	.It Ic source-address Ns = Ns Ar address_list	496	.It Ic source-address Ns = Ns Ar address_list
@@ -580,13 +580,20 @@ Specify a validity interval when signing a certificate.
580	A validity interval may consist of a single time, indicating that the	580	A validity interval may consist of a single time, indicating that the
581	certificate is valid beginning now and expiring at that time, or may consist	581	certificate is valid beginning now and expiring at that time, or may consist
582	of two times separated by a colon to indicate an explicit time interval.	582	of two times separated by a colon to indicate an explicit time interval.
583	The start time may be specified as a date in YYYYMMDD format, a time	583	.Pp
584	in YYYYMMDDHHMMSS format or a relative time (to the current time) consisting	584	The start time may be specified as the string
585	of a minus sign followed by a relative time in the format described in the	585	.Dq always
		586	to indicate the certificate has no specified start time,
		587	a date in YYYYMMDD format, a time in YYYYMMDDHHMM[SS] format,
		588	a relative time (to the current time) consisting of a minus sign followed by
		589	an interval in the format described in the
586	TIME FORMATS section of	590	TIME FORMATS section of
587	.Xr sshd_config 5 .	591	.Xr sshd_config 5 .
588	The end time may be specified as a YYYYMMDD date, a YYYYMMDDHHMMSS time or	592	.Pp
589	a relative time starting with a plus character.	593	The end time may be specified as a YYYYMMDD date, a YYYYMMDDHHMM[SS] time,
		594	a relative time starting with a plus character or the string
		595	.Dq forever
		596	to indicate that the certificate has no expirty date.
590	.Pp	597	.Pp
591	For example:	598	For example:
592	.Dq +52w1d	599	.Dq +52w1d
@@ -597,6 +604,8 @@ For example:
597	(valid from 12:30 PM, January 1st, 2010 to 12:30 PM, January 1st, 2011),	604	(valid from 12:30 PM, January 1st, 2010 to 12:30 PM, January 1st, 2011),
598	.Dq -1d:20110101	605	.Dq -1d:20110101
599	(valid from yesterday to midnight, January 1st, 2011).	606	(valid from yesterday to midnight, January 1st, 2011).
		607	.Dq -1m:forever
		608	(valid from one minute ago and never expiring).
600	.It Fl v	609	.It Fl v
601	Verbose mode.	610	Verbose mode.
602	Causes	611	Causes