1 files changed, 10 insertions, 10 deletions
diff --git a/ssh-keygen.1 b/ssh-keygen.1
index c6a976183..3494fbceb 100644
--- a/ssh-keygen.1
+++ b/ssh-keygen.1
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: ssh-keygen.1,v 1.197 2020/01/28 08:01:34 djm Exp $
+.\"     $OpenBSD: ssh-keygen.1,v 1.198 2020/02/02 07:36:50 jmc Exp $
 .\"
 .\" Author: Tatu Ylonen <ylo@cs.hut.fi>
 .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -35,7 +35,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: January 28 2020 $
+.Dd $Mdocdate: February 2 2020 $
 .Dt SSH-KEYGEN 1
 .Os
 .Sh NAME
@@ -472,6 +472,14 @@ Those supported at present are:
 Override the default FIDO application/origin string of
 .Dq ssh: .
 This may be useful when generating host or domain-specific resident keys.
+.It Cm challenge=path
+Specifies a path to a challenge string that will be passed to the
+FIDO token during key generation.
+The challenge string is optional, but may be used as part of an out-of-band
+protocol for key enrollment.
+If no
+.Cm challenge
+is specified, a random challenge is used.
 .It Cm device
 Explicitly specify a
 .Xr fido 4
@@ -483,14 +491,6 @@ Note that
 .Xr sshd 8
 will refuse such signatures by default, unless overridden via
 an authorized_keys option.
-.It Cm challenge=path
-Specifies a path to a challenge string that will be passed to the
-FIDO token during key generation.
-The challenge string is optional, but may be used as part of an out-of-band
-protocol for key enrollment.
-If no
-.Cm challenge
-is specified, a random challenge is used.
 .It Cm resident
 Indicate that the key should be stored on the FIDO authenticator itself.
 Resident keys may be supported on FIDO2 tokens and typically require that

diff --git a/ssh-keygen.1 b/ssh-keygen.1 index c6a976183..3494fbceb 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: ssh-keygen.1,v 1.197 2020/01/28 08:01:34 djm Exp $	1	.\" $OpenBSD: ssh-keygen.1,v 1.198 2020/02/02 07:36:50 jmc Exp $
2	.\"	2	.\"
3	.\" Author: Tatu Ylonen <ylo@cs.hut.fi>	3	.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
4	.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland	4	.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -35,7 +35,7 @@
35	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	35	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
36	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	36	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
37	.\"	37	.\"
38	.Dd $Mdocdate: January 28 2020 $	38	.Dd $Mdocdate: February 2 2020 $
39	.Dt SSH-KEYGEN 1	39	.Dt SSH-KEYGEN 1
40	.Os	40	.Os
41	.Sh NAME	41	.Sh NAME
@@ -472,6 +472,14 @@ Those supported at present are:
472	Override the default FIDO application/origin string of	472	Override the default FIDO application/origin string of
473	.Dq ssh: .	473	.Dq ssh: .
474	This may be useful when generating host or domain-specific resident keys.	474	This may be useful when generating host or domain-specific resident keys.
		475	.It Cm challenge=path
		476	Specifies a path to a challenge string that will be passed to the
		477	FIDO token during key generation.
		478	The challenge string is optional, but may be used as part of an out-of-band
		479	protocol for key enrollment.
		480	If no
		481	.Cm challenge
		482	is specified, a random challenge is used.
475	.It Cm device	483	.It Cm device
476	Explicitly specify a	484	Explicitly specify a
477	.Xr fido 4	485	.Xr fido 4
@@ -483,14 +491,6 @@ Note that
483	.Xr sshd 8	491	.Xr sshd 8
484	will refuse such signatures by default, unless overridden via	492	will refuse such signatures by default, unless overridden via
485	an authorized_keys option.	493	an authorized_keys option.
486	.It Cm challenge=path
487	Specifies a path to a challenge string that will be passed to the
488	FIDO token during key generation.
489	The challenge string is optional, but may be used as part of an out-of-band
490	protocol for key enrollment.
491	If no
492	.Cm challenge
493	is specified, a random challenge is used.
494	.It Cm resident	494	.It Cm resident
495	Indicate that the key should be stored on the FIDO authenticator itself.	495	Indicate that the key should be stored on the FIDO authenticator itself.
496	Resident keys may be supported on FIDO2 tokens and typically require that	496	Resident keys may be supported on FIDO2 tokens and typically require that