1 files changed, 21 insertions, 22 deletions
diff --git a/ssh-keygen.1 b/ssh-keygen.1
index 9dec5a098..64638aa9c 100644
--- a/ssh-keygen.1
+++ b/ssh-keygen.1
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: ssh-keygen.1,v 1.88 2010/03/08 00:28:55 djm Exp $
+.\"     $OpenBSD: ssh-keygen.1,v 1.92 2010/03/13 23:38:13 jmc Exp $
 .\"
 .\"  -*- nroff -*-
 .\"
@@ -37,7 +37,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 8 2010 $
+.Dd $Mdocdate: March 13 2010 $
 .Dt SSH-KEYGEN 1
 .Os
 .Sh NAME
@@ -305,8 +305,15 @@ Please see the
 section for details.
 The constraints that are valid for user certificates are:
 .Bl -tag -width Ds
-.It Ic no-x11-forwarding
+.It Ic clear
-Disable X11 forwarding (permitted by default).
+Clear all enabled permissions.
+This is useful for clearing the default set of permissions so permissions may
+be added individually.
+.It Ic force-command Ns = Ns Ar command
+Forces the execution of
+.Ar command
+instead of any shell or command specified by the user when
+the certificate is used for authentication.
 .It Ic no-agent-forwarding
 Disable
 .Xr ssh-agent 1
@@ -321,12 +328,8 @@ Disable execution of
 by
 .Xr sshd 8
 (permitted by default).
-.It Ic clear
+.It Ic no-x11-forwarding
-Clear all enabled permissions.
+Disable X11 forwarding (permitted by default).
-This is useful for clearing the default set of permissions so permissions may
-be added individually.
-.It Ic permit-x11-forwarding
-Allows X11 forwarding.
 .It Ic permit-agent-forwarding
 Allows
 .Xr ssh-agent 1
@@ -340,14 +343,10 @@ Allows execution of
 .Pa ~/.ssh/rc
 by
 .Xr sshd 8 .
-.It Ic force-command=command
+.It Ic permit-x11-forwarding
-Forces the execution of
+Allows X11 forwarding.
-.Ar command
+.It Ic source-address Ns = Ns Ar address_list
-instead of any shell or command specified by the user when
+Restrict the source addresses from which the certificate is considered valid.
-the certificate is used for authentication.
-.It Ic source-address=address_list
-Restrict the source addresses from which the certificate is considered valid
-from.
 The
 .Ar address_list
 is a comma-separated list of one or more address/netmask pairs in CIDR
@@ -410,7 +409,7 @@ in YYYYMMDDHHMMSS format or a relative time (to the current time) consisting
 of a minus sign followed by a relative time in the format described in the
 .Sx TIME FORMATS
 section of
-.Xr ssh_config 5 .
+.Xr sshd_config 5 .
 The end time may be specified as a YYYYMMDD date, a YYYYMMDDHHMMSS time or
 a relative time starting with a plus character.
 .Pp
@@ -515,7 +514,7 @@ To generate a user certificate:
 .Dl $ ssh-keygen -s /path/to/ca_key -I key_id /path/to/user_key.pub
 .Pp
 The resultant certificate will be placed in
-.Pa /path/to/user_key_cert.pub .
+.Pa /path/to/user_key-cert.pub .
 A host certificate requires the
 .Fl h
 option:
@@ -523,7 +522,7 @@ option:
 .Dl $ ssh-keygen -s /path/to/ca_key -I key_id -h /path/to/host_key.pub
 .Pp
 The host certificate will be output to
-.Pa /path/to/host_key_cert.pub .
+.Pa /path/to/host_key-cert.pub .
 In both cases,
 .Ar key_id
 is a "key identifier" that is logged by the server when the certificate
@@ -535,7 +534,7 @@ By default, generated certificates are valid for all users or hosts.
 To generate a certificate for a specified set of principals:
 .Pp
 .Dl $ ssh-keygen -s ca_key -I key_id -n user1,user2 user_key.pub
-.Dl $ ssh-keygen -s ca_key -I key_id -h -n host.domain user_key.pub
+.Dl "$ ssh-keygen -s ca_key -I key_id -h -n host.domain user_key.pub"
 .Pp
 Additional limitations on the validity and use of user certificates may
 be specified through certificate constraints.

diff --git a/ssh-keygen.1 b/ssh-keygen.1 index 9dec5a098..64638aa9c 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: ssh-keygen.1,v 1.88 2010/03/08 00:28:55 djm Exp $	1	.\" $OpenBSD: ssh-keygen.1,v 1.92 2010/03/13 23:38:13 jmc Exp $
2	.\"	2	.\"
3	.\" -- nroff --	3	.\" -- nroff --
4	.\"	4	.\"
@@ -37,7 +37,7 @@
37	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	37	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
38	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	38	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
39	.\"	39	.\"
40	.Dd $Mdocdate: March 8 2010 $	40	.Dd $Mdocdate: March 13 2010 $
41	.Dt SSH-KEYGEN 1	41	.Dt SSH-KEYGEN 1
42	.Os	42	.Os
43	.Sh NAME	43	.Sh NAME
@@ -305,8 +305,15 @@ Please see the
305	section for details.	305	section for details.
306	The constraints that are valid for user certificates are:	306	The constraints that are valid for user certificates are:
307	.Bl -tag -width Ds	307	.Bl -tag -width Ds
308	.It Ic no-x11-forwarding	308	.It Ic clear
309	Disable X11 forwarding (permitted by default).	309	Clear all enabled permissions.
		310	This is useful for clearing the default set of permissions so permissions may
		311	be added individually.
		312	.It Ic force-command Ns = Ns Ar command
		313	Forces the execution of
		314	.Ar command
		315	instead of any shell or command specified by the user when
		316	the certificate is used for authentication.
310	.It Ic no-agent-forwarding	317	.It Ic no-agent-forwarding
311	Disable	318	Disable
312	.Xr ssh-agent 1	319	.Xr ssh-agent 1
@@ -321,12 +328,8 @@ Disable execution of
321	by	328	by
322	.Xr sshd 8	329	.Xr sshd 8
323	(permitted by default).	330	(permitted by default).
324	.It Ic clear	331	.It Ic no-x11-forwarding
325	Clear all enabled permissions.	332	Disable X11 forwarding (permitted by default).
326	This is useful for clearing the default set of permissions so permissions may
327	be added individually.
328	.It Ic permit-x11-forwarding
329	Allows X11 forwarding.
330	.It Ic permit-agent-forwarding	333	.It Ic permit-agent-forwarding
331	Allows	334	Allows
332	.Xr ssh-agent 1	335	.Xr ssh-agent 1
@@ -340,14 +343,10 @@ Allows execution of
340	.Pa ~/.ssh/rc	343	.Pa ~/.ssh/rc
341	by	344	by
342	.Xr sshd 8 .	345	.Xr sshd 8 .
343	.It Ic force-command=command	346	.It Ic permit-x11-forwarding
344	Forces the execution of	347	Allows X11 forwarding.
345	.Ar command	348	.It Ic source-address Ns = Ns Ar address_list
346	instead of any shell or command specified by the user when	349	Restrict the source addresses from which the certificate is considered valid.
347	the certificate is used for authentication.
348	.It Ic source-address=address_list
349	Restrict the source addresses from which the certificate is considered valid
350	from.
351	The	350	The
352	.Ar address_list	351	.Ar address_list
353	is a comma-separated list of one or more address/netmask pairs in CIDR	352	is a comma-separated list of one or more address/netmask pairs in CIDR
@@ -410,7 +409,7 @@ in YYYYMMDDHHMMSS format or a relative time (to the current time) consisting
410	of a minus sign followed by a relative time in the format described in the	409	of a minus sign followed by a relative time in the format described in the
411	.Sx TIME FORMATS	410	.Sx TIME FORMATS
412	section of	411	section of
413	.Xr ssh_config 5 .	412	.Xr sshd_config 5 .
414	The end time may be specified as a YYYYMMDD date, a YYYYMMDDHHMMSS time or	413	The end time may be specified as a YYYYMMDD date, a YYYYMMDDHHMMSS time or
415	a relative time starting with a plus character.	414	a relative time starting with a plus character.
416	.Pp	415	.Pp
@@ -515,7 +514,7 @@ To generate a user certificate:
515	.Dl $ ssh-keygen -s /path/to/ca_key -I key_id /path/to/user_key.pub	514	.Dl $ ssh-keygen -s /path/to/ca_key -I key_id /path/to/user_key.pub
516	.Pp	515	.Pp
517	The resultant certificate will be placed in	516	The resultant certificate will be placed in
518	.Pa /path/to/user_key_cert.pub .	517	.Pa /path/to/user_key-cert.pub .
519	A host certificate requires the	518	A host certificate requires the
520	.Fl h	519	.Fl h
521	option:	520	option:
@@ -523,7 +522,7 @@ option:
523	.Dl $ ssh-keygen -s /path/to/ca_key -I key_id -h /path/to/host_key.pub	522	.Dl $ ssh-keygen -s /path/to/ca_key -I key_id -h /path/to/host_key.pub
524	.Pp	523	.Pp
525	The host certificate will be output to	524	The host certificate will be output to
526	.Pa /path/to/host_key_cert.pub .	525	.Pa /path/to/host_key-cert.pub .
527	In both cases,	526	In both cases,
528	.Ar key_id	527	.Ar key_id
529	is a "key identifier" that is logged by the server when the certificate	528	is a "key identifier" that is logged by the server when the certificate
@@ -535,7 +534,7 @@ By default, generated certificates are valid for all users or hosts.
535	To generate a certificate for a specified set of principals:	534	To generate a certificate for a specified set of principals:
536	.Pp	535	.Pp
537	.Dl $ ssh-keygen -s ca_key -I key_id -n user1,user2 user_key.pub	536	.Dl $ ssh-keygen -s ca_key -I key_id -n user1,user2 user_key.pub
538	.Dl $ ssh-keygen -s ca_key -I key_id -h -n host.domain user_key.pub	537	.Dl "$ ssh-keygen -s ca_key -I key_id -h -n host.domain user_key.pub"
539	.Pp	538	.Pp
540	Additional limitations on the validity and use of user certificates may	539	Additional limitations on the validity and use of user certificates may
541	be specified through certificate constraints.	540	be specified through certificate constraints.