1 files changed, 40 insertions, 14 deletions
diff --git a/ssh-keygen.1 b/ssh-keygen.1
index bfa2eb5f3..124456577 100644
--- a/ssh-keygen.1
+++ b/ssh-keygen.1
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: ssh-keygen.1,v 1.150 2018/09/12 06:18:59 djm Exp $
+.\"     $OpenBSD: ssh-keygen.1,v 1.157 2019/03/05 16:17:12 naddy Exp $
 .\"
 .\" Author: Tatu Ylonen <ylo@cs.hut.fi>
 .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -35,7 +35,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: September 12 2018 $
+.Dd $Mdocdate: March 5 2019 $
 .Dt SSH-KEYGEN 1
 .Os
 .Sh NAME
@@ -50,11 +50,13 @@
 .Op Fl N Ar new_passphrase
 .Op Fl C Ar comment
 .Op Fl f Ar output_keyfile
+.Op Fl m Ar format
 .Nm ssh-keygen
 .Fl p
 .Op Fl P Ar old_passphrase
 .Op Fl N Ar new_passphrase
 .Op Fl f Ar keyfile
+.Op Fl m Ar format
 .Nm ssh-keygen
 .Fl i
 .Op Fl m Ar key_format
@@ -205,16 +207,28 @@ There is no way to recover a lost passphrase.
 If the passphrase is lost or forgotten, a new key must be generated
 and the corresponding public key copied to other machines.
 .Pp
-For keys stored in the newer OpenSSH format,
+.Nm
-there is also a comment field in the key file that is only for
+will by default write keys in an OpenSSH-specific format.
-convenience to the user to help identify the key.
+This format is preferred as it offers better protection for
-The comment can tell what the key is for, or whatever is useful.
+keys at rest as well as allowing storage of key comments within
+the private key file itself.
+The key comment may be useful to help identify the key.
 The comment is initialized to
 .Dq user@host
 when the key is created, but can be changed using the
 .Fl c
 option.
 .Pp
+It is still possible for
+.Nm
+to write the previously-used PEM format private keys using the
+.Fl m
+flag.
+This may be used when generating new keys, and existing new-format
+keys may be converted using this option in conjunction with the
+.Fl p
+(change passphrase) flag.
+.Pp
 After a key is generated, instructions below detail where the keys
 should be placed to be activated.
 .Pp
@@ -265,7 +279,7 @@ Requests changing the comment in the private and public key files.
 The program will prompt for the file containing the private keys, for
 the passphrase if the key has one, and for the new comment.
 .It Fl D Ar pkcs11
-Download the RSA public keys provided by the PKCS#11 shared library
+Download the public keys provided by the PKCS#11 shared library
 .Ar pkcs11 .
 When used in combination with
 .Fl s ,
@@ -282,16 +296,17 @@ The default is
 .Dq sha256 .
 .It Fl e
 This option will read a private or public OpenSSH key file and
-print to stdout the key in one of the formats specified by the
+print to stdout a public key in one of the formats specified by the
 .Fl m
 option.
 The default export format is
 .Dq RFC4716 .
 This option allows exporting OpenSSH keys for use by other programs, including
 several commercial SSH implementations.
-.It Fl F Ar hostname
+.It Fl F Ar hostname | [hostname]:port
 Search for the specified
 .Ar hostname
+(with optional port number)
 in a
 .Pa known_hosts
 file, listing any occurrences found.
@@ -391,11 +406,15 @@ fingerprint.
 Specify the amount of memory to use (in megabytes) when generating
 candidate moduli for DH-GEX.
 .It Fl m Ar key_format
-Specify a key format for the
+Specify a key format for key generation, the
 .Fl i
-(import) or
+(import),
 .Fl e
-(export) conversion options.
+(export) conversion options, and the
+.Fl p
+change passphrase operation.
+The latter may be used to convert between OpenSSH private key and PEM
+private key formats.
 The supported key formats are:
 .Dq RFC4716
 (RFC 4716/SSH2 public or private key),
@@ -517,9 +536,10 @@ Test whether keys have been revoked in a KRL.
 .It Fl q
 Silence
 .Nm ssh-keygen .
-.It Fl R Ar hostname
+.It Fl R Ar hostname | [hostname]:port
-Removes all keys belonging to
+Removes all keys belonging to the specified
 .Ar hostname
+(with optional port number)
 from a
 .Pa known_hosts
 file.
@@ -620,6 +640,12 @@ OpenSSH format file and print an OpenSSH public key to stdout.
 .It Fl z Ar serial_number
 Specifies a serial number to be embedded in the certificate to distinguish
 this certificate from others from the same CA.
+If the
+.Ar serial_number
+is prefixed with a
+.Sq +
+character, then the serial number will be incremented for each certificate
+signed on a single command-line.
 The default serial number is zero.
 .Pp
 When generating a KRL, the

diff --git a/ssh-keygen.1 b/ssh-keygen.1 index bfa2eb5f3..124456577 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: ssh-keygen.1,v 1.150 2018/09/12 06:18:59 djm Exp $	1	.\" $OpenBSD: ssh-keygen.1,v 1.157 2019/03/05 16:17:12 naddy Exp $
2	.\"	2	.\"
3	.\" Author: Tatu Ylonen <ylo@cs.hut.fi>	3	.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
4	.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland	4	.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -35,7 +35,7 @@
35	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	35	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
36	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	36	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
37	.\"	37	.\"
38	.Dd $Mdocdate: September 12 2018 $	38	.Dd $Mdocdate: March 5 2019 $
39	.Dt SSH-KEYGEN 1	39	.Dt SSH-KEYGEN 1
40	.Os	40	.Os
41	.Sh NAME	41	.Sh NAME
@@ -50,11 +50,13 @@
50	.Op Fl N Ar new_passphrase	50	.Op Fl N Ar new_passphrase
51	.Op Fl C Ar comment	51	.Op Fl C Ar comment
52	.Op Fl f Ar output_keyfile	52	.Op Fl f Ar output_keyfile
		53	.Op Fl m Ar format
53	.Nm ssh-keygen	54	.Nm ssh-keygen
54	.Fl p	55	.Fl p
55	.Op Fl P Ar old_passphrase	56	.Op Fl P Ar old_passphrase
56	.Op Fl N Ar new_passphrase	57	.Op Fl N Ar new_passphrase
57	.Op Fl f Ar keyfile	58	.Op Fl f Ar keyfile
		59	.Op Fl m Ar format
58	.Nm ssh-keygen	60	.Nm ssh-keygen
59	.Fl i	61	.Fl i
60	.Op Fl m Ar key_format	62	.Op Fl m Ar key_format
@@ -205,16 +207,28 @@ There is no way to recover a lost passphrase.
205	If the passphrase is lost or forgotten, a new key must be generated	207	If the passphrase is lost or forgotten, a new key must be generated
206	and the corresponding public key copied to other machines.	208	and the corresponding public key copied to other machines.
207	.Pp	209	.Pp
208	For keys stored in the newer OpenSSH format,	210	.Nm
209	there is also a comment field in the key file that is only for	211	will by default write keys in an OpenSSH-specific format.
210	convenience to the user to help identify the key.	212	This format is preferred as it offers better protection for
211	The comment can tell what the key is for, or whatever is useful.	213	keys at rest as well as allowing storage of key comments within
		214	the private key file itself.
		215	The key comment may be useful to help identify the key.
212	The comment is initialized to	216	The comment is initialized to
213	.Dq user@host	217	.Dq user@host
214	when the key is created, but can be changed using the	218	when the key is created, but can be changed using the
215	.Fl c	219	.Fl c
216	option.	220	option.
217	.Pp	221	.Pp
		222	It is still possible for
		223	.Nm
		224	to write the previously-used PEM format private keys using the
		225	.Fl m
		226	flag.
		227	This may be used when generating new keys, and existing new-format
		228	keys may be converted using this option in conjunction with the
		229	.Fl p
		230	(change passphrase) flag.
		231	.Pp
218	After a key is generated, instructions below detail where the keys	232	After a key is generated, instructions below detail where the keys
219	should be placed to be activated.	233	should be placed to be activated.
220	.Pp	234	.Pp
@@ -265,7 +279,7 @@ Requests changing the comment in the private and public key files.
265	The program will prompt for the file containing the private keys, for	279	The program will prompt for the file containing the private keys, for
266	the passphrase if the key has one, and for the new comment.	280	the passphrase if the key has one, and for the new comment.
267	.It Fl D Ar pkcs11	281	.It Fl D Ar pkcs11
268	Download the RSA public keys provided by the PKCS#11 shared library	282	Download the public keys provided by the PKCS#11 shared library
269	.Ar pkcs11 .	283	.Ar pkcs11 .
270	When used in combination with	284	When used in combination with
271	.Fl s ,	285	.Fl s ,
@@ -282,16 +296,17 @@ The default is
282	.Dq sha256 .	296	.Dq sha256 .
283	.It Fl e	297	.It Fl e
284	This option will read a private or public OpenSSH key file and	298	This option will read a private or public OpenSSH key file and
285	print to stdout the key in one of the formats specified by the	299	print to stdout a public key in one of the formats specified by the
286	.Fl m	300	.Fl m
287	option.	301	option.
288	The default export format is	302	The default export format is
289	.Dq RFC4716 .	303	.Dq RFC4716 .
290	This option allows exporting OpenSSH keys for use by other programs, including	304	This option allows exporting OpenSSH keys for use by other programs, including
291	several commercial SSH implementations.	305	several commercial SSH implementations.
292	.It Fl F Ar hostname	306	.It Fl F Ar hostname \| [hostname]:port
293	Search for the specified	307	Search for the specified
294	.Ar hostname	308	.Ar hostname
		309	(with optional port number)
295	in a	310	in a
296	.Pa known_hosts	311	.Pa known_hosts
297	file, listing any occurrences found.	312	file, listing any occurrences found.
@@ -391,11 +406,15 @@ fingerprint.
391	Specify the amount of memory to use (in megabytes) when generating	406	Specify the amount of memory to use (in megabytes) when generating
392	candidate moduli for DH-GEX.	407	candidate moduli for DH-GEX.
393	.It Fl m Ar key_format	408	.It Fl m Ar key_format
394	Specify a key format for the	409	Specify a key format for key generation, the
395	.Fl i	410	.Fl i
396	(import) or	411	(import),
397	.Fl e	412	.Fl e
398	(export) conversion options.	413	(export) conversion options, and the
		414	.Fl p
		415	change passphrase operation.
		416	The latter may be used to convert between OpenSSH private key and PEM
		417	private key formats.
399	The supported key formats are:	418	The supported key formats are:
400	.Dq RFC4716	419	.Dq RFC4716
401	(RFC 4716/SSH2 public or private key),	420	(RFC 4716/SSH2 public or private key),
@@ -517,9 +536,10 @@ Test whether keys have been revoked in a KRL.
517	.It Fl q	536	.It Fl q
518	Silence	537	Silence
519	.Nm ssh-keygen .	538	.Nm ssh-keygen .
520	.It Fl R Ar hostname	539	.It Fl R Ar hostname \| [hostname]:port
521	Removes all keys belonging to	540	Removes all keys belonging to the specified
522	.Ar hostname	541	.Ar hostname
		542	(with optional port number)
523	from a	543	from a
524	.Pa known_hosts	544	.Pa known_hosts
525	file.	545	file.
@@ -620,6 +640,12 @@ OpenSSH format file and print an OpenSSH public key to stdout.
620	.It Fl z Ar serial_number	640	.It Fl z Ar serial_number
621	Specifies a serial number to be embedded in the certificate to distinguish	641	Specifies a serial number to be embedded in the certificate to distinguish
622	this certificate from others from the same CA.	642	this certificate from others from the same CA.
		643	If the
		644	.Ar serial_number
		645	is prefixed with a
		646	.Sq +
		647	character, then the serial number will be incremented for each certificate
		648	signed on a single command-line.
623	The default serial number is zero.	649	The default serial number is zero.
624	.Pp	650	.Pp
625	When generating a KRL, the	651	When generating a KRL, the