Diffstat (limited to 'ssh-keygen.1')
-rw-r--r-- | ssh-keygen.1 | 188 |
1 files changed, 93 insertions, 95 deletions
diff --git a/ssh-keygen.1 b/ssh-keygen.1 index 038e2c578..67a57b9f7 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1 | |||
@@ -1,4 +1,4 @@ | |||
1 | .\" $OpenBSD: ssh-keygen.1,v 1.182 2019/12/27 08:28:44 jmc Exp $ | 1 | .\" $OpenBSD: ssh-keygen.1,v 1.183 2019/12/30 03:28:41 djm Exp $ |
2 | .\" | 2 | .\" |
3 | .\" Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | .\" Author: Tatu Ylonen <ylo@cs.hut.fi> |
4 | .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
@@ -35,7 +35,7 @@ | |||
35 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 35 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
36 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 36 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
37 | .\" | 37 | .\" |
38 | .Dd $Mdocdate: December 27 2019 $ | 38 | .Dd $Mdocdate: December 30 2019 $ |
39 | .Dt SSH-KEYGEN 1 | 39 | .Dt SSH-KEYGEN 1 |
40 | .Os | 40 | .Os |
41 | .Sh NAME | 41 | .Sh NAME |
@@ -458,97 +458,10 @@ Please see the | |||
458 | section for details. | 458 | section for details. |
459 | .It Fl O Ar option | 459 | .It Fl O Ar option |
460 | Specify a certificate option when signing a key. | 460 | Specify a certificate option when signing a key. |
461 | This option may be specified multiple times. | 461 | See the |
462 | See also the | ||
463 | .Sx CERTIFICATES | 462 | .Sx CERTIFICATES |
464 | section for further details. | 463 | section for a list of available certificate options. |
465 | .Pp | 464 | This option may be specified multiple times. |
466 | At present, no standard options are valid for host keys. | ||
467 | The options that are valid for user certificates are: | ||
468 | .Pp | ||
469 | .Bl -tag -width Ds -compact | ||
470 | .It Ic clear | ||
471 | Clear all enabled permissions. | ||
472 | This is useful for clearing the default set of permissions so permissions may | ||
473 | be added individually. | ||
474 | .Pp | ||
475 | .It Ic critical : Ns Ar name Ns Op Ns = Ns Ar contents | ||
476 | .It Ic extension : Ns Ar name Ns Op Ns = Ns Ar contents | ||
477 | Includes an arbitrary certificate critical option or extension. | ||
478 | The specified | ||
479 | .Ar name | ||
480 | should include a domain suffix, e.g.\& | ||
481 | .Dq name@example.com . | ||
482 | If | ||
483 | .Ar contents | ||
484 | is specified then it is included as the contents of the extension/option | ||
485 | encoded as a string, otherwise the extension/option is created with no | ||
486 | contents (usually indicating a flag). | ||
487 | Extensions may be ignored by a client or server that does not recognise them, | ||
488 | whereas unknown critical options will cause the certificate to be refused. | ||
489 | .Pp | ||
490 | .It Ic force-command Ns = Ns Ar command | ||
491 | Forces the execution of | ||
492 | .Ar command | ||
493 | instead of any shell or command specified by the user when | ||
494 | the certificate is used for authentication. | ||
495 | .Pp | ||
496 | .It Ic no-agent-forwarding | ||
497 | Disable | ||
498 | .Xr ssh-agent 1 | ||
499 | forwarding (permitted by default). | ||
500 | .Pp | ||
501 | .It Ic no-port-forwarding | ||
502 | Disable port forwarding (permitted by default). | ||
503 | .Pp | ||
504 | .It Ic no-pty | ||
505 | Disable PTY allocation (permitted by default). | ||
506 | .Pp | ||
507 | .It Ic no-user-rc | ||
508 | Disable execution of | ||
509 | .Pa ~/.ssh/rc | ||
510 | by | ||
511 | .Xr sshd 8 | ||
512 | (permitted by default). | ||
513 | .Pp | ||
514 | .It Ic no-x11-forwarding | ||
515 | Disable X11 forwarding (permitted by default). | ||
516 | .Pp | ||
517 | .It Ic permit-agent-forwarding | ||
518 | Allows | ||
519 | .Xr ssh-agent 1 | ||
520 | forwarding. | ||
521 | .Pp | ||
522 | .It Ic permit-port-forwarding | ||
523 | Allows port forwarding. | ||
524 | .Pp | ||
525 | .It Ic permit-pty | ||
526 | Allows PTY allocation. | ||
527 | .Pp | ||
528 | .It Ic permit-user-rc | ||
529 | Allows execution of | ||
530 | .Pa ~/.ssh/rc | ||
531 | by | ||
532 | .Xr sshd 8 . | ||
533 | .Pp | ||
534 | .It Ic permit-X11-forwarding | ||
535 | Allows X11 forwarding. | ||
536 | .Pp | ||
537 | .It Ic no-touch-required | ||
538 | Do not require signatures made using this key require demonstration | ||
539 | of user presence (e.g. by having the user touch the key). | ||
540 | This option only makes sense for the FIDO authenticator algorithms | ||
541 | .Cm ecdsa-sk | ||
542 | and | ||
543 | .Cm ed25519-sk . | ||
544 | .Pp | ||
545 | .It Ic source-address Ns = Ns Ar address_list | ||
546 | Restrict the source addresses from which the certificate is considered valid. | ||
547 | The | ||
548 | .Ar address_list | ||
549 | is a comma-separated list of one or more address/netmask pairs in CIDR | ||
550 | format. | ||
551 | .El | ||
552 | .It Fl P Ar passphrase | 465 | .It Fl P Ar passphrase |
553 | Provides the (old) passphrase. | 466 | Provides the (old) passphrase. |
554 | .It Fl p | 467 | .It Fl p |
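Review bot: with the option list removed from the -O entry at 461-464, the flag documentation no longer tells the reader that these options apply only to user certificates; the sentence "At present, no standard options are valid for host keys." (dropped at old line 466) now survives only at the end of the CERTIFICATES section in the later hunk. Consider keeping a one-line caveat next to the cross-reference, e.g. "Certificate options apply to user certificates; no standard options are currently defined for host keys.", so that someone reading the -O entry while signing a host key with -h sees the restriction where the flag is documented.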
@@ -899,9 +812,94 @@ be specified through certificate options. | |||
899 | A certificate option may disable features of the SSH session, may be | 812 | A certificate option may disable features of the SSH session, may be |
900 | valid only when presented from particular source addresses or may | 813 | valid only when presented from particular source addresses or may |
901 | force the use of a specific command. | 814 | force the use of a specific command. |
902 | For a list of valid certificate options, see the documentation for the | 815 | .Pp |
903 | .Fl O | 816 | The options that are valid for user certificates are: |
904 | option above. | 817 | .Pp |
818 | .Bl -tag -width Ds -compact | ||
819 | .It Ic clear | ||
820 | Clear all enabled permissions. | ||
821 | This is useful for clearing the default set of permissions so permissions may | ||
822 | be added individually. | ||
823 | .Pp | ||
824 | .It Ic critical : Ns Ar name Ns Op Ns = Ns Ar contents | ||
825 | .It Ic extension : Ns Ar name Ns Op Ns = Ns Ar contents | ||
826 | Includes an arbitrary certificate critical option or extension. | ||
827 | The specified | ||
828 | .Ar name | ||
829 | should include a domain suffix, e.g.\& | ||
830 | .Dq name@example.com . | ||
831 | If | ||
832 | .Ar contents | ||
833 | is specified then it is included as the contents of the extension/option | ||
834 | encoded as a string, otherwise the extension/option is created with no | ||
835 | contents (usually indicating a flag). | ||
836 | Extensions may be ignored by a client or server that does not recognise them, | ||
837 | whereas unknown critical options will cause the certificate to be refused. | ||
838 | .Pp | ||
839 | .It Ic force-command Ns = Ns Ar command | ||
840 | Forces the execution of | ||
841 | .Ar command | ||
842 | instead of any shell or command specified by the user when | ||
843 | the certificate is used for authentication. | ||
844 | .Pp | ||
845 | .It Ic no-agent-forwarding | ||
846 | Disable | ||
847 | .Xr ssh-agent 1 | ||
848 | forwarding (permitted by default). | ||
849 | .Pp | ||
850 | .It Ic no-port-forwarding | ||
851 | Disable port forwarding (permitted by default). | ||
852 | .Pp | ||
853 | .It Ic no-pty | ||
854 | Disable PTY allocation (permitted by default). | ||
855 | .Pp | ||
856 | .It Ic no-user-rc | ||
857 | Disable execution of | ||
858 | .Pa ~/.ssh/rc | ||
859 | by | ||
860 | .Xr sshd 8 | ||
861 | (permitted by default). | ||
862 | .Pp | ||
863 | .It Ic no-x11-forwarding | ||
864 | Disable X11 forwarding (permitted by default). | ||
865 | .Pp | ||
866 | .It Ic permit-agent-forwarding | ||
867 | Allows | ||
868 | .Xr ssh-agent 1 | ||
869 | forwarding. | ||
870 | .Pp | ||
871 | .It Ic permit-port-forwarding | ||
872 | Allows port forwarding. | ||
873 | .Pp | ||
874 | .It Ic permit-pty | ||
875 | Allows PTY allocation. | ||
876 | .Pp | ||
877 | .It Ic permit-user-rc | ||
878 | Allows execution of | ||
879 | .Pa ~/.ssh/rc | ||
880 | by | ||
881 | .Xr sshd 8 . | ||
882 | .Pp | ||
883 | .It Ic permit-X11-forwarding | ||
884 | Allows X11 forwarding. | ||
885 | .Pp | ||
886 | .It Ic no-touch-required | ||
887 | Do not require signatures made using this key require demonstration | ||
888 | of user presence (e.g. by having the user touch the key). | ||
889 | This option only makes sense for the Security Key algorithms | ||
890 | .Cm ecdsa-sk | ||
891 | and | ||
892 | .Cm ed25519-sk . | ||
893 | .Pp | ||
894 | .It Ic source-address Ns = Ns Ar address_list | ||
895 | Restrict the source addresses from which the certificate is considered valid. | ||
896 | The | ||
897 | .Ar address_list | ||
898 | is a comma-separated list of one or more address/netmask pairs in CIDR | ||
899 | format. | ||
900 | .El | ||
901 | .Pp | ||
902 | At present, no standard options are valid for host keys. | ||
905 | .Pp | 903 | .Pp |
906 | Finally, certificates may be defined with a validity lifetime. | 904 | Finally, certificates may be defined with a validity lifetime. |
907 | The | 905 | The |
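Review bot: the relocated no-touch-required text at 887-888 carries over the double "require" from the old wording ("Do not require signatures made using this key require demonstration of user presence"); since the block is being moved anyway, this is the moment to fix it, e.g. "Do not require signatures made using this key to demonstrate user presence (e.g. by having the user touch the key)." Also, the move is not verbatim: 889 changes "FIDO authenticator algorithms" to "Security Key algorithms", a wording change worth mentioning in the commit message so the diff is not read as a pure relocation.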