1 files changed, 19 insertions, 3 deletions
diff --git a/ssh-keygen.1 b/ssh-keygen.1
index 9198a511f..7e0558fe1 100644
--- a/ssh-keygen.1
+++ b/ssh-keygen.1
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: ssh-keygen.1,v 1.205 2020/07/15 07:50:46 solene Exp $
+.\"     $OpenBSD: ssh-keygen.1,v 1.206 2020/08/27 01:06:18 djm Exp $
 .\"
 .\" Author: Tatu Ylonen <ylo@cs.hut.fi>
 .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -35,7 +35,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: July 15 2020 $
+.Dd $Mdocdate: August 27 2020 $
 .Dt SSH-KEYGEN 1
 .Os
 .Sh NAME
@@ -511,6 +511,12 @@ A username to be associated with a resident key,
 overriding the empty default username.
 Specifying a username may be useful when generating multiple resident keys
 for the same application name.
+.It Cm verify-required
+Indicate that this private key should require user verification for
+each signature.
+Not all FIDO tokens support support this option.
+Currently PIN authentication is the only supported verification method,
+but other methods may be supported in the future.
 .It Cm write-attestation Ns = Ns Ar path
 May be used at key generation time to record the attestation certificate
 returned from FIDO tokens during key generation.
@@ -961,7 +967,7 @@ by
 Allows X11 forwarding.
 .Pp
 .It Ic no-touch-required
-Do not require signatures made using this key require demonstration
+Do not require signatures made using this key include demonstration
 of user presence (e.g. by having the user touch the authenticator).
 This option only makes sense for the FIDO authenticator algorithms
 .Cm ecdsa-sk
@@ -974,6 +980,16 @@ The
 .Ar address_list
 is a comma-separated list of one or more address/netmask pairs in CIDR
 format.
+.Pp
+.It Ic verify-required
+Require signatures made using this key indicate that the user was first
+verified.
+This option only makes sense for the FIDO authenticator algorithms
+.Cm ecdsa-sk
+and
+.Cm ed25519-sk .
+Currently PIN authentication is the only supported verification method,
+but other methods may be supported in the future.
 .El
 .Pp
 At present, no standard options are valid for host keys.

diff --git a/ssh-keygen.1 b/ssh-keygen.1 index 9198a511f..7e0558fe1 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: ssh-keygen.1,v 1.205 2020/07/15 07:50:46 solene Exp $	1	.\" $OpenBSD: ssh-keygen.1,v 1.206 2020/08/27 01:06:18 djm Exp $
2	.\"	2	.\"
3	.\" Author: Tatu Ylonen <ylo@cs.hut.fi>	3	.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
4	.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland	4	.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -35,7 +35,7 @@
35	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	35	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
36	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	36	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
37	.\"	37	.\"
38	.Dd $Mdocdate: July 15 2020 $	38	.Dd $Mdocdate: August 27 2020 $
39	.Dt SSH-KEYGEN 1	39	.Dt SSH-KEYGEN 1
40	.Os	40	.Os
41	.Sh NAME	41	.Sh NAME
@@ -511,6 +511,12 @@ A username to be associated with a resident key,
511	overriding the empty default username.	511	overriding the empty default username.
512	Specifying a username may be useful when generating multiple resident keys	512	Specifying a username may be useful when generating multiple resident keys
513	for the same application name.	513	for the same application name.
		514	.It Cm verify-required
		515	Indicate that this private key should require user verification for
		516	each signature.
		517	Not all FIDO tokens support support this option.
		518	Currently PIN authentication is the only supported verification method,
		519	but other methods may be supported in the future.
514	.It Cm write-attestation Ns = Ns Ar path	520	.It Cm write-attestation Ns = Ns Ar path
515	May be used at key generation time to record the attestation certificate	521	May be used at key generation time to record the attestation certificate
516	returned from FIDO tokens during key generation.	522	returned from FIDO tokens during key generation.
@@ -961,7 +967,7 @@ by
961	Allows X11 forwarding.	967	Allows X11 forwarding.
962	.Pp	968	.Pp
963	.It Ic no-touch-required	969	.It Ic no-touch-required
964	Do not require signatures made using this key require demonstration	970	Do not require signatures made using this key include demonstration
965	of user presence (e.g. by having the user touch the authenticator).	971	of user presence (e.g. by having the user touch the authenticator).
966	This option only makes sense for the FIDO authenticator algorithms	972	This option only makes sense for the FIDO authenticator algorithms
967	.Cm ecdsa-sk	973	.Cm ecdsa-sk
@@ -974,6 +980,16 @@ The
974	.Ar address_list	980	.Ar address_list
975	is a comma-separated list of one or more address/netmask pairs in CIDR	981	is a comma-separated list of one or more address/netmask pairs in CIDR
976	format.	982	format.
		983	.Pp
		984	.It Ic verify-required
		985	Require signatures made using this key indicate that the user was first
		986	verified.
		987	This option only makes sense for the FIDO authenticator algorithms
		988	.Cm ecdsa-sk
		989	and
		990	.Cm ed25519-sk .
		991	Currently PIN authentication is the only supported verification method,
		992	but other methods may be supported in the future.
977	.El	993	.El
978	.Pp	994	.Pp
979	At present, no standard options are valid for host keys.	995	At present, no standard options are valid for host keys.