Diffstat (limited to 'ssh-keygen.1')
-rw-r--r-- | ssh-keygen.1 | 41 |
1 files changed, 34 insertions, 7 deletions
diff --git a/ssh-keygen.1 b/ssh-keygen.1 index 45866f931..836174fb6 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1 | |||
@@ -1,4 +1,4 @@ | |||
1 | .\" $OpenBSD: ssh-keygen.1,v 1.203 2020/04/03 02:26:56 djm Exp $ | 1 | .\" $OpenBSD: ssh-keygen.1,v 1.209 2020/09/09 03:08:01 djm Exp $ |
2 | .\" | 2 | .\" |
3 | .\" Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | .\" Author: Tatu Ylonen <ylo@cs.hut.fi> |
4 | .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
@@ -35,7 +35,7 @@ | |||
35 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 35 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
36 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 36 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
37 | .\" | 37 | .\" |
38 | .Dd $Mdocdate: April 3 2020 $ | 38 | .Dd $Mdocdate: September 9 2020 $ |
39 | .Dt SSH-KEYGEN 1 | 39 | .Dt SSH-KEYGEN 1 |
40 | .Os | 40 | .Os |
41 | .Sh NAME | 41 | .Sh NAME |
@@ -44,16 +44,18 @@ | |||
44 | .Sh SYNOPSIS | 44 | .Sh SYNOPSIS |
45 | .Nm ssh-keygen | 45 | .Nm ssh-keygen |
46 | .Op Fl q | 46 | .Op Fl q |
47 | .Op Fl a Ar rounds | ||
47 | .Op Fl b Ar bits | 48 | .Op Fl b Ar bits |
48 | .Op Fl C Ar comment | 49 | .Op Fl C Ar comment |
49 | .Op Fl f Ar output_keyfile | 50 | .Op Fl f Ar output_keyfile |
50 | .Op Fl m Ar format | 51 | .Op Fl m Ar format |
51 | .Op Fl t Cm dsa | ecdsa | ecdsa-sk | ed25519 | ed25519-sk | rsa | ||
52 | .Op Fl N Ar new_passphrase | 52 | .Op Fl N Ar new_passphrase |
53 | .Op Fl O Ar option | 53 | .Op Fl O Ar option |
54 | .Op Fl t Cm dsa | ecdsa | ecdsa-sk | ed25519 | ed25519-sk | rsa | ||
54 | .Op Fl w Ar provider | 55 | .Op Fl w Ar provider |
55 | .Nm ssh-keygen | 56 | .Nm ssh-keygen |
56 | .Fl p | 57 | .Fl p |
58 | .Op Fl a Ar rounds | ||
57 | .Op Fl f Ar keyfile | 59 | .Op Fl f Ar keyfile |
58 | .Op Fl m Ar format | 60 | .Op Fl m Ar format |
59 | .Op Fl N Ar new_passphrase | 61 | .Op Fl N Ar new_passphrase |
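Review bot: the `.Op Fl t Cm dsa | ecdsa | ...` line is relocated from before `-N` to after `-O` in the same hunk that adds `.Op Fl a Ar rounds`; the move is an unrelated ordering fix and would be easier to review as its own change or at least called out in the commit message. The new position is the correct case-insensitive alphabetical slot (`-O`, `-t`, `-w`), so no objection to the result.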
@@ -71,6 +73,7 @@ | |||
71 | .Op Fl f Ar input_keyfile | 73 | .Op Fl f Ar input_keyfile |
72 | .Nm ssh-keygen | 74 | .Nm ssh-keygen |
73 | .Fl c | 75 | .Fl c |
76 | .Op Fl a Ar rounds | ||
74 | .Op Fl C Ar comment | 77 | .Op Fl C Ar comment |
75 | .Op Fl f Ar keyfile | 78 | .Op Fl f Ar keyfile |
76 | .Op Fl P Ar passphrase | 79 | .Op Fl P Ar passphrase |
@@ -93,6 +96,7 @@ | |||
93 | .Op Fl f Ar known_hosts_file | 96 | .Op Fl f Ar known_hosts_file |
94 | .Nm ssh-keygen | 97 | .Nm ssh-keygen |
95 | .Fl K | 98 | .Fl K |
99 | .Op Fl a Ar rounds | ||
96 | .Op Fl w Ar provider | 100 | .Op Fl w Ar provider |
97 | .Nm ssh-keygen | 101 | .Nm ssh-keygen |
98 | .Fl R Ar hostname | 102 | .Fl R Ar hostname |
@@ -125,6 +129,7 @@ | |||
125 | .Op Fl f Ar input_keyfile | 129 | .Op Fl f Ar input_keyfile |
126 | .Nm ssh-keygen | 130 | .Nm ssh-keygen |
127 | .Fl A | 131 | .Fl A |
132 | .Op Fl a Ar rounds | ||
128 | .Op Fl f Ar prefix_path | 133 | .Op Fl f Ar prefix_path |
129 | .Nm ssh-keygen | 134 | .Nm ssh-keygen |
130 | .Fl k | 135 | .Fl k |
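Review bot: `.Op Fl a Ar rounds` is added to the `-A` synopsis, but the `-a` description later in this patch says the rounds apply "When saving a private key" and that they slow passphrase verification; if keys written in `-A` mode are not passphrase-protected the option has no effect there, and either the `-A` description should say when `-a` matters or the synopsis entry should be dropped.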
@@ -246,7 +251,9 @@ keys may be converted using this option in conjunction with the | |||
246 | .Fl p | 251 | .Fl p |
247 | (change passphrase) flag. | 252 | (change passphrase) flag. |
248 | .Pp | 253 | .Pp |
249 | After a key is generated, instructions below detail where the keys | 254 | After a key is generated, |
255 | .Nm | ||
256 | will ask where the keys | ||
250 | should be placed to be activated. | 257 | should be placed to be activated. |
251 | .Pp | 258 | .Pp |
252 | The options are as follows: | 259 | The options are as follows: |
@@ -266,6 +273,7 @@ When saving a private key, this option specifies the number of KDF | |||
266 | (key derivation function) rounds used. | 273 | (key derivation function) rounds used. |
267 | Higher numbers result in slower passphrase verification and increased | 274 | Higher numbers result in slower passphrase verification and increased |
268 | resistance to brute-force password cracking (should the keys be stolen). | 275 | resistance to brute-force password cracking (should the keys be stolen). |
276 | The default is 16 rounds. | ||
269 | .It Fl B | 277 | .It Fl B |
270 | Show the bubblebabble digest of specified private or public key file. | 278 | Show the bubblebabble digest of specified private or public key file. |
271 | .It Fl b Ar bits | 279 | .It Fl b Ar bits |
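Review bot: `The default is 16 rounds.` hard-codes a number that must be kept in step with the source default whenever it changes; documenting it is still worthwhile. While here, the preceding sentence says "brute-force password cracking" although the option protects a passphrase; "passphrase cracking" would match the rest of the page, and a clause noting that the slower verification is paid on every use of the passphrase would help readers decide whether to raise the value.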
@@ -370,6 +378,8 @@ The default import format is | |||
370 | Download resident keys from a FIDO authenticator. | 378 | Download resident keys from a FIDO authenticator. |
371 | Public and private key files will be written to the current directory for | 379 | Public and private key files will be written to the current directory for |
372 | each downloaded key. | 380 | each downloaded key. |
381 | If multiple FIDO authenticators are attached, keys will be downloaded from | ||
382 | the first touched authenticator. | ||
373 | .It Fl k | 383 | .It Fl k |
374 | Generate a KRL file. | 384 | Generate a KRL file. |
375 | In this mode, | 385 | In this mode, |
@@ -499,10 +509,17 @@ A username to be associated with a resident key, | |||
499 | overriding the empty default username. | 509 | overriding the empty default username. |
500 | Specifying a username may be useful when generating multiple resident keys | 510 | Specifying a username may be useful when generating multiple resident keys |
501 | for the same application name. | 511 | for the same application name. |
512 | .It Cm verify-required | ||
513 | Indicate that this private key should require user verification for | ||
514 | each signature. | ||
515 | Not all FIDO tokens support this option. | ||
516 | Currently PIN authentication is the only supported verification method, | ||
517 | but other methods may be supported in the future. | ||
502 | .It Cm write-attestation Ns = Ns Ar path | 518 | .It Cm write-attestation Ns = Ns Ar path |
503 | May be used at key generation time to record the attestation certificate | 519 | May be used at key generation time to record the attestation data |
504 | returned from FIDO tokens during key generation. | 520 | returned from FIDO tokens during key generation. |
505 | By default this information is discarded. | 521 | Please note that this information is potentially sensitive. |
522 | By default, this information is discarded. | ||
506 | .El | 523 | .El |
507 | .Pp | 524 | .Pp |
508 | The | 525 | The |
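Review bot: `Please note that this information is potentially sensitive.` asserts sensitivity without saying in what respect, so a reader cannot judge whether to use `write-attestation`; add the reason (what the attestation data can reveal) or a pointer to where it is explained. The placement of the new `verify-required` entry between `user` and `write-attestation` keeps the option list alphabetical, and "attestation certificate" to "attestation data" is a sensible generalisation.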
@@ -949,7 +966,7 @@ by | |||
949 | Allows X11 forwarding. | 966 | Allows X11 forwarding. |
950 | .Pp | 967 | .Pp |
951 | .It Ic no-touch-required | 968 | .It Ic no-touch-required |
952 | Do not require signatures made using this key require demonstration | 969 | Do not require signatures made using this key include demonstration |
953 | of user presence (e.g. by having the user touch the authenticator). | 970 | of user presence (e.g. by having the user touch the authenticator). |
954 | This option only makes sense for the FIDO authenticator algorithms | 971 | This option only makes sense for the FIDO authenticator algorithms |
955 | .Cm ecdsa-sk | 972 | .Cm ecdsa-sk |
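Review bot: the rewording `Do not require signatures made using this key include demonstration of user presence` is clearer than the old "require ... require", but it still lacks a conjunction; suggest `Do not require that signatures made using this key include demonstration`.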
@@ -962,6 +979,16 @@ The | |||
962 | .Ar address_list | 979 | .Ar address_list |
963 | is a comma-separated list of one or more address/netmask pairs in CIDR | 980 | is a comma-separated list of one or more address/netmask pairs in CIDR |
964 | format. | 981 | format. |
982 | .Pp | ||
983 | .It Ic verify-required | ||
984 | Require signatures made using this key indicate that the user was first | ||
985 | verified. | ||
986 | This option only makes sense for the FIDO authenticator algorithms | ||
987 | .Cm ecdsa-sk | ||
988 | and | ||
989 | .Cm ed25519-sk . | ||
990 | Currently PIN authentication is the only supported verification method, | ||
991 | but other methods may be supported in the future. | ||
965 | .El | 992 | .El |
966 | .Pp | 993 | .Pp |
967 | At present, no standard options are valid for host keys. | 994 | At present, no standard options are valid for host keys. |
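Review bot: `verify-required` here is a certificate option, and the patch also adds a key-generation option `-O verify-required` with the same name; the two descriptions repeat the same PIN sentence but neither says how they relate (a property of the private key versus a requirement on signatures checked by the verifier). One sentence cross-referencing the `-O` option would avoid confusion. Same grammar point as for `no-touch-required`: `Require that signatures made using this key indicate`.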