1 files changed, 83 insertions, 42 deletions
diff --git a/ssh-keygen.1 b/ssh-keygen.1
index c0f24dcd0..3987b1e66 100644
--- a/ssh-keygen.1
+++ b/ssh-keygen.1
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: ssh-keygen.1,v 1.63 2004/08/13 00:01:43 jmc Exp $
+.\"     $OpenBSD: ssh-keygen.1,v 1.66 2005/03/01 18:15:56 jmc Exp $
 .\"
 .\"  -*- nroff -*-
 .\"
@@ -81,6 +81,15 @@
 .Nm ssh-keygen
 .Fl D Ar reader
 .Nm ssh-keygen
+.Fl F Ar hostname
+.Op Fl f Ar known_hosts_file
+.Nm ssh-keygen
+.Fl H
+.Op Fl f Ar known_hosts_file
+.Nm ssh-keygen
+.Fl R Ar hostname
+.Op Fl f Ar known_hosts_file
+.Nm ssh-keygen
 .Fl U Ar reader
 .Op Fl f Ar input_keyfile
 .Nm ssh-keygen
@@ -174,16 +183,23 @@ Specifies the number of primality tests to perform when screening DH-GEX
 candidates using the
 .Fl T
 command.
+.It Fl B
+Show the bubblebabble digest of specified private or public key file.
 .It Fl b Ar bits
 Specifies the number of bits in the key to create.
 Minimum is 512 bits.
 Generally, 1024 bits is considered sufficient.
 The default is 1024 bits.
+.It Fl C Ar comment
+Provides a new comment.
 .It Fl c
 Requests changing the comment in the private and public key files.
 This operation is only supported for RSA1 keys.
 The program will prompt for the file containing the private keys, for
 the passphrase if the key has one, and for the new comment.
+.It Fl D Ar reader
+Download the RSA public key stored in the smartcard in
+.Ar reader .
 .It Fl e
 This option will read a private or public OpenSSH key file and
 print the key in a
@@ -191,12 +207,41 @@ print the key in a
 to stdout.
 This option allows exporting keys for use by several commercial
 SSH implementations.
+.It Fl F Ar hostname
+Search for the specified
+.Ar hostname
+in a
+.Pa known_hosts
+file, listing any occurrences found.
+This option is useful to find hashed host names or addresses and may also be
+used in conjunction with the
+.Fl H
+option to print found keys in a hashed format.
+.It Fl f Ar filename
+Specifies the filename of the key file.
+.It Fl G Ar output_file
+Generate candidate primes for DH-GEX.
+These primes must be screened for
+safety (using the
+.Fl T
+option) before use.
 .It Fl g
 Use generic DNS format when printing fingerprint resource records using the
 .Fl r
 command.
-.It Fl f Ar filename
+.It Fl H
-Specifies the filename of the key file.
+Hash a
+.Pa known_hosts
+file, printing the result to standard output.
+This replaces all hostnames and addresses with hashed representations.
+These hashes may be used normally by
+.Nm ssh
+and
+.Nm sshd ,
+but they do not reveal identifying information should the file's contents
+be disclosed.
+This option will not modify existing hashed hostnames and is therefore safe
+to use on files that mix hashed and non-hashed names.
 .It Fl i
 This option will read an unencrypted private (or public) key file
 in SSH2-compatible format and print an OpenSSH compatible private
@@ -212,6 +257,13 @@ Private RSA1 keys are also supported.
 For RSA and DSA keys
 .Nm
 tries to find the matching public key file and prints its fingerprint.
+.It Fl M Ar memory
+Specify the amount of memory to use (in megabytes) when generating
+candidate moduli for DH-GEX.
+.It Fl N Ar new_passphrase
+Provides the new passphrase.
+.It Fl P Ar passphrase
+Provides the (old) passphrase.
 .It Fl p
 Requests changing the passphrase of a private key file instead of
 creating a new private key.
@@ -224,11 +276,27 @@ Silence
 Used by
 .Pa /etc/rc
 when creating a new key.
-.It Fl y
+.It Fl R Ar hostname
-This option will read a private
+Removes all keys belonging to
-OpenSSH format file and print an OpenSSH public key to stdout.
+.Ar hostname
+from a
+.Pa known_hosts
+file.
+This option is useful to delete hashed hosts (see the
+.Fl H
+option above).
+.It Fl r Ar hostname
+Print the SSHFP fingerprint resource record named
+.Ar hostname
+for the specified public key file.
+.It Fl S Ar start
+Specify start point (in hex) when generating candidate moduli for DH-GEX.
+.It Fl T Ar output_file
+Test DH group exchange candidate primes (generated using the
+.Fl G
+option) for safety.
 .It Fl t Ar type
-Specifies the type of the key to create.
+Specifies the type of key to create.
 The possible values are
 .Dq rsa1
 for protocol version 1 and
@@ -236,34 +304,6 @@ for protocol version 1 and
 or
 .Dq dsa
 for protocol version 2.
-.It Fl B
-Show the bubblebabble digest of specified private or public key file.
-.It Fl C Ar comment
-Provides the new comment.
-.It Fl D Ar reader
-Download the RSA public key stored in the smartcard in
-.Ar reader .
-.It Fl G Ar output_file
-Generate candidate primes for DH-GEX.
-These primes must be screened for
-safety (using the
-.Fl T
-option) before use.
-.It Fl M Ar memory
-Specify the amount of memory to use (in megabytes) when generating
-candidate moduli for DH-GEX.
-.It Fl N Ar new_passphrase
-Provides the new passphrase.
-.It Fl P Ar passphrase
-Provides the (old) passphrase.
-.It Fl S Ar start
-Specify start point (in hex) when generating candidate moduli for DH-GEX.
-.It Fl T Ar output_file
-Test DH group exchange candidate primes (generated using the
-.Fl G
-option) for safety.
-.It Fl W Ar generator
-Specify desired generator when testing candidate moduli for DH-GEX.
 .It Fl U Ar reader
 Upload an existing RSA private key into the smartcard in
 .Ar reader .
@@ -277,10 +317,11 @@ Multiple
 .Fl v
 options increase the verbosity.
 The maximum is 3.
-.It Fl r Ar hostname
+.It Fl W Ar generator
-Print the SSHFP fingerprint resource record named
+Specify desired generator when testing candidate moduli for DH-GEX.
-.Ar hostname
+.It Fl y
-for the specified public key file.
+This option will read a private
+OpenSSH format file and print an OpenSSH public key to stdout.
 .El
 .Sh MODULI GENERATION
 .Nm
@@ -299,7 +340,7 @@ The desired length of the primes may be specified by the
 option.
 For example:
 .Pp
-.Dl ssh-keygen -G moduli-2048.candidates -b 2048
+.Dl # ssh-keygen -G moduli-2048.candidates -b 2048
 .Pp
 By default, the search for primes begins at a random point in the
 desired length range.
@@ -319,7 +360,7 @@ will read candidates from standard input (or a file specified using the
 option).
 For example:
 .Pp
-.Dl ssh-keygen -T moduli-2048 -f moduli-2048.candidates
+.Dl # ssh-keygen -T moduli-2048 -f moduli-2048.candidates
 .Pp
 By default, each candidate will be subjected to 100 primality tests.
 This may be overridden using the
@@ -330,7 +371,7 @@ prime under consideration.
 If a specific generator is desired, it may be requested using the
 .Fl W
 option.
-Valid generator values are 2, 3 and 5.
+Valid generator values are 2, 3, and 5.
 .Pp
 Screened DH groups may be installed in
 .Pa /etc/moduli .

diff --git a/ssh-keygen.1 b/ssh-keygen.1 index c0f24dcd0..3987b1e66 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: ssh-keygen.1,v 1.63 2004/08/13 00:01:43 jmc Exp $	1	.\" $OpenBSD: ssh-keygen.1,v 1.66 2005/03/01 18:15:56 jmc Exp $
2	.\"	2	.\"
3	.\" -- nroff --	3	.\" -- nroff --
4	.\"	4	.\"
@@ -81,6 +81,15 @@
81	.Nm ssh-keygen	81	.Nm ssh-keygen
82	.Fl D Ar reader	82	.Fl D Ar reader
83	.Nm ssh-keygen	83	.Nm ssh-keygen
		84	.Fl F Ar hostname
		85	.Op Fl f Ar known_hosts_file
		86	.Nm ssh-keygen
		87	.Fl H
		88	.Op Fl f Ar known_hosts_file
		89	.Nm ssh-keygen
		90	.Fl R Ar hostname
		91	.Op Fl f Ar known_hosts_file
		92	.Nm ssh-keygen
84	.Fl U Ar reader	93	.Fl U Ar reader
85	.Op Fl f Ar input_keyfile	94	.Op Fl f Ar input_keyfile
86	.Nm ssh-keygen	95	.Nm ssh-keygen
@@ -174,16 +183,23 @@ Specifies the number of primality tests to perform when screening DH-GEX
174	candidates using the	183	candidates using the
175	.Fl T	184	.Fl T
176	command.	185	command.
		186	.It Fl B
		187	Show the bubblebabble digest of specified private or public key file.
177	.It Fl b Ar bits	188	.It Fl b Ar bits
178	Specifies the number of bits in the key to create.	189	Specifies the number of bits in the key to create.
179	Minimum is 512 bits.	190	Minimum is 512 bits.
180	Generally, 1024 bits is considered sufficient.	191	Generally, 1024 bits is considered sufficient.
181	The default is 1024 bits.	192	The default is 1024 bits.
		193	.It Fl C Ar comment
		194	Provides a new comment.
182	.It Fl c	195	.It Fl c
183	Requests changing the comment in the private and public key files.	196	Requests changing the comment in the private and public key files.
184	This operation is only supported for RSA1 keys.	197	This operation is only supported for RSA1 keys.
185	The program will prompt for the file containing the private keys, for	198	The program will prompt for the file containing the private keys, for
186	the passphrase if the key has one, and for the new comment.	199	the passphrase if the key has one, and for the new comment.
		200	.It Fl D Ar reader
		201	Download the RSA public key stored in the smartcard in
		202	.Ar reader .
187	.It Fl e	203	.It Fl e
188	This option will read a private or public OpenSSH key file and	204	This option will read a private or public OpenSSH key file and
189	print the key in a	205	print the key in a
@@ -191,12 +207,41 @@ print the key in a
191	to stdout.	207	to stdout.
192	This option allows exporting keys for use by several commercial	208	This option allows exporting keys for use by several commercial
193	SSH implementations.	209	SSH implementations.
		210	.It Fl F Ar hostname
		211	Search for the specified
		212	.Ar hostname
		213	in a
		214	.Pa known_hosts
		215	file, listing any occurrences found.
		216	This option is useful to find hashed host names or addresses and may also be
		217	used in conjunction with the
		218	.Fl H
		219	option to print found keys in a hashed format.
		220	.It Fl f Ar filename
		221	Specifies the filename of the key file.
		222	.It Fl G Ar output_file
		223	Generate candidate primes for DH-GEX.
		224	These primes must be screened for
		225	safety (using the
		226	.Fl T
		227	option) before use.
194	.It Fl g	228	.It Fl g
195	Use generic DNS format when printing fingerprint resource records using the	229	Use generic DNS format when printing fingerprint resource records using the
196	.Fl r	230	.Fl r
197	command.	231	command.
198	.It Fl f Ar filename	232	.It Fl H
199	Specifies the filename of the key file.	233	Hash a
		234	.Pa known_hosts
		235	file, printing the result to standard output.
		236	This replaces all hostnames and addresses with hashed representations.
		237	These hashes may be used normally by
		238	.Nm ssh
		239	and
		240	.Nm sshd ,
		241	but they do not reveal identifying information should the file's contents
		242	be disclosed.
		243	This option will not modify existing hashed hostnames and is therefore safe
		244	to use on files that mix hashed and non-hashed names.
200	.It Fl i	245	.It Fl i
201	This option will read an unencrypted private (or public) key file	246	This option will read an unencrypted private (or public) key file
202	in SSH2-compatible format and print an OpenSSH compatible private	247	in SSH2-compatible format and print an OpenSSH compatible private
@@ -212,6 +257,13 @@ Private RSA1 keys are also supported.
212	For RSA and DSA keys	257	For RSA and DSA keys
213	.Nm	258	.Nm
214	tries to find the matching public key file and prints its fingerprint.	259	tries to find the matching public key file and prints its fingerprint.
		260	.It Fl M Ar memory
		261	Specify the amount of memory to use (in megabytes) when generating
		262	candidate moduli for DH-GEX.
		263	.It Fl N Ar new_passphrase
		264	Provides the new passphrase.
		265	.It Fl P Ar passphrase
		266	Provides the (old) passphrase.
215	.It Fl p	267	.It Fl p
216	Requests changing the passphrase of a private key file instead of	268	Requests changing the passphrase of a private key file instead of
217	creating a new private key.	269	creating a new private key.
@@ -224,11 +276,27 @@ Silence
224	Used by	276	Used by
225	.Pa /etc/rc	277	.Pa /etc/rc
226	when creating a new key.	278	when creating a new key.
227	.It Fl y	279	.It Fl R Ar hostname
228	This option will read a private	280	Removes all keys belonging to
229	OpenSSH format file and print an OpenSSH public key to stdout.	281	.Ar hostname
		282	from a
		283	.Pa known_hosts
		284	file.
		285	This option is useful to delete hashed hosts (see the
		286	.Fl H
		287	option above).
		288	.It Fl r Ar hostname
		289	Print the SSHFP fingerprint resource record named
		290	.Ar hostname
		291	for the specified public key file.
		292	.It Fl S Ar start
		293	Specify start point (in hex) when generating candidate moduli for DH-GEX.
		294	.It Fl T Ar output_file
		295	Test DH group exchange candidate primes (generated using the
		296	.Fl G
		297	option) for safety.
230	.It Fl t Ar type	298	.It Fl t Ar type
231	Specifies the type of the key to create.	299	Specifies the type of key to create.
232	The possible values are	300	The possible values are
233	.Dq rsa1	301	.Dq rsa1
234	for protocol version 1 and	302	for protocol version 1 and
@@ -236,34 +304,6 @@ for protocol version 1 and
236	or	304	or
237	.Dq dsa	305	.Dq dsa
238	for protocol version 2.	306	for protocol version 2.
239	.It Fl B
240	Show the bubblebabble digest of specified private or public key file.
241	.It Fl C Ar comment
242	Provides the new comment.
243	.It Fl D Ar reader
244	Download the RSA public key stored in the smartcard in
245	.Ar reader .
246	.It Fl G Ar output_file
247	Generate candidate primes for DH-GEX.
248	These primes must be screened for
249	safety (using the
250	.Fl T
251	option) before use.
252	.It Fl M Ar memory
253	Specify the amount of memory to use (in megabytes) when generating
254	candidate moduli for DH-GEX.
255	.It Fl N Ar new_passphrase
256	Provides the new passphrase.
257	.It Fl P Ar passphrase
258	Provides the (old) passphrase.
259	.It Fl S Ar start
260	Specify start point (in hex) when generating candidate moduli for DH-GEX.
261	.It Fl T Ar output_file
262	Test DH group exchange candidate primes (generated using the
263	.Fl G
264	option) for safety.
265	.It Fl W Ar generator
266	Specify desired generator when testing candidate moduli for DH-GEX.
267	.It Fl U Ar reader	307	.It Fl U Ar reader
268	Upload an existing RSA private key into the smartcard in	308	Upload an existing RSA private key into the smartcard in
269	.Ar reader .	309	.Ar reader .
@@ -277,10 +317,11 @@ Multiple
277	.Fl v	317	.Fl v
278	options increase the verbosity.	318	options increase the verbosity.
279	The maximum is 3.	319	The maximum is 3.
280	.It Fl r Ar hostname	320	.It Fl W Ar generator
281	Print the SSHFP fingerprint resource record named	321	Specify desired generator when testing candidate moduli for DH-GEX.
282	.Ar hostname	322	.It Fl y
283	for the specified public key file.	323	This option will read a private
		324	OpenSSH format file and print an OpenSSH public key to stdout.
284	.El	325	.El
285	.Sh MODULI GENERATION	326	.Sh MODULI GENERATION
286	.Nm	327	.Nm
@@ -299,7 +340,7 @@ The desired length of the primes may be specified by the
299	option.	340	option.
300	For example:	341	For example:
301	.Pp	342	.Pp
302	.Dl ssh-keygen -G moduli-2048.candidates -b 2048	343	.Dl # ssh-keygen -G moduli-2048.candidates -b 2048
303	.Pp	344	.Pp
304	By default, the search for primes begins at a random point in the	345	By default, the search for primes begins at a random point in the
305	desired length range.	346	desired length range.
@@ -319,7 +360,7 @@ will read candidates from standard input (or a file specified using the
319	option).	360	option).
320	For example:	361	For example:
321	.Pp	362	.Pp
322	.Dl ssh-keygen -T moduli-2048 -f moduli-2048.candidates	363	.Dl # ssh-keygen -T moduli-2048 -f moduli-2048.candidates
323	.Pp	364	.Pp
324	By default, each candidate will be subjected to 100 primality tests.	365	By default, each candidate will be subjected to 100 primality tests.
325	This may be overridden using the	366	This may be overridden using the
@@ -330,7 +371,7 @@ prime under consideration.
330	If a specific generator is desired, it may be requested using the	371	If a specific generator is desired, it may be requested using the
331	.Fl W	372	.Fl W
332	option.	373	option.
333	Valid generator values are 2, 3 and 5.	374	Valid generator values are 2, 3, and 5.
334	.Pp	375	.Pp
335	Screened DH groups may be installed in	376	Screened DH groups may be installed in
336	.Pa /etc/moduli .	377	.Pa /etc/moduli .