From aa4c640dc362816d63584a16e786d5e314e24390 Mon Sep 17 00:00:00 2001 From: "naddy@openbsd.org" Date: Thu, 7 Nov 2019 08:38:38 +0000 Subject: upstream: Fill in missing man page bits for U2F security key support: Mention the new key types, the ~/.ssh/id_ecdsa_sk file, ssh's SecurityKeyProvider keyword, the SSH_SK_PROVIDER environment variable, and ssh-keygen's new -w and -x options. Copy the ssh-sk-helper man page from ssh-pkcs11-helper with minimal substitutions. ok djm@ OpenBSD-Commit-ID: ef2e8f83d0c0ce11ad9b8c28945747e5ca337ac4 --- ssh_config.5 | 31 +++++++++++++++++++++++-------- 1 file changed, 23 insertions(+), 8 deletions(-) (limited to 'ssh_config.5') diff --git a/ssh_config.5 b/ssh_config.5 index 02a87892d..ad016470c 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.304 2019/09/13 04:52:34 djm Exp $ -.Dd $Mdocdate: September 13 2019 $ +.\" $OpenBSD: ssh_config.5,v 1.305 2019/11/07 08:38:38 naddy Exp $ +.Dd $Mdocdate: November 7 2019 $ .Dt SSH_CONFIG 5 .Os .Sh NAME @@ -381,7 +381,9 @@ flag to via .Xr ssh-agent 1 , or via a -.Cm PKCS11Provider . +.Cm PKCS11Provider +or +.Cm SecurityKeyProvider . .Pp Arguments to .Cm CertificateFile @@ -808,7 +810,8 @@ ecdsa-sha2-nistp256-cert-v01@openssh.com, ecdsa-sha2-nistp384-cert-v01@openssh.com, ecdsa-sha2-nistp521-cert-v01@openssh.com, ssh-ed25519-cert-v01@openssh.com, -rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com, +rsa-sha2-512-cert-v01@openssh.com, +rsa-sha2-256-cert-v01@openssh.com, ssh-rsa-cert-v01@openssh.com, ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa 
@@ -840,7 +843,8 @@ ecdsa-sha2-nistp256-cert-v01@openssh.com, ecdsa-sha2-nistp384-cert-v01@openssh.com, ecdsa-sha2-nistp521-cert-v01@openssh.com, ssh-ed25519-cert-v01@openssh.com, -rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com, +rsa-sha2-512-cert-v01@openssh.com, +rsa-sha2-256-cert-v01@openssh.com, ssh-rsa-cert-v01@openssh.com, ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa @@ -883,6 +887,8 @@ even if .Xr ssh-agent 1 or a .Cm PKCS11Provider +or +.Cm SecurityKeyProvider offers more identities. The argument to this keyword must be .Cm yes @@ -919,11 +925,12 @@ or the tokens described in the .Sx TOKENS section. .It Cm IdentityFile -Specifies a file from which the user's DSA, ECDSA, Ed25519 or RSA authentication -identity is read. +Specifies a file from which the user's DSA, ECDSA, security key-hosted ECDSA, +Ed25519 or RSA authentication identity is read. The default is .Pa ~/.ssh/id_dsa , .Pa ~/.ssh/id_ecdsa , +.Pa ~/.ssh/id_ecdsa_sk , .Pa ~/.ssh/id_ed25519 and .Pa ~/.ssh/id_rsa . @@ -1315,12 +1322,15 @@ character, then the specified key types will be placed at the head of the default set. The default for this option is: .Bd -literal -offset 3n +sk-ecdsa-sha2-nistp256-cert-v01@openssh.com, ecdsa-sha2-nistp256-cert-v01@openssh.com, ecdsa-sha2-nistp384-cert-v01@openssh.com, ecdsa-sha2-nistp521-cert-v01@openssh.com, ssh-ed25519-cert-v01@openssh.com, -rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com, +rsa-sha2-512-cert-v01@openssh.com, +rsa-sha2-256-cert-v01@openssh.com, ssh-rsa-cert-v01@openssh.com, +sk-ecdsa-sha2-nistp256@openssh.com, ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa .Ed 
@@ -1437,6 +1447,11 @@ an OpenSSH Key Revocation List (KRL) as generated by .Xr ssh-keygen 1 . For more information on KRLs, see the KEY REVOCATION LISTS section in .Xr ssh-keygen 1 . +.It Cm SecurityKeyProvider +Specifies a path to a security key provider library that will be used when +loading any security key-hosted keys, overriding the default of using the +.Ev SSH_SK_PROVIDER +environment variable to specify a provider. .It Cm SendEnv Specifies what variables from the local .Xr environ 7 -- cgit v1.2.3
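Review bot: The sk-ecdsa key types are added only to the default list in the @@ -1315 hunk; the two default lists in the @@ -808 and @@ -840 hunks get the rsa-sha2 line split and nothing else. If security key types are deliberately not part of those two defaults, say so in the commit message, since it promises to "Mention the new key types"; otherwise add sk-ecdsa-sha2-nistp256-cert-v01@openssh.com and sk-ecdsa-sha2-nistp256@openssh.com there as well so the three lists stay in step.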
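Review bot: In the IdentityFile hunk (@@ -919) the phrase "security key-hosted ECDSA" parses ambiguously inside a comma list, reading as "security" followed by "key-hosted ECDSA". Suggest "ECDSA hosted on a security key" or a fully hyphenated "security-key-hosted ECDSA", and the same for "security key-hosted keys" in the SecurityKeyProvider text at @@ -1437. The sentence just after the default list in this entry may also need a look: the visible context ends at ~/.ssh/id_rsa, so confirm nothing there enumerates key types without the new one.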
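Review bot: The new SecurityKeyProvider entry (@@ -1437) does not say what happens when neither the keyword nor SSH_SK_PROVIDER is set, and it documents a path to a library that gets loaded without saying whether the argument accepts the tilde syntax or the TOKENS expansions that other path arguments in this page refer to. Please add one sentence for the unset case and one on argument syntax, and consider a cross-reference to the ssh-sk-helper page that the commit message says is being added, so readers can find where the provider library is actually used.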