version 1.136, 2017/04/30 23:18:44 |
version 1.137, 2017/05/02 07:13:31 |
|
|
.It Fl O Ar option |
.It Fl O Ar option |
Specify a certificate option when signing a key. |
Specify a certificate option when signing a key. |
This option may be specified multiple times. |
This option may be specified multiple times. |
Please see the |
See also the |
.Sx CERTIFICATES |
.Sx CERTIFICATES |
section for details. |
section for further details. |
|
At present, no standard options are valid for host keys. |
The options that are valid for user certificates are: |
The options that are valid for user certificates are: |
.Bl -tag -width Ds |
.Pp |
|
.Bl -tag -width Ds -compact |
.It Ic clear |
.It Ic clear |
Clear all enabled permissions. |
Clear all enabled permissions. |
This is useful for clearing the default set of permissions so permissions may |
This is useful for clearing the default set of permissions so permissions may |
be added individually. |
be added individually. |
|
.Pp |
|
.It Ic critical : Ns Ar name Ns Op Ns = Ns Ar contents |
|
.It Ic extension : Ns Ar name Ns Op Ns = Ns Ar contents |
|
Includes an arbitrary certificate critical option or extension. |
|
The specified |
|
.Ar name |
|
should include a domain suffix, e.g.\& |
|
.Dq name@example.com . |
|
If |
|
.Ar contents |
|
is specified then it is included as the contents of the extension/option |
|
encoded as a string, otherwise the extension/option is created with no |
|
contents (usually indicating a flag). |
|
Extensions may be ignored by a client or server that does not recognise them, |
|
whereas unknown critical options will cause the certificate to be refused. |
|
.Pp |
.It Ic force-command Ns = Ns Ar command |
.It Ic force-command Ns = Ns Ar command |
Forces the execution of |
Forces the execution of |
.Ar command |
.Ar command |
instead of any shell or command specified by the user when |
instead of any shell or command specified by the user when |
the certificate is used for authentication. |
the certificate is used for authentication. |
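Review bot: The merged critical:/extension: entry separates the two keywords only in its last sentence, and that sentence is what matters when signing: an extension may be ignored by a peer that does not recognise it, while an unknown critical option causes the certificate to be refused. The opening line "Includes an arbitrary certificate critical option or extension." should say which keyword produces which, so a reader skimming the two .It tags does not choose extension: for a restriction that has to be enforced.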
|
.Pp |
.It Ic no-agent-forwarding |
.It Ic no-agent-forwarding |
Disable |
Disable |
.Xr ssh-agent 1 |
.Xr ssh-agent 1 |
forwarding (permitted by default). |
forwarding (permitted by default). |
|
.Pp |
.It Ic no-port-forwarding |
.It Ic no-port-forwarding |
Disable port forwarding (permitted by default). |
Disable port forwarding (permitted by default). |
|
.Pp |
.It Ic no-pty |
.It Ic no-pty |
Disable PTY allocation (permitted by default). |
Disable PTY allocation (permitted by default). |
|
.Pp |
.It Ic no-user-rc |
.It Ic no-user-rc |
Disable execution of |
Disable execution of |
.Pa ~/.ssh/rc |
.Pa ~/.ssh/rc |
by |
by |
.Xr sshd 8 |
.Xr sshd 8 |
(permitted by default). |
(permitted by default). |
|
.Pp |
.It Ic no-x11-forwarding |
.It Ic no-x11-forwarding |
Disable X11 forwarding (permitted by default). |
Disable X11 forwarding (permitted by default). |
|
.Pp |
.It Ic permit-agent-forwarding |
.It Ic permit-agent-forwarding |
Allows |
Allows |
.Xr ssh-agent 1 |
.Xr ssh-agent 1 |
forwarding. |
forwarding. |
|
.Pp |
.It Ic permit-port-forwarding |
.It Ic permit-port-forwarding |
Allows port forwarding. |
Allows port forwarding. |
|
.Pp |
.It Ic permit-pty |
.It Ic permit-pty |
Allows PTY allocation. |
Allows PTY allocation. |
|
.Pp |
.It Ic permit-user-rc |
.It Ic permit-user-rc |
Allows execution of |
Allows execution of |
.Pa ~/.ssh/rc |
.Pa ~/.ssh/rc |
by |
by |
.Xr sshd 8 . |
.Xr sshd 8 . |
|
.Pp |
.It Ic permit-x11-forwarding |
.It Ic permit-x11-forwarding |
Allows X11 forwarding. |
Allows X11 forwarding. |
|
.Pp |
.It Ic source-address Ns = Ns Ar address_list |
.It Ic source-address Ns = Ns Ar address_list |
Restrict the source addresses from which the certificate is considered valid. |
Restrict the source addresses from which the certificate is considered valid. |
The |
The |
.Ar address_list |
.Ar address_list |
is a comma-separated list of one or more address/netmask pairs in CIDR |
is a comma-separated list of one or more address/netmask pairs in CIDR |
format. |
format. |
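Review bot: Switching the list to ".Bl -tag -width Ds -compact" and then putting .Pp ahead of every .It restores the old spacing by hand, apparently so that only the critical: and extension: tags stack under one description. That is easy to break: an option added later without its leading .Pp will run straight on from the previous entry's text. A roff comment line beside the .Bl request explaining the convention would help whoever edits this list next.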
.It Ic extension : Ns Ar name Ns Op Ns = Ns Ar contents |
|
Includes an arbitrary certificate extension. |
|
.It Ic critical : Ns Ar name Ns Op Ns = Ns Ar contents |
|
Includes an arbitrary certificate critical option. |
|
.El |
.El |
.Pp |
|
At present, no standard options are valid for host keys. |
|
.Pp |
|
For non-standard certificate extensions or options included using |
|
.Ic extension |
|
or |
|
.Ic option , |
|
the specified |
|
.Ar name |
|
should include a domain suffix, e.g.\& |
|
.Dq name@example.com . |
|
If |
|
.Ar contents |
|
is specified then it is included as the contents of the extension/option |
|
encoded as a string, otherwise the extension/option is created with no |
|
contents (usually indicating a flag). |
|
Extensions may be ignored by a client or server that does not recognise them, |
|
whereas unknown critical options will cause the certificate to be refused. |
|
.It Fl o |
.It Fl o |
Causes |
Causes |
.Nm |
.Nm |
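Review bot: Dropping the paragraph that followed .El loses the only place that called critical:/extension: entries "non-standard" and kept them apart from the host-key sentence. With "At present, no standard options are valid for host keys." now directly above "The options that are valid for user certificates are:", the list reads as user-certificate-only, so it is no longer clear whether a custom critical option or extension may be added when signing a host key. A short clause in the merged entry stating this either way would settle it. The removed wording ".Ic option ," did not match the critical keyword, so leaving it out is right.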