| version 1.136, 2017/04/30 23:18:44 |
version 1.137, 2017/05/02 07:13:31 |
|
|
| .It Fl O Ar option |
.It Fl O Ar option |
| Specify a certificate option when signing a key. |
Specify a certificate option when signing a key. |
| This option may be specified multiple times. |
This option may be specified multiple times. |
| Please see the |
See also the |
| .Sx CERTIFICATES |
.Sx CERTIFICATES |
| section for details. |
section for further details. |
| |
At present, no standard options are valid for host keys. |
| The options that are valid for user certificates are: |
The options that are valid for user certificates are: |
| .Bl -tag -width Ds |
.Pp |
| |
.Bl -tag -width Ds -compact |
| .It Ic clear |
.It Ic clear |
| Clear all enabled permissions. |
Clear all enabled permissions. |
| This is useful for clearing the default set of permissions so permissions may |
This is useful for clearing the default set of permissions so permissions may |
| be added individually. |
be added individually. |
| |
.Pp |
| |
.It Ic critical : Ns Ar name Ns Op Ns = Ns Ar contents |
| |
.It Ic extension : Ns Ar name Ns Op Ns = Ns Ar contents |
| |
Includes an arbitrary certificate critical option or extension. |
| |
The specified |
| |
.Ar name |
| |
should include a domain suffix, e.g.\& |
| |
.Dq name@example.com . |
| |
If |
| |
.Ar contents |
| |
is specified then it is included as the contents of the extension/option |
| |
encoded as a string, otherwise the extension/option is created with no |
| |
contents (usually indicating a flag). |
| |
Extensions may be ignored by a client or server that does not recognise them, |
| |
whereas unknown critical options will cause the certificate to be refused. |
| |
.Pp |
| .It Ic force-command Ns = Ns Ar command |
.It Ic force-command Ns = Ns Ar command |
| Forces the execution of |
Forces the execution of |
| .Ar command |
.Ar command |
| instead of any shell or command specified by the user when |
instead of any shell or command specified by the user when |
| the certificate is used for authentication. |
the certificate is used for authentication. |
| |
.Pp |
| .It Ic no-agent-forwarding |
.It Ic no-agent-forwarding |
| Disable |
Disable |
| .Xr ssh-agent 1 |
.Xr ssh-agent 1 |
| forwarding (permitted by default). |
forwarding (permitted by default). |
| |
.Pp |
| .It Ic no-port-forwarding |
.It Ic no-port-forwarding |
| Disable port forwarding (permitted by default). |
Disable port forwarding (permitted by default). |
| |
.Pp |
| .It Ic no-pty |
.It Ic no-pty |
| Disable PTY allocation (permitted by default). |
Disable PTY allocation (permitted by default). |
| |
.Pp |
| .It Ic no-user-rc |
.It Ic no-user-rc |
| Disable execution of |
Disable execution of |
| .Pa ~/.ssh/rc |
.Pa ~/.ssh/rc |
| by |
by |
| .Xr sshd 8 |
.Xr sshd 8 |
| (permitted by default). |
(permitted by default). |
| |
.Pp |
| .It Ic no-x11-forwarding |
.It Ic no-x11-forwarding |
| Disable X11 forwarding (permitted by default). |
Disable X11 forwarding (permitted by default). |
| |
.Pp |
| .It Ic permit-agent-forwarding |
.It Ic permit-agent-forwarding |
| Allows |
Allows |
| .Xr ssh-agent 1 |
.Xr ssh-agent 1 |
| forwarding. |
forwarding. |
| |
.Pp |
| .It Ic permit-port-forwarding |
.It Ic permit-port-forwarding |
| Allows port forwarding. |
Allows port forwarding. |
| |
.Pp |
| .It Ic permit-pty |
.It Ic permit-pty |
| Allows PTY allocation. |
Allows PTY allocation. |
| |
.Pp |
| .It Ic permit-user-rc |
.It Ic permit-user-rc |
| Allows execution of |
Allows execution of |
| .Pa ~/.ssh/rc |
.Pa ~/.ssh/rc |
| by |
by |
| .Xr sshd 8 . |
.Xr sshd 8 . |
| |
.Pp |
| .It Ic permit-x11-forwarding |
.It Ic permit-x11-forwarding |
| Allows X11 forwarding. |
Allows X11 forwarding. |
| |
.Pp |
| .It Ic source-address Ns = Ns Ar address_list |
.It Ic source-address Ns = Ns Ar address_list |
| Restrict the source addresses from which the certificate is considered valid. |
Restrict the source addresses from which the certificate is considered valid. |
| The |
The |
| .Ar address_list |
.Ar address_list |
| is a comma-separated list of one or more address/netmask pairs in CIDR |
is a comma-separated list of one or more address/netmask pairs in CIDR |
| format. |
format. |
| .It Ic extension : Ns Ar name Ns Op Ns = Ns Ar contents |
|
| Includes an arbitrary certificate extension. |
|
| .It Ic critical : Ns Ar name Ns Op Ns = Ns Ar contents |
|
| Includes an arbitrary certificate critical option. |
|
| .El |
.El |
| .Pp |
|
| At present, no standard options are valid for host keys. |
|
| .Pp |
|
| For non-standard certificate extensions or options included using |
|
| .Ic extension |
|
| or |
|
| .Ic option , |
|
| the specified |
|
| .Ar name |
|
| should include a domain suffix, e.g.\& |
|
| .Dq name@example.com . |
|
| If |
|
| .Ar contents |
|
| is specified then it is included as the contents of the extension/option |
|
| encoded as a string, otherwise the extension/option is created with no |
|
| contents (usually indicating a flag). |
|
| Extensions may be ignored by a client or server that does not recognise them, |
|
| whereas unknown critical options will cause the certificate to be refused. |
|
| .It Fl o |
.It Fl o |
| Causes |
Causes |
| .Nm |
.Nm |
![[BACK]](/icons/back.gif){kind=icon}
Return to ssh-keygen.1 CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / src / usr.bin / ssh