version 1.189, 2020/01/06 02:00:46 |
version 1.190, 2020/01/06 07:43:28 |
|
|
.Sx MODULI GENERATION |
.Sx MODULI GENERATION |
section may be specified. |
section may be specified. |
.Pp |
.Pp |
When generating a key that will be hosted on a FIDO authenticator, this |
When generating a key that will be hosted on a FIDO authenticator, |
flag may be used to specify key-specific options. |
this flag may be used to specify key-specific options. |
The FIDO authenticator options are supported at present are: |
Those supported at present are: |
.Pp |
.Bl -tag -width Ds |
.Cm application |
.It Cm application |
overrides the default FIDO application/origin string of |
Override the default FIDO application/origin string of |
.Dq ssh: . |
.Dq ssh: . |
This option may be useful when generating host or domain-specific resident |
This may be useful when generating host or domain-specific resident keys. |
keys. |
.It Cm device |
.Cm device |
Explicitly specify a |
explicitly specify a device to generate the key on, rather than accepting |
|
the authenticator middleware's automatic selection. |
|
.Xr fido 4 |
.Xr fido 4 |
device to use, rather than letting the token middleware select one. |
device to use, rather than letting the token middleware select one. |
.Cm no-touch-required |
.It Cm no-touch-required |
indicates that the generated private key should not require touch |
Indicate that the generated private key should not require touch |
events (user presence) when making signatures. |
events (user presence) when making signatures. |
Note that |
Note that |
.Xr sshd 8 |
.Xr sshd 8 |
will refuse such signatures by default, unless overridden via |
will refuse such signatures by default, unless overridden via |
an authorized_keys option. |
an authorized_keys option. |
.Pp |
.It Cm resident |
.Cm resident |
Indicate that the key should be stored on the FIDO authenticator itself. |
indicates that the key should be stored on the FIDO authenticator itself. |
|
Resident keys may be supported on FIDO2 tokens and typically require that |
Resident keys may be supported on FIDO2 tokens and typically require that |
a PIN be set on the token prior to generation. |
a PIN be set on the token prior to generation. |
Resident keys may be loaded off the token using |
Resident keys may be loaded off the token using |
.Xr ssh-add 1 . |
.Xr ssh-add 1 . |
.Cm user |
.It Cm user |
allows specification of a username to be associated with a resident key, |
A username to be associated with a resident key, |
overriding the empty default username. |
overriding the empty default username. |
Specifying a username may be useful when generating multiple resident keys |
Specifying a username may be useful when generating multiple resident keys |
for the same application name. |
for the same application name. |
|
.El |
.Pp |
.Pp |
The |
The |
.Fl O |
.Fl O |
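Review bot: In the new `.It Cm user` entry the description is a noun phrase ("A username to be associated with a resident key,") while every other item in the new list opens with an imperative ("Override", "Explicitly specify", "Indicate"); suggest "Specify a username to be associated with a resident key, overriding the empty default username." so the list reads consistently. Separately, the no-touch-required item still says sshd(8) refuses such signatures "unless overridden via an authorized_keys option" without naming that option. Since this is the one entry that disables the user-presence check on signatures, naming the option or pointing to the relevant part of sshd(8) would let readers find the server-side control that has to be set before such a key is accepted.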