| version 1.220, 2022/02/06 00:29:03 |
version 1.221, 2022/05/03 07:42:27 |
|
|
| each downloaded key. |
each downloaded key. |
| If multiple FIDO authenticators are attached, keys will be downloaded from |
If multiple FIDO authenticators are attached, keys will be downloaded from |
| the first touched authenticator. |
the first touched authenticator. |
| |
See the |
| |
.Sx FIDO AUTHENTICATOR |
| |
section for more information. |
| .It Fl k |
.It Fl k |
| Generate a KRL file. |
Generate a KRL file. |
| In this mode, |
In this mode, |
|
|
| .Sx MODULI GENERATION |
.Sx MODULI GENERATION |
| section may be specified. |
section may be specified. |
| .Pp |
.Pp |
| When generating a key that will be hosted on a FIDO authenticator, |
When generating FIDO authenticator-backed keys, the options listed in the |
| this flag may be used to specify key-specific options. |
.Sx FIDO AUTHENTICATOR |
| Those supported at present are: |
section may be specified. |
| .Bl -tag -width Ds |
|
| .It Cm application |
|
| Override the default FIDO application/origin string of |
|
| .Dq ssh: . |
|
| This may be useful when generating host or domain-specific resident keys. |
|
| The specified application string must begin with |
|
| .Dq ssh: . |
|
| .It Cm challenge Ns = Ns Ar path |
|
| Specifies a path to a challenge string that will be passed to the |
|
| FIDO token during key generation. |
|
| The challenge string may be used as part of an out-of-band |
|
| protocol for key enrollment |
|
| (a random challenge is used by default). |
|
| .It Cm device |
|
| Explicitly specify a |
|
| .Xr fido 4 |
|
| device to use, rather than letting the token middleware select one. |
|
| .It Cm no-touch-required |
|
| Indicate that the generated private key should not require touch |
|
| events (user presence) when making signatures. |
|
| Note that |
|
| .Xr sshd 8 |
|
| will refuse such signatures by default, unless overridden via |
|
| an authorized_keys option. |
|
| .It Cm resident |
|
| Indicate that the key should be stored on the FIDO authenticator itself. |
|
| Resident keys may be supported on FIDO2 tokens and typically require that |
|
| a PIN be set on the token prior to generation. |
|
| Resident keys may be loaded off the token using |
|
| .Xr ssh-add 1 . |
|
| .It Cm user |
|
| A username to be associated with a resident key, |
|
| overriding the empty default username. |
|
| Specifying a username may be useful when generating multiple resident keys |
|
| for the same application name. |
|
| .It Cm verify-required |
|
| Indicate that this private key should require user verification for |
|
| each signature. |
|
| Not all FIDO tokens support this option. |
|
| Currently PIN authentication is the only supported verification method, |
|
| but other methods may be supported in the future. |
|
| .It Cm write-attestation Ns = Ns Ar path |
|
| May be used at key generation time to record the attestation data |
|
| returned from FIDO tokens during key generation. |
|
| This information is potentially sensitive. |
|
| By default, this information is discarded. |
|
| .El |
|
| .Pp |
.Pp |
| When performing signature-related options using the |
When performing signature-related options using the |
| .Fl Y |
.Fl Y |
|
|
| or |
or |
| .Xr ssh 1 . |
.Xr ssh 1 . |
| Refer to those manual pages for details. |
Refer to those manual pages for details. |
| |
.Sh FIDO AUTHENTICATOR |
| |
.Nm |
| |
is able to to generate FIDO authenticator-backed keys, after which |
| |
they may be used much like any other key type supported by OpenSSH, so |
| |
long as the hardware authenticator is attached when the keys are used. |
| |
FIDO authenticators generally require the user to explicitly authorise |
| |
operations by touching or tapping them. |
| |
FIDO keys consist of two parts: a key handle part stored in the |
| |
private key file on disk, and a per-device private key that is unique |
| |
to each FIDO authenticator and that cannot be exported from the |
| |
authenticator hardware. |
| |
These are combined by the hardware at authentication time to derive |
| |
the real key that is used to sign authentication challenges. |
| |
Supported key types are |
| |
.Cm ecdsa-sk |
| |
and |
| |
.Cm ed25519-sk . |
| |
.Pp |
| |
The options that are valid for FIDO keys are: |
| |
.Bl -tag -width Ds |
| |
.It Cm application |
| |
Override the default FIDO application/origin string of |
| |
.Dq ssh: . |
| |
This may be useful when generating host or domain-specific resident keys. |
| |
The specified application string must begin with |
| |
.Dq ssh: . |
| |
.It Cm challenge Ns = Ns Ar path |
| |
Specifies a path to a challenge string that will be passed to the |
| |
FIDO authenticator during key generation. |
| |
The challenge string may be used as part of an out-of-band |
| |
protocol for key enrollment |
| |
(a random challenge is used by default). |
| |
.It Cm device |
| |
Explicitly specify a |
| |
.Xr fido 4 |
| |
device to use, rather than letting the authenticator middleware select one. |
| |
.It Cm no-touch-required |
| |
Indicate that the generated private key should not require touch |
| |
events (user presence) when making signatures. |
| |
Note that |
| |
.Xr sshd 8 |
| |
will refuse such signatures by default, unless overridden via |
| |
an authorized_keys option. |
| |
.It Cm resident |
| |
Indicate that the key handle should be stored on the FIDO |
| |
authenticator itself. |
| |
This makes it easier to use the authenticator on multiple computers. |
| |
Resident keys may be supported on FIDO2 authenticators and typically |
| |
require that a PIN be set on the authenticator prior to generation. |
| |
Resident keys may be loaded off the authenticator using |
| |
.Xr ssh-add 1 . |
| |
Storing both parts of a key on a FIDO authenticator increases the likelihood |
| |
of an attacker being able to use a stolen authenticator device. |
| |
.It Cm user |
| |
A username to be associated with a resident key, |
| |
overriding the empty default username. |
| |
Specifying a username may be useful when generating multiple resident keys |
| |
for the same application name. |
| |
.It Cm verify-required |
| |
Indicate that this private key should require user verification for |
| |
each signature. |
| |
Not all FIDO authenticators support this option. |
| |
Currently PIN authentication is the only supported verification method, |
| |
but other methods may be supported in the future. |
| |
.It Cm write-attestation Ns = Ns Ar path |
| |
May be used at key generation time to record the attestation data |
| |
returned from FIDO authenticators during key generation. |
| |
This information is potentially sensitive. |
| |
By default, this information is discarded. |
| |
.El |
| .Sh KEY REVOCATION LISTS |
.Sh KEY REVOCATION LISTS |
| .Nm |
.Nm |
| is able to manage OpenSSH format Key Revocation Lists (KRLs). |
is able to manage OpenSSH format Key Revocation Lists (KRLs). |
![[BACK]](/icons/back.gif){kind=icon}
Return to ssh-keygen.1 CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / src / usr.bin / ssh