version 1.92, 2010/03/13 23:38:13
version 1.93, 2010/04/16 01:47:26
|
|
.Fl I Ar certificate_identity |
.Fl I Ar certificate_identity |
.Op Fl h |
.Op Fl h |
.Op Fl n Ar principals |
.Op Fl n Ar principals |
.Op Fl O Ar constraint |
.Op Fl O Ar option |
.Op Fl V Ar validity_interval |
.Op Fl V Ar validity_interval |
|
.Op Fl z Ar serial_number |
.Ar |
.Ar |
.Nm ssh-keygen |
.Nm ssh-keygen |
.Fl L |
.Fl L |
|
|
Please see the |
Please see the |
.Sx CERTIFICATES |
.Sx CERTIFICATES |
section for details. |
section for details. |
.It Fl O Ar constraint |
.It Fl O Ar option |
Specify a certificate constraint when signing a key. |
Specify a certificate option when signing a key. |
This option may be specified multiple times. |
This option may be specified multiple times. |
Please see the |
Please see the |
.Sx CERTIFICATES |
.Sx CERTIFICATES |
section for details. |
section for details. |
The constraints that are valid for user certificates are: |
The options that are valid for user certificates are: |
.Bl -tag -width Ds |
.Bl -tag -width Ds |
.It Ic clear |
.It Ic clear |
Clear all enabled permissions. |
Clear all enabled permissions. |
|
|
format. |
format. |
.El |
.El |
.Pp |
.Pp |
At present, no constraints are valid for host keys. |
At present, no options are valid for host keys. |
.It Fl P Ar passphrase |
.It Fl P Ar passphrase |
Provides the (old) passphrase. |
Provides the (old) passphrase. |
.It Fl p |
.It Fl p |
|
|
.It Fl y |
.It Fl y |
This option will read a private |
This option will read a private |
OpenSSH format file and print an OpenSSH public key to stdout. |
OpenSSH format file and print an OpenSSH public key to stdout. |
|
.It Fl z Ar serial_number |
|
Specifies a serial number to be embedded in the certificate to distinguish |
|
this certificate from others from the same CA. |
|
The default serial number is zero. |
.El |
.El |
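Review bot: the new `-z` entry (`.It Fl z Ar serial_number` through `The default serial number is zero.`) never says that it only has an effect when signing a certificate, unlike the `-O` entry just above it, which sends the reader to the CERTIFICATES section; add the same `Please see the .Sx CERTIFICATES section for details.` cross-reference so the flag is not read as applying to ordinary key generation. The stated purpose of the field is to distinguish certificates issued by the same CA, so the text should also spell out the consequence of the zero default: every certificate signed without `-z` carries the same serial number and cannot be told apart by it.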
.Sh MODULI GENERATION |
.Sh MODULI GENERATION |
.Nm |
.Nm |
|
|
supports signing of keys to produce certificates that may be used for |
supports signing of keys to produce certificates that may be used for |
user or host authentication. |
user or host authentication. |
Certificates consist of a public key, some identity information, zero or |
Certificates consist of a public key, some identity information, zero or |
more principal (user or host) names and an optional set of constraints that |
more principal (user or host) names and an optional set of options that |
are signed by a Certification Authority (CA) key. |
are signed by a Certification Authority (CA) key. |
Clients or servers may then trust only the CA key and verify its signature |
Clients or servers may then trust only the CA key and verify its signature |
on a certificate rather than trusting many user/host keys. |
on a certificate rather than trusting many user/host keys. |
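Review bot: after the rename, the sentence `Certificates consist of a public key, some identity information, zero or more principal (user or host) names and an optional set of options that are signed by a Certification Authority (CA) key.` now reads `an optional set of options`, and `that are signed` attaches only to the options. Suggest `zero or more principal (user or host) names and, optionally, a set of options, all signed by a Certification Authority (CA) key.`, which drops the repetition and states that the CA signature covers the whole certificate rather than the options alone.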
|
|
.Dl "$ ssh-keygen -s ca_key -I key_id -h -n host.domain user_key.pub" |
.Dl "$ ssh-keygen -s ca_key -I key_id -h -n host.domain user_key.pub" |
.Pp |
.Pp |
Additional limitations on the validity and use of user certificates may |
Additional limitations on the validity and use of user certificates may |
be specified through certificate constraints. |
be specified through certificate options.. |
A constrained certificate may disable features of the SSH session, may be |
A certificate option may disable features of the SSH session, may be |
valid only when presented from particular source addresses or may |
valid only when presented from particular source addresses or may |
force the use of a specific command. |
force the use of a specific command. |
For a list of valid certificate constraints, see the documentation for the |
For a list of valid certificate options, see the documentation for the |
.Fl O |
.Fl O |
option above. |
option above. |
.Pp |
.Pp |
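Review bot: the replacement line `be specified through certificate options..` has a doubled period, and the following replacement `A certificate option may disable features of the SSH session, may be valid only when presented from particular source addresses or may force the use of a specific command.` no longer parses, since an option is not itself `valid only when presented from particular source addresses`; the certificate is. Keep the certificate as the subject, e.g. `A certificate carrying options may disable features of the SSH session, may be valid only when presented from particular source addresses or may force the use of a specific command.` Separately, the unchanged example `$ ssh-keygen -s ca_key -I key_id -h -n host.domain user_key.pub` uses `-h` (host certificate) and a host principal but signs a file named `user_key.pub`; `host_key.pub` would match what the command does.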