| version 1.92, 2010/03/13 23:38:13 |
version 1.93, 2010/04/16 01:47:26 |
|
|
| .Fl I Ar certificate_identity |
.Fl I Ar certificate_identity |
| .Op Fl h |
.Op Fl h |
| .Op Fl n Ar principals |
.Op Fl n Ar principals |
| .Op Fl O Ar constraint |
.Op Fl O Ar option |
| .Op Fl V Ar validity_interval |
.Op Fl V Ar validity_interval |
| |
.Op Fl z Ar serial_number |
| .Ar |
.Ar |
| .Nm ssh-keygen |
.Nm ssh-keygen |
| .Fl L |
.Fl L |
|
|
| Please see the |
Please see the |
| .Sx CERTIFICATES |
.Sx CERTIFICATES |
| section for details. |
section for details. |
| .It Fl O Ar constraint |
.It Fl O Ar option |
| Specify a certificate constraint when signing a key. |
Specify a certificate option when signing a key. |
| This option may be specified multiple times. |
This option may be specified multiple times. |
| Please see the |
Please see the |
| .Sx CERTIFICATES |
.Sx CERTIFICATES |
| section for details. |
section for details. |
| The constraints that are valid for user certificates are: |
The options that are valid for user certificates are: |
| .Bl -tag -width Ds |
.Bl -tag -width Ds |
| .It Ic clear |
.It Ic clear |
| Clear all enabled permissions. |
Clear all enabled permissions. |
|
|
| format. |
format. |
| .El |
.El |
| .Pp |
.Pp |
| At present, no constraints are valid for host keys. |
At present, no options are valid for host keys. |
| .It Fl P Ar passphrase |
.It Fl P Ar passphrase |
| Provides the (old) passphrase. |
Provides the (old) passphrase. |
| .It Fl p |
.It Fl p |
|
|
| .It Fl y |
.It Fl y |
| This option will read a private |
This option will read a private |
| OpenSSH format file and print an OpenSSH public key to stdout. |
OpenSSH format file and print an OpenSSH public key to stdout. |
| |
.It Fl z Ar serial_number |
| |
Specifies a serial number to be embedded in the certificate to distinguish |
| |
this certificate from others from the same CA. |
| |
The default serial number is zero. |
| .El |
.El |
| .Sh MODULI GENERATION |
.Sh MODULI GENERATION |
| .Nm |
.Nm |
|
|
| supports signing of keys to produce certificates that may be used for |
supports signing of keys to produce certificates that may be used for |
| user or host authentication. |
user or host authentication. |
| Certificates consist of a public key, some identity information, zero or |
Certificates consist of a public key, some identity information, zero or |
| more principal (user or host) names and an optional set of constraints that |
more principal (user or host) names and an optional set of options that |
| are signed by a Certification Authority (CA) key. |
are signed by a Certification Authority (CA) key. |
| Clients or servers may then trust only the CA key and verify its signature |
Clients or servers may then trust only the CA key and verify its signature |
| on a certificate rather than trusting many user/host keys. |
on a certificate rather than trusting many user/host keys. |
|
|
| .Dl "$ ssh-keygen -s ca_key -I key_id -h -n host.domain user_key.pub" |
.Dl "$ ssh-keygen -s ca_key -I key_id -h -n host.domain user_key.pub" |
| .Pp |
.Pp |
| Additional limitations on the validity and use of user certificates may |
Additional limitations on the validity and use of user certificates may |
| be specified through certificate constraints. |
be specified through certificate options.. |
| A constrained certificate may disable features of the SSH session, may be |
A certificate option may disable features of the SSH session, may be |
| valid only when presented from particular source addresses or may |
valid only when presented from particular source addresses or may |
| force the use of a specific command. |
force the use of a specific command. |
| For a list of valid certificate constraints, see the documentation for the |
For a list of valid certificate options, see the documentation for the |
| .Fl O |
.Fl O |
| option above. |
option above. |
| .Pp |
.Pp |
![[BACK]](/icons/back.gif){kind=icon}
Return to ssh-keygen.1 CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / src / usr.bin / ssh