=================================================================== RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/ssh/ssh-keygen.1,v retrieving revision 1.136 retrieving revision 1.137 diff -u -r1.136 -r1.137 --- src/usr.bin/ssh/ssh-keygen.1 2017/04/30 23:18:44 1.136 +++ src/usr.bin/ssh/ssh-keygen.1 2017/05/02 07:13:31 1.137 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-keygen.1,v 1.136 2017/04/30 23:18:44 djm Exp $ +.\" $OpenBSD: ssh-keygen.1,v 1.137 2017/05/02 07:13:31 jmc Exp $ .\" .\" Author: Tatu Ylonen .\" Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -35,7 +35,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: April 30 2017 $ +.Dd $Mdocdate: May 2 2017 $ .Dt SSH-KEYGEN 1 .Os .Sh NAME 
@@ -422,80 +422,87 @@ .It Fl O Ar option Specify a certificate option when signing a key. This option may be specified multiple times. -Please see the +See also the .Sx CERTIFICATES -section for details. +section for further details. +At present, no standard options are valid for host keys. The options that are valid for user certificates are: -.Bl -tag -width Ds +.Pp +.Bl -tag -width Ds -compact .It Ic clear Clear all enabled permissions. This is useful for clearing the default set of permissions so permissions may be added individually. +.Pp +.It Ic critical : Ns Ar name Ns Op Ns = Ns Ar contents +.It Ic extension : Ns Ar name Ns Op Ns = Ns Ar contents +Includes an arbitrary certificate critical option or extension. +The specified +.Ar name +should include a domain suffix, e.g.\& +.Dq name@example.com . +If +.Ar contents +is specified then it is included as the contents of the extension/option +encoded as a string, otherwise the extension/option is created with no +contents (usually indicating a flag). +Extensions may be ignored by a client or server that does not recognise them, +whereas unknown critical options will cause the certificate to be refused. +.Pp .It Ic force-command Ns = Ns Ar command Forces the execution of .Ar command instead of any shell or command specified by the user when the certificate is used for authentication. +.Pp .It Ic no-agent-forwarding Disable .Xr ssh-agent 1 forwarding (permitted by default). +.Pp .It Ic no-port-forwarding Disable port forwarding (permitted by default). +.Pp .It Ic no-pty Disable PTY allocation (permitted by default). +.Pp .It Ic no-user-rc Disable execution of .Pa ~/.ssh/rc by .Xr sshd 8 (permitted by default). +.Pp .It Ic no-x11-forwarding Disable X11 forwarding (permitted by default). +.Pp .It Ic permit-agent-forwarding Allows .Xr ssh-agent 1 forwarding. +.Pp .It Ic permit-port-forwarding Allows port forwarding. +.Pp .It Ic permit-pty Allows PTY allocation. 
+.Pp .It Ic permit-user-rc Allows execution of .Pa ~/.ssh/rc by .Xr sshd 8 . +.Pp .It Ic permit-x11-forwarding Allows X11 forwarding. +.Pp .It Ic source-address Ns = Ns Ar address_list Restrict the source addresses from which the certificate is considered valid. The .Ar address_list is a comma-separated list of one or more address/netmask pairs in CIDR format. -.It Ic extension : Ns Ar name Ns Op Ns = Ns Ar contents -Includes an arbitrary certificate extension. -.It Ic critical : Ns Ar name Ns Op Ns = Ns Ar contents -Includes an arbitrary certificate critical option. .El -.Pp -At present, no standard options are valid for host keys. -.Pp -For non-standard certificate extensions or options included using -.Ic extension -or -.Ic option , -the specified -.Ar name -should include a domain suffix, e.g.\& -.Dq name@example.com . -If -.Ar contents -is specified then it is included as the contents of the extension/option -encoded as a string, otherwise the extension/option is created with no -contents (usually indicating a flag). -Extensions may be ignored by a client or server that does not recognise them, -whereas unknown critical options will cause the certificate to be refused. .It Fl o Causes .Nm
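Review bot: the paragraph removed at the end of the hunk referred to options "included using .Ic extension or .Ic option", but the keyword is `critical`, not `option`; folding that text into the combined `.It Ic critical` / `.It Ic extension` entry silently fixes the wrong reference, so the commit message should say so rather than describe this as a pure reorganisation. The switch to `.Bl -tag -width Ds -compact` with an explicit `.Pp` before each `.It` is consistent throughout, and the `critical`/`extension` pair correctly share one description with no `.Pp` between them; keep that pattern for any later additions. One wording nit at the top of the hunk: "See also the .Sx CERTIFICATES section for further details" doubles up "also" and "further"; "See the .Sx CERTIFICATES section for further details" reads cleaner.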