=================================================================== RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/ssh/ssh-keygen.1,v retrieving revision 1.182 retrieving revision 1.183 diff -u -r1.182 -r1.183 --- src/usr.bin/ssh/ssh-keygen.1 2019/12/27 08:28:44 1.182 +++ src/usr.bin/ssh/ssh-keygen.1 2019/12/30 03:28:41 1.183 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-keygen.1,v 1.182 2019/12/27 08:28:44 jmc Exp $ +.\" $OpenBSD: ssh-keygen.1,v 1.183 2019/12/30 03:28:41 djm Exp $ .\" .\" Author: Tatu Ylonen .\" Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -35,7 +35,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: December 27 2019 $ +.Dd $Mdocdate: December 30 2019 $ .Dt SSH-KEYGEN 1 .Os .Sh NAME 
@@ -458,97 +458,10 @@ section for details. .It Fl O Ar option Specify a certificate option when signing a key. -This option may be specified multiple times. -See also the +See the .Sx CERTIFICATES -section for further details. -.Pp -At present, no standard options are valid for host keys. -The options that are valid for user certificates are: -.Pp -.Bl -tag -width Ds -compact -.It Ic clear -Clear all enabled permissions. -This is useful for clearing the default set of permissions so permissions may -be added individually. -.Pp -.It Ic critical : Ns Ar name Ns Op Ns = Ns Ar contents -.It Ic extension : Ns Ar name Ns Op Ns = Ns Ar contents -Includes an arbitrary certificate critical option or extension. -The specified -.Ar name -should include a domain suffix, e.g.\& -.Dq name@example.com . -If -.Ar contents -is specified then it is included as the contents of the extension/option -encoded as a string, otherwise the extension/option is created with no -contents (usually indicating a flag). -Extensions may be ignored by a client or server that does not recognise them, -whereas unknown critical options will cause the certificate to be refused. -.Pp -.It Ic force-command Ns = Ns Ar command -Forces the execution of -.Ar command -instead of any shell or command specified by the user when -the certificate is used for authentication. -.Pp -.It Ic no-agent-forwarding -Disable -.Xr ssh-agent 1 -forwarding (permitted by default). -.Pp -.It Ic no-port-forwarding -Disable port forwarding (permitted by default). -.Pp -.It Ic no-pty -Disable PTY allocation (permitted by default). -.Pp -.It Ic no-user-rc -Disable execution of -.Pa ~/.ssh/rc -by -.Xr sshd 8 -(permitted by default). -.Pp -.It Ic no-x11-forwarding -Disable X11 forwarding (permitted by default). -.Pp -.It Ic permit-agent-forwarding -Allows -.Xr ssh-agent 1 -forwarding. -.Pp -.It Ic permit-port-forwarding -Allows port forwarding. -.Pp -.It Ic permit-pty -Allows PTY allocation. 
-.Pp -.It Ic permit-user-rc -Allows execution of -.Pa ~/.ssh/rc -by -.Xr sshd 8 . -.Pp -.It Ic permit-X11-forwarding -Allows X11 forwarding. -.Pp -.It Ic no-touch-required -Do not require signatures made using this key require demonstration -of user presence (e.g. by having the user touch the key). -This option only makes sense for the FIDO authenticator algorithms -.Cm ecdsa-sk -and -.Cm ed25519-sk . -.Pp -.It Ic source-address Ns = Ns Ar address_list -Restrict the source addresses from which the certificate is considered valid. -The -.Ar address_list -is a comma-separated list of one or more address/netmask pairs in CIDR -format. -.El +section for a list of available certificate options. +This option may be specified multiple times. .It Fl P Ar passphrase Provides the (old) passphrase. .It Fl p 
@@ -899,9 +812,94 @@ A certificate option may disable features of the SSH session, may be valid only when presented from particular source addresses or may force the use of a specific command. -For a list of valid certificate options, see the documentation for the -.Fl O -option above. +.Pp +The options that are valid for user certificates are: +.Pp +.Bl -tag -width Ds -compact +.It Ic clear +Clear all enabled permissions. +This is useful for clearing the default set of permissions so permissions may +be added individually. +.Pp +.It Ic critical : Ns Ar name Ns Op Ns = Ns Ar contents +.It Ic extension : Ns Ar name Ns Op Ns = Ns Ar contents +Includes an arbitrary certificate critical option or extension. +The specified +.Ar name +should include a domain suffix, e.g.\& +.Dq name@example.com . +If +.Ar contents +is specified then it is included as the contents of the extension/option +encoded as a string, otherwise the extension/option is created with no +contents (usually indicating a flag). +Extensions may be ignored by a client or server that does not recognise them, +whereas unknown critical options will cause the certificate to be refused. +.Pp +.It Ic force-command Ns = Ns Ar command +Forces the execution of +.Ar command +instead of any shell or command specified by the user when +the certificate is used for authentication. +.Pp +.It Ic no-agent-forwarding +Disable +.Xr ssh-agent 1 +forwarding (permitted by default). +.Pp +.It Ic no-port-forwarding +Disable port forwarding (permitted by default). +.Pp +.It Ic no-pty +Disable PTY allocation (permitted by default). +.Pp +.It Ic no-user-rc +Disable execution of +.Pa ~/.ssh/rc +by +.Xr sshd 8 +(permitted by default). +.Pp +.It Ic no-x11-forwarding +Disable X11 forwarding (permitted by default). +.Pp +.It Ic permit-agent-forwarding +Allows +.Xr ssh-agent 1 +forwarding. +.Pp +.It Ic permit-port-forwarding +Allows port forwarding. +.Pp +.It Ic permit-pty +Allows PTY allocation. 
+.Pp +.It Ic permit-user-rc +Allows execution of +.Pa ~/.ssh/rc +by +.Xr sshd 8 . +.Pp +.It Ic permit-X11-forwarding +Allows X11 forwarding. +.Pp +.It Ic no-touch-required +Do not require signatures made using this key require demonstration +of user presence (e.g. by having the user touch the key). +This option only makes sense for the Security Key algorithms +.Cm ecdsa-sk +and +.Cm ed25519-sk . +.Pp +.It Ic source-address Ns = Ns Ar address_list +Restrict the source addresses from which the certificate is considered valid. +The +.Ar address_list +is a comma-separated list of one or more address/netmask pairs in CIDR +format. +.El +.Pp +At present, no standard options are valid for host keys. .Pp Finally, certificates may be defined with a validity lifetime. The
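Review bot: In the `-O` hunk (@@ -458,97 +458,10 @@), the replacement text "See the .Sx CERTIFICATES section for a list of available certificate options. This option may be specified multiple times." loses a practical detail that the old inline list implied: because `clear` wipes the default permission set "so permissions may be added individually", the order of repeated `-O` arguments matters, and `-O clear` has to come before any `permit-*` option for the result to be a minimal certificate. Suggest adding one sentence here, e.g. "Options are applied in the order given; use clear before any permit-* option to build a certificate with only the listed permissions." The cross-reference itself is an improvement over duplicating the list in two places.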
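Review bot: In the CERTIFICATES hunk (@@ -899,9 +812,94 @@), the moved `no-touch-required` entry keeps a pre-existing grammar error: "Do not require signatures made using this key require demonstration of user presence" should read "Do not require signatures made using this key to demonstrate user presence (e.g. by having the user touch the key)." Two smaller points in the same hunk: the description text changed from "FIDO authenticator algorithms" to "Security Key algorithms" while being moved, which is a terminology change hidden inside what otherwise reads as a pure move (fine if intended, but the commit should say so and the rest of the page should use the same term); and `no-x11-forwarding` versus `permit-X11-forwarding` differ in capitalisation; if both spellings are what ssh-keygen actually accepts, leave them, otherwise normalise the documented names so a user cannot copy a form that is rejected.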