=================================================================== RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/ssh/ssh-keygen.1,v retrieving revision 1.92 retrieving revision 1.93 diff -u -r1.92 -r1.93 --- src/usr.bin/ssh/ssh-keygen.1 2010/03/13 23:38:13 1.92 +++ src/usr.bin/ssh/ssh-keygen.1 2010/04/16 01:47:26 1.93 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-keygen.1,v 1.92 2010/03/13 23:38:13 jmc Exp $ +.\" $OpenBSD: ssh-keygen.1,v 1.93 2010/04/16 01:47:26 djm Exp $ .\" .\" -*- nroff -*- .\" @@ -37,7 +37,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: March 13 2010 $ +.Dd $Mdocdate: April 16 2010 $ .Dt SSH-KEYGEN 1 .Os .Sh NAME @@ -110,8 +110,9 @@ .Fl I Ar certificate_identity .Op Fl h .Op Fl n Ar principals -.Op Fl O Ar constraint +.Op Fl O Ar option .Op Fl V Ar validity_interval +.Op Fl z Ar serial_number .Ar .Nm ssh-keygen .Fl L @@ -299,13 +300,13 @@ Please see the .Sx CERTIFICATES section for details. -.It Fl O Ar constraint -Specify a certificate constraint when signing a key. +.It Fl O Ar option +Specify a certificate option when signing a key. This option may be specified multiple times. Please see the .Sx CERTIFICATES section for details. -The constraints that are valid for user certificates are: +The options that are valid for user certificates are: .Bl -tag -width Ds .It Ic clear Clear all enabled permissions. @@ -355,7 +356,7 @@ format. .El .Pp -At present, no constraints are valid for host keys. +At present, no options are valid for host keys. .It Fl P Ar passphrase Provides the (old) passphrase. .It Fl p 
@@ -441,6 +442,10 @@ .It Fl y This option will read a private OpenSSH format file and print an OpenSSH public key to stdout. +.It Fl z Ar serial_number +Specifies a serial number to be embedded in the certificate to distinguish +this certificate from others from the same CA. +The default serial number is zero. .El .Sh MODULI GENERATION .Nm @@ -501,7 +506,7 @@ supports signing of keys to produce certificates that may be used for user or host authentication. Certificates consist of a public key, some identity information, zero or -more principal (user or host) names and an optional set of constraints that +more principal (user or host) names and an optional set of options that are signed by a Certification Authority (CA) key. Clients or servers may then trust only the CA key and verify its signature on a certificate rather than trusting many user/host keys. @@ -541,11 +546,11 @@ .Dl "$ ssh-keygen -s ca_key -I key_id -h -n host.domain user_key.pub" .Pp Additional limitations on the validity and use of user certificates may -be specified through certificate constraints. -A constrained certificate may disable features of the SSH session, may be +be specified through certificate options.. +A certificate option may disable features of the SSH session, may be valid only when presented from particular source addresses or may force the use of a specific command. -For a list of valid certificate constraints, see the documentation for the +For a list of valid certificate options, see the documentation for the .Fl O option above. .Pp
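Review bot: In the -O description (hunk @@ -299,13 +300,13 @@), the rename from "constraint" to "option" leaves the word carrying two meanings in adjacent sentences. The new "Specify a certificate option when signing a key." is followed by the unchanged "This option may be specified multiple times.", which refers to the -O flag, and then by "The options that are valid for user certificates are:", which again refers to certificate options. Suggest rewording the unchanged sentence so it names the flag explicitly, or writing "certificate option" everywhere the new term is meant.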
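Review bot: The new -z entry (hunk @@ -441,6 +442,10 @@) says the serial number exists "to distinguish this certificate from others from the same CA" but then states "The default serial number is zero." without noting the consequence: every certificate signed without -z gets the same serial, so the serial distinguishes nothing unless the operator sets it. Suggest adding a sentence saying that a CA wanting to tell certificates apart must pass a distinct value for each one, and documenting the accepted format and range of serial_number, which the text does not give.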
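Review bot: In the CERTIFICATES text (hunk @@ -541,11 +546,11 @@), changing the subject from "A constrained certificate" to "A certificate option" breaks the rest of the sentence: "may be valid only when presented from particular source addresses" describes the certificate, not the option. Suggest rephrasing along the lines of "Certificate options may disable features of the SSH session, may restrict the certificate to particular source addresses or may force the use of a specific command." The added line "be specified through certificate options.." also ends with a doubled period.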