diff --git a/ssh-keygen.1 b/ssh-keygen.1 index be1a169f4..0202fe757 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-keygen.1,v 1.136 2017/04/30 23:18:44 djm Exp $ +.\" $OpenBSD: ssh-keygen.1,v 1.137 2017/05/02 07:13:31 jmc Exp $ .\" .\" Author: Tatu Ylonen .\" Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -35,7 +35,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: April 30 2017 $ +.Dd $Mdocdate: May 2 2017 $ .Dt SSH-KEYGEN 1 .Os .Sh NAME 
@@ -422,70 +422,22 @@ section for details. .It Fl O Ar option Specify a certificate option when signing a key. This option may be specified multiple times. -Please see the +See also the .Sx CERTIFICATES -section for details. +section for further details. +At present, no standard options are valid for host keys. The options that are valid for user certificates are: -.Bl -tag -width Ds +.Pp +.Bl -tag -width Ds -compact .It Ic clear Clear all enabled permissions. This is useful for clearing the default set of permissions so permissions may be added individually. -.It Ic force-command Ns = Ns Ar command -Forces the execution of -.Ar command -instead of any shell or command specified by the user when -the certificate is used for authentication. -.It Ic no-agent-forwarding -Disable -.Xr ssh-agent 1 -forwarding (permitted by default). -.It Ic no-port-forwarding -Disable port forwarding (permitted by default). -.It Ic no-pty -Disable PTY allocation (permitted by default). -.It Ic no-user-rc -Disable execution of -.Pa ~/.ssh/rc -by -.Xr sshd 8 -(permitted by default). -.It Ic no-x11-forwarding -Disable X11 forwarding (permitted by default). -.It Ic permit-agent-forwarding -Allows -.Xr ssh-agent 1 -forwarding. -.It Ic permit-port-forwarding -Allows port forwarding. -.It Ic permit-pty -Allows PTY allocation. -.It Ic permit-user-rc -Allows execution of -.Pa ~/.ssh/rc -by -.Xr sshd 8 . -.It Ic permit-x11-forwarding -Allows X11 forwarding. -.It Ic source-address Ns = Ns Ar address_list -Restrict the source addresses from which the certificate is considered valid. -The -.Ar address_list -is a comma-separated list of one or more address/netmask pairs in CIDR -format. -.It Ic extension : Ns Ar name Ns Op Ns = Ns Ar contents -Includes an arbitrary certificate extension. +.Pp .It Ic critical : Ns Ar name Ns Op Ns = Ns Ar contents -Includes an arbitrary certificate critical option. -.El -.Pp -At present, no standard options are valid for host keys. 
-.Pp -For non-standard certificate extensions or options included using -.Ic extension -or -.Ic option , -the specified +.It Ic extension : Ns Ar name Ns Op Ns = Ns Ar contents +Includes an arbitrary certificate critical option or extension. +The specified .Ar name should include a domain suffix, e.g.\& .Dq name@example.com . @@ -496,6 +448,61 @@ encoded as a string, otherwise the extension/option is created with no contents (usually indicating a flag). Extensions may be ignored by a client or server that does not recognise them, whereas unknown critical options will cause the certificate to be refused. +.Pp +.It Ic force-command Ns = Ns Ar command +Forces the execution of +.Ar command +instead of any shell or command specified by the user when +the certificate is used for authentication. +.Pp +.It Ic no-agent-forwarding +Disable +.Xr ssh-agent 1 +forwarding (permitted by default). +.Pp +.It Ic no-port-forwarding +Disable port forwarding (permitted by default). +.Pp +.It Ic no-pty +Disable PTY allocation (permitted by default). +.Pp +.It Ic no-user-rc +Disable execution of +.Pa ~/.ssh/rc +by +.Xr sshd 8 +(permitted by default). +.Pp +.It Ic no-x11-forwarding +Disable X11 forwarding (permitted by default). +.Pp +.It Ic permit-agent-forwarding +Allows +.Xr ssh-agent 1 +forwarding. +.Pp +.It Ic permit-port-forwarding +Allows port forwarding. +.Pp +.It Ic permit-pty +Allows PTY allocation. +.Pp +.It Ic permit-user-rc +Allows execution of +.Pa ~/.ssh/rc +by +.Xr sshd 8 . +.Pp +.It Ic permit-x11-forwarding +Allows X11 forwarding. +.Pp +.It Ic source-address Ns = Ns Ar address_list +Restrict the source addresses from which the certificate is considered valid. +The +.Ar address_list +is a comma-separated list of one or more address/netmask pairs in CIDR +format. +.El .It Fl o Causes .Nm
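Review bot: In the @@ -422,70 +422,22 @@ hunk, the stacked ".It Ic critical :" and ".It Ic extension :" tags now share the single description "Includes an arbitrary certificate critical option or extension.", which leaves the reader to infer from the keyword names which one produces which kind of entry. The distinction is security-relevant, because the context kept below this entry states that extensions may be ignored by a peer that does not recognise them, whereas unknown critical options cause the certificate to be refused. Suggest stating the mapping in the shared text (critical: adds a critical option, extension: adds an extension) or keeping two separate entries with their own one-line descriptions.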
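Review bot: In the @@ -496,6 +448,61 @@ hunk, the re-added permit-* entries (permit-agent-forwarding, permit-port-forwarding, permit-pty, permit-user-rc, permit-x11-forwarding) say only "Allows ...", while the matching no-* entries each carry "(permitted by default)". Read on its own, a permit-* entry does not tell the reader that the permission is already on unless it was removed, so the options appear to matter only after "clear". Since the list is being reorganised anyway, suggest a cross-reference to "clear" in the permit-* entries, or one sentence ahead of the list saying that the default permissions are enabled and that "clear" followed by selected permit-* options is the way to issue a restricted certificate.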