ssh-keygen.1 (294464) | ssh-keygen.1 (294496) |
---|---|
1.\" $OpenBSD: ssh-keygen.1,v 1.126 2015/07/03 03:49:45 djm Exp $ | 1.\" $OpenBSD: ssh-keygen.1,v 1.127 2015/08/20 19:20:06 naddy Exp $ |
2.\" 3.\" Author: Tatu Ylonen <ylo@cs.hut.fi> 4.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 5.\" All rights reserved 6.\" 7.\" As far as I am concerned, the code I have written for this software 8.\" can be used freely for any purpose. Any derived versions of this 9.\" software must be clearly marked as such, and if the derived work is --- 20 unchanged lines hidden (view full) --- 30.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 31.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 32.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 33.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 34.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 35.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 36.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 37.\" | 2.\" 3.\" Author: Tatu Ylonen <ylo@cs.hut.fi> 4.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 5.\" All rights reserved 6.\" 7.\" As far as I am concerned, the code I have written for this software 8.\" can be used freely for any purpose. Any derived versions of this 9.\" software must be clearly marked as such, and if the derived work is --- 20 unchanged lines hidden (view full) --- 30.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 31.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 32.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 33.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 34.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 35.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 36.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 37.\" |
38.Dd $Mdocdate: July 3 2015 $ | 38.Dd $Mdocdate: August 20 2015 $ |
39.Dt SSH-KEYGEN 1 40.Os 41.Sh NAME 42.Nm ssh-keygen 43.Nd authentication key generation, management and conversion 44.Sh SYNOPSIS 45.Bk -words 46.Nm ssh-keygen --- 628 unchanged lines hidden (view full) --- 675.Pp 676It is possible to sign using a CA key stored in a PKCS#11 token by 677providing the token library using 678.Fl D 679and identifying the CA key by providing its public half as an argument 680to 681.Fl s : 682.Pp | 39.Dt SSH-KEYGEN 1 40.Os 41.Sh NAME 42.Nm ssh-keygen 43.Nd authentication key generation, management and conversion 44.Sh SYNOPSIS 45.Bk -words 46.Nm ssh-keygen --- 628 unchanged lines hidden (view full) --- 675.Pp 676It is possible to sign using a CA key stored in a PKCS#11 token by 677providing the token library using 678.Fl D 679and identifying the CA key by providing its public half as an argument 680to 681.Fl s : 682.Pp |
683.Dl $ ssh-keygen -s ca_key.pub -D libpkcs11.so -I key_id host_key.pub | 683.Dl $ ssh-keygen -s ca_key.pub -D libpkcs11.so -I key_id user_key.pub |
684.Pp 685In all cases, 686.Ar key_id 687is a "key identifier" that is logged by the server when the certificate 688is used for authentication. 689.Pp 690Certificates may be limited to be valid for a set of principal (user/host) 691names. 692By default, generated certificates are valid for all users or hosts. 693To generate a certificate for a specified set of principals: 694.Pp 695.Dl $ ssh-keygen -s ca_key -I key_id -n user1,user2 user_key.pub | 684.Pp 685In all cases, 686.Ar key_id 687is a "key identifier" that is logged by the server when the certificate 688is used for authentication. 689.Pp 690Certificates may be limited to be valid for a set of principal (user/host) 691names. 692By default, generated certificates are valid for all users or hosts. 693To generate a certificate for a specified set of principals: 694.Pp 695.Dl $ ssh-keygen -s ca_key -I key_id -n user1,user2 user_key.pub |
696.Dl "$ ssh-keygen -s ca_key -I key_id -h -n host.domain user_key.pub" | 696.Dl "$ ssh-keygen -s ca_key -I key_id -h -n host.domain host_key.pub" |
697.Pp 698Additional limitations on the validity and use of user certificates may 699be specified through certificate options. 700A certificate option may disable features of the SSH session, may be 701valid only when presented from particular source addresses or may 702force the use of a specific command. 703For a list of valid certificate options, see the documentation for the 704.Fl O --- 160 unchanged lines hidden --- | 697.Pp 698Additional limitations on the validity and use of user certificates may 699be specified through certificate options. 700A certificate option may disable features of the SSH session, may be 701valid only when presented from particular source addresses or may 702force the use of a specific command. 703For a list of valid certificate options, see the documentation for the 704.Fl O --- 160 unchanged lines hidden --- |
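
Review bot: at line 683 the PKCS#11 example now covers only the user-key case, while the sentence at lines 676-681 describes signing with a token-held CA key in general terms. If host keys are meant to be covered as well, add a second .Dl that pairs -h with host_key.pub, the way lines 695-696 pair a user and a host example for principals. Otherwise a reader has nothing on the page showing that the -s ca_key.pub -D libpkcs11.so form applies to both.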
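
Review bot: at lines 690-696 the text introduces "a set of principal (user/host) names" and then gives two examples without saying which is which, so the corrected operand on line 696 (host_key.pub alongside -h and -n host.domain) is the only cue that this is the host case. A short clause before the examples naming -h as the host-certificate form would make the distinction explicit, so it no longer rests on filenames. This matters because signing the wrong key file under -h yields a certificate of the wrong type. As a style point, line 696 is the only .Dl here wrapped in double quotes (683 and 695 are not). If the quoting is deliberate for the longer line, a brief .\" comment would keep a later edit from removing it.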