path: root/ssh-keygen.1
author: djm@openbsd.org <djm@openbsd.org>  2019-12-30 03:28:41 +0000
committer: Damien Miller <djm@mindrot.org>  2019-12-30 14:32:20 +1100
commit: 1e645fe767f27725dc7fd7864526de34683f7daf
tree: 61d4230dba514a5a560522c97e424cee60b33156 /ssh-keygen.1
parent: 20ccd854245c598e2b47cc9f8d4955d645195055
download: openssh-git-1e645fe767f27725dc7fd7864526de34683f7daf.tar.gz
upstream: prepare for use of ssh-keygen -O flag beyond certs

Move list of available certificate options in ssh-keygen.1 to the
CERTIFICATES section. Collect options specified by -O but delay
parsing/validation of certificate options until we're sure that we're
acting as a CA.

ok markus@

OpenBSD-Commit-ID: 33e6bcc29cfca43606f6fa09bd84b955ee3a4106
Diffstat (limited to 'ssh-keygen.1')

-rw-r--r--  ssh-keygen.1  188

1 files changed, 93 insertions, 95 deletions
diff --git a/ssh-keygen.1 b/ssh-keygen.1
index 038e2c57..67a57b9f 100644
--- a/ssh-keygen.1
+++ b/ssh-keygen.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ssh-keygen.1,v 1.182 2019/12/27 08:28:44 jmc Exp $
+.\" $OpenBSD: ssh-keygen.1,v 1.183 2019/12/30 03:28:41 djm Exp $
.\"
.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -35,7 +35,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd $Mdocdate: December 27 2019 $
+.Dd $Mdocdate: December 30 2019 $
.Dt SSH-KEYGEN 1
.Os
.Sh NAME
@@ -458,97 +458,10 @@ Please see the
section for details.
.It Fl O Ar option
Specify a certificate option when signing a key.
-This option may be specified multiple times.
-See also the
+See the
.Sx CERTIFICATES
-section for further details.
-.Pp
-At present, no standard options are valid for host keys.
-The options that are valid for user certificates are:
-.Pp
-.Bl -tag -width Ds -compact
-.It Ic clear
-Clear all enabled permissions.
-This is useful for clearing the default set of permissions so permissions may
-be added individually.
-.Pp
-.It Ic critical : Ns Ar name Ns Op Ns = Ns Ar contents
-.It Ic extension : Ns Ar name Ns Op Ns = Ns Ar contents
-Includes an arbitrary certificate critical option or extension.
-The specified
-.Ar name
-should include a domain suffix, e.g.\&
-.Dq name@example.com .
-If
-.Ar contents
-is specified then it is included as the contents of the extension/option
-encoded as a string, otherwise the extension/option is created with no
-contents (usually indicating a flag).
-Extensions may be ignored by a client or server that does not recognise them,
-whereas unknown critical options will cause the certificate to be refused.
-.Pp
-.It Ic force-command Ns = Ns Ar command
-Forces the execution of
-.Ar command
-instead of any shell or command specified by the user when
-the certificate is used for authentication.
-.Pp
-.It Ic no-agent-forwarding
-Disable
-.Xr ssh-agent 1
-forwarding (permitted by default).
-.Pp
-.It Ic no-port-forwarding
-Disable port forwarding (permitted by default).
-.Pp
-.It Ic no-pty
-Disable PTY allocation (permitted by default).
-.Pp
-.It Ic no-user-rc
-Disable execution of
-.Pa ~/.ssh/rc
-by
-.Xr sshd 8
-(permitted by default).
-.Pp
-.It Ic no-x11-forwarding
-Disable X11 forwarding (permitted by default).
-.Pp
-.It Ic permit-agent-forwarding
-Allows
-.Xr ssh-agent 1
-forwarding.
-.Pp
-.It Ic permit-port-forwarding
-Allows port forwarding.
-.Pp
-.It Ic permit-pty
-Allows PTY allocation.
-.Pp
-.It Ic permit-user-rc
-Allows execution of
-.Pa ~/.ssh/rc
-by
-.Xr sshd 8 .
-.Pp
-.It Ic permit-X11-forwarding
-Allows X11 forwarding.
-.Pp
-.It Ic no-touch-required
-Do not require signatures made using this key require demonstration
-of user presence (e.g. by having the user touch the key).
-This option only makes sense for the FIDO authenticator algorithms
-.Cm ecdsa-sk
-and
-.Cm ed25519-sk .
-.Pp
-.It Ic source-address Ns = Ns Ar address_list
-Restrict the source addresses from which the certificate is considered valid.
-The
-.Ar address_list
-is a comma-separated list of one or more address/netmask pairs in CIDR
-format.
-.El
+section for a list of available certificate options.
+This option may be specified multiple times.
.It Fl P Ar passphrase
Provides the (old) passphrase.
.It Fl p
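Review bot: the description kept at `Specify a certificate option when signing a key.` still scopes `-O` to certificates only, while the commit message says this change prepares `-O` for use beyond certs, so this sentence becomes wrong the moment the first non-certificate option is added and will need another rewrite. Suggest generalising it now, e.g. `Specify a key or certificate option.`, keeping the pointer to CERTIFICATES for the certificate-specific list so later option kinds can be added under `-O` without touching this text again. Moving `This option may be specified multiple times.` below the cross-reference is fine.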
@@ -899,9 +812,94 @@ be specified through certificate options.
A certificate option may disable features of the SSH session, may be
valid only when presented from particular source addresses or may
force the use of a specific command.
-For a list of valid certificate options, see the documentation for the
-.Fl O
-option above.
+.Pp
+The options that are valid for user certificates are:
+.Pp
+.Bl -tag -width Ds -compact
+.It Ic clear
+Clear all enabled permissions.
+This is useful for clearing the default set of permissions so permissions may
+be added individually.
+.Pp
+.It Ic critical : Ns Ar name Ns Op Ns = Ns Ar contents
+.It Ic extension : Ns Ar name Ns Op Ns = Ns Ar contents
+Includes an arbitrary certificate critical option or extension.
+The specified
+.Ar name
+should include a domain suffix, e.g.\&
+.Dq name@example.com .
+If
+.Ar contents
+is specified then it is included as the contents of the extension/option
+encoded as a string, otherwise the extension/option is created with no
+contents (usually indicating a flag).
+Extensions may be ignored by a client or server that does not recognise them,
+whereas unknown critical options will cause the certificate to be refused.
+.Pp
+.It Ic force-command Ns = Ns Ar command
+Forces the execution of
+.Ar command
+instead of any shell or command specified by the user when
+the certificate is used for authentication.
+.Pp
+.It Ic no-agent-forwarding
+Disable
+.Xr ssh-agent 1
+forwarding (permitted by default).
+.Pp
+.It Ic no-port-forwarding
+Disable port forwarding (permitted by default).
+.Pp
+.It Ic no-pty
+Disable PTY allocation (permitted by default).
+.Pp
+.It Ic no-user-rc
+Disable execution of
+.Pa ~/.ssh/rc
+by
+.Xr sshd 8
+(permitted by default).
+.Pp
+.It Ic no-x11-forwarding
+Disable X11 forwarding (permitted by default).
+.Pp
+.It Ic permit-agent-forwarding
+Allows
+.Xr ssh-agent 1
+forwarding.
+.Pp
+.It Ic permit-port-forwarding
+Allows port forwarding.
+.Pp
+.It Ic permit-pty
+Allows PTY allocation.
+.Pp
+.It Ic permit-user-rc
+Allows execution of
+.Pa ~/.ssh/rc
+by
+.Xr sshd 8 .
+.Pp
+.It Ic permit-X11-forwarding
+Allows X11 forwarding.
+.Pp
+.It Ic no-touch-required
+Do not require signatures made using this key require demonstration
+of user presence (e.g. by having the user touch the key).
+This option only makes sense for the Security Key algorithms
+.Cm ecdsa-sk
+and
+.Cm ed25519-sk .
+.Pp
+.It Ic source-address Ns = Ns Ar address_list
+Restrict the source addresses from which the certificate is considered valid.
+The
+.Ar address_list
+is a comma-separated list of one or more address/netmask pairs in CIDR
+format.
+.El
+.Pp
+At present, no standard options are valid for host keys.
.Pp
Finally, certificates may be defined with a validity lifetime.
The
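Review bot: this hunk is not a pure move of the option list: the `no-touch-required` entry changes from `FIDO authenticator algorithms` in the removed text to `+This option only makes sense for the Security Key algorithms` here, and the commit message says nothing about a wording change; either mention it in the message or keep the original wording so the diff reviews as a straight relocation. Since the entry is being touched anyway, the doubled verb in `+Do not require signatures made using this key require demonstration` reads badly; suggest `Do not require signatures made using this key to demonstrate user presence (e.g. by having the user touch the key).` The case mismatch between `no-x11-forwarding` and `permit-X11-forwarding` is pre-existing but is worth normalising in the same pass, as these are the literal option names users pass to `-O`.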