upstream: Fill in missing man page bits for U2F security key support:

Mention the new key types, the ~/.ssh/id_ecdsa_sk file, ssh's
SecurityKeyProvider keyword, the SSH_SK_PROVIDER environment variable,
and ssh-keygen's new -w and -x options.

Copy the ssh-sk-helper man page from ssh-pkcs11-helper with minimal
substitutions.

ok djm@

OpenBSD-Commit-ID: ef2e8f83d0c0ce11ad9b8c28945747e5ca337ac4

1 files changed, 23 insertions, 8 deletions

diff --git a/ssh_config.5 b/ssh_config.5
index 02a87892..ad016470 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh_config.5,v 1.304 2019/09/13 04:52:34 djm Exp $
-.Dd $Mdocdate: September 13 2019 $
+.\" $OpenBSD: ssh_config.5,v 1.305 2019/11/07 08:38:38 naddy Exp $
+.Dd $Mdocdate: November 7 2019 $
 .Dt SSH_CONFIG 5
 .Os
 .Sh NAME
@@ -381,7 +381,9 @@ flag to
 via
 .Xr ssh-agent 1 ,
 or via a
-.Cm PKCS11Provider .
+.Cm PKCS11Provider
+or
+.Cm SecurityKeyProvider .
 .Pp
 Arguments to
 .Cm CertificateFile
@@ -808,7 +810,8 @@ ecdsa-sha2-nistp256-cert-v01@openssh.com,
 ecdsa-sha2-nistp384-cert-v01@openssh.com,
 ecdsa-sha2-nistp521-cert-v01@openssh.com,
 ssh-ed25519-cert-v01@openssh.com,
-rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,
+rsa-sha2-512-cert-v01@openssh.com,
+rsa-sha2-256-cert-v01@openssh.com,
 ssh-rsa-cert-v01@openssh.com,
 ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
 ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
@@ -840,7 +843,8 @@ ecdsa-sha2-nistp256-cert-v01@openssh.com,
 ecdsa-sha2-nistp384-cert-v01@openssh.com,
 ecdsa-sha2-nistp521-cert-v01@openssh.com,
 ssh-ed25519-cert-v01@openssh.com,
-rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,
+rsa-sha2-512-cert-v01@openssh.com,
+rsa-sha2-256-cert-v01@openssh.com,
 ssh-rsa-cert-v01@openssh.com,
 ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
 ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
@@ -883,6 +887,8 @@ even if
 .Xr ssh-agent 1
 or a
 .Cm PKCS11Provider
+or
+.Cm SecurityKeyProvider
 offers more identities.
 The argument to this keyword must be
 .Cm yes
@@ -919,11 +925,12 @@ or the tokens described in the
 .Sx TOKENS
 section.
 .It Cm IdentityFile
-Specifies a file from which the user's DSA, ECDSA, Ed25519 or RSA authentication
-identity is read.
+Specifies a file from which the user's DSA, ECDSA, security key-hosted ECDSA,
+Ed25519 or RSA authentication identity is read.
 The default is
 .Pa ~/.ssh/id_dsa ,
 .Pa ~/.ssh/id_ecdsa ,
+.Pa ~/.ssh/id_ecdsa_sk ,
 .Pa ~/.ssh/id_ed25519
 and
 .Pa ~/.ssh/id_rsa .
@@ -1315,12 +1322,15 @@ character, then the specified key types will be placed at the head of the
 default set.
 The default for this option is:
 .Bd -literal -offset 3n
+sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
 ecdsa-sha2-nistp256-cert-v01@openssh.com,
 ecdsa-sha2-nistp384-cert-v01@openssh.com,
 ecdsa-sha2-nistp521-cert-v01@openssh.com,
 ssh-ed25519-cert-v01@openssh.com,
-rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,
+rsa-sha2-512-cert-v01@openssh.com,
+rsa-sha2-256-cert-v01@openssh.com,
 ssh-rsa-cert-v01@openssh.com,
+sk-ecdsa-sha2-nistp256@openssh.com,
 ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
 ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
 .Ed
@@ -1437,6 +1447,11 @@ an OpenSSH Key Revocation List (KRL) as generated by
 .Xr ssh-keygen 1 .
 For more information on KRLs, see the KEY REVOCATION LISTS section in
 .Xr ssh-keygen 1 .
+.It Cm SecurityKeyProvider
+Specifies a path to a security key provider library that will be used when
+loading any security key-hosted keys, overriding the default of using the
+.Ev SSH_SK_PROVIDER
+environment variable to specify a provider.
 .It Cm SendEnv
 Specifies what variables from the local
 .Xr environ 7