From cd53476383f0cf475f40ba8ac8deb6b76dd5ce4e Mon Sep 17 00:00:00 2001 From: "jmc@openbsd.org" Date: Mon, 6 Jan 2020 07:43:28 +0000 Subject: upstream: put the fido options in a list, and tidy up the text a little; ok djm OpenBSD-Commit-ID: 491ce15ae52a88b7a6a2b3b6708a14b4aacdeebb --- ssh-keygen.1 | 36 +++++++++++++++++------------------- 1 file changed, 17 insertions(+), 19 deletions(-) (limited to 'ssh-keygen.1') diff --git a/ssh-keygen.1 b/ssh-keygen.1 index 92c51658..2e989428 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-keygen.1,v 1.189 2020/01/06 02:00:46 djm Exp $ +.\" $OpenBSD: ssh-keygen.1,v 1.190 2020/01/06 07:43:28 jmc Exp $ .\" .\" Author: Tatu Ylonen .\" Copyright (c) 1995 Tatu Ylonen , Espoo, Finland 
@@ -460,39 +460,37 @@ listed in the .Sx MODULI GENERATION section may be specified. .Pp -When generating a key that will be hosted on a FIDO authenticator, this -flag may be used to specify key-specific options. -The FIDO authenticator options are supported at present are: -.Pp -.Cm application -overrides the default FIDO application/origin string of +When generating a key that will be hosted on a FIDO authenticator, +this flag may be used to specify key-specific options. +Those supported at present are: +.Bl -tag -width Ds +.It Cm application +Override the default FIDO application/origin string of .Dq ssh: . -This option may be useful when generating host or domain-specific resident -keys. -.Cm device -explicitly specify a device to generate the key on, rather than accepting -the authenticator middleware's automatic selection. +This may be useful when generating host or domain-specific resident keys. +.It Cm device +Explicitly specify a .Xr fido 4 device to use, rather than letting the token middleware select one. -.Cm no-touch-required -indicates that the generated private key should not require touch +.It Cm no-touch-required +Indicate that the generated private key should not require touch events (user presence) when making signatures. Note that .Xr sshd 8 will refuse such signatures by default, unless overridden via an authorized_keys option. -.Pp -.Cm resident -indicates that the key should be stored on the FIDO authenticator itself. +.It Cm resident +Indicate that the key should be stored on the FIDO authenticator itself. Resident keys may be supported on FIDO2 tokens and typically require that a PIN be set on the token prior to generation. Resident keys may be loaded off the token using .Xr ssh-add 1 . -.Cm user -allows specification of a username to be associated with a resident key, +.It Cm user +A username to be associated with a resident key, overriding the empty default username. 
Specifying a username may be useful when generating multiple resident keys for the same application name. +.El .Pp The .Fl O -- cgit v1.2.1
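Review bot: In the no-touch-required item, "unless overridden via an authorized_keys option" still does not say which option makes sshd accept signatures made without user presence. This is the one entry in the list that weakens the key's protection, so name the option here or point at the part of sshd(8) that documents it, and consider marking up authorized_keys with .Pa. Two smaller style points in the same hunk: the new user item opens with a noun phrase ("A username to be associated with a resident key") while the other four items open with an imperative (Override, Explicitly specify, Indicate), so "Specify a username ..." would keep the list parallel; and the .It Cm tags for application, device and user do not show how the value is supplied, which a tagged list now makes easy to add.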