-.\" $OpenBSD: ssh-keygen.1,v 1.136 2017/04/30 23:18:44 djm Exp $
+.\" $OpenBSD: ssh-keygen.1,v 1.137 2017/05/02 07:13:31 jmc Exp $
.\"
.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd $Mdocdate: April 30 2017 $
+.Dd $Mdocdate: May 2 2017 $
.Dt SSH-KEYGEN 1
.Os
.Sh NAME
.It Fl O Ar option
Specify a certificate option when signing a key.
This option may be specified multiple times.
-Please see the
+See also the
.Sx CERTIFICATES
-section for details.
+section for further details.
+At present, no standard options are valid for host keys.
The options that are valid for user certificates are:
-.Bl -tag -width Ds
+.Pp
+.Bl -tag -width Ds -compact
.It Ic clear
Clear all enabled permissions.
This is useful for clearing the default set of permissions so permissions may
be added individually.
+.Pp
+.It Ic critical : Ns Ar name Ns Op Ns = Ns Ar contents
+.It Ic extension : Ns Ar name Ns Op Ns = Ns Ar contents
+Includes an arbitrary certificate critical option or extension.
+The specified
+.Ar name
+should include a domain suffix, e.g.\&
+.Dq name@example.com .
+If
+.Ar contents
+is specified then it is included as the contents of the extension/option
+encoded as a string, otherwise the extension/option is created with no
+contents (usually indicating a flag).
+Extensions may be ignored by a client or server that does not recognise them,
+whereas unknown critical options will cause the certificate to be refused.
+.Pp
.It Ic force-command Ns = Ns Ar command
Forces the execution of
.Ar command
instead of any shell or command specified by the user when
the certificate is used for authentication.
+.Pp
.It Ic no-agent-forwarding
Disable
.Xr ssh-agent 1
forwarding (permitted by default).
+.Pp
.It Ic no-port-forwarding
Disable port forwarding (permitted by default).
+.Pp
.It Ic no-pty
Disable PTY allocation (permitted by default).
+.Pp
.It Ic no-user-rc
Disable execution of
.Pa ~/.ssh/rc
by
.Xr sshd 8
(permitted by default).
+.Pp
.It Ic no-x11-forwarding
Disable X11 forwarding (permitted by default).
+.Pp
.It Ic permit-agent-forwarding
Allows
.Xr ssh-agent 1
forwarding.
+.Pp
.It Ic permit-port-forwarding
Allows port forwarding.
+.Pp
.It Ic permit-pty
Allows PTY allocation.
+.Pp
.It Ic permit-user-rc
Allows execution of
.Pa ~/.ssh/rc
by
.Xr sshd 8 .
+.Pp
.It Ic permit-x11-forwarding
Allows X11 forwarding.
+.Pp
.It Ic source-address Ns = Ns Ar address_list
Restrict the source addresses from which the certificate is considered valid.
The
.Ar address_list
is a comma-separated list of one or more address/netmask pairs in CIDR
format.
-.It Ic extension : Ns Ar name Ns Op Ns = Ns Ar contents
-Includes an arbitrary certificate extension.
-.It Ic critical : Ns Ar name Ns Op Ns = Ns Ar contents
-Includes an arbitrary certificate critical option.
.El
-.Pp
-At present, no standard options are valid for host keys.
-.Pp
-For non-standard certificate extensions or options included using
-.Ic extension
-or
-.Ic option ,
-the specified
-.Ar name
-should include a domain suffix, e.g.\&
-.Dq name@example.com .
-If
-.Ar contents
-is specified then it is included as the contents of the extension/option
-encoded as a string, otherwise the extension/option is created with no
-contents (usually indicating a flag).
-Extensions may be ignored by a client or server that does not recognise them,
-whereas unknown critical options will cause the certificate to be refused.
.It Fl o
Causes
.Nm
projects / openbsd / commitdiff