| field | value | date |
|---|---|---|
| author | djm@openbsd.org <djm@openbsd.org> | 2021-07-23 05:37:52 +0200 |
| committer | Damien Miller <djm@mindrot.org> | 2021-07-23 06:07:19 +0200 |
| commit | d0bb1ce731762c55acb95817df4d5fab526c7ecd | |
| tree | d842850a20b4d61cd15e7ff9c9dc6474831797ca /ssh-keygen.1 | |
| parent | upstream: Use SUDO when setting up hostkey. | |
upstream: Let allowed signers files used by ssh-keygen(1)
signatures support key lifetimes, and allow the verification mode to specify
a signature time to check at. This is intended for use by git to support
signing objects using ssh keys. ok dtucker@
OpenBSD-Commit-ID: 3e2c67b7dcd94f0610194d1e8e4907829a40cf31
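Added example, not OpenSSH's code and not part of this commit: a Python reimplementation of the allowed_signers lookup that `ssh-keygen -Y find-principals` and `ssh-keygen -Y verify` perform, including the `valid-after`/`valid-before` key lifetimes and the `-O verify-time=` override this change introduces. Everything not stated on the page is an assumption: the fixed `KEY_TYPES` list used to tell an options field from a key field, ssh_config-style pattern-list matching for principals and namespaces, timestamps read as naive local time, inclusive bounds (the man page says "at or after" and "at or before"), and the sample file with its placeholder key blobs.

```python
# Added example, not OpenSSH code: reimplementation of the allowed_signers
# lookup behind `ssh-keygen -Y find-principals` / `-Y verify`, with the
# valid-after/valid-before lifetimes and the -O verify-time override.
import fnmatch
from datetime import datetime
from typing import Dict, List, Optional

# Assumption: OpenSSH decides "options present?" by trying to parse the field
# as a key first; a fixed list of key type names is enough for this example.
KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ssh-dss", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
             "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com"}


def parse_timestamp(text: str) -> datetime:
    """YYYYMMDD, YYYYMMDDHHMM or YYYYMMDDHHMMSS, the formats the man page
    names.  Assumption: naive local time, no zone suffix handled."""
    fmt = {8: "%Y%m%d", 12: "%Y%m%d%H%M", 14: "%Y%m%d%H%M%S"}.get(len(text))
    if fmt is None or not text.isdigit():
        raise ValueError(f"bad timestamp {text!r}")
    return datetime.strptime(text, fmt)


def split_options(field: str) -> List[str]:
    """Split comma-separated options; a comma inside double quotes belongs to
    the value (namespaces="git,file") and the quotes themselves are dropped."""
    out, cur, quoted = [], [], False
    for ch in field:
        if ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            out.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    if quoted:
        raise ValueError("unterminated quote in options field")
    out.append("".join(cur))
    return [o for o in out if o]


def match_pattern_list(patterns: str, value: str) -> bool:
    """ssh_config(5)-style pattern-list: comma-separated globs, a leading '!'
    negates, and a negated match rejects immediately (assumed semantics)."""
    matched = False
    for pat in patterns.split(","):
        negate = pat.startswith("!")
        if fnmatch.fnmatchcase(value, pat[1:] if negate else pat):
            if negate:
                return False
            matched = True
    return matched


def parse_line(line: str) -> Optional[Dict]:
    """One allowed_signers line: principals [options] keytype key [comment]."""
    fields = line.split()
    if not fields or fields[0].startswith("#"):
        return None                        # blank line or comment
    if len(fields) < 3:
        raise ValueError(f"malformed line: {line!r}")
    opts, rest = ([], fields[1:]) if fields[1] in KEY_TYPES \
        else (split_options(fields[1]), fields[2:])
    if len(rest) < 2 or rest[0] not in KEY_TYPES:
        raise ValueError(f"malformed line: {line!r}")
    entry = {"principals": fields[0], "keytype": rest[0], "key": rest[1],
             "comment": " ".join(rest[2:]), "cert_authority": False,
             "namespaces": None, "valid_after": None, "valid_before": None}
    for opt in opts:
        name, _, val = opt.partition("=")
        if name == "cert-authority":
            entry["cert_authority"] = True
        elif name in ("valid-after", "valid-before"):
            entry[name.replace("-", "_")] = parse_timestamp(val)
        elif name == "namespaces":
            entry["namespaces"] = val
        else:
            raise ValueError(f"unknown option {name!r}")
    return entry


def key_valid_at(entry: Dict, when: datetime) -> bool:
    """Both bounds inclusive, matching 'at or after' / 'at or before'."""
    if entry["valid_after"] is not None and when < entry["valid_after"]:
        return False
    if entry["valid_before"] is not None and when > entry["valid_before"]:
        return False
    return True


def find_acceptable_keys(allowed_signers: str, identity: str, namespace: str,
                         verify_time: Optional[datetime] = None) -> List[Dict]:
    """Entries a signature by `identity` in `namespace` may be checked against.
    verify_time plays the role of -O verify-time=; default is now."""
    when = verify_time if verify_time is not None else datetime.now()
    found = []
    for line in allowed_signers.splitlines():
        e = parse_line(line)
        if e is None or not match_pattern_list(e["principals"], identity):
            continue
        if e["namespaces"] and not match_pattern_list(e["namespaces"], namespace):
            continue
        if key_valid_at(e, when):
            found.append(e)
    return found


# Constructed sample file; the key blobs are placeholders, not real keys.
SAMPLE_ALLOWED_SIGNERS = """\
# alice rotated keys mid-2021; the old key stays listed to verify old commits
alice@example.com valid-before="20210630" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEYONE old-key
alice@example.com valid-after="20210701",namespaces="git,file" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEYTWO rotated-key
*@example.com namespaces="release" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEYTHREE release-key
bob@example.com cert-authority ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQFAKECA team-ca
"""


def accepted_comments(identity: str, namespace: str, stamp: str) -> List[str]:
    """Which sample entries are usable for identity/namespace at timestamp."""
    return [e["comment"] for e in find_acceptable_keys(
        SAMPLE_ALLOWED_SIGNERS, identity, namespace, parse_timestamp(stamp))]


if __name__ == "__main__":
    print(accepted_comments("alice@example.com", "git", "20210615"))        # old key
    print(accepted_comments("alice@example.com", "git", "202107230537"))    # rotated key
```

The interesting case is the boundary: with this reimplementation a date-only bound such as `valid-before="20210630"` means midnight at the start of that day, so a signature timestamped later on 30 June matches neither of alice's keys in the sample file. Whoever writes lifetimes into a real allowed_signers file should check how the deployed ssh-keygen resolves a date-only value before relying on day-granularity windows.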
Diffstat (limited to 'ssh-keygen.1')

| mode | file | lines |
|---|---|---|
| -rw-r--r-- | ssh-keygen.1 | 25 |

1 file changed, 22 insertions, 3 deletions
diff --git a/ssh-keygen.1 b/ssh-keygen.1 index 4e7372745..9bfbcdc77 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-keygen.1,v 1.213 2021/05/12 11:34:30 dtucker Exp $ +.\" $OpenBSD: ssh-keygen.1,v 1.214 2021/07/23 03:37:52 djm Exp $ .\" .\" Author: Tatu Ylonen <ylo@cs.hut.fi> .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland @@ -35,7 +35,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: May 12 2021 $ +.Dd $Mdocdate: July 23 2021 $ .Dt SSH-KEYGEN 1 .Os .Sh NAME @@ -147,10 +147,12 @@ .Ar .Nm ssh-keygen .Fl Y Cm find-principals +.Op Fl O Ar option .Fl s Ar signature_file .Fl f Ar allowed_signers_file .Nm ssh-keygen .Fl Y Cm check-novalidate +.Op Fl O Ar option .Fl n Ar namespace .Fl s Ar signature_file .Nm ssh-keygen @@ -160,6 +162,7 @@ .Ar .Nm ssh-keygen .Fl Y Cm verify +.Op Fl O Ar option .Fl f Ar allowed_signers_file .Fl I Ar signer_identity .Fl n Ar namespace @@ -530,6 +533,17 @@ Please note that this information is potentially sensitive. By default, this information is discarded. .El .Pp +When performing signature-related options using the +.Fl Y +flag, the following options are accepted: +.Bl -tag -width Ds +.It Cm verify-time Ns = Ns Ar timestamp +Specifies a time to use when validating signatures instead of the current +time. +The time may be specified as a date in YYYYMMDD format or a time +in YYYYMMDDHHMM[SS] format. +.El +.Pp The .Fl O option may be specified multiple times. 
@@ -1134,11 +1148,16 @@ are case-insensitive): .It Cm cert-authority Indicates that this key is accepted as a certificate authority (CA) and that certificates signed by this CA may be accepted for verification. -.It Cm namespaces="namespace-list" +.It Cm namespaces Ns = Ns "namespace-list" Specifies a pattern-list of namespaces that are accepted for this key. If this option is present, the signature namespace embedded in the signature object and presented on the verification command-line must match the specified list before the key will be considered acceptable. +.It Cm valid-after Ns = Ns "timestamp" +Indicates that the key is valid for use at or after the specified timestamp, +which may be a date in YYYYMMDD format or a time in YYYYMMDDHHMM[SS] format, +.It Cm valid-before Ns = Ns "timestamp" +Indicates that the key is valid for use at or before the specified timestamp. .El .Pp When verifying signatures made by certificates, the expected principal |
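Review bot: in the `@@ -1134,11 +1148,16 @@` hunk the new `valid-after` description ends with a comma rather than a full stop (`+which may be a date in YYYYMMDD format or a time in YYYYMMDDHHMM[SS] format,`), so the sentence runs into the following `.It Cm valid-before` item; end it with a period. The `valid-before` item should also state which timestamp formats it accepts, or refer back to `valid-after`, instead of leaving the reader to infer that the same two formats apply.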
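Review bot: in the `@@ -530,6 +533,17 @@` hunk, `When performing signature-related options using the .Fl Y flag` should read `operations`, since what follows `-Y` is an operation (`find-principals`, `verify`) and the options are what the list below it describes. The `verify-time` text also leaves two things unstated that anyone writing `valid-after`/`valid-before` bounds needs to know: whether a YYYYMMDD or YYYYMMDDHHMM[SS] value is taken as local time or UTC, and that `find-principals` uses the same time to decide which allowed-signer keys are within their lifetime, which is why the synopsis now accepts `-O` there too.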
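Review bot: the `@@ -147,10 +147,12 @@` hunk adds `.Op Fl O Ar option` to the `check-novalidate` synopsis, but that mode takes only `-n namespace` and `-s signature_file` and no `allowed_signers_file`, so the one option documented here, `verify-time`, has no key lifetime to act on in that mode. Either document what `verify-time` does for `check-novalidate` or leave `-O` off that synopsis line so the man page does not advertise an option with no described effect.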