summaryrefslogtreecommitdiffstats
path: root/ssh-keygen.1
diff options
context:
space:
mode:
Diffstat (limited to 'ssh-keygen.1')
-rw-r--r--ssh-keygen.122
1 files changed, 19 insertions, 3 deletions
diff --git a/ssh-keygen.1 b/ssh-keygen.1
index 9198a511f..7e0558fe1 100644
--- a/ssh-keygen.1
+++ b/ssh-keygen.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ssh-keygen.1,v 1.205 2020/07/15 07:50:46 solene Exp $
+.\" $OpenBSD: ssh-keygen.1,v 1.206 2020/08/27 01:06:18 djm Exp $
.\"
.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -35,7 +35,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd $Mdocdate: July 15 2020 $
+.Dd $Mdocdate: August 27 2020 $
.Dt SSH-KEYGEN 1
.Os
.Sh NAME
@@ -511,6 +511,12 @@ A username to be associated with a resident key,
overriding the empty default username.
Specifying a username may be useful when generating multiple resident keys
for the same application name.
+.It Cm verify-required
+Indicate that this private key should require user verification for
+each signature.
+Not all FIDO tokens support support this option.
+Currently PIN authentication is the only supported verification method,
+but other methods may be supported in the future.
.It Cm write-attestation Ns = Ns Ar path
May be used at key generation time to record the attestation certificate
returned from FIDO tokens during key generation.
@@ -961,7 +967,7 @@ by
Allows X11 forwarding.
.Pp
.It Ic no-touch-required
-Do not require signatures made using this key require demonstration
+Do not require signatures made using this key include demonstration
of user presence (e.g. by having the user touch the authenticator).
This option only makes sense for the FIDO authenticator algorithms
.Cm ecdsa-sk
@@ -974,6 +980,16 @@ The
.Ar address_list
is a comma-separated list of one or more address/netmask pairs in CIDR
format.
+.Pp
+.It Ic verify-required
+Require signatures made using this key indicate that the user was first
+verified.
+This option only makes sense for the FIDO authenticator algorithms
+.Cm ecdsa-sk
+and
+.Cm ed25519-sk .
+Currently PIN authentication is the only supported verification method,
+but other methods may be supported in the future.
.El
.Pp
At present, no standard options are valid for host keys.