upstream commit
Allow ssh-keygen to use a key held in ssh-agent as a CA when
signing certificates. bz#2377 ok markus
Upstream-ID: fb42e920b592edcbb5b50465739a867c09329c8f
diff --git a/ssh-keygen.1 b/ssh-keygen.1
index 786d37d..66f8321 100644
--- a/ssh-keygen.1
+++ b/ssh-keygen.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ssh-keygen.1,v 1.141 2017/05/05 10:41:58 naddy Exp $
+.\" $OpenBSD: ssh-keygen.1,v 1.142 2017/06/28 01:09:22 djm Exp $
.\"
.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -35,7 +35,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd $Mdocdate: May 5 2017 $
+.Dd $Mdocdate: June 28 2017 $
.Dt SSH-KEYGEN 1
.Os
.Sh NAME
@@ -114,6 +114,8 @@
.Fl s Ar ca_key
.Fl I Ar certificate_identity
.Op Fl h
+.Op Fl U
+.Op Fl D Ar pkcs11_provider
.Op Fl n Ar principals
.Op Fl O Ar option
.Op Fl V Ar validity_interval
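Review bot: the synopsis here lists `.Op Fl U` and `.Op Fl D Ar pkcs11_provider` as two independent optional flags, yet both serve the same purpose of telling ssh-keygen where the private half of the `-s ca_key` CA key lives (an agent versus a PKCS#11 token), and nothing added in this patch says what happens if both are given together. Consider either documenting precedence in the `-U` entry or expressing the two as alternatives in the synopsis. Adding `-D` to this synopsis form is a good fix in itself, since the CERTIFICATES section already shows `-D libpkcs11.so` used alongside `-s`.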
@@ -558,6 +560,14 @@
.Dq ed25519 ,
or
.Dq rsa .
+.It Fl U
+When used in combination with
+.Fl s ,
+this option indicates that a CA key resides in a
+.Xr ssh-agent 1 .
+See the
+.Sx CERTIFICATES
+section for more information.
.It Fl u
Update a KRL.
When specified with
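Review bot: the new `.It Fl U` entry says the CA key "resides in" ssh-agent but does not say what `-s` must then name; the CERTIFICATES text added later in this patch states that the CA key must be identified by its public half. Stating that directly in the option entry (e.g. "the argument to -s is the CA public key file; the corresponding private key is held by the agent") keeps the entry self-contained for readers who do not follow the cross-reference to the CERTIFICATES section.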
@@ -705,6 +715,14 @@
.Pp
.Dl $ ssh-keygen -s ca_key.pub -D libpkcs11.so -I key_id user_key.pub
.Pp
+Similarly, it is possible for the CA key to be hosted in a
+.Xr ssh-agent 1 .
+This is indicated by the
+.Fl U
+flag and, again, the CA key must be identified by its public half.
+.Pp
+.Dl $ ssh-keygen -Us ca_key.pub -I key_id user_key.pub
+.Pp
In all cases,
.Ar key_id
is a "key identifier" that is logged by the server when the certificate
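Review bot: the new example `ssh-keygen -Us ca_key.pub -I key_id user_key.pub` bundles `-U` and `-s` into one option group, whereas the PKCS#11 example a few lines above writes `-s ca_key.pub -D libpkcs11.so` with separate flags; writing `-s ca_key.pub -U` keeps the two examples parallel and avoids a reader taking `-Us` for a distinct option. The sentence "again, the CA key must be identified by its public half" also says "again" without restating the reason; one clause noting that the public key is what ssh-keygen uses to select the matching key in the agent would make the paragraph stand on its own.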