Re: Show -o and -a in ssh-keygen(1) synopsis
On 08/14 04:05, Darren Tucker wrote: > On 4 August 2018 at 18:15, Jeremy Evans wrote: > > I think the documentation for -e should be updated to specify it only > > exports public keys (assuming I'm reading the code correctly), or > > ssh-keygen should be updated to write private keys for the RFC4716 > > format if the input file is a private key (since that's what the > > documentation currently implies). But that should probably be a > > separate commit. > > I'll check the history but my recollection was that it was supposed to > be able to export private keys as RFC4716 format. OK. > > I also noticed that the -f flag with -A was documented in ssh-keygen(1) > > but not in usage, so I updated usage to match ssh-keygen(1). > > > > OKs for the diff below? After I sent this email, djm@ made changes in ssh-keygen.1 1.148 and ssh-keygen.c 1.319 to ignore the -o option and make new format private keys the default, so I think the previous diff to document -o is no longer useful. Here's a new diff to document -a, which I think is still useful. OKs? Index: ssh-keygen.1 === RCS file: /cvs/src/usr.bin/ssh/ssh-keygen.1,v retrieving revision 1.148 diff -u -p -r1.148 ssh-keygen.1 --- ssh-keygen.18 Aug 2018 01:16:01 - 1.148 +++ ssh-keygen.113 Aug 2018 18:29:33 - @@ -45,6 +45,7 @@ .Bk -words .Nm ssh-keygen .Op Fl q +.Op Fl a Ar rounds .Op Fl b Ar bits .Op Fl t Cm dsa | ecdsa | ed25519 | rsa .Op Fl N Ar new_passphrase @@ -52,6 +53,7 @@ .Op Fl f Ar output_keyfile .Nm ssh-keygen .Fl p +.Op Fl a Ar rounds .Op Fl P Ar old_passphrase .Op Fl N Ar new_passphrase .Op Fl f Ar keyfile Index: ssh-keygen.c === RCS file: /cvs/src/usr.bin/ssh/ssh-keygen.c,v retrieving revision 1.319 diff -u -p -r1.319 ssh-keygen.c --- ssh-keygen.c8 Aug 2018 01:16:01 - 1.319 +++ ssh-keygen.c13 Aug 2018 18:29:34 - 
@@ -2282,9 +2282,10 @@ static void usage(void) { fprintf(stderr, - "usage: ssh-keygen [-q] [-b bits] [-t dsa | ecdsa | ed25519 | rsa]\n" + "usage: ssh-keygen [-q] [-a rounds] [-b bits] [-t dsa | ecdsa | ed25519 | rsa]\n" " [-N new_passphrase] [-C comment] [-f output_keyfile]\n" - " ssh-keygen -p [-P old_passphrase] [-N new_passphrase] [-f keyfile]\n" + " ssh-keygen -p [-a rounds] [-P old_passphrase] [-N new_passphrase]\n" + " [-f keyfile]\n" " ssh-keygen -i [-m key_format] [-f input_keyfile]\n" " ssh-keygen -e [-m key_format] [-f input_keyfile]\n" " ssh-keygen -y [-f input_keyfile]\n" > ok dtucker except for: > > > +.Op Fl oq > > this doesn't look right? -o and -q are distinct orthogonal flags. > > [...] > > + "usage: ssh-keygen [-oq] [-a rounds] [-b bits] [-t dsa | ecdsa > > | ed25519 | rsa]\n" > > ditto. Are orthogonal flags without arguments not supposed to be combined? It seems most of our man pages combine orthogonal flags without arguments. Some examples: ls [-1AaCcdFfgHhikLlmnopqRrSsTtux] [file ...] col [-bfhx] [-l num] ex [-FRrSsv] [-c cmd] [-t tag] [-w size] [file ...] I'm not an expert on our documentation, but it appears the rule is that arguments are separated if they accept arguments, and combined if they do not accept arguments. If that is not accurate, hopefully jmc@ can correct me. Thanks, Jeremy
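Review bot: the ssh-keygen.c @@ -2282,9 hunk leaves the `ssh-keygen -A` usage line without `[-f prefix_path]`, even though the cover message says -A's -f option is documented in ssh-keygen(1) but missing from usage(); the previous diff's @@ -2309,7 hunk carried that fix and this revision drops it along with the -o changes. Since -o is now ignored and -A writes unencrypted host keys (so -a rounds is moot there), a hunk adding just `" ssh-keygen -A [-f prefix_path]\n"` would keep usage() in step with the manual page.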
Re: Show -o and -a in ssh-keygen(1) synopsis
On 4 August 2018 at 18:15, Jeremy Evans wrote: [...] > I checked -A and that also respects -o, so I documented that. I'm > not sure how much it matters as the host keys -A generates are not > password protected, but maybe there are other reasons to use the > newer format. The host keys must be unencrypted if you want sshd to be able to start at boot time, which most people do. > I think the documentation for -e should be updated to specify it only > exports public keys (assuming I'm reading the code correctly), or > ssh-keygen should be updated to write private keys for the RFC4716 > format if the input file is a private key (since that's what the > documentation currently implies). But that should probably be a > separate commit. I'll check the history but my recollection was that it was supposed to be able to export private keys as RFC4716 format. > I also noticed that the -f flag with -A was documented in ssh-keygen(1) > but not in usage, so I updated usage to match ssh-keygen(1). > > OKs for the diff below? ok dtucker except for: > +.Op Fl oq this doesn't look right? -o and -q are distinct orthogonal flags. [...] > + "usage: ssh-keygen [-oq] [-a rounds] [-b bits] [-t dsa | ecdsa | > ed25519 | rsa]\n" ditto. -- Darren Tucker (dtucker at dtucker.net) GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new) Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
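Darren's reply above turns on what a new-format private key actually records: the container -o selects (the "openssh-key-v1" format) and the bcrypt KDF rounds -a sets, which only do work when a passphrase is used to encrypt the key, so host keys written by -A never use them. As an added example, not code from this thread or from OpenSSH, here is a Python reader for that container's cleartext header, following the layout described in OpenSSH's PROTOCOL.key, that reports cipher, KDF and rounds without needing a passphrase, plus a small policy check; the sample keys are constructed header-only blobs and the 16-round floor is an assumption taken from the ssh-keygen -a default.

```python
import base64
import struct

MAGIC = b"openssh-key-v1\x00"   # leading bytes of every new-format (-o) key
PEM_HEAD = "-----BEGIN OPENSSH PRIVATE KEY-----"
PEM_TAIL = "-----END OPENSSH PRIVATE KEY-----"

def _read_string(buf, off):
    (n,) = struct.unpack(">I", buf[off:off + 4])   # SSH wire string: u32 length
    return buf[off + 4:off + 4 + n], off + 4 + n

def parse_openssh_key_header(pem_text):
    """Cipher, KDF and bcrypt rounds from the cleartext header; no passphrase needed."""
    lines = [ln.strip() for ln in pem_text.strip().splitlines()]
    if lines[0] != PEM_HEAD or lines[-1] != PEM_TAIL:
        raise ValueError("not an OpenSSH new-format private key")
    blob = base64.b64decode("".join(lines[1:-1]))
    if not blob.startswith(MAGIC):
        raise ValueError("bad openssh-key-v1 magic")
    cipher, off = _read_string(blob, len(MAGIC))   # b"none" when unencrypted
    kdf, off = _read_string(blob, off)             # b"none" or b"bcrypt"
    kdfopts, off = _read_string(blob, off)
    (nkeys,) = struct.unpack(">I", blob[off:off + 4])
    rounds = 0
    if kdf == b"bcrypt":
        # bcrypt kdfoptions are: string salt, uint32 rounds (the value -a sets)
        _salt, o = _read_string(kdfopts, 0)
        (rounds,) = struct.unpack(">I", kdfopts[o:o + 4])
    return {"cipher": cipher.decode(), "kdf": kdf.decode(), "rounds": rounds,
            "nkeys": nkeys, "encrypted": cipher != b"none"}

def kdf_findings(info, min_rounds=16):
    """Policy check; 16 is the documented ssh-keygen -a default (assumed floor)."""
    if not info["encrypted"]:
        return ["private key is not passphrase protected"]
    return [] if info["rounds"] >= min_rounds else [f"only {info['rounds']} bcrypt rounds"]

def _ssh_string(b):
    return struct.pack(">I", len(b)) + b

def build_header(cipher, kdf, salt, rounds, nkeys=1):
    """Constructed sample: header-only blob, no key material after it."""
    kdfopts = _ssh_string(salt) + struct.pack(">I", rounds) if kdf == b"bcrypt" else b""
    blob = MAGIC + _ssh_string(cipher) + _ssh_string(kdf) + _ssh_string(kdfopts) + struct.pack(">I", nkeys)
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"{PEM_HEAD}\n{body}\n{PEM_TAIL}\n"

ENCRYPTED_SAMPLE = build_header(b"aes256-ctr", b"bcrypt", b"\x01" * 16, 100)  # constructed: as "-o -a 100"
PLAIN_SAMPLE = build_header(b"none", b"none", b"", 0)                        # constructed: unencrypted, like -A output
```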
Re: Show -o and -a in ssh-keygen(1) synopsis
On Sat, Aug 04, 2018 at 01:15:14AM -0700, Jeremy Evans wrote: > On 08/03 09:28, Jeremy Evans wrote: > > The ssh-keygen -o flag wasn't listed in the synopsis, and -a was only > > listed with -T (where it specifies the number of primality tests), not > > for specifying the number of KDF rounds of new-format private key files. > > > > I only tested creating a new private key and conversion of existing > > keys with -p. I didn't test usage with -i, but I'm assuming that -o > > and -a would also apply there. > > jmc@ pointed out that usage should be updated. I also tried to test the > -i flag, but it appears that -e will only export public keys (even if > given a file containing a private key), and -i only writes private keys > using the PEM_write_*PrivateKey LibreSSL functions, which I don't think > handle the new format. > > I checked -A and that also respects -o, so I documented that. I'm > not sure how much it matters as the host keys -A generates are not > password protected, but maybe there are other reasons to use the > newer format. > > I think the documentation for -e should be updated to specify it only > exports public keys (assuming I'm reading the code correctly), or > ssh-keygen should be updated to write private keys for the RFC4716 > format if the input file is a private key (since that's what the > documentation currently implies). But that should probably be a > separate commit. > > I also noticed that the -f flag with -A was documented in ssh-keygen(1) > but not in usage, so I updated usage to match ssh-keygen(1). > > OKs for the diff below? > > Thanks, > Jeremy > ok by me, but please wait for a ssh dev to respond. this is one of the worst synopses we have, to be honest. jmc > Index: ssh-keygen.1 > === > RCS file: /cvs/src/usr.bin/ssh/ssh-keygen.1,v > retrieving revision 1.147 > diff -u -p -r1.147 ssh-keygen.1 > --- ssh-keygen.1 12 Mar 2018 00:52:01 - 1.147 > +++ ssh-keygen.1 4 Aug 2018 08:04:18 - 
> @@ -44,7 +44,8 @@ > .Sh SYNOPSIS > .Bk -words > .Nm ssh-keygen > -.Op Fl q > +.Op Fl oq > +.Op Fl a Ar rounds > .Op Fl b Ar bits > .Op Fl t Cm dsa | ecdsa | ed25519 | rsa > .Op Fl N Ar new_passphrase > @@ -52,6 +53,8 @@ > .Op Fl f Ar output_keyfile > .Nm ssh-keygen > .Fl p > +.Op Fl o > +.Op Fl a Ar rounds > .Op Fl P Ar old_passphrase > .Op Fl N Ar new_passphrase > .Op Fl f Ar keyfile > @@ -126,6 +129,8 @@ > .Op Fl f Ar input_keyfile > .Nm ssh-keygen > .Fl A > +.Op Fl o > +.Op Fl a Ar rounds > .Op Fl f Ar prefix_path > .Nm ssh-keygen > .Fl k > Index: ssh-keygen.c > === > RCS file: /cvs/src/usr.bin/ssh/ssh-keygen.c,v > retrieving revision 1.318 > diff -u -p -r1.318 ssh-keygen.c > --- ssh-keygen.c 9 Jul 2018 21:59:10 - 1.318 > +++ ssh-keygen.c 4 Aug 2018 08:04:18 - > @@ -2282,9 +2282,10 @@ static void > usage(void) > { > fprintf(stderr, > - "usage: ssh-keygen [-q] [-b bits] [-t dsa | ecdsa | ed25519 | > rsa]\n" > + "usage: ssh-keygen [-oq] [-a rounds] [-b bits] [-t dsa | ecdsa | > ed25519 | rsa]\n" > " [-N new_passphrase] [-C comment] [-f > output_keyfile]\n" > - " ssh-keygen -p [-P old_passphrase] [-N new_passphrase] [-f > keyfile]\n" > + " ssh-keygen -p [-o] [-a rounds] [-P old_passphrase] [-N > new_passphrase]\n" > + " [-f keyfile]\n" > " ssh-keygen -i [-m key_format] [-f input_keyfile]\n" > " ssh-keygen -e [-m key_format] [-f input_keyfile]\n" > " ssh-keygen -y [-f input_keyfile]\n" > @@ -2309,7 +2310,7 @@ usage(void) > " [-D pkcs11_provider] [-n principals] [-O > option]\n" > " [-V validity_interval] [-z serial_number] file > ...\n" > " ssh-keygen -L [-f input_keyfile]\n" > - " ssh-keygen -A\n" > + " ssh-keygen -A [-o] [-a rounds] [-f prefix_path]\n" > " ssh-keygen -k -f krl_file [-u] [-s ca_public] [-z > version_number]\n" > " file ...\n" > " ssh-keygen -Q -f krl_file file ...\n"); >
Re: Show -o and -a in ssh-keygen(1) synopsis
On 08/03 09:28, Jeremy Evans wrote: > The ssh-keygen -o flag wasn't listed in the synopsis, and -a was only > listed with -T (where it specifies the number of primality tests), not > for specifying the number of KDF rounds of new-format private key files. > > I only tested creating a new private key and conversion of existing > keys with -p. I didn't test usage with -i, but I'm assuming that -o > and -a would also apply there. jmc@ pointed out that usage should be updated. I also tried to test the -i flag, but it appears that -e will only export public keys (even if given a file containing a private key), and -i only writes private keys using the PEM_write_*PrivateKey LibreSSL functions, which I don't think handle the new format. I checked -A and that also respects -o, so I documented that. I'm not sure how much it matters as the host keys -A generates are not password protected, but maybe there are other reasons to use the newer format. I think the documentation for -e should be updated to specify it only exports public keys (assuming I'm reading the code correctly), or ssh-keygen should be updated to write private keys for the RFC4716 format if the input file is a private key (since that's what the documentation currently implies). But that should probably be a separate commit. I also noticed that the -f flag with -A was documented in ssh-keygen(1) but not in usage, so I updated usage to match ssh-keygen(1). OKs for the diff below? Thanks, Jeremy Index: ssh-keygen.1 === RCS file: /cvs/src/usr.bin/ssh/ssh-keygen.1,v retrieving revision 1.147 diff -u -p -r1.147 ssh-keygen.1 --- ssh-keygen.112 Mar 2018 00:52:01 - 1.147 +++ ssh-keygen.14 Aug 2018 08:04:18 - @@ -44,7 +44,8 @@ .Sh SYNOPSIS .Bk -words .Nm ssh-keygen -.Op Fl q +.Op Fl oq +.Op Fl a Ar rounds .Op Fl b Ar bits .Op Fl t Cm dsa | ecdsa | ed25519 | rsa .Op Fl N Ar new_passphrase 
@@ -52,6 +53,8 @@ .Op Fl f Ar output_keyfile .Nm ssh-keygen .Fl p +.Op Fl o +.Op Fl a Ar rounds .Op Fl P Ar old_passphrase .Op Fl N Ar new_passphrase .Op Fl f Ar keyfile @@ -126,6 +129,8 @@ .Op Fl f Ar input_keyfile .Nm ssh-keygen .Fl A +.Op Fl o +.Op Fl a Ar rounds .Op Fl f Ar prefix_path .Nm ssh-keygen .Fl k Index: ssh-keygen.c === RCS file: /cvs/src/usr.bin/ssh/ssh-keygen.c,v retrieving revision 1.318 diff -u -p -r1.318 ssh-keygen.c --- ssh-keygen.c9 Jul 2018 21:59:10 - 1.318 +++ ssh-keygen.c4 Aug 2018 08:04:18 - @@ -2282,9 +2282,10 @@ static void usage(void) { fprintf(stderr, - "usage: ssh-keygen [-q] [-b bits] [-t dsa | ecdsa | ed25519 | rsa]\n" + "usage: ssh-keygen [-oq] [-a rounds] [-b bits] [-t dsa | ecdsa | ed25519 | rsa]\n" " [-N new_passphrase] [-C comment] [-f output_keyfile]\n" - " ssh-keygen -p [-P old_passphrase] [-N new_passphrase] [-f keyfile]\n" + " ssh-keygen -p [-o] [-a rounds] [-P old_passphrase] [-N new_passphrase]\n" + " [-f keyfile]\n" " ssh-keygen -i [-m key_format] [-f input_keyfile]\n" " ssh-keygen -e [-m key_format] [-f input_keyfile]\n" " ssh-keygen -y [-f input_keyfile]\n" @@ -2309,7 +2310,7 @@ usage(void) " [-D pkcs11_provider] [-n principals] [-O option]\n" " [-V validity_interval] [-z serial_number] file ...\n" " ssh-keygen -L [-f input_keyfile]\n" - " ssh-keygen -A\n" + " ssh-keygen -A [-o] [-a rounds] [-f prefix_path]\n" " ssh-keygen -k -f krl_file [-u] [-s ca_public] [-z version_number]\n" " file ...\n" " ssh-keygen -Q -f krl_file file ...\n");
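Review bot: the ssh-keygen.1 @@ -126,6 hunk (and the matching `" ssh-keygen -A [-o] [-a rounds] [-f prefix_path]\n"` line in the ssh-keygen.c @@ -2309,7 hunk) documents -a rounds for -A, but the cover message itself notes the host keys -A writes are not passphrase protected, and the bcrypt rounds -a sets are only used to derive the encryption key from a passphrase, so -a has no effect in that mode. Documenting -o and -f for -A is fine; listing `[-a rounds]` there suggests a protection -A never applies, so consider dropping `.Op Fl a Ar rounds` from the -A synopsis or saying in the -a description that it only matters for passphrase-protected keys.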
Re: Show -o and -a in ssh-keygen(1) synopsis
On Fri, Aug 03, 2018 at 09:28:52PM -0700, Jeremy Evans wrote: > The ssh-keygen -o flag wasn't listed in the synopsis, and -a was only > listed with -T (where it specifies the number of primality tests), not > for specifying the number of KDF rounds of new-format private key files. > > I only tested creating a new private key and conversion of existing > keys with -p. I didn't test usage with -i, but I'm assuming that -o > and -a would also apply there. > > OK? > > Thanks, > Jeremy > morning. remember to update usage() too. jmc > Index: ssh-keygen.1 > === > RCS file: /cvs/src/usr.bin/ssh/ssh-keygen.1,v > retrieving revision 1.147 > diff -u -p -r1.147 ssh-keygen.1 > --- ssh-keygen.1 12 Mar 2018 00:52:01 - 1.147 > +++ ssh-keygen.1 4 Aug 2018 04:20:08 - > @@ -44,7 +44,8 @@ > .Sh SYNOPSIS > .Bk -words > .Nm ssh-keygen > -.Op Fl q > +.Op Fl oq > +.Op Fl a Ar rounds > .Op Fl b Ar bits > .Op Fl t Cm dsa | ecdsa | ed25519 | rsa > .Op Fl N Ar new_passphrase > @@ -52,11 +53,15 @@ > .Op Fl f Ar output_keyfile > .Nm ssh-keygen > .Fl p > +.Op Fl o > +.Op Fl a Ar rounds > .Op Fl P Ar old_passphrase > .Op Fl N Ar new_passphrase > .Op Fl f Ar keyfile > .Nm ssh-keygen > .Fl i > +.Op Fl o > +.Op Fl a Ar rounds > .Op Fl m Ar key_format > .Op Fl f Ar input_keyfile > .Nm ssh-keygen >
Show -o and -a in ssh-keygen(1) synopsis
The ssh-keygen -o flag wasn't listed in the synopsis, and -a was only listed with -T (where it specifies the number of primality tests), not for specifying the number of KDF rounds of new-format private key files. I only tested creating a new private key and conversion of existing keys with -p. I didn't test usage with -i, but I'm assuming that -o and -a would also apply there. OK? Thanks, Jeremy Index: ssh-keygen.1 === RCS file: /cvs/src/usr.bin/ssh/ssh-keygen.1,v retrieving revision 1.147 diff -u -p -r1.147 ssh-keygen.1 --- ssh-keygen.112 Mar 2018 00:52:01 - 1.147 +++ ssh-keygen.14 Aug 2018 04:20:08 - @@ -44,7 +44,8 @@ .Sh SYNOPSIS .Bk -words .Nm ssh-keygen -.Op Fl q +.Op Fl oq +.Op Fl a Ar rounds .Op Fl b Ar bits .Op Fl t Cm dsa | ecdsa | ed25519 | rsa .Op Fl N Ar new_passphrase @@ -52,11 +53,15 @@ .Op Fl f Ar output_keyfile .Nm ssh-keygen .Fl p +.Op Fl o +.Op Fl a Ar rounds .Op Fl P Ar old_passphrase .Op Fl N Ar new_passphrase .Op Fl f Ar keyfile .Nm ssh-keygen .Fl i +.Op Fl o +.Op Fl a Ar rounds .Op Fl m Ar key_format .Op Fl f Ar input_keyfile .Nm ssh-keygen
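Review bot: the @@ -44,7 hunk changes the generate synopsis in ssh-keygen.1 only; the usage() string in ssh-keygen.c prints the same first line (`usage: ssh-keygen [-q] [-b bits] [-t dsa | ecdsa | ed25519 | rsa]`) and is not touched by this diff, so the manual and the program's own usage output will disagree until usage() gets the matching `[-oq] [-a rounds]` additions.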
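Review bot: the @@ -52,11 hunk adds `.Op Fl o` and `.Op Fl a Ar rounds` to the -i (import) synopsis, but the cover message says -i was not tested and the flags are only assumed to apply there; -i converts a foreign key into an OpenSSH private key, and the follow-up in this thread reports it writes via the PEM_write_*PrivateKey functions, which would not produce the new format, so the synopsis should not claim -o and -a for -i until the code path is confirmed to honour them.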