On 08/03 09:28, Jeremy Evans wrote:
> The ssh-keygen -o flag wasn't listed in the synopsis, and -a was only
> listed with -T (where it specifies the number of primality tests), not
> for specifying the number of KDF rounds of new-format private key files.
> 
> I only tested creating a new private key and conversion of existing
> keys with -p. I didn't test usage with -i, but I'm assuming that -o
> and -a would also apply there.

jmc@ pointed out that usage should be updated.  I also tried to test the
-i flag, but it appears that -e will only export public keys (even if
given a file containing a private key), and -i only writes private keys
using the PEM_write_*PrivateKey LibreSSL functions, which I don't think
handle the new format.

I checked -A and that also respects -o, so I documented that.  I'm
not sure how much it matters as the host keys -A generates are not
password protected, but maybe there are other reasons to use the
newer format.

I think the documentation for -e should be updated to specify it only
exports public keys (assuming I'm reading the code correctly), or
ssh-keygen should be updated to write private keys for the RFC4716
format if the input file is a private key (since that's what the
documentation currently implies).  But that should probably be a
separate commit.

I also noticed that the -f flag with -A was documented in ssh-keygen(1)
but not in usage, so I updated usage to match ssh-keygen(1).

OKs for the diff below?

Thanks,
Jeremy

Index: ssh-keygen.1
===================================================================
RCS file: /cvs/src/usr.bin/ssh/ssh-keygen.1,v
retrieving revision 1.147
diff -u -p -r1.147 ssh-keygen.1
--- ssh-keygen.1        12 Mar 2018 00:52:01 -0000      1.147
+++ ssh-keygen.1        4 Aug 2018 08:04:18 -0000
@@ -44,7 +44,8 @@
 .Sh SYNOPSIS
 .Bk -words
 .Nm ssh-keygen
-.Op Fl q
+.Op Fl oq 
+.Op Fl a Ar rounds
 .Op Fl b Ar bits
 .Op Fl t Cm dsa | ecdsa | ed25519 | rsa
 .Op Fl N Ar new_passphrase
@@ -52,6 +53,8 @@
 .Op Fl f Ar output_keyfile
 .Nm ssh-keygen
 .Fl p
+.Op Fl o
+.Op Fl a Ar rounds
 .Op Fl P Ar old_passphrase
 .Op Fl N Ar new_passphrase
 .Op Fl f Ar keyfile
@@ -126,6 +129,8 @@
 .Op Fl f Ar input_keyfile
 .Nm ssh-keygen
 .Fl A
+.Op Fl o 
+.Op Fl a Ar rounds
 .Op Fl f Ar prefix_path
 .Nm ssh-keygen
 .Fl k
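Review bot: `+.Op Fl o ` has a trailing space here as well; drop it. Otherwise the -A synopsis now lists `-o`, `-a rounds` and `-f prefix_path` in the same order as the new usage() line for -A in the ssh-keygen.c hunk, which is what the mail says was intended.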
Index: ssh-keygen.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/ssh-keygen.c,v
retrieving revision 1.318
diff -u -p -r1.318 ssh-keygen.c
--- ssh-keygen.c        9 Jul 2018 21:59:10 -0000       1.318
+++ ssh-keygen.c        4 Aug 2018 08:04:18 -0000
@@ -2282,9 +2282,10 @@ static void
 usage(void)
 {
        fprintf(stderr,
-           "usage: ssh-keygen [-q] [-b bits] [-t dsa | ecdsa | ed25519 | 
rsa]\n"
+           "usage: ssh-keygen [-oq] [-a rounds] [-b bits] [-t dsa | ecdsa | 
ed25519 | rsa]\n"
            "                  [-N new_passphrase] [-C comment] [-f 
output_keyfile]\n"
-           "       ssh-keygen -p [-P old_passphrase] [-N new_passphrase] [-f 
keyfile]\n"
+           "       ssh-keygen -p [-o] [-a rounds] [-P old_passphrase] [-N 
new_passphrase]\n"
+           "                  [-f keyfile]\n"
            "       ssh-keygen -i [-m key_format] [-f input_keyfile]\n"
            "       ssh-keygen -e [-m key_format] [-f input_keyfile]\n"
            "       ssh-keygen -y [-f input_keyfile]\n"
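Review bot: the hunk as quoted has been line-wrapped by the mailer (the first literal breaks after `| ` and continues on `rsa]\n"`, and the next after `[-f ` continues on `output_keyfile]\n"`), so it will neither apply nor compile as pasted; make sure the diff that is committed keeps each string literal on one line. With `[-oq] [-a rounds]` added, that first usage line is also noticeably wider in the source than the lines around it; consider splitting it the way the -p line was split onto a separate `[-f keyfile]` line.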
@@ -2309,7 +2310,7 @@ usage(void)
            "                  [-D pkcs11_provider] [-n principals] [-O 
option]\n"
            "                  [-V validity_interval] [-z serial_number] file 
...\n"
            "       ssh-keygen -L [-f input_keyfile]\n"
-           "       ssh-keygen -A\n"
+           "       ssh-keygen -A [-o] [-a rounds] [-f prefix_path]\n"
            "       ssh-keygen -k -f krl_file [-u] [-s ca_public] [-z 
version_number]\n"
            "                  file ...\n"
            "       ssh-keygen -Q -f krl_file file ...\n");

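The invocations that the patch adds to the synopsis can be checked end to end: create a key in the new format with an explicit KDF round count, and re-encrypt an existing legacy-format key with -p -o -a. The script below is an added example, not part of this thread or of OpenSSH; it assumes an ssh-keygen that accepts -o and -a (OpenSSH 6.5 or later; from 7.8 on the new format is the default and -o is accepted but has no effect) and it tells the two container formats apart by the first line of the private key file.

```sh
#!/bin/sh
# Added example, not part of the thread or of OpenSSH: exercises the
# ssh-keygen invocations the patch documents (-o/-a at key creation and
# with -p) and reports the resulting private-key container format.
# Assumes ssh-keygen accepts -o and -a (OpenSSH 6.5 or later; on 7.8+
# the new format is the default and -o is accepted as a no-op).
set -eu

# Classify a private key file by its first line: the new OpenSSH container
# versus a legacy PEM (PKCS#1 / SEC1) block.
key_format() {
    case "$(head -n 1 "$1")" in
        "-----BEGIN OPENSSH PRIVATE KEY-----") echo openssh ;;
        "-----BEGIN "*" PRIVATE KEY-----")     echo pem ;;
        *)                                     echo unknown ;;
    esac
}

# Create an unencrypted legacy-format RSA key to convert later.
# -m PEM selects the old container on 7.8+; older releases used it by default.
make_pem_key() {               # $1 = path
    rm -f "$1" "$1.pub"
    ssh-keygen -q -m PEM -t rsa -b 2048 -N '' -C 'constructed example' -f "$1"
    key_format "$1"
}

# Create a key directly in the new format with an explicit KDF round count
# (the -o / -a rounds pair the patch adds to the key-creation synopsis).
make_new_key() {               # $1 = path, $2 = rounds
    rm -f "$1" "$1.pub"
    ssh-keygen -q -o -a "$2" -t ed25519 -N '' -C 'constructed example' -f "$1"
    key_format "$1"
}

# Re-encrypt an existing key in place with -p, asking for the new format and
# a bcrypt-KDF round count (the options the patch adds to the -p synopsis).
convert_key() {                # $1 = path, $2 = old pass, $3 = new pass, $4 = rounds
    ssh-keygen -q -p -o -a "$4" -P "$2" -N "$3" -f "$1" >/dev/null
    key_format "$1"
}

# Optional walk-through: sh example.sh --demo
demo() {
    d=$(mktemp -d)
    echo "rsa, created with -m PEM:        $(make_pem_key "$d/id_rsa")"
    echo "rsa, after -p -o -a 64:          $(convert_key "$d/id_rsa" '' 'constructed passphrase' 64)"
    echo "ed25519, created with -o -a 100: $(make_new_key "$d/id_ed25519" 100)"
    rm -rf "$d"
}

if [ "${1-}" = "--demo" ]; then demo; fi
```

Running it with --demo prints "pem" for the freshly created RSA key and "openssh" after the -p conversion and for the ed25519 key, which is the behaviour the synopsis changes describe: -p is the path that moves an existing key into the new format, and -a only has meaning once that format is in use.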