On Sat, Aug 04, 2018 at 01:15:14AM -0700, Jeremy Evans wrote:
> On 08/03 09:28, Jeremy Evans wrote:
> > The ssh-keygen -o flag wasn't listed in the synopsis, and -a was only
> > listed with -T (where it specifies the number of primality tests), not
> > for specifying the number of KDF rounds of new-format private key files.
> >
> > I only tested creating a new private key and conversion of existing
> > keys with -p. I didn't test usage with -i, but I'm assuming that -o
> > and -a would also apply there.
>
> jmc@ pointed out that usage should be updated. I also tried to test the
> -i flag, but it appears that -e will only export public keys (even if
> given a file containing a private key), and -i only writes private keys
> using the PEM_write_*PrivateKey LibreSSL functions, which I don't think
> handle the new format.
>
> I checked -A and that also respects -o, so I documented that. I'm
> not sure how much it matters as the host keys -A generates are not
> password protected, but maybe there are other reasons to use the
> newer format.
>
> I think the documentation for -e should be updated to specify it only
> exports public keys (assuming I'm reading the code correctly), or
> ssh-keygen should be updated to write private keys for the RFC4716
> format if the input file is a private key (since that's what the
> documentation currently implies). But that should probably be a
> separate commit.
>
> I also noticed that the -f flag with -A was documented in ssh-keygen(1)
> but not in usage, so I updated usage to match ssh-keygen(1).
>
> OKs for the diff below?
>
> Thanks,
> Jeremy
>
ok by me, but please wait for an ssh dev to respond. this is one of the
worst synopses we have, to be honest.
jmc
> Index: ssh-keygen.1
> ===================================================================
> RCS file: /cvs/src/usr.bin/ssh/ssh-keygen.1,v
> retrieving revision 1.147
> diff -u -p -r1.147 ssh-keygen.1
> --- ssh-keygen.1 12 Mar 2018 00:52:01 -0000 1.147
> +++ ssh-keygen.1 4 Aug 2018 08:04:18 -0000
> @@ -44,7 +44,8 @@
> .Sh SYNOPSIS
> .Bk -words
> .Nm ssh-keygen
> -.Op Fl q
> +.Op Fl oq
> +.Op Fl a Ar rounds
> .Op Fl b Ar bits
> .Op Fl t Cm dsa | ecdsa | ed25519 | rsa
> .Op Fl N Ar new_passphrase
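Review bot: the hunk adds `.Op Fl a Ar rounds` to the key-generation form of the SYNOPSIS but touches nothing in the option list, and the cover note says -a was until now described only in its -T sense (number of primality tests); the `.It Fl a Ar rounds` entry should therefore also state that, when a new-format private key is written (-o, or -p/-A with -o), the value is the number of KDF rounds, otherwise the synopsis now shows -a in four forms while the description explains only one of them.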
> @@ -52,6 +53,8 @@
> .Op Fl f Ar output_keyfile
> .Nm ssh-keygen
> .Fl p
> +.Op Fl o
> +.Op Fl a Ar rounds
> .Op Fl P Ar old_passphrase
> .Op Fl N Ar new_passphrase
> .Op Fl f Ar keyfile
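Review bot: the -p form now advertises -o and -a, that is, re-encoding an existing key into the new format, which is what the cover note tested ("conversion of existing keys with -p"), but the patch does not update the -p or -o descriptions to say that the two combine; one sentence under `.It Fl p` (or `.It Fl o`) saying that `ssh-keygen -p -o` rewrites an existing key in the new format, and that -a only has an effect when a passphrase is set, would make this synopsis line self-explanatory.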
> @@ -126,6 +129,8 @@
> .Op Fl f Ar input_keyfile
> .Nm ssh-keygen
> .Fl A
> +.Op Fl o
> +.Op Fl a Ar rounds
> .Op Fl f Ar prefix_path
> .Nm ssh-keygen
> .Fl k
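Review bot: `.Op Fl a Ar rounds` in the -A form is doubtful: the cover note says the host keys -A writes are not passphrase protected, and the KDF round count set by -a is used only when deriving the encryption key from a passphrase, so on an unencrypted key the option has nothing to act on. Either keep only `.Op Fl o` here (that one does change the on-disk format, as the cover note verified) or state in the -a description that it has no effect without a passphrase.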
> Index: ssh-keygen.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/ssh/ssh-keygen.c,v
> retrieving revision 1.318
> diff -u -p -r1.318 ssh-keygen.c
> --- ssh-keygen.c 9 Jul 2018 21:59:10 -0000 1.318
> +++ ssh-keygen.c 4 Aug 2018 08:04:18 -0000
> @@ -2282,9 +2282,10 @@ static void
> usage(void)
> {
> fprintf(stderr,
> - "usage: ssh-keygen [-q] [-b bits] [-t dsa | ecdsa | ed25519 |
> rsa]\n"
> + "usage: ssh-keygen [-oq] [-a rounds] [-b bits] [-t dsa | ecdsa |
> ed25519 | rsa]\n"
> " [-N new_passphrase] [-C comment] [-f
> output_keyfile]\n"
> - " ssh-keygen -p [-P old_passphrase] [-N new_passphrase] [-f
> keyfile]\n"
> + " ssh-keygen -p [-o] [-a rounds] [-P old_passphrase] [-N
> new_passphrase]\n"
> + " [-f keyfile]\n"
> " ssh-keygen -i [-m key_format] [-f input_keyfile]\n"
> " ssh-keygen -e [-m key_format] [-f input_keyfile]\n"
> " ssh-keygen -y [-f input_keyfile]\n"
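Review bot: the mailer has wrapped the long string literals (the `rsa]\n"`, `ed25519 | rsa]\n"`, `output_keyfile]\n"` and `new_passphrase]\n"` continuations sit on their own lines with no `+`/space diff prefix), so the diff as quoted will not apply with patch(1); resend it as an attachment or with line wrapping disabled. Independently, the new first usage line, `"usage: ssh-keygen [-oq] [-a rounds] [-b bits] [-t dsa | ecdsa | ed25519 | rsa]\n"`, comes to roughly 93 columns in the source once the tab and four-space indent are counted, past the 80-column limit; split it across two lines as was done for the -p form, for instance by moving `[-t dsa | ecdsa | ed25519 | rsa]` to the continuation line.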
> @@ -2309,7 +2310,7 @@ usage(void)
> " [-D pkcs11_provider] [-n principals] [-O
> option]\n"
> " [-V validity_interval] [-z serial_number] file
> ...\n"
> " ssh-keygen -L [-f input_keyfile]\n"
> - " ssh-keygen -A\n"
> + " ssh-keygen -A [-o] [-a rounds] [-f prefix_path]\n"
> " ssh-keygen -k -f krl_file [-u] [-s ca_public] [-z
> version_number]\n"
> " file ...\n"
> " ssh-keygen -Q -f krl_file file ...\n");
>
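The thread turns on whether -o and -a actually took effect on a given key file, and the cover note points out that -A host keys carry no passphrase. The following is an added example, not code from OpenSSH or from the patch above: it parses only the cleartext header of the "openssh-key-v1" container that ssh-keygen writes with -o, reports the cipher, KDF name and bcrypt round count (the -a value) without needing the passphrase, and distinguishes that from a legacy PEM key written without -o. The sample keys it builds are constructed containers with dummy key material and are not usable keys; the field layout (magic, cipher name, KDF name, KDF options, key count, public key) is the published openssh-key-v1 layout.

```python
"""Inspect an OpenSSH private key file and report its on-disk format.

Added example for this thread, not OpenSSH code. It reads only the
unencrypted header of the "openssh-key-v1" container (what ssh-keygen
writes with -o), so it shows whether -o took effect and how many bcrypt
KDF rounds -a produced, without the passphrase. The sample keys built
below are constructed containers with dummy key bytes, not real keys.
"""
import base64
import struct
import sys

AUTH_MAGIC = b"openssh-key-v1\x00"
NEW_HEADER = "-----BEGIN OPENSSH PRIVATE KEY-----"
NEW_FOOTER = "-----END OPENSSH PRIVATE KEY-----"


def _ssh_string(buf: bytes, off: int):
    """Read one SSH 'string' (uint32 big-endian length + bytes) at off."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string field")
    return buf[off:off + n], off + n


def parse_openssh_v1(text: str) -> dict:
    """Parse the cleartext header of a new-format (openssh-key-v1) key."""
    lines = text.strip().splitlines()
    if lines[0] != NEW_HEADER or lines[-1] != NEW_FOOTER:
        raise ValueError("not an OPENSSH PRIVATE KEY block")
    blob = base64.b64decode("".join(lines[1:-1]))
    if not blob.startswith(AUTH_MAGIC):
        raise ValueError("bad magic")
    off = len(AUTH_MAGIC)
    cipher, off = _ssh_string(blob, off)
    kdf, off = _ssh_string(blob, off)
    kdfopts, off = _ssh_string(blob, off)
    (nkeys,) = struct.unpack_from(">I", blob, off)
    off += 4
    pubkey, off = _ssh_string(blob, off)
    key_type, _ = _ssh_string(pubkey, 0)
    rounds = None
    if kdf == b"bcrypt":
        # kdfoptions for bcrypt: string salt, then uint32 rounds (the -a value)
        _salt, o = _ssh_string(kdfopts, 0)
        (rounds,) = struct.unpack_from(">I", kdfopts, o)
    return {
        "format": "openssh-v1",
        "cipher": cipher.decode(),
        "kdf": kdf.decode(),
        "rounds": rounds,
        "nkeys": nkeys,
        "key_type": key_type.decode(),
        "encrypted": cipher != b"none",
    }


def describe_private_key(text: str) -> dict:
    """Classify a private key file: new OpenSSH format or legacy PEM."""
    first = text.strip().splitlines()[0]
    if first == NEW_HEADER:
        return parse_openssh_v1(text)
    if first.startswith("-----BEGIN ") and first.endswith(" PRIVATE KEY-----"):
        # Legacy PEM written without -o, e.g. "-----BEGIN RSA PRIVATE KEY-----"
        return {"format": "pem",
                "key_type": first[len("-----BEGIN "):-len(" PRIVATE KEY-----")]}
    raise ValueError("not a private key file")


def build_sample_key(cipher: bytes, kdf: bytes, rounds=None) -> str:
    """Constructed sample: an openssh-key-v1 container with dummy key bytes.

    Only the header is meaningful; the private section is zero filler, so
    this is not a usable key. With kdf b"bcrypt" it mimics the header that
    `ssh-keygen -o -a <rounds>` writes; with cipher and kdf both b"none" it
    mimics an unencrypted key such as the host keys written by -A.
    """
    def s(b: bytes) -> bytes:
        return struct.pack(">I", len(b)) + b

    kdfopts = s(b"\x00" * 16) + struct.pack(">I", rounds) if kdf == b"bcrypt" else b""
    pubkey = s(b"ssh-ed25519") + s(b"\x11" * 32)   # dummy public key blob
    private = b"\x00" * 64                          # filler, block-size aligned
    blob = (AUTH_MAGIC + s(cipher) + s(kdf) + s(kdfopts)
            + struct.pack(">I", 1) + s(pubkey) + s(private))
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"{NEW_HEADER}\n{body}\n{NEW_FOOTER}\n"


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as f:
            print(describe_private_key(f.read()))
    else:
        print(describe_private_key(build_sample_key(b"aes256-ctr", b"bcrypt", 100)))
        print(describe_private_key(build_sample_key(b"none", b"none")))
```

Run it on a real file (`python3 keyinfo.py ~/.ssh/id_rsa`) after `ssh-keygen -o -a 100 -t rsa -f key` or after re-encoding with `ssh-keygen -p -o -a 100 -f key`, the two paths the cover note tested; a key produced without -o comes back as format "pem". An unencrypted key reports cipher and kdf "none" and no round count, which is why -a has nothing to act on for passphrase-less host keys.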