On Sat, Aug 04, 2018 at 01:15:14AM -0700, Jeremy Evans wrote:
> On 08/03 09:28, Jeremy Evans wrote:
> > The ssh-keygen -o flag wasn't listed in the synopsis, and -a was only
> > listed with -T (where it specifies the number of primality tests), not
> > for specifying the number of KDF rounds of new-format private key files.
> >
> > I only tested creating a new private key and conversion of existing
> > keys with -p. I didn't test usage with -i, but I'm assuming that -o
> > and -a would also apply there.
>
> jmc@ pointed out that usage should be updated. I also tried to test the
> -i flag, but it appears that -e will only export public keys (even if
> given a file containing a private key), and -i only writes private keys
> using the PEM_write_*PrivateKey LibreSSL functions, which I don't think
> handle the new format.
>
> I checked -A and that also respects -o, so I documented that. I'm
> not sure how much it matters as the host keys -A generates are not
> password protected, but maybe there are other reasons to use the
> newer format.
>
> I think the documentation for -e should be updated to specify it only
> exports public keys (assuming I'm reading the code correctly), or
> ssh-keygen should be updated to write private keys for the RFC4716
> format if the input file is a private key (since that's what the
> documentation currently implies). But that should probably be a
> separate commit.
>
> I also noticed that the -f flag with -A was documented in ssh-keygen(1)
> but not in usage, so I updated usage to match ssh-keygen(1).
>
> OKs for the diff below?
>
> Thanks,
> Jeremy
>
ok by me, but please wait for a ssh dev to respond. this is one of the worst synopses we have, to be honest. jmc > Index: ssh-keygen.1 > =================================================================== > RCS file: /cvs/src/usr.bin/ssh/ssh-keygen.1,v > retrieving revision 1.147 > diff -u -p -r1.147 ssh-keygen.1 > --- ssh-keygen.1 12 Mar 2018 00:52:01 -0000 1.147 > +++ ssh-keygen.1 4 Aug 2018 08:04:18 -0000 > @@ -44,7 +44,8 @@ > .Sh SYNOPSIS > .Bk -words > .Nm ssh-keygen > -.Op Fl q > +.Op Fl oq > +.Op Fl a Ar rounds > .Op Fl b Ar bits > .Op Fl t Cm dsa | ecdsa | ed25519 | rsa > .Op Fl N Ar new_passphrase > @@ -52,6 +53,8 @@ > .Op Fl f Ar output_keyfile > .Nm ssh-keygen > .Fl p > +.Op Fl o > +.Op Fl a Ar rounds > .Op Fl P Ar old_passphrase > .Op Fl N Ar new_passphrase > .Op Fl f Ar keyfile > @@ -126,6 +129,8 @@ > .Op Fl f Ar input_keyfile > .Nm ssh-keygen > .Fl A > +.Op Fl o > +.Op Fl a Ar rounds > .Op Fl f Ar prefix_path > .Nm ssh-keygen > .Fl k > Index: ssh-keygen.c > =================================================================== > RCS file: /cvs/src/usr.bin/ssh/ssh-keygen.c,v > retrieving revision 1.318 > diff -u -p -r1.318 ssh-keygen.c > --- ssh-keygen.c 9 Jul 2018 21:59:10 -0000 1.318 > +++ ssh-keygen.c 4 Aug 2018 08:04:18 -0000 > @@ -2282,9 +2282,10 @@ static void > usage(void) > { > fprintf(stderr, > - "usage: ssh-keygen [-q] [-b bits] [-t dsa | ecdsa | ed25519 | > rsa]\n" > + "usage: ssh-keygen [-oq] [-a rounds] [-b bits] [-t dsa | ecdsa | > ed25519 | rsa]\n" > " [-N new_passphrase] [-C comment] [-f > output_keyfile]\n" > - " ssh-keygen -p [-P old_passphrase] [-N new_passphrase] [-f > keyfile]\n" > + " ssh-keygen -p [-o] [-a rounds] [-P old_passphrase] [-N > new_passphrase]\n" > + " [-f keyfile]\n" > " ssh-keygen -i [-m key_format] [-f input_keyfile]\n" > " ssh-keygen -e [-m key_format] [-f input_keyfile]\n" > " ssh-keygen -y [-f input_keyfile]\n" 
> @@ -2309,7 +2310,7 @@ usage(void) > " [-D pkcs11_provider] [-n principals] [-O > option]\n" > " [-V validity_interval] [-z serial_number] file > ...\n" > " ssh-keygen -L [-f input_keyfile]\n" > - " ssh-keygen -A\n" > + " ssh-keygen -A [-o] [-a rounds] [-f prefix_path]\n" > " ssh-keygen -k -f krl_file [-u] [-s ca_public] [-z > version_number]\n" > " file ...\n" > " ssh-keygen -Q -f krl_file file ...\n"); >
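Review bot: the -A entries (the `@@ -126,6 +129,8 @@` hunk of ssh-keygen.1 and the `ssh-keygen -A` line in the second usage() hunk) advertise `[-a rounds]`, but the message only reports checking that -A respects -o, and it notes that the host keys -A generates are not password protected. Since the message describes -a as the number of KDF rounds for new-format private key files, please confirm that -a changes anything for keys written without a passphrase. If it does not, document only `[-o]` and `[-f prefix_path]` for -A so the synopsis does not suggest a hardening knob that has no effect there.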
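Review bot: in the usage() hunks of ssh-keygen.c as they appear in this reply, several string literals are split across quoted lines, for example `[-t dsa | ecdsa | ed25519 |` followed by `rsa]\n"` and `[-N` followed by `new_passphrase]\n"`, on both removed and added lines. A hunk wrapped like this will not apply with patch(1). If the original mail was wrapped the same way rather than only this quoted copy, please resend the diff with line wrapping disabled, and check that the new first usage line still fits in 80 columns once the tab and quotes in the source are counted.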