[Bug 3028] New: Discrepancy with URL man pages.

bugzilla-daemon at bugzilla.mindrot.org
Tue Jul 2 04:56:58 AEST 2019


https://bugzilla.mindrot.org/show_bug.cgi?id=3028

            Bug ID: 3028
           Summary: Discrepancy with URL man pages.
           Product: Portable OpenSSH
           Version: 7.4p1
          Hardware: ix86
                OS: Linux
            Status: NEW
          Severity: trivial
          Priority: P5
         Component: ssh-keygen
          Assignee: unassigned-bugs at mindrot.org
          Reporter: donald.p.richards1 at aexp.com

For the man pages under the URL, https://man.openbsd.org/ssh-keygen,
the option -U states:

-U    When used in combination with -s, this option indicates that a CA
key resides in a ssh-agent(1). See the CERTIFICATES section for more
information.

Under the CERTIFICATES section,
https://man.openbsd.org/ssh-keygen#CERTIFICATES, it states:

Similarly, it is possible for the CA key to be hosted in a
ssh-agent(1). This is indicated by the -U flag and, again, the CA key
must be identified by its public half.

$ ssh-keygen -Us ca_key.pub -I key_id user_key.pub

In all cases, key_id is a "key identifier" that is logged by the server
when the certificate is used for authentication.

I have a use case in which having a Certificate Authority's private
key loaded in the ssh-agent would be very beneficial (i.e. not having
the private key unsecured), and then using it to sign ssh host
certificates using

    "ssh-keygen -Us ca_key.pub -h -I key_id host_key.pub"

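The workflow described in the report (CA private key held in ssh-agent, host key signed with `-Us ... -h`), written out as an added example that is not part of the original bug report or of the OpenSSH documentation. The key names, key comments, agent socket path and the key_id `demo-host-01` are constructed, and it assumes an ssh-keygen build that accepts `-U`.

```bash
#!/usr/bin/env bash
# Added example: host certificate signed by a CA key held only in ssh-agent.
# Key names, comments and the key_id are constructed for the demo.

# Usage: sign_host_cert_via_agent WORKDIR KEY_ID
# Prints the "Signing CA" fingerprint read back from the new certificate.
# Returns 1 on setup failure, 2 if signing via the agent fails,
# 3 if the certificate does not name the expected CA.
sign_host_cert_via_agent() {
    local dir=$1 key_id=$2 rc=0 ca_fp cert_fp
    # Throwaway agent on its own socket; killed before returning.
    eval "$(ssh-agent -s -a "$dir/agent.sock")" >/dev/null || return 1

    ssh-keygen -q -t ed25519 -N '' -C demo-ca -f "$dir/ca_key" || rc=1
    ssh-keygen -q -t ed25519 -N '' -C demo-host -f "$dir/host_key" || rc=1
    if [ "$rc" -eq 0 ]; then
        # Load the CA private key, then delete the on-disk copy: from here
        # on the CA is identified only by its public half (ca_key.pub).
        ssh-add "$dir/ca_key" >/dev/null 2>&1 && rm -f "$dir/ca_key" || rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        # -U: CA key is in the agent; -s names its public half; -h: host cert.
        ssh-keygen -q -Us "$dir/ca_key.pub" -h -I "$key_id" \
            "$dir/host_key.pub" 2>/dev/null || rc=2
    fi
    if [ "$rc" -eq 0 ]; then
        # Check that the certificate was signed by the CA we loaded.
        ca_fp=$(ssh-keygen -l -f "$dir/ca_key.pub" | awk '{print $2}')
        cert_fp=$(ssh-keygen -L -f "$dir/host_key-cert.pub" |
                  awk '/Signing CA:/ {print $4}')
        if [ -n "$ca_fp" ] && [ "$ca_fp" = "$cert_fp" ]; then
            echo "$cert_fp"
        else
            rc=3
        fi
    fi
    eval "$(ssh-agent -s -k)" >/dev/null 2>&1
    return "$rc"
}

# Run the demo only when the script is executed with the argument "demo".
if [ "${1:-}" = demo ]; then
    work=$(mktemp -d) && sign_host_cert_via_agent "$work" demo-host-01
    rm -rf "$work"
fi
```

A return code of 2 means the signing step through the agent failed; running `ssh -V` shows which OpenSSH version the local ssh-keygen belongs to.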