From 922b541329285cede860607c877f72663f3d2a9f Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Fri, 5 Mar 2010 21:30:54 +1100 Subject: [PATCH] - jmc@cvs.openbsd.org 2010/03/05 08:31:20 [ssh.1] document certificate authentication; help/ok djm --- ChangeLog | 3 +++ ssh.1 | 18 +++++++++++++++--- 2 files changed, 18 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 99ec97956..5e1bb231b 100644 --- a/ChangeLog +++ b/ChangeLog @@ -26,6 +26,9 @@ - jmc@cvs.openbsd.org 2010/03/05 06:50:35 [ssh.1 sshd.8] tweak previous; + - jmc@cvs.openbsd.org 2010/03/05 08:31:20 + [ssh.1] + document certificate authentication; help/ok djm - (tim) [ssh-pkcs11.c] Fix "non-constant initializer" errors in older compilers. OK djm@ - (djm) [ssh-rand-helper.c] declare optind, avoiding compilation failure diff --git a/ssh.1 b/ssh.1 index fd713e3b4..c1a408348 100644 --- a/ssh.1 +++ b/ssh.1 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.300 2010/03/05 06:50:34 jmc Exp $ +.\" $OpenBSD: ssh.1,v 1.301 2010/03/05 08:31:20 jmc Exp $ .Dd $Mdocdate: March 5 2010 $ .Dt SSH 1 .Os @@ -798,8 +798,20 @@ file, and has one key per line, though the lines can be very long. After this, the user can log in without giving the password. .Pp -The most convenient way to use public key authentication may be with an -authentication agent. +A variation on public key authentication +is available in the form of certificate authentication: +instead of a set of public/private keys, +signed certificates are used. +This has the advantage that a single trusted certification authority +can be used in place of many public/private keys. +See the +.Sx CERTIFICATES +section of +.Xr ssh-keygen 1 +for more information. +.Pp +The most convenient way to use public key or certificate authentication +may be with an authentication agent. See .Xr ssh-agent 1 for more information.