- djm@cvs.openbsd.org 2004/08/12 09:18:24
[sshlogin.c]
typo in error message, spotted by moritz AT jodeit.org (Id sync only)
+ - jakob@cvs.openbsd.org 2004/08/12 21:41:13
+ [ssh-keygen.1 ssh.1]
+ improve SSHFP documentation; ok deraadt@
20040812
- (dtucker) [sshd.c] Remove duplicate variable imported during sync.
-.\" $OpenBSD: ssh-keygen.1,v 1.61 2003/12/22 09:16:58 djm Exp $
+.\" $OpenBSD: ssh-keygen.1,v 1.62 2004/08/12 21:41:13 jakob Exp $
.\"
.\" -*- nroff -*-
.\"
This option allows exporting keys for use by several commercial
SSH implementations.
.It Fl g
-Use generic DNS resource record format.
+Use generic DNS format when printing fingerprint resource records using the
+.Fl r
+command.
.It Fl f Ar filename
Specifies the filename of the key file.
.It Fl i
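Review bot: The new -g text calls -r a "command" ("using the .Fl r command"), while the same list documents it as an option (".It Fl r Ar hostname"). Suggest "option" for consistency. "Generic DNS format" on its own also does not tell the reader when to choose it over the default output; a short clause on that would help.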
options increase the verbosity.
The maximum is 3.
.It Fl r Ar hostname
-Print DNS resource record with the specified
-.Ar hostname .
+Print the SSHFP fingerprint resource record named
+.Ar hostname
+for the specified public key file.
.El
.Sh MODULI GENERATION
.Nm
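Review bot: The new -r description ends with "for the specified public key file" but does not say how that file is specified. The list already documents ".It Fl f Ar filename" as the key file, so a pointer to ".Fl f" in this entry would let the two options be read together. The wording "resource record named hostname" is also easy to misread as the record type being named; "for the host named hostname" or similar would be clearer.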
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: ssh.1,v 1.193 2004/06/26 09:03:21 jmc Exp $
+.\" $OpenBSD: ssh.1,v 1.194 2004/08/12 21:41:13 jakob Exp $
.Dd September 25, 1999
.Dt SSH 1
.Os
option can be used to prevent logins to machines whose
host key is not known or has changed.
.Pp
+.Nm
+can be configured to verify host identification using fingerprint resource
+records (SSHFP) published in DNS.
+The
+.Cm VerifyHostKeyDNS
+option can be used to control how DNS lookups are performed.
+SSHFP resource records can be generated using
+.Xr ssh-keygen 1 .
+.Pp
The options are as follows:
.Bl -tag -width Ds
.It Fl 1
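Review bot: In the added paragraph, "can be used to control how DNS lookups are performed" is vague for a setting that affects host key verification. The paragraph names ".Cm VerifyHostKeyDNS" but gives no ".Xr" to where the option is documented (only ".Xr ssh-keygen 1" is referenced), and it does not say how a matching or mismatching SSHFP record changes the host key check described in the sentence just above it. Suggest adding the cross-reference and one sentence on how much trust is placed in the DNS answer.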