- jakob@cvs.openbsd.org 2004/08/12 21:41:13

     [ssh-keygen.1 ssh.1]
     improve SSHFP documentation; ok deraadt@

diff --git a/ChangeLog b/ChangeLog
index 131bfc864a345eeddbe78e385083626f4510b357..2a90eac1479358ec990838d65dfd0ab5abd23f2e 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -12,6 +12,9 @@
    - djm@cvs.openbsd.org 2004/08/12 09:18:24
      [sshlogin.c]
      typo in error message, spotted by moritz AT jodeit.org (Id sync only)
    - djm@cvs.openbsd.org 2004/08/12 09:18:24
      [sshlogin.c]
      typo in error message, spotted by moritz AT jodeit.org (Id sync only)

+   - jakob@cvs.openbsd.org 2004/08/12 21:41:13
+     [ssh-keygen.1 ssh.1]
+     improve SSHFP documentation; ok deraadt@

 
 20040812
  - (dtucker) [sshd.c] Remove duplicate variable imported during sync.
 
 20040812
  - (dtucker) [sshd.c] Remove duplicate variable imported during sync.

diff --git a/ssh-keygen.1 b/ssh-keygen.1
index 6dd6154287aa7ab4caa3ed4d7c3fdfcfd39963ac..824b6e09c782ed7eb17ca5a1f5bfa5cf06a95f62 100644 (file)
--- a/ssh-keygen.1
+++ b/ssh-keygen.1
@@ -1,4 +1,4 @@
-.\"    $OpenBSD: ssh-keygen.1,v 1.61 2003/12/22 09:16:58 djm Exp $
+.\"    $OpenBSD: ssh-keygen.1,v 1.62 2004/08/12 21:41:13 jakob Exp $

 .\"
 .\"  -*- nroff -*-
 .\"
 .\"
 .\"  -*- nroff -*-
 .\"


@@ -192,7 +192,9 @@ to stdout.
 This option allows exporting keys for use by several commercial
 SSH implementations.
 .It Fl g
 This option allows exporting keys for use by several commercial
 SSH implementations.
 .It Fl g

-Use generic DNS resource record format.
+Use generic DNS format when printing fingerprint resource records using the
+.Fl r 
+command.

 .It Fl f Ar filename
 Specifies the filename of the key file.
 .It Fl i
 .It Fl f Ar filename
 Specifies the filename of the key file.
 .It Fl i


@@ -276,8 +278,9 @@ Multiple
 options increase the verbosity.
 The maximum is 3.
 .It Fl r Ar hostname
 options increase the verbosity.
 The maximum is 3.
 .It Fl r Ar hostname

-Print DNS resource record with the specified
-.Ar hostname .
+Print the SSHFP fingerprint resource record named
+.Ar hostname
+for the specified public key file.

 .El
 .Sh MODULI GENERATION
 .Nm
 .El
 .Sh MODULI GENERATION
 .Nm

diff --git a/ssh.1 b/ssh.1
index faaf20587c0f0c1c80645d65e19590ee4a6fbbc0..0ff77ea296f797c67c63c65078b9a11e9e6d4694 100644 (file)
--- a/ssh.1
+++ b/ssh.1
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"

-.\" $OpenBSD: ssh.1,v 1.193 2004/06/26 09:03:21 jmc Exp $
+.\" $OpenBSD: ssh.1,v 1.194 2004/08/12 21:41:13 jakob Exp $

 .Dd September 25, 1999
 .Dt SSH 1
 .Os
 .Dd September 25, 1999
 .Dt SSH 1
 .Os


@@ -400,6 +400,15 @@ The
 option can be used to prevent logins to machines whose
 host key is not known or has changed.
 .Pp
 option can be used to prevent logins to machines whose
 host key is not known or has changed.
 .Pp

+.Nm
+can be configured to verify host identification using fingerprint resource
+records (SSHFP) published in DNS.
+The
+.Cm VerifyHostKeyDNS
+option can be used to control how DNS lookups are performed.
+SSHFP resource records can be generated using
+.Xr ssh-keygen 1 .
+.Pp

 The options are as follows:
 .Bl -tag -width Ds
 .It Fl 1
 The options are as follows:
 .Bl -tag -width Ds
 .It Fl 1