[system-administrators-guide/22] Fix: use -n for principals

stephenw stephenw at fedoraproject.org
Tue Jun 9 20:21:46 UTC 2015


commit f48b2ebb78bfdc49066e2cf77301edd786633fe0
Author: Stephen Wadeley <swadeley at redhat.com>
Date:   Thu Jun 4 15:07:45 2015 +0200

    Fix: use -n for principals
    
    -Z is only for RHEL6

 en-US/OpenSSH.xml |   22 +++++++++++-----------
 1 files changed, 11 insertions(+), 11 deletions(-)
---
diff --git a/en-US/OpenSSH.xml b/en-US/OpenSSH.xml
index 518d641..9f218f5 100644
--- a/en-US/OpenSSH.xml
+++ b/en-US/OpenSSH.xml
@@ -978,12 +978,12 @@ dr-xr-x---. 3 root root 4096 May  8 08:34 ..
 <step>
 <para>
 Create the CA server's own host certificate by signing the server's host public key together with an identification string such as the host name, the CA server's <firstterm>fully qualified domain name</firstterm> (<acronym>FQDN</acronym>) but without the trailing <literal>.</literal>, and a validity period. The command takes the following form:
-<synopsis>ssh-keygen -s ~/.ssh/ca_host_key -I <replaceable>certificate_ID</replaceable> -h -Z <replaceable>host_name.example.com</replaceable> -V <replaceable>-start:+end</replaceable> /etc/ssh/ssh_host_rsa.pub</synopsis>
-The <option>-Z</option> option restricts this certificate to a specific host within the domain. The <option>-V</option> option is for adding a validity period; this is highly recommend. Where the validity period is intended to be one year, fifty two weeks, consider the need for time to change the certificates and any holiday periods around the time of certificate expiry.
+<synopsis>ssh-keygen -s ~/.ssh/ca_host_key -I <replaceable>certificate_ID</replaceable> -h -n <replaceable>host_name.example.com</replaceable> -V <replaceable>-start:+end</replaceable> /etc/ssh/ssh_host_rsa.pub</synopsis>
+The <option>-n</option> option restricts this certificate to a specific host within the domain. The <option>-V</option> option is for adding a validity period; this is highly recommend. Where the validity period is intended to be one year, fifty two weeks, consider the need for time to change the certificates and any holiday periods around the time of certificate expiry.
 </para>
 <para>
 For example:
-<screen>~]# <command>ssh-keygen -s ~/.ssh/ca_host_key -I host_name -h -Z host_name.example.com -V -1w:+54w5d /etc/ssh/ssh_host_rsa.pub</command>
+<screen>~]# <command>ssh-keygen -s ~/.ssh/ca_host_key -I host_name -h -n host_name.example.com -V -1w:+54w5d /etc/ssh/ssh_host_rsa.pub</command>
 Enter passphrase:
 Signed host key /root/.ssh/ssh_host_rsa-cert.pub: id "host_name" serial 0 for host_name.example.com valid from 2015-05-15T13:52:29 to 2016-06-08T13:52:29</screen>
 </para>
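Review bot: the rewritten prose on the `-n` line still carries the typo "this is highly recommend" (should be "highly recommended"), and it describes `-n` too narrowly as restricting the certificate "to a specific host within the domain". `-n` sets the certificate's principals, a comma-separated list of host names for which a connecting client will accept the certificate, so a host reached by more than one name (short name and FQDN) needs all of them listed; saying so here matters because the principals section later in this file states that a certificate signed without `-n` is valid for all hosts. Separately, the synopsis and example sign `/etc/ssh/ssh_host_rsa.pub`, while the hunk around line 1119 signs `ssh_host_rsa_key.pub`; sshd's default host key is `/etc/ssh/ssh_host_rsa_key`, so the first path looks like a typo for `/etc/ssh/ssh_host_rsa_key.pub`.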
@@ -1119,7 +1119,7 @@ ssh_host_rsa_key.pub                           100%  382     0.4KB/s   00:00</sc
 <step>
 <para>
   On the CA server, sign the host's public key. For example, as <systemitem class="username">root</systemitem>:
-  <screen>~]# <command>ssh-keygen -s ~/.ssh/ca_host_key -I host_name -h -Z host_name.example.com -V -1d:+54w /home/admin/keys/ssh_host_rsa_key.pub</command>
+  <screen>~]# <command>ssh-keygen -s ~/.ssh/ca_host_key -I host_name -h -n host_name.example.com -V -1d:+54w /home/admin/keys/ssh_host_rsa_key.pub</command>
 Enter passphrase:
 Signed host key /home/admin/keys/ssh_host_rsa_key-cert.pub: id "host_name" serial 0 for host_name.example.com valid from 2015-05-26T12:21:54 to 2016-06-08T12:21:54</screen>
   Where <replaceable>host_name</replaceable> is the host name of the system requiring the certificate.
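Review bot: the example uses `host_name` for `-I` and `host_name.example.com` for `-n`, and the sentence below then says `host_name` is "the host name of the system". Either use the FQDN in both places, or say explicitly that `-I` is only a label that appears in the server's logs (as the text at line 1300 already states) while `-n` is what the client matches against the name it connected to, so that readers do not assume the short name in `-I` has any effect on validation.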
@@ -1161,7 +1161,7 @@ Configure the host to present the certificate to a user's system when a user ini
 <title>Creating SSH Certificates for Authenticating Users</title>
 <para>
 To sign a user's certificate, use a command in the following format:
- <synopsis>ssh-keygen -s ca_user_key -I <replaceable>user_name</replaceable> -Z <replaceable>user_name</replaceable> -V <replaceable>-start:+end</replaceable> id_rsa.pub</synopsis>
+ <synopsis>ssh-keygen -s ca_user_key -I <replaceable>user_name</replaceable> -n <replaceable>user_name</replaceable> -V <replaceable>-start:+end</replaceable> id_rsa.pub</synopsis>
 The resulting certificate will be named <filename>id_rsa-cert.pub</filename>.
 </para>
 <para>
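Review bot: `-s ca_user_key` here has no path, while the host synopsis uses `~/.ssh/ca_host_key` and the example at line 1249 uses `~/.ssh/ca_user_key`; pick one form. It would also help to state that the principal given with `-n` must be the account name on the server that the user logs in as (or a name permitted through `AuthorizedPrincipalsFile`), since that is what sshd matches, not the user's local user name.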
@@ -1169,8 +1169,8 @@ The resulting certificate will be named <filename>id_rsa-cert.pub</filename>.
   <itemizedlist>
     <listitem>
       <para>
-     Add more user's names to the certificate during the signing process using the <option>-Z</option> option:
-     <synopsis>-Z "name1[,name2,...]"</synopsis>
+     Add more user's names to the certificate during the signing process using the <option>-n</option> option:
+     <synopsis>-n "name1[,name2,...]"</synopsis>
 </para>
 </listitem>
 <listitem>
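Review bot: "Add more user's names" should read "Add more user names". Since a certificate signed without `-n` is valid for every user, the note should also make clear that the comma-separated list given to `-n` is the complete set of accounts the certificate can log in as, not a set added on top of some default.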
@@ -1249,7 +1249,7 @@ If you have configured the client system to trust the host signing key as descri
 <step>
 <para>
   On the CA server, sign the user's public key. For example, as <systemitem class="username">root</systemitem>:
-  <screen>~]# <command>ssh-keygen -s ~/.ssh/ca_user_key -I user1 -Z user1 -V -1d:+54w /home/admin/keys/id_rsa.pub</command>
+  <screen>~]# <command>ssh-keygen -s ~/.ssh/ca_user_key -I user1 -n user1 -V -1d:+54w /home/admin/keys/id_rsa.pub</command>
 Enter passphrase:
 Signed user key /home/admin/keys/id_rsa-cert.pub: id "user1" serial 0 for host_name.example.com valid from 2015-05-21T16:43:17 to 2016-06-03T16:43:17</screen>
 </para>
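Review bot: the sample output `Signed user key ... for host_name.example.com` does not match the command above it, which sets the principal to `user1`; ssh-keygen reports the principals it signed after "for", so this line appears to have been copied from the host example and should read `for user1`.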
@@ -1300,11 +1300,11 @@ It is possible to sign a host key using a CA key stored in a PKCS#11 token by pr
         In all cases, <replaceable>certificate_ID</replaceable> is a <quote>key identifier</quote> that is logged by the server when the certificate is used for authentication.
       </para>
 <para>
-Certificates may be configured to be valid only for a set of users or host names, the principals. By default, generated certificates are valid for all users or hosts. To generate a certificate for a specified set of principals, use a comma separated list with the <option>-Z</option> option as follows:</para>
-<screen>ssh-keygen -s ca_user_key.pub -D libpkcs11.so -I <replaceable>certificate_ID</replaceable> -Z <replaceable>user1,user2</replaceable> id_rsa.pub</screen>
+Certificates may be configured to be valid only for a set of users or host names, the principals. By default, generated certificates are valid for all users or hosts. To generate a certificate for a specified set of principals, use a comma separated list with the <option>-n</option> option as follows:</para>
+<screen>ssh-keygen -s ca_user_key.pub -D libpkcs11.so -I <replaceable>certificate_ID</replaceable> -n <replaceable>user1,user2</replaceable> id_rsa.pub</screen>
 <para>
 and for hosts:
-<screen>ssh-keygen -s ca_host_key.pub -D libpkcs11.so -I <replaceable>certificate_ID</replaceable> -h -Z host.domain ssh_host_rsa_key.pub</screen>
+<screen>ssh-keygen -s ca_host_key.pub -D libpkcs11.so -I <replaceable>certificate_ID</replaceable> -h -n host.domain ssh_host_rsa_key.pub</screen>
 </para>
 <para>
      Additional limitations on the validity and use of user certificates may be specified through certificate options.
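Review bot: this paragraph rightly says that omitting `-n` yields a certificate valid for all users or hosts; given that, the synopses earlier in the file should present `-n` as required rather than as an option. Also, these two examples pass the CA public key (`ca_user_key.pub`, `ca_host_key.pub`) to `-s` together with `-D libpkcs11.so`, whereas every earlier example passes the private key; a sentence noting that with `-D` the argument to `-s` is the public half of the CA key, the private half staying in the token, would stop readers from reading the `.pub` as a mistake.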

