Путеводитель по Руководству Linux
  User  |  Syst  |  Libr  |  Device  |  Files  |  Other  |  Admin  |  Head  |


   ssh-keygen    ( 1 )

утилита ключа аутентификации OpenSSH (OpenSSH authentication key utility)

ALLOWED SIGNERS

When verifying signatures, ssh-keygen uses a simple list of
     identities and keys to determine whether a signature comes from an
     authorized source.  This "allowed signers" file uses a format
     patterned after the AUTHORIZED_KEYS FILE FORMAT described in
     sshd(8).  Each line of the file contains the following space-
     separated fields: principals, options, keytype, base64-encoded key.
     Empty lines and lines starting with a '#' are ignored as comments.


     The principals field is a pattern-list (see PATTERNS in
     ssh_config(5)) consisting of one or more comma-separated
     USER@DOMAIN identity patterns that are accepted for signing.  When
     verifying, the identity presented via the -I option must match a
     principals pattern in order for the corresponding key to be
     considered acceptable for verification.


     The options (if present) consist of comma-separated option
     specifications.  No spaces are permitted, except within double
     quotes.  The following option specifications are supported (note
     that option keywords are case-insensitive):


     cert-authority
             Indicates that this key is accepted as a certificate
             authority (CA) and that certificates signed by this CA may
             be accepted for verification.


     namespaces=namespace-list
             Specifies a pattern-list of namespaces that are accepted
             for this key.  If this option is present, the signature
             namespace embedded in the signature object and presented on
             the verification command-line must match the specified list
             before the key will be considered acceptable.


     valid-after=timestamp
             Indicates that the key is valid for use at or after the
             specified timestamp, which may be a date in YYYYMMDD format
             or a time in YYYYMMDDHHMM[SS] format.


     valid-before=timestamp
             Indicates that the key is valid for use at or before the
             specified timestamp.


     When verifying signatures made by certificates, the expected
     principal name must match both the principals pattern in the
     allowed signers file and the principals embedded in the certificate
     itself.


     An example allowed signers file:


        # Comments allowed at start of line
        user1@example.com,user2@example.com ssh-rsa AAAAX1...
        # A certificate authority, trusted for all principals in a domain.
        *@example.com cert-authority ssh-ed25519 AAAB4...
        # A key that is accepted only for file signing.
        user2@example.com namespaces="file" ssh-ed25519 AAA41...