Guide to the Linux Manual Pages




ssh-keygen(1)

OpenSSH authentication key utility

ALLOWED SIGNERS

When verifying signatures, ssh-keygen uses a simple list of identities and keys to determine whether a signature comes from an authorized source. This "allowed signers" file uses a format patterned after the AUTHORIZED_KEYS FILE FORMAT described in sshd(8). Each line of the file contains the following space-separated fields: principals, options, keytype, base64-encoded key. Empty lines and lines starting with a '#' are ignored as comments.

The principals field is a pattern-list (see PATTERNS in ssh_config(5)) consisting of one or more comma-separated USER@DOMAIN identity patterns that are accepted for signing. When verifying, the identity presented via the -I option must match a principals pattern in order for the corresponding key to be considered acceptable for verification.

The options (if present) consist of comma-separated option specifications. No spaces are permitted, except within double quotes. The following option specifications are supported (note that option keywords are case-insensitive):

cert-authority Indicates that this key is accepted as a certificate authority (CA) and that certificates signed by this CA may be accepted for verification.

namespaces=namespace-list Specifies a pattern-list of namespaces that are accepted for this key. If this option is present, the signature namespace embedded in the signature object and presented on the verification command-line must match the specified list before the key will be considered acceptable.

valid-after=timestamp Indicates that the key is valid for use at or after the specified timestamp, which may be a date in YYYYMMDD format or a time in YYYYMMDDHHMM[SS] format.

valid-before=timestamp Indicates that the key is valid for use at or before the specified timestamp.

When verifying signatures made by certificates, the expected principal name must match both the principals pattern in the allowed signers file and the principals embedded in the certificate itself.

An example allowed signers file:

    # Comments allowed at start of line
    user1@example.com,user2@example.com ssh-rsa AAAAX1...
    # A certificate authority, trusted for all principals in a domain.
    *@example.com cert-authority ssh-ed25519 AAAB4...
    # A key that is accepted only for file signing.
    user2@example.com namespaces="file" ssh-ed25519 AAA41...
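The following Python is an added illustration, not part of the manual page or of OpenSSH: it parses a constructed allowed signers file (the example above plus one dated, multi-namespace entry), matches the -I identity and the namespace with ssh_config(5)-style pattern lists, honours the case-insensitive options and the valid-after/valid-before bounds, and reports which keys are candidates for verification. It decides key eligibility only; checking the signature itself and a certificate's embedded principals is left to ssh-keygen.

```python
import re
# Constructed sample: the man page's example entries plus one dated, multi-namespace entry.
ALLOWED_SIGNERS = """\
# Comments allowed at start of line
user1@example.com,user2@example.com ssh-rsa AAAAX1...
*@example.com cert-authority ssh-ed25519 AAAB4...
user2@example.com namespaces="file" ssh-ed25519 AAA41...
user3@example.com Valid-After=20240101,valid-before=20241231,namespaces="git,file" ssh-ed25519 AAAC5...
"""

def _split_unquoted(s, sep):
    # Split on sep outside double quotes; spaces and commas are legal only inside quotes.
    parts, cur, quoted = [], "", False
    for ch in s:
        quoted ^= ch == '"'
        if ch == sep and not quoted:
            parts.append(cur); cur = ""
        else:
            cur += ch
    return [p for p in parts + [cur] if p]

def match_pattern_list(pattern_list, value):
    # ssh_config(5) PATTERNS: '*' and '?' wildcards, ',' separates entries, a leading '!'
    # negates, and a single negated hit rejects the whole list.
    glob = lambda p: "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in p)
    hits = [p for p in pattern_list.strip('"').split(",") if re.fullmatch(glob(p.lstrip("!")), value)]
    return bool(hits) and not any(p.startswith("!") for p in hits)

def acceptable_keys(allowed_signers, identity, namespace, now):
    # Yield (keytype, key, is_ca) for every entry that `ssh-keygen -Y verify -I identity
    # -n namespace` would consider at time `now` (YYYYMMDDHHMMSS; shorter file values are zero-padded).
    for line in allowed_signers.splitlines():
        fields = _split_unquoted(line.strip(), " ")
        if not fields or fields[0].startswith("#") or not match_pattern_list(fields[0], identity):
            continue                                  # blank line, comment, or principal mismatch
        opts = fields[1] if len(fields) == 4 else ""  # the options field is optional
        ok, is_ca = True, False
        for opt in _split_unquoted(opts, ","):
            name, _, val = opt.partition("=")
            name, val = name.lower(), val.strip('"')  # option keywords are case-insensitive
            if name == "cert-authority":
                is_ca = True                          # the certificate's own principals must match too
            elif name == "namespaces":
                ok = ok and match_pattern_list(val, namespace)
            elif name in ("valid-after", "valid-before"):
                bound = val.ljust(14, "0")
                ok = ok and (now >= bound if name == "valid-after" else now <= bound)
        if ok:
            yield fields[-2], fields[-1], is_ca
```

Run against the sample, user2@example.com signing in the "file" namespace gets three candidate keys, while the same identity in the "git" namespace loses the namespaces="file" key, and user3@example.com's key drops out once `now` passes 2024-12-31.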