path: root/usr.bin/ssh/ssh-keygen.1
author Damien Miller <djm@cvs.openbsd.org> 2020-01-23 02:43:49 +0000
committer Damien Miller <djm@cvs.openbsd.org> 2020-01-23 02:43:49 +0000
commit dc5b7cea52e52603b9b2e86befb0cf5cbf974bc5
tree f5dc48a3bba5d1c36cb379f3ddc0fb0b3d3b4b99 /usr.bin/ssh/ssh-keygen.1
parent 94c195c3601999a9f61b5f206c6c9ff29e3b0323
add a new signature operation "find-principal" to look up the
principal associated with a signature from an allowed-signers file. Work by Sebastian Kinne; ok dtucker@
Diffstat (limited to 'usr.bin/ssh/ssh-keygen.1')
-rw-r--r-- usr.bin/ssh/ssh-keygen.1 19
1 files changed, 17 insertions, 2 deletions
diff --git a/usr.bin/ssh/ssh-keygen.1 b/usr.bin/ssh/ssh-keygen.1
index c0a22606b86..33e3f5375d6 100644
--- a/usr.bin/ssh/ssh-keygen.1
+++ b/usr.bin/ssh/ssh-keygen.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ssh-keygen.1,v 1.193 2020/01/18 21:16:43 naddy Exp $
+.\" $OpenBSD: ssh-keygen.1,v 1.194 2020/01/23 02:43:48 djm Exp $
.\"
.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -35,7 +35,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd $Mdocdate: January 18 2020 $
+.Dd $Mdocdate: January 23 2020 $
.Dt SSH-KEYGEN 1
.Os
.Sh NAME
@@ -138,6 +138,10 @@
.Fl f Ar krl_file
.Ar
.Nm ssh-keygen
+.Fl Y Cm find-principal
+.Fl s Ar signature_file
+.Fl f Ar allowed_signers_file
+.Nm ssh-keygen
.Fl Y Cm check-novalidate
.Fl n Ar namespace
.Fl s Ar signature_file
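Review bot: the new synopsis entry (.Fl Y Cm find-principal with .Fl s and .Fl f) takes no .Fl n Ar namespace, unlike the check-novalidate entry that follows it. If the lookup is deliberately not scoped to a namespace, say so in the option description, so that readers do not assume the returned principal has been matched for any particular namespace.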
@@ -614,6 +618,17 @@ The maximum is 3.
Specifies a path to a library that will be used when creating
FIDO authenticator-hosted keys, overriding the default of using
the internal USB HID support.
+.It Fl Y Cm find-principal
+Find the principal associated with the public key of a signature,
+provided using the
+.Fl s
+flag in an authorized signers file provided using the
+.Fl f
+flag.
+The format of the allowed signers file is documented in the
+.Sx ALLOWED SIGNERS
+section below. If a matching principal is found, it is returned
+on standard output.
.It Fl Y Cm check-novalidate
Checks that a signature generated using
.Nm
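Review bot: the added find-principal description does not say whether the signature is cryptographically verified or whether only its public key is matched against the file, and it covers only the matching case ("If a matching principal is found, it is returned on standard output"). Suggest stating explicitly whether a separate verification step is still required before the principal is trusted, and documenting the exit status and output when no principal matches, since scripts will branch on that. The first sentence also says "authorized signers file" while the next sentence and the synopsis say "allowed signers file" and allowed_signers_file; use one term throughout, and add a comma after the first "flag" so that "provided using the -s flag" clearly attaches to the signature. Per mdoc convention, "If a matching principal is found" should start on its own line.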