author | Jason McIntyre <jmc@cvs.openbsd.org> | 2017-05-02 07:13:32 +0000 |
---|---|---|
committer | Jason McIntyre <jmc@cvs.openbsd.org> | 2017-05-02 07:13:32 +0000 |
commit | 5a4c2daaac5010eb43fa41c2a271841624b9cdd9 (patch) | |
tree | 0438bb5b5edf8da86f2066366f2d273d773a10e0 /usr.bin/ssh | |
parent | c6038288584bdd44cc98b3f7fda00b5aad99d369 (diff) |
tidy up -O somewhat; ok djm
Diffstat (limited to 'usr.bin/ssh')
-rw-r--r-- | usr.bin/ssh/ssh-keygen.1 | 61 |
1 files changed, 34 insertions, 27 deletions
diff --git a/usr.bin/ssh/ssh-keygen.1 b/usr.bin/ssh/ssh-keygen.1 index be1a169f483..0202fe75741 100644 --- a/usr.bin/ssh/ssh-keygen.1 +++ b/usr.bin/ssh/ssh-keygen.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-keygen.1,v 1.136 2017/04/30 23:18:44 djm Exp $ +.\" $OpenBSD: ssh-keygen.1,v 1.137 2017/05/02 07:13:31 jmc Exp $ .\" .\" Author: Tatu Ylonen <ylo@cs.hut.fi> .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland @@ -35,7 +35,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: April 30 2017 $ +.Dd $Mdocdate: May 2 2017 $ .Dt SSH-KEYGEN 1 .Os .Sh NAME 
@@ -422,80 +422,87 @@ section for details. .It Fl O Ar option Specify a certificate option when signing a key. This option may be specified multiple times. -Please see the +See also the .Sx CERTIFICATES -section for details. +section for further details. +At present, no standard options are valid for host keys. The options that are valid for user certificates are: -.Bl -tag -width Ds +.Pp +.Bl -tag -width Ds -compact .It Ic clear Clear all enabled permissions. This is useful for clearing the default set of permissions so permissions may be added individually. +.Pp +.It Ic critical : Ns Ar name Ns Op Ns = Ns Ar contents +.It Ic extension : Ns Ar name Ns Op Ns = Ns Ar contents +Includes an arbitrary certificate critical option or extension. +The specified +.Ar name +should include a domain suffix, e.g.\& +.Dq name@example.com . +If +.Ar contents +is specified then it is included as the contents of the extension/option +encoded as a string, otherwise the extension/option is created with no +contents (usually indicating a flag). +Extensions may be ignored by a client or server that does not recognise them, +whereas unknown critical options will cause the certificate to be refused. +.Pp .It Ic force-command Ns = Ns Ar command Forces the execution of .Ar command instead of any shell or command specified by the user when the certificate is used for authentication. +.Pp .It Ic no-agent-forwarding Disable .Xr ssh-agent 1 forwarding (permitted by default). +.Pp .It Ic no-port-forwarding Disable port forwarding (permitted by default). +.Pp .It Ic no-pty Disable PTY allocation (permitted by default). +.Pp .It Ic no-user-rc Disable execution of .Pa ~/.ssh/rc by .Xr sshd 8 (permitted by default). +.Pp .It Ic no-x11-forwarding Disable X11 forwarding (permitted by default). +.Pp .It Ic permit-agent-forwarding Allows .Xr ssh-agent 1 forwarding. +.Pp .It Ic permit-port-forwarding Allows port forwarding. +.Pp .It Ic permit-pty Allows PTY allocation. 
+.Pp .It Ic permit-user-rc Allows execution of .Pa ~/.ssh/rc by .Xr sshd 8 . +.Pp .It Ic permit-x11-forwarding Allows X11 forwarding. +.Pp .It Ic source-address Ns = Ns Ar address_list Restrict the source addresses from which the certificate is considered valid. The .Ar address_list is a comma-separated list of one or more address/netmask pairs in CIDR format. -.It Ic extension : Ns Ar name Ns Op Ns = Ns Ar contents -Includes an arbitrary certificate extension. -.It Ic critical : Ns Ar name Ns Op Ns = Ns Ar contents -Includes an arbitrary certificate critical option. .El -.Pp -At present, no standard options are valid for host keys. -.Pp -For non-standard certificate extensions or options included using -.Ic extension -or -.Ic option , -the specified -.Ar name -should include a domain suffix, e.g.\& -.Dq name@example.com . -If -.Ar contents -is specified then it is included as the contents of the extension/option -encoded as a string, otherwise the extension/option is created with no -contents (usually indicating a flag). -Extensions may be ignored by a client or server that does not recognise them, -whereas unknown critical options will cause the certificate to be refused. .It Fl o Causes .Nm |
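Review bot: In the hunk at @@ -422,80 +422,87 @@, the combined "critical:"/"extension:" entry now sits inside the list introduced by "The options that are valid for user certificates are:", immediately after the relocated sentence "At present, no standard options are valid for host keys." Before this change the rules for non-standard names and contents stood in their own paragraph after ".El", outside the user-certificate list. The new placement reads as if arbitrary critical options and extensions are accepted for user certificates only. If that is not the intent, say so in the entry or keep one sentence after ".El" covering host certificates. A second, smaller point on the same entry: the sentence "Extensions may be ignored by a client or server that does not recognise them, whereas unknown critical options will cause the certificate to be refused." is the only text that distinguishes the two ".It" lines sharing this description, and it comes last. Consider moving it up to follow "Includes an arbitrary certificate critical option or extension." so the difference in enforcement is stated before the naming and encoding details.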