author Jakob Schlyter <jakob@cvs.openbsd.org> 2004-08-12 21:41:14 +0000
committer Jakob Schlyter <jakob@cvs.openbsd.org> 2004-08-12 21:41:14 +0000
commit 88acf676f00d3fa7cbcb861f2df9652cd6ac00b8 (patch)
tree 030ecd14680eadb6088a692452e26780b42ac7d8 /usr.bin/ssh
parent 2f866a6e831038ee537e099443a6d90f9f513aaf (diff)
improve SSHFP documentation; ok deraadt@
Diffstat (limited to 'usr.bin/ssh')
-rw-r--r-- usr.bin/ssh/ssh-keygen.1 11
-rw-r--r-- usr.bin/ssh/ssh.1 11
2 files changed, 17 insertions, 5 deletions
diff --git a/usr.bin/ssh/ssh-keygen.1 b/usr.bin/ssh/ssh-keygen.1
index 6dd6154287a..824b6e09c78 100644
--- a/usr.bin/ssh/ssh-keygen.1
+++ b/usr.bin/ssh/ssh-keygen.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ssh-keygen.1,v 1.61 2003/12/22 09:16:58 djm Exp $
+.\" $OpenBSD: ssh-keygen.1,v 1.62 2004/08/12 21:41:13 jakob Exp $
.\"
.\" -*- nroff -*-
.\"
@@ -192,7 +192,9 @@ to stdout.
This option allows exporting keys for use by several commercial
SSH implementations.
.It Fl g
-Use generic DNS resource record format.
+Use generic DNS format when printing fingerprint resource records using the
+.Fl r
+command.
.It Fl f Ar filename
Specifies the filename of the key file.
.It Fl i
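Review bot: In the new -g text, ".Fl r" is followed by the word "command", but -r is listed as an option in this same list (".It Fl r Ar hostname"), so "option" would be consistent. The phrase "generic DNS format" is also left undefined; one more sentence saying what the generic form looks like, or when an administrator needs it instead of the default output, would let a reader choose between the two without experimenting.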
@@ -276,8 +278,9 @@ Multiple
options increase the verbosity.
The maximum is 3.
.It Fl r Ar hostname
-Print DNS resource record with the specified
-.Ar hostname .
+Print the SSHFP fingerprint resource record named
+.Ar hostname
+for the specified public key file.
.El
.Sh MODULI GENERATION
.Nm
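Review bot: The new -r description ends with "for the specified public key file" but does not say how that file is specified. The list already documents ".It Fl f Ar filename" as the key file option, so a reference to ".Fl f" here would close the gap. "SSHFP fingerprint resource record" is also redundant, since the record name already stands for fingerprint; "SSHFP resource record" is enough and matches the wording used in the ssh.1 hunk.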
diff --git a/usr.bin/ssh/ssh.1 b/usr.bin/ssh/ssh.1
index faaf20587c0..0ff77ea296f 100644
--- a/usr.bin/ssh/ssh.1
+++ b/usr.bin/ssh/ssh.1
@@ -34,7 +34,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: ssh.1,v 1.193 2004/06/26 09:03:21 jmc Exp $
+.\" $OpenBSD: ssh.1,v 1.194 2004/08/12 21:41:13 jakob Exp $
.Dd September 25, 1999
.Dt SSH 1
.Os
@@ -400,6 +400,15 @@ The
option can be used to prevent logins to machines whose
host key is not known or has changed.
.Pp
+.Nm
+can be configured to verify host identification using fingerprint resource
+records (SSHFP) published in DNS.
+The
+.Cm VerifyHostKeyDNS
+option can be used to control how DNS lookups are performed.
+SSHFP resource records can be generated using
+.Xr ssh-keygen 1 .
+.Pp
The options are as follows:
.Bl -tag -width Ds
.It Fl 1
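Review bot: The sentence "option can be used to control how DNS lookups are performed" undersells what ".Cm VerifyHostKeyDNS" governs: per the preceding sentence the feature is host key verification, not lookup mechanics, so wording such as "controls whether and how host keys are checked against SSHFP records" would be more accurate. The paragraph also gives no pointer to where the option is documented (an ".Xr ssh_config 5" reference would fit beside the existing ".Xr ssh-keygen 1"), and it does not say whether a matching record is trusted on its own or whether the user is still asked to confirm the key, which is what a reader needs to know before enabling it.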