The CentOS version of ssh-keygen uses the "-Z" option for providing principals when creating SSH certificates, instead of the standard "-n" option. Instead, the "-n" option means "Extract the public key from smartcard".

However, the ssh-keygen.1 man page is incorrect because:
1. it still mentions "-n" in the SYNOPSIS, DESCRIPTION and CERTIFICATES sections as being the principal option, and
2. does not mention the "Extract public key from smartcard" at all.

In the ssh-keygen usage statement, the "-Z" option is described correctly:

-Z name,... User/host principal names to include in certificate

while at the same time, the -n option is not in the usage statement, whereas it should say:

-n Extract the public key from smartcard.

(This last part is in a #ifdef SMARTCARD openssh-5.3p1-ssh-certificates.patch which apparently isn't TRUE)

I would suggest going back to using the standard -n option for principal specification, and renaming the smartcard option to something that is still available and does not overlap...
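A CA signing script that hard-codes "-n" will not set principals on the build described in the report above. The following is an added example, not part of the original report or of OpenSSH/CentOS: it picks the principal option from the usage text instead of trusting the man page. It assumes a per-option usage listing like the line quoted in the report; the function names and the sample usage texts are constructed for illustration.

```shell
#!/bin/sh
# Added example: select the ssh-keygen principal option from usage text.

# Constructed sample usage excerpts (not captured from a real system).
# The "-Z" line is the one quoted in the report; the "-n" line is the
# standard wording with the standard option letter.
CENTOS_USAGE='  -s ca_key   Certify keys with CA key.
  -Z name,... User/host principal names to include in certificate'
UPSTREAM_USAGE='  -n name,... User/host principal names to include in certificate
  -s ca_key   Certify keys with CA key.'

# Read usage text on stdin and print the option whose description mentions
# principals ("-Z" or "-n"). Prints nothing and returns 1 if none is found,
# so a smartcard-style "-n" line is never mistaken for the principal option.
principal_flag() {
    awk '
        $1 ~ /^-[A-Za-z]$/ && tolower($0) ~ /principal/ {
            print $1; found = 1; exit
        }
        END { exit found ? 0 : 1 }
    '
}

# Hypothetical helper: print the signing command line for this build.
# Args: usage_text ca_key key_id principals public_key
# Refuses to produce a command when the principal option is unknown, rather
# than signing with an option that might mean something else.
sign_command() {
    flag=$(printf '%s\n' "$1" | principal_flag) || {
        echo "cannot determine principal option; refusing to sign" >&2
        return 1
    }
    printf 'ssh-keygen -s %s -I %s %s %s %s\n' "$2" "$3" "$flag" "$4" "$5"
}

# Demonstration on the constructed samples.
sign_command "$CENTOS_USAGE" ca_key key-id-1 alice user_key.pub
sign_command "$UPSTREAM_USAGE" ca_key key-id-1 alice user_key.pub
```

After signing, `ssh-keygen -L -f user_key-cert.pub` lists the certificate's principals, which confirms the option was interpreted as intended.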