Hi All, Reading code teaches a lot. I discovered the -Z option of ssh-keygen which has existed since 2013. Here is a patch to document this option in the ssh-keygen.1 man page. It also documents the -a option in the places where it is useful. Tell me if this is helpful or not. --- ssh-keygen.1 | 22 +++++++++++++++++++++- 1 file changed, 21 insertions(+), 1 deletion(-) diff --git a/ssh-keygen.1 b/ssh-keygen.1 index 059c1b0341e8..018b2f205012 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1 @@ -47,17 +47,21 @@ .Op Fl b Ar bits .Op Fl C Ar comment .Op Fl f Ar output_keyfile -.Op Fl m Ar format +.Op Fl m Ar key_format .Op Fl t Cm dsa | ecdsa | ecdsa-sk | ed25519 | ed25519-sk | rsa .Op Fl N Ar new_passphrase .Op Fl O Ar option .Op Fl w Ar provider +.Op Fl a Ar rounds +.Op Fl Z Ar cipher_name .Nm ssh-keygen .Fl p .Op Fl f Ar keyfile .Op Fl m Ar format .Op Fl N Ar new_passphrase .Op Fl P Ar old_passphrase +.Op Fl a Ar rounds +.Op Fl Z Ar cipher_name .Nm ssh-keygen .Fl i .Op Fl f Ar input_keyfile @@ -74,6 +78,8 @@ .Op Fl C Ar comment .Op Fl f Ar keyfile .Op Fl P Ar passphrase +.Op Fl a Ar rounds +.Op Fl Z Ar cipher_name .Nm ssh-keygen .Fl l .Op Fl v @@ -735,6 +741,20 @@ The default serial number is zero. When generating a KRL, the .Fl z flag is used to specify a KRL version number. +.It Fl Z Ar cipher_name +When saving a private key, this option specfies the cipher to use to encrypt +the private key part of the file. +See the +.Cm Ciphers +keyword in +.Xr ssh_config 5 +for more information. +.Pp +The list of available ciphers may also be obtained using +.Qq ssh -Q cipher . +.Pp +The default value is +.Qq aes256-ctr . .El .Sh MODULI GENERATION .Nm -- 2.17.1
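Review bot: In the "@@ -47,17 +47,21 @@" hunk, the rename of the -m argument from "format" to "key_format" is applied only to the first synopsis, while the -p synopsis a few lines later in the same hunk still reads ".Op Fl m Ar format". The rename is also not mentioned in the patch description, which only talks about -Z and -a. Either drop it from this patch or apply it to every synopsis and to the option's own description, so that the argument name a reader sees in the synopsis matches the name used where the option is explained.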
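Review bot: In the "@@ -74,6 +78,8 @@" hunk (and in the two synopses of the first hunk), ".Op Fl a Ar rounds" is added to the synopsis, but no hunk in this patch touches the description of -a itself: the 21 insertions in the diffstat are all accounted for by the synopsis lines and the new -Z entry. Please check that the existing -a text covers each mode it is now listed under, and extend it if it does not, so the synopsis and the option description do not disagree about where the KDF rounds setting takes effect.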
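Review bot: In the "@@ -735,6 +741,20 @@" hunk, the first added sentence has a typo: "specfies" should be "specifies". Two documentation points on the same entry: the text points to the Ciphers keyword in ssh_config(5) "for more information", so it would help to say explicitly that here the cipher protects the private key file at rest under the passphrase, not a connection; and since the default is written out as "aes256-ctr", the man page will need updating whenever the default in the code changes, which is worth a comment next to that default in the source.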