path: root/ssh-keygen.1
author    djm@openbsd.org <djm@openbsd.org>    2021-11-27 08:14:46 +0100
committer Damien Miller <djm@mindrot.org>      2021-11-27 08:22:41 +0100
commit    78230b3ec8cbabc1e7de68732dc5cbd4837c6675 (patch)
tree      e771d5586735f696454bd641b844ca2fe77f3bff /ssh-keygen.1
parent    upstream: debug("func: ...") -> debug_f("...") (diff)
upstream: Add ssh-keygen -Y match-principals operation to perform matching of principal names against an allowed signers file. Requested by and mostly written by Fabian Stelzer, towards a TOFU model for SSH signatures in git. Some tweaks by me. "doesn't bother me" deraadt@

OpenBSD-Commit-ID: 8d1b71f5a4127bc5e10a880c8ea6053394465247
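The commit message describes the new operation only as matching principal names against an allowed signers file. The following is an added illustration of that lookup, written for this page; it is not OpenSSH code and not part of the patch. It re-implements, in simplified form, what `ssh-keygen -Y match-principals -I <identity> -f <file>` does: parse the allowed_signers format documented in ssh-keygen(1) (principals, optional options, key type, key, comment) and apply the pattern-list rules from ssh_config(5) PATTERNS, including `*`/`?` wildcards and `!` negation. Two assumptions are made for brevity: key types are recognised by prefix rather than by OpenSSH's key-type table, and the valid-after/valid-before options are parsed but not enforced. The sample file is constructed and its key blobs are placeholders.

```python
"""Principal matching against an OpenSSH allowed_signers file.

Added illustration, not OpenSSH code: a simplified re-implementation of the
lookup that `ssh-keygen -Y match-principals -I <identity> -f <file>` performs,
following the file format in ssh-keygen(1) ALLOWED SIGNERS and the pattern-list
rules in ssh_config(5) PATTERNS. Assumptions: key types are recognised by
prefix, and valid-after/valid-before are parsed but not enforced.
"""
import shlex
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample file (not from the page); the key blobs are placeholders.
SAMPLE_ALLOWED_SIGNERS = """\
# comments and blank lines are ignored

alice@example.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFakeKeyAlice alice laptop
bob@example.com,robert@example.com namespaces="git" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFakeKeyBob
*@example.com,!root@example.com cert-authority ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQFakeCA corp CA
"""

# Heuristic for where the options end and the key begins (assumption; OpenSSH
# consults its key-type table instead).
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-sha2-", "sk-")


def match_pattern(pattern: str, s: str) -> bool:
    """Glob match with OpenSSH semantics: '*' any run, '?' one char, else literal."""
    p = i = 0
    star, star_i = -1, 0
    while i < len(s):
        if p < len(pattern) and (pattern[p] == "?" or pattern[p] == s[i]):
            p, i = p + 1, i + 1
        elif p < len(pattern) and pattern[p] == "*":
            star, star_i, p = p, i, p + 1          # remember the star, first try matching nothing
        elif star != -1:
            star_i += 1                             # let the last star absorb one more char
            p, i = star + 1, star_i
        else:
            return False
    while p < len(pattern) and pattern[p] == "*":  # trailing stars match the empty tail
        p += 1
    return p == len(pattern)


def match_pattern_list(pattern_list: str, s: str) -> bool:
    """Comma-separated patterns: a matching '!pattern' vetoes the whole list, and at
    least one positive pattern must match (a negation alone never accepts)."""
    got_positive = False
    for sub in pattern_list.split(","):
        negated = sub.startswith("!")
        if negated:
            sub = sub[1:]
        if sub and match_pattern(sub, s):
            if negated:
                return False
            got_positive = True
    return got_positive


@dataclass
class AllowedSigner:
    principals: str          # pattern-list of USER@DOMAIN identities
    key_type: str
    key_b64: str
    cert_authority: bool = False
    namespaces: Optional[List[str]] = None
    comment: str = ""


def parse_allowed_signers(text: str) -> List[AllowedSigner]:
    """Parse lines of the form: principals [options...] keytype base64-key [comment]."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)      # unquotes namespaces="a,b" -> namespaces=a,b
        principals, i = tokens[0], 1
        cert_authority, namespaces = False, None
        while i < len(tokens) and not tokens[i].startswith(KEY_TYPE_PREFIXES):
            opt = tokens[i]
            if opt == "cert-authority":
                cert_authority = True
            elif opt.startswith("namespaces="):
                namespaces = opt[len("namespaces="):].split(",")
            elif opt.startswith(("valid-after=", "valid-before=")):
                pass                     # validity window not enforced in this illustration
            else:
                raise ValueError(f"line {lineno}: unknown option {opt!r}")
            i += 1
        if i + 1 >= len(tokens):
            raise ValueError(f"line {lineno}: missing key type or key")
        entries.append(AllowedSigner(principals, tokens[i], tokens[i + 1], cert_authority,
                                     namespaces, " ".join(tokens[i + 2:])))
    return entries


def match_principals(entries: List[AllowedSigner], identity: str) -> List[AllowedSigner]:
    """Entries whose principals pattern-list accepts identity, in file order."""
    return [e for e in entries if match_pattern_list(e.principals, identity)]


if __name__ == "__main__":
    signers = parse_allowed_signers(SAMPLE_ALLOWED_SIGNERS)
    for ident in ("alice@example.com", "root@example.com", "mallory@evil.example"):
        hits = match_principals(signers, ident)
        print(ident, "->", [e.principals for e in hits] or "no match")
```

The third sample line is the case worth noticing: `*@example.com,!root@example.com` accepts every identity in the domain except root, because a matching negated pattern vetoes the whole list regardless of its position, while a list made only of negations (for example `!host1,!host2`) accepts nothing.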
Diffstat (limited to 'ssh-keygen.1')
-rw-r--r--  ssh-keygen.1  17
1 files changed, 15 insertions, 2 deletions
diff --git a/ssh-keygen.1 b/ssh-keygen.1
index f83f515f6..57c106d10 100644
--- a/ssh-keygen.1
+++ b/ssh-keygen.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ssh-keygen.1,v 1.216 2021/08/11 08:54:17 djm Exp $
+.\" $OpenBSD: ssh-keygen.1,v 1.217 2021/11/27 07:14:46 djm Exp $
.\"
.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -35,7 +35,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd $Mdocdate: August 11 2021 $
+.Dd $Mdocdate: November 27 2021 $
.Dt SSH-KEYGEN 1
.Os
.Sh NAME
@@ -151,6 +151,11 @@
.Fl s Ar signature_file
.Fl f Ar allowed_signers_file
.Nm ssh-keygen
+.Fl Y Cm match-principals
+.Op Fl O Ar option
+.Fl I Ar signer_identity
+.Fl f Ar allowed_signers_file
+.Nm ssh-keygen
.Fl Y Cm check-novalidate
.Op Fl O Ar option
.Fl n Ar namespace
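Review bot: the synopsis advertises `.Op Fl O Ar option` for match-principals, but the description added later in this patch never says which -O options the operation honours; either name them there or make sure the -O list for -Y operations mentions match-principals, otherwise the synopsis promises a knob the text does not document.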
@@ -683,6 +688,14 @@ The format of the allowed signers file is documented in the
section below.
If one or more matching principals are found, they are returned on
standard output.
+.It Fl Y Cm match-principals
+Find principal matching the principal name provided using the
+.Fl I
+flag in the authorized signers file specified using the
+.Fl f
+flag.
+If one or more matching principals are found, they are returned on
+standard output.
.It Fl Y Cm check-novalidate
Checks that a signature generated using
.Nm
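Review bot: "authorized signers file" in the new description should read "allowed signers file", the term used by the synopsis argument (allowed_signers_file) and by the find-principals text directly above ("The format of the allowed signers file is documented in the ... section below"), and "Find principal matching" needs an article; suggest: "Find the principal matching the principal name provided using the -I flag in the allowed signers file specified using the -f flag." Since the last sentence is copied verbatim from find-principals, it would also help to state what distinguishes the two: match-principals takes a principal name via -I and no signature file (-s), so only the name is matched.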