From bba026d535ac8f5838ccd6536987b0d84c1aadb4 Mon Sep 17 00:00:00 2001 From: Andrew Buss Date: Fri, 4 Dec 2015 02:24:12 -0800 Subject: [PATCH] Added SSH authentication example to README --- README.md | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/README.md b/README.md index 7eed5e8..a3d4428 100644 --- a/README.md +++ b/README.md @@ -342,3 +342,23 @@ conversion. For dealing with files directly, using the [HTML5 File API](https://developer.mozilla.org/en-US/docs/Web/API/FileReader.readAsDataURL) would be a good option. + +## SSH key encryption + +Red October can encrypt an SSH private key with a restriction that the key can +be used to sign messages, but that it should not be returned as the result of a +decrypt call. The ro client can use this feature to authenticate a user to a +remote SSH server without ever handling the unencrypted private key directly. + +Generate an ssh key without passphrase: + + $ ssh-keygen -f id_rsa -N "" + +Encrypt with the "ssh-sign-with" usage only: + + $ ro -minimum 2 -owners alice,bob -usages ssh-sign-with \ + -server ro.local -in id_rsa -out id_rsa.encrypted encrypt + +Use the remote server to authenticate to an SSH server + + $ ro -server ro.local -in id_rsa.encrypted -pubkey id_rsa.pub ssh root@gibson
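Review bot: In the new "SSH key encryption" section, the three-step walkthrough leaves the unencrypted `id_rsa` produced by `ssh-keygen -f id_rsa -N ""` sitting on disk after the `encrypt` call, which undercuts the paragraph's own claim that the client never handles the plaintext private key; add a step (or at least a sentence) after the `ro ... encrypt` command telling the reader to remove the plaintext `id_rsa` once `id_rsa.encrypted` has been written, and mention that only `id_rsa.pub` needs to be kept alongside it for the `-pubkey` argument. Two smaller documentation points in the same hunk: "Use the remote server to authenticate to an SSH server" is missing its trailing colon and is ambiguous about which remote server is meant (the Red October server at `ro.local` does the signing, `gibson` is the SSH target), so something like "Use the Red October server to authenticate to a remote SSH host:" would read better; and the example `ssh root@gibson` would be a clearer demonstration with an unprivileged user, since nothing in the feature requires a root login.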