diff options
author | Colin Watson <cjwatson@debian.org> | 2013-05-07 10:06:42 +0100 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2013-05-07 10:06:42 +0100 |
commit | ecebda56da46a03dafff923d91c382f31faa9eec (patch) | |
tree | 449614b6c06a2622c74a609b31fcc46c60037c56 /ssh-keygen.0 | |
parent | c6a2c0334e45419875687d250aed9bea78480f2e (diff) | |
parent | ffc06452028ba78cd693d4ed43df8b60a10d6163 (diff) |
merge 6.2p1; reorder additions to monitor.h for easier merging in future
Diffstat (limited to 'ssh-keygen.0')
-rw-r--r-- | ssh-keygen.0 | 84 |
1 files changed, 81 insertions, 3 deletions
diff --git a/ssh-keygen.0 b/ssh-keygen.0 index 8f9fbd179..3c7a64753 100644 --- a/ssh-keygen.0 +++ b/ssh-keygen.0 | |||
@@ -25,6 +25,9 @@ SYNOPSIS | |||
25 | [-O option] [-V validity_interval] [-z serial_number] file ... | 25 | [-O option] [-V validity_interval] [-z serial_number] file ... |
26 | ssh-keygen -L [-f input_keyfile] | 26 | ssh-keygen -L [-f input_keyfile] |
27 | ssh-keygen -A | 27 | ssh-keygen -A |
28 | ssh-keygen -k -f krl_file [-u] [-s ca_public] [-z version_number] | ||
29 | file ... | ||
30 | ssh-keygen -Q -f krl_file file ... | ||
28 | 31 | ||
29 | DESCRIPTION | 32 | DESCRIPTION |
30 | ssh-keygen generates, manages and converts authentication keys for | 33 | ssh-keygen generates, manages and converts authentication keys for |
@@ -37,6 +40,10 @@ DESCRIPTION | |||
37 | ssh-keygen is also used to generate groups for use in Diffie-Hellman | 40 | ssh-keygen is also used to generate groups for use in Diffie-Hellman |
38 | group exchange (DH-GEX). See the MODULI GENERATION section for details. | 41 | group exchange (DH-GEX). See the MODULI GENERATION section for details. |
39 | 42 | ||
43 | Finally, ssh-keygen can be used to generate and update Key Revocation | ||
44 | Lists, and to test whether given keys have been revoked by one. See the | ||
45 | KEY REVOCATION LISTS section for details. | ||
46 | |||
40 | Normally each user wishing to use SSH with public key authentication runs | 47 | Normally each user wishing to use SSH with public key authentication runs |
41 | this once to create the authentication key in ~/.ssh/identity, | 48 | this once to create the authentication key in ~/.ssh/identity, |
42 | ~/.ssh/id_ecdsa, ~/.ssh/id_dsa or ~/.ssh/id_rsa. Additionally, the | 49 | ~/.ssh/id_ecdsa, ~/.ssh/id_dsa or ~/.ssh/id_rsa. Additionally, the |
@@ -167,6 +174,13 @@ DESCRIPTION | |||
167 | keys from other software, including several commercial SSH | 174 | keys from other software, including several commercial SSH |
168 | implementations. The default import format is ``RFC4716''. | 175 | implementations. The default import format is ``RFC4716''. |
169 | 176 | ||
177 | -k Generate a KRL file. In this mode, ssh-keygen will generate a | ||
178 | KRL file at the location specified via the -f flag that revokes | ||
179 | every key or certificate presented on the command line. | ||
180 | Keys/certificates to be revoked may be specified by public key | ||
181 | file or using the format described in the KEY REVOCATION LISTS | ||
182 | section. | ||
183 | |||
170 | -L Prints the contents of a certificate. | 184 | -L Prints the contents of a certificate. |
171 | 185 | ||
172 | -l Show fingerprint of specified public key file. Private RSA1 keys | 186 | -l Show fingerprint of specified public key file. Private RSA1 keys |
@@ -256,6 +270,8 @@ DESCRIPTION | |||
256 | containing the private key, for the old passphrase, and twice for | 270 | containing the private key, for the old passphrase, and twice for |
257 | the new passphrase. | 271 | the new passphrase. |
258 | 272 | ||
273 | -Q Test whether keys have been revoked in a KRL. | ||
274 | |||
259 | -q Silence ssh-keygen. | 275 | -q Silence ssh-keygen. |
260 | 276 | ||
261 | -R hostname | 277 | -R hostname |
@@ -275,6 +291,10 @@ DESCRIPTION | |||
275 | Certify (sign) a public key using the specified CA key. Please | 291 | Certify (sign) a public key using the specified CA key. Please |
276 | see the CERTIFICATES section for details. | 292 | see the CERTIFICATES section for details. |
277 | 293 | ||
294 | When generating a KRL, -s specifies a path to a CA public key | ||
295 | file used to revoke certificates directly by key ID or serial | ||
296 | number. See the KEY REVOCATION LISTS section for details. | ||
297 | |||
278 | -T output_file | 298 | -T output_file |
279 | Test DH group exchange candidate primes (generated using the -G | 299 | Test DH group exchange candidate primes (generated using the -G |
280 | option) for safety. | 300 | option) for safety. |
@@ -284,6 +304,10 @@ DESCRIPTION | |||
284 | ``rsa1'' for protocol version 1 and ``dsa'', ``ecdsa'' or ``rsa'' | 304 | ``rsa1'' for protocol version 1 and ``dsa'', ``ecdsa'' or ``rsa'' |
285 | for protocol version 2. | 305 | for protocol version 2. |
286 | 306 | ||
307 | -u Update a KRL. When specified with -k, keys listed via the | ||
308 | command line are added to the existing KRL rather than a new KRL | ||
309 | being created. | ||
310 | |||
287 | -V validity_interval | 311 | -V validity_interval |
288 | Specify a validity interval when signing a certificate. A | 312 | Specify a validity interval when signing a certificate. A |
289 | validity interval may consist of a single time, indicating that | 313 | validity interval may consist of a single time, indicating that |
@@ -321,6 +345,9 @@ DESCRIPTION | |||
321 | distinguish this certificate from others from the same CA. The | 345 | distinguish this certificate from others from the same CA. The |
322 | default serial number is zero. | 346 | default serial number is zero. |
323 | 347 | ||
348 | When generating a KRL, the -z flag is used to specify a KRL | ||
349 | version number. | ||
350 | |||
324 | MODULI GENERATION | 351 | MODULI GENERATION |
325 | ssh-keygen may be used to generate groups for the Diffie-Hellman Group | 352 | ssh-keygen may be used to generate groups for the Diffie-Hellman Group |
326 | Exchange (DH-GEX) protocol. Generating these groups is a two-step | 353 | Exchange (DH-GEX) protocol. Generating these groups is a two-step |
@@ -404,13 +431,64 @@ CERTIFICATES | |||
404 | Finally, certificates may be defined with a validity lifetime. The -V | 431 | Finally, certificates may be defined with a validity lifetime. The -V |
405 | option allows specification of certificate start and end times. A | 432 | option allows specification of certificate start and end times. A |
406 | certificate that is presented at a time outside this range will not be | 433 | certificate that is presented at a time outside this range will not be |
407 | considered valid. By default, certificates have a maximum validity | 434 | considered valid. By default, certificates are valid from UNIX Epoch to |
408 | interval. | 435 | the distant future. |
409 | 436 | ||
410 | For certificates to be used for user or host authentication, the CA | 437 | For certificates to be used for user or host authentication, the CA |
411 | public key must be trusted by sshd(8) or ssh(1). Please refer to those | 438 | public key must be trusted by sshd(8) or ssh(1). Please refer to those |
412 | manual pages for details. | 439 | manual pages for details. |
413 | 440 | ||
441 | KEY REVOCATION LISTS | ||
442 | ssh-keygen is able to manage OpenSSH format Key Revocation Lists (KRLs). | ||
443 | These binary files specify keys or certificates to be revoked using a | ||
444 | compact format, taking as little a one bit per certificate if they are | ||
445 | being revoked by serial number. | ||
446 | |||
447 | KRLs may be generated using the -k flag. This option reads one or more | ||
448 | files from the command line and generates a new KRL. The files may | ||
449 | either contain a KRL specification (see below) or public keys, listed one | ||
450 | per line. Plain public keys are revoked by listing their hash or | ||
451 | contents in the KRL and certificates revoked by serial number or key ID | ||
452 | (if the serial is zero or not available). | ||
453 | |||
454 | Revoking keys using a KRL specification offers explicit control over the | ||
455 | types of record used to revoke keys and may be used to directly revoke | ||
456 | certificates by serial number or key ID without having the complete | ||
457 | original certificate on hand. A KRL specification consists of lines | ||
458 | containing one of the following directives followed by a colon and some | ||
459 | directive-specific information. | ||
460 | |||
461 | serial: serial_number[-serial_number] | ||
462 | Revokes a certificate with the specified serial number. Serial | ||
463 | numbers are 64-bit values, not including zero and may be | ||
464 | expressed in decimal, hex or octal. If two serial numbers are | ||
465 | specified separated by a hyphen, then the range of serial numbers | ||
466 | including and between each is revoked. The CA key must have been | ||
467 | specified on the ssh-keygen command line using the -s option. | ||
468 | |||
469 | id: key_id | ||
470 | Revokes a certificate with the specified key ID string. The CA | ||
471 | key must have been specified on the ssh-keygen command line using | ||
472 | the -s option. | ||
473 | |||
474 | key: public_key | ||
475 | Revokes the specified key. If a certificate is listed, then it | ||
476 | is revoked as a plain public key. | ||
477 | |||
478 | sha1: public_key | ||
479 | Revokes the specified key by its SHA1 hash. | ||
480 | |||
481 | KRLs may be updated using the -u flag in addition to -k. When this | ||
482 | option is specified, keys listed via the command line are merged into the | ||
483 | KRL, adding to those already there. | ||
484 | |||
485 | It is also possible, given a KRL, to test whether it revokes a particular | ||
486 | key (or keys). The -Q flag will query an existing KRL, testing each key | ||
487 | specified on the commandline. If any key listed on the command line has | ||
488 | been revoked (or an error encountered) then ssh-keygen will exit with a | ||
489 | non-zero exit status. A zero exit status will only be returned if no key | ||
490 | was revoked. | ||
491 | |||
414 | FILES | 492 | FILES |
415 | ~/.ssh/identity | 493 | ~/.ssh/identity |
416 | Contains the protocol version 1 RSA authentication identity of | 494 | Contains the protocol version 1 RSA authentication identity of |
@@ -465,4 +543,4 @@ AUTHORS | |||
465 | created OpenSSH. Markus Friedl contributed the support for SSH protocol | 543 | created OpenSSH. Markus Friedl contributed the support for SSH protocol |
466 | versions 1.5 and 2.0. | 544 | versions 1.5 and 2.0. |
467 | 545 | ||
468 | OpenBSD 5.2 July 6, 2012 OpenBSD 5.2 | 546 | OpenBSD 5.3 January 19, 2013 OpenBSD 5.3 |