summaryrefslogtreecommitdiff
path: root/ssh-keygen.0
diff options
context:
space:
mode:
authorColin Watson <cjwatson@debian.org>2013-05-07 10:06:42 +0100
committerColin Watson <cjwatson@debian.org>2013-05-07 10:06:42 +0100
commitecebda56da46a03dafff923d91c382f31faa9eec (patch)
tree449614b6c06a2622c74a609b31fcc46c60037c56 /ssh-keygen.0
parentc6a2c0334e45419875687d250aed9bea78480f2e (diff)
parentffc06452028ba78cd693d4ed43df8b60a10d6163 (diff)
merge 6.2p1; reorder additions to monitor.h for easier merging in future
Diffstat (limited to 'ssh-keygen.0')
-rw-r--r--ssh-keygen.084
1 files changed, 81 insertions, 3 deletions
diff --git a/ssh-keygen.0 b/ssh-keygen.0
index 8f9fbd179..3c7a64753 100644
--- a/ssh-keygen.0
+++ b/ssh-keygen.0
@@ -25,6 +25,9 @@ SYNOPSIS
25 [-O option] [-V validity_interval] [-z serial_number] file ... 25 [-O option] [-V validity_interval] [-z serial_number] file ...
26 ssh-keygen -L [-f input_keyfile] 26 ssh-keygen -L [-f input_keyfile]
27 ssh-keygen -A 27 ssh-keygen -A
28 ssh-keygen -k -f krl_file [-u] [-s ca_public] [-z version_number]
29 file ...
30 ssh-keygen -Q -f krl_file file ...
28 31
29DESCRIPTION 32DESCRIPTION
30 ssh-keygen generates, manages and converts authentication keys for 33 ssh-keygen generates, manages and converts authentication keys for
@@ -37,6 +40,10 @@ DESCRIPTION
37 ssh-keygen is also used to generate groups for use in Diffie-Hellman 40 ssh-keygen is also used to generate groups for use in Diffie-Hellman
38 group exchange (DH-GEX). See the MODULI GENERATION section for details. 41 group exchange (DH-GEX). See the MODULI GENERATION section for details.
39 42
43 Finally, ssh-keygen can be used to generate and update Key Revocation
44 Lists, and to test whether given keys have been revoked by one. See the
45 KEY REVOCATION LISTS section for details.
46
40 Normally each user wishing to use SSH with public key authentication runs 47 Normally each user wishing to use SSH with public key authentication runs
41 this once to create the authentication key in ~/.ssh/identity, 48 this once to create the authentication key in ~/.ssh/identity,
42 ~/.ssh/id_ecdsa, ~/.ssh/id_dsa or ~/.ssh/id_rsa. Additionally, the 49 ~/.ssh/id_ecdsa, ~/.ssh/id_dsa or ~/.ssh/id_rsa. Additionally, the
@@ -167,6 +174,13 @@ DESCRIPTION
167 keys from other software, including several commercial SSH 174 keys from other software, including several commercial SSH
168 implementations. The default import format is ``RFC4716''. 175 implementations. The default import format is ``RFC4716''.
169 176
177 -k Generate a KRL file. In this mode, ssh-keygen will generate a
178 KRL file at the location specified via the -f flag that revokes
179 every key or certificate presented on the command line.
180 Keys/certificates to be revoked may be specified by public key
181 file or using the format described in the KEY REVOCATION LISTS
182 section.
183
170 -L Prints the contents of a certificate. 184 -L Prints the contents of a certificate.
171 185
172 -l Show fingerprint of specified public key file. Private RSA1 keys 186 -l Show fingerprint of specified public key file. Private RSA1 keys
@@ -256,6 +270,8 @@ DESCRIPTION
256 containing the private key, for the old passphrase, and twice for 270 containing the private key, for the old passphrase, and twice for
257 the new passphrase. 271 the new passphrase.
258 272
273 -Q Test whether keys have been revoked in a KRL.
274
259 -q Silence ssh-keygen. 275 -q Silence ssh-keygen.
260 276
261 -R hostname 277 -R hostname
@@ -275,6 +291,10 @@ DESCRIPTION
275 Certify (sign) a public key using the specified CA key. Please 291 Certify (sign) a public key using the specified CA key. Please
276 see the CERTIFICATES section for details. 292 see the CERTIFICATES section for details.
277 293
294 When generating a KRL, -s specifies a path to a CA public key
295 file used to revoke certificates directly by key ID or serial
296 number. See the KEY REVOCATION LISTS section for details.
297
278 -T output_file 298 -T output_file
279 Test DH group exchange candidate primes (generated using the -G 299 Test DH group exchange candidate primes (generated using the -G
280 option) for safety. 300 option) for safety.
@@ -284,6 +304,10 @@ DESCRIPTION
284 ``rsa1'' for protocol version 1 and ``dsa'', ``ecdsa'' or ``rsa'' 304 ``rsa1'' for protocol version 1 and ``dsa'', ``ecdsa'' or ``rsa''
285 for protocol version 2. 305 for protocol version 2.
286 306
307 -u Update a KRL. When specified with -k, keys listed via the
308 command line are added to the existing KRL rather than a new KRL
309 being created.
310
287 -V validity_interval 311 -V validity_interval
288 Specify a validity interval when signing a certificate. A 312 Specify a validity interval when signing a certificate. A
289 validity interval may consist of a single time, indicating that 313 validity interval may consist of a single time, indicating that
@@ -321,6 +345,9 @@ DESCRIPTION
321 distinguish this certificate from others from the same CA. The 345 distinguish this certificate from others from the same CA. The
322 default serial number is zero. 346 default serial number is zero.
323 347
348 When generating a KRL, the -z flag is used to specify a KRL
349 version number.
350
324MODULI GENERATION 351MODULI GENERATION
325 ssh-keygen may be used to generate groups for the Diffie-Hellman Group 352 ssh-keygen may be used to generate groups for the Diffie-Hellman Group
326 Exchange (DH-GEX) protocol. Generating these groups is a two-step 353 Exchange (DH-GEX) protocol. Generating these groups is a two-step
@@ -404,13 +431,64 @@ CERTIFICATES
404 Finally, certificates may be defined with a validity lifetime. The -V 431 Finally, certificates may be defined with a validity lifetime. The -V
405 option allows specification of certificate start and end times. A 432 option allows specification of certificate start and end times. A
406 certificate that is presented at a time outside this range will not be 433 certificate that is presented at a time outside this range will not be
407 considered valid. By default, certificates have a maximum validity 434 considered valid. By default, certificates are valid from UNIX Epoch to
408 interval. 435 the distant future.
409 436
410 For certificates to be used for user or host authentication, the CA 437 For certificates to be used for user or host authentication, the CA
411 public key must be trusted by sshd(8) or ssh(1). Please refer to those 438 public key must be trusted by sshd(8) or ssh(1). Please refer to those
412 manual pages for details. 439 manual pages for details.
413 440
441KEY REVOCATION LISTS
442 ssh-keygen is able to manage OpenSSH format Key Revocation Lists (KRLs).
443 These binary files specify keys or certificates to be revoked using a
444 compact format, taking as little a one bit per certificate if they are
445 being revoked by serial number.
446
447 KRLs may be generated using the -k flag. This option reads one or more
448 files from the command line and generates a new KRL. The files may
449 either contain a KRL specification (see below) or public keys, listed one
450 per line. Plain public keys are revoked by listing their hash or
451 contents in the KRL and certificates revoked by serial number or key ID
452 (if the serial is zero or not available).
453
454 Revoking keys using a KRL specification offers explicit control over the
455 types of record used to revoke keys and may be used to directly revoke
456 certificates by serial number or key ID without having the complete
457 original certificate on hand. A KRL specification consists of lines
458 containing one of the following directives followed by a colon and some
459 directive-specific information.
460
461 serial: serial_number[-serial_number]
462 Revokes a certificate with the specified serial number. Serial
463 numbers are 64-bit values, not including zero and may be
464 expressed in decimal, hex or octal. If two serial numbers are
465 specified separated by a hyphen, then the range of serial numbers
466 including and between each is revoked. The CA key must have been
467 specified on the ssh-keygen command line using the -s option.
468
469 id: key_id
470 Revokes a certificate with the specified key ID string. The CA
471 key must have been specified on the ssh-keygen command line using
472 the -s option.
473
474 key: public_key
475 Revokes the specified key. If a certificate is listed, then it
476 is revoked as a plain public key.
477
478 sha1: public_key
479 Revokes the specified key by its SHA1 hash.
480
481 KRLs may be updated using the -u flag in addition to -k. When this
482 option is specified, keys listed via the command line are merged into the
483 KRL, adding to those already there.
484
485 It is also possible, given a KRL, to test whether it revokes a particular
486 key (or keys). The -Q flag will query an existing KRL, testing each key
487 specified on the commandline. If any key listed on the command line has
488 been revoked (or an error encountered) then ssh-keygen will exit with a
489 non-zero exit status. A zero exit status will only be returned if no key
490 was revoked.
491
414FILES 492FILES
415 ~/.ssh/identity 493 ~/.ssh/identity
416 Contains the protocol version 1 RSA authentication identity of 494 Contains the protocol version 1 RSA authentication identity of
@@ -465,4 +543,4 @@ AUTHORS
465 created OpenSSH. Markus Friedl contributed the support for SSH protocol 543 created OpenSSH. Markus Friedl contributed the support for SSH protocol
466 versions 1.5 and 2.0. 544 versions 1.5 and 2.0.
467 545
468OpenBSD 5.2 July 6, 2012 OpenBSD 5.2 546OpenBSD 5.3 January 19, 2013 OpenBSD 5.3