summaryrefslogtreecommitdiff
path: root/ssh-keygen.1
diff options
context:
space:
mode:
authorColin Watson <cjwatson@debian.org>2013-05-07 10:06:42 +0100
committerColin Watson <cjwatson@debian.org>2013-05-07 10:06:42 +0100
commitecebda56da46a03dafff923d91c382f31faa9eec (patch)
tree449614b6c06a2622c74a609b31fcc46c60037c56 /ssh-keygen.1
parentc6a2c0334e45419875687d250aed9bea78480f2e (diff)
parentffc06452028ba78cd693d4ed43df8b60a10d6163 (diff)
merge 6.2p1; reorder additions to monitor.h for easier merging in future
Diffstat (limited to 'ssh-keygen.1')
-rw-r--r--ssh-keygen.1125
1 files changed, 122 insertions, 3 deletions
diff --git a/ssh-keygen.1 b/ssh-keygen.1
index 03f927edf..7da73e07c 100644
--- a/ssh-keygen.1
+++ b/ssh-keygen.1
@@ -1,4 +1,4 @@
1.\" $OpenBSD: ssh-keygen.1,v 1.109 2012/07/06 00:41:59 dtucker Exp $ 1.\" $OpenBSD: ssh-keygen.1,v 1.115 2013/01/19 07:13:25 jmc Exp $
2.\" 2.\"
3.\" Author: Tatu Ylonen <ylo@cs.hut.fi> 3.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
4.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -35,7 +35,7 @@
35.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 35.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
36.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 36.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
37.\" 37.\"
38.Dd $Mdocdate: July 6 2012 $ 38.Dd $Mdocdate: January 19 2013 $
39.Dt SSH-KEYGEN 1 39.Dt SSH-KEYGEN 1
40.Os 40.Os
41.Sh NAME 41.Sh NAME
@@ -122,6 +122,17 @@
122.Op Fl f Ar input_keyfile 122.Op Fl f Ar input_keyfile
123.Nm ssh-keygen 123.Nm ssh-keygen
124.Fl A 124.Fl A
125.Nm ssh-keygen
126.Fl k
127.Fl f Ar krl_file
128.Op Fl u
129.Op Fl s Ar ca_public
130.Op Fl z Ar version_number
131.Ar
132.Nm ssh-keygen
133.Fl Q
134.Fl f Ar krl_file
135.Ar
125.Ek 136.Ek
126.Sh DESCRIPTION 137.Sh DESCRIPTION
127.Nm 138.Nm
@@ -144,6 +155,14 @@ See the
144.Sx MODULI GENERATION 155.Sx MODULI GENERATION
145section for details. 156section for details.
146.Pp 157.Pp
158Finally,
159.Nm
160can be used to generate and update Key Revocation Lists, and to test whether
161given keys have been revoked by one.
162See the
163.Sx KEY REVOCATION LISTS
164section for details.
165.Pp
147Normally each user wishing to use SSH 166Normally each user wishing to use SSH
148with public key authentication runs this once to create the authentication 167with public key authentication runs this once to create the authentication
149key in 168key in
@@ -321,6 +340,17 @@ This option allows importing keys from other software, including several
321commercial SSH implementations. 340commercial SSH implementations.
322The default import format is 341The default import format is
323.Dq RFC4716 . 342.Dq RFC4716 .
343.It Fl k
344Generate a KRL file.
345In this mode,
346.Nm
347will generate a KRL file at the location specified via the
348.Fl f
349flag that revokes every key or certificate presented on the command line.
350Keys/certificates to be revoked may be specified by public key file or
351using the format described in the
352.Sx KEY REVOCATION LISTS
353section.
324.It Fl L 354.It Fl L
325Prints the contents of a certificate. 355Prints the contents of a certificate.
326.It Fl l 356.It Fl l
@@ -425,6 +455,8 @@ creating a new private key.
425The program will prompt for the file 455The program will prompt for the file
426containing the private key, for the old passphrase, and twice for the 456containing the private key, for the old passphrase, and twice for the
427new passphrase. 457new passphrase.
458.It Fl Q
459Test whether keys have been revoked in a KRL.
428.It Fl q 460.It Fl q
429Silence 461Silence
430.Nm ssh-keygen . 462.Nm ssh-keygen .
@@ -448,6 +480,14 @@ Certify (sign) a public key using the specified CA key.
448Please see the 480Please see the
449.Sx CERTIFICATES 481.Sx CERTIFICATES
450section for details. 482section for details.
483.Pp
484When generating a KRL,
485.Fl s
486specifies a path to a CA public key file used to revoke certificates directly
487by key ID or serial number.
488See the
489.Sx KEY REVOCATION LISTS
490section for details.
451.It Fl T Ar output_file 491.It Fl T Ar output_file
452Test DH group exchange candidate primes (generated using the 492Test DH group exchange candidate primes (generated using the
453.Fl G 493.Fl G
@@ -462,6 +502,12 @@ for protocol version 1 and
462or 502or
463.Dq rsa 503.Dq rsa
464for protocol version 2. 504for protocol version 2.
505.It Fl u
506Update a KRL.
507When specified with
508.Fl k ,
509keys listed via the command line are added to the existing KRL rather than
510a new KRL being created.
465.It Fl V Ar validity_interval 511.It Fl V Ar validity_interval
466Specify a validity interval when signing a certificate. 512Specify a validity interval when signing a certificate.
467A validity interval may consist of a single time, indicating that the 513A validity interval may consist of a single time, indicating that the
@@ -504,6 +550,10 @@ OpenSSH format file and print an OpenSSH public key to stdout.
504Specifies a serial number to be embedded in the certificate to distinguish 550Specifies a serial number to be embedded in the certificate to distinguish
505this certificate from others from the same CA. 551this certificate from others from the same CA.
506The default serial number is zero. 552The default serial number is zero.
553.Pp
554When generating a KRL, the
555.Fl z
556flag is used to specify a KRL version number.
507.El 557.El
508.Sh MODULI GENERATION 558.Sh MODULI GENERATION
509.Nm 559.Nm
@@ -628,7 +678,9 @@ The
628option allows specification of certificate start and end times. 678option allows specification of certificate start and end times.
629A certificate that is presented at a time outside this range will not be 679A certificate that is presented at a time outside this range will not be
630considered valid. 680considered valid.
631By default, certificates have a maximum validity interval. 681By default, certificates are valid from
682.Ux
683Epoch to the distant future.
632.Pp 684.Pp
633For certificates to be used for user or host authentication, the CA 685For certificates to be used for user or host authentication, the CA
634public key must be trusted by 686public key must be trusted by
@@ -636,6 +688,73 @@ public key must be trusted by
636or 688or
637.Xr ssh 1 . 689.Xr ssh 1 .
638Please refer to those manual pages for details. 690Please refer to those manual pages for details.
691.Sh KEY REVOCATION LISTS
692.Nm
693is able to manage OpenSSH format Key Revocation Lists (KRLs).
694These binary files specify keys or certificates to be revoked using a
695compact format, taking as little a one bit per certificate if they are being
696revoked by serial number.
697.Pp
698KRLs may be generated using the
699.Fl k
700flag.
701This option reads one or more files from the command line and generates a new
702KRL.
703The files may either contain a KRL specification (see below) or public keys,
704listed one per line.
705Plain public keys are revoked by listing their hash or contents in the KRL and
706certificates revoked by serial number or key ID (if the serial is zero or
707not available).
708.Pp
709Revoking keys using a KRL specification offers explicit control over the
710types of record used to revoke keys and may be used to directly revoke
711certificates by serial number or key ID without having the complete original
712certificate on hand.
713A KRL specification consists of lines containing one of the following directives
714followed by a colon and some directive-specific information.
715.Bl -tag -width Ds
716.It Cm serial : Ar serial_number Ns Op - Ns Ar serial_number
717Revokes a certificate with the specified serial number.
718Serial numbers are 64-bit values, not including zero and may be expressed
719in decimal, hex or octal.
720If two serial numbers are specified separated by a hyphen, then the range
721of serial numbers including and between each is revoked.
722The CA key must have been specified on the
723.Nm
724command line using the
725.Fl s
726option.
727.It Cm id : Ar key_id
728Revokes a certificate with the specified key ID string.
729The CA key must have been specified on the
730.Nm
731command line using the
732.Fl s
733option.
734.It Cm key : Ar public_key
735Revokes the specified key.
736If a certificate is listed, then it is revoked as a plain public key.
737.It Cm sha1 : Ar public_key
738Revokes the specified key by its SHA1 hash.
739.El
740.Pp
741KRLs may be updated using the
742.Fl u
743flag in addition to
744.Fl k .
745When this option is specified, keys listed via the command line are merged into
746the KRL, adding to those already there.
747.Pp
748It is also possible, given a KRL, to test whether it revokes a particular key
749(or keys).
750The
751.Fl Q
752flag will query an existing KRL, testing each key specified on the commandline.
753If any key listed on the command line has been revoked (or an error encountered)
754then
755.Nm
756will exit with a non-zero exit status.
757A zero exit status will only be returned if no key was revoked.
639.Sh FILES 758.Sh FILES
640.Bl -tag -width Ds -compact 759.Bl -tag -width Ds -compact
641.It Pa ~/.ssh/identity 760.It Pa ~/.ssh/identity