path: root/ssh-keygen.0
Diffstat (limited to 'ssh-keygen.0')
-rw-r--r-- ssh-keygen.0 84
1 files changed, 81 insertions, 3 deletions
diff --git a/ssh-keygen.0 b/ssh-keygen.0
index 8f9fbd179..3c7a64753 100644
--- a/ssh-keygen.0
+++ b/ssh-keygen.0
@@ -25,6 +25,9 @@ SYNOPSIS
25 [-O option] [-V validity_interval] [-z serial_number] file ... 25 [-O option] [-V validity_interval] [-z serial_number] file ...
26 ssh-keygen -L [-f input_keyfile] 26 ssh-keygen -L [-f input_keyfile]
27 ssh-keygen -A 27 ssh-keygen -A
28 ssh-keygen -k -f krl_file [-u] [-s ca_public] [-z version_number]
29 file ...
30 ssh-keygen -Q -f krl_file file ...
28 31
29DESCRIPTION 32DESCRIPTION
30 ssh-keygen generates, manages and converts authentication keys for 33 ssh-keygen generates, manages and converts authentication keys for
@@ -37,6 +40,10 @@ DESCRIPTION
37 ssh-keygen is also used to generate groups for use in Diffie-Hellman 40 ssh-keygen is also used to generate groups for use in Diffie-Hellman
38 group exchange (DH-GEX). See the MODULI GENERATION section for details. 41 group exchange (DH-GEX). See the MODULI GENERATION section for details.
39 42
43 Finally, ssh-keygen can be used to generate and update Key Revocation
44 Lists, and to test whether given keys have been revoked by one. See the
45 KEY REVOCATION LISTS section for details.
46
40 Normally each user wishing to use SSH with public key authentication runs 47 Normally each user wishing to use SSH with public key authentication runs
41 this once to create the authentication key in ~/.ssh/identity, 48 this once to create the authentication key in ~/.ssh/identity,
42 ~/.ssh/id_ecdsa, ~/.ssh/id_dsa or ~/.ssh/id_rsa. Additionally, the 49 ~/.ssh/id_ecdsa, ~/.ssh/id_dsa or ~/.ssh/id_rsa. Additionally, the
@@ -167,6 +174,13 @@ DESCRIPTION
167 keys from other software, including several commercial SSH 174 keys from other software, including several commercial SSH
168 implementations. The default import format is ``RFC4716''. 175 implementations. The default import format is ``RFC4716''.
169 176
177 -k Generate a KRL file. In this mode, ssh-keygen will generate a
178 KRL file at the location specified via the -f flag that revokes
179 every key or certificate presented on the command line.
180 Keys/certificates to be revoked may be specified by public key
181 file or using the format described in the KEY REVOCATION LISTS
182 section.
183
170 -L Prints the contents of a certificate. 184 -L Prints the contents of a certificate.
171 185
172 -l Show fingerprint of specified public key file. Private RSA1 keys 186 -l Show fingerprint of specified public key file. Private RSA1 keys
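Review bot: The -k entry at lines 177-182 says the KRL is written "at the location specified via the -f flag" but never states that -f is mandatory in this mode, although the new SYNOPSIS line `ssh-keygen -k -f krl_file [-u] [-s ca_public] [-z version_number]` shows it unbracketed. Suggest "The KRL file must be specified with -f." plus a pointer to -u for the update case, since from the -k text alone a reader has to infer from the later -u entry that -k without -u creates a new KRL rather than adding to an existing one.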
@@ -256,6 +270,8 @@ DESCRIPTION
256 containing the private key, for the old passphrase, and twice for 270 containing the private key, for the old passphrase, and twice for
257 the new passphrase. 271 the new passphrase.
258 272
273 -Q Test whether keys have been revoked in a KRL.
274
259 -q Silence ssh-keygen. 275 -q Silence ssh-keygen.
260 276
261 -R hostname 277 -R hostname
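Review bot: The new -Q entry at line 273 is a single sentence and omits two things the other new options state: that the KRL is supplied with -f (as the SYNOPSIS line `ssh-keygen -Q -f krl_file file ...` shows) and that the result is reported only through the exit status. Suggest: "Test whether keys have been revoked in a KRL. The KRL is specified via -f; see the KEY REVOCATION LISTS section for details of the exit status."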
@@ -275,6 +291,10 @@ DESCRIPTION
275 Certify (sign) a public key using the specified CA key. Please 291 Certify (sign) a public key using the specified CA key. Please
276 see the CERTIFICATES section for details. 292 see the CERTIFICATES section for details.
277 293
294 When generating a KRL, -s specifies a path to a CA public key
295 file used to revoke certificates directly by key ID or serial
296 number. See the KEY REVOCATION LISTS section for details.
297
278 -T output_file 298 -T output_file
279 Test DH group exchange candidate primes (generated using the -G 299 Test DH group exchange candidate primes (generated using the -G
280 option) for safety. 300 option) for safety.
@@ -284,6 +304,10 @@ DESCRIPTION
284 ``rsa1'' for protocol version 1 and ``dsa'', ``ecdsa'' or ``rsa'' 304 ``rsa1'' for protocol version 1 and ``dsa'', ``ecdsa'' or ``rsa''
285 for protocol version 2. 305 for protocol version 2.
286 306
307 -u Update a KRL. When specified with -k, keys listed via the
308 command line are added to the existing KRL rather than a new KRL
309 being created.
310
287 -V validity_interval 311 -V validity_interval
288 Specify a validity interval when signing a certificate. A 312 Specify a validity interval when signing a certificate. A
289 validity interval may consist of a single time, indicating that 313 validity interval may consist of a single time, indicating that
@@ -321,6 +345,9 @@ DESCRIPTION
321 distinguish this certificate from others from the same CA. The 345 distinguish this certificate from others from the same CA. The
322 default serial number is zero. 346 default serial number is zero.
323 347
348 When generating a KRL, the -z flag is used to specify a KRL
349 version number.
350
324MODULI GENERATION 351MODULI GENERATION
325 ssh-keygen may be used to generate groups for the Diffie-Hellman Group 352 ssh-keygen may be used to generate groups for the Diffie-Hellman Group
326 Exchange (DH-GEX) protocol. Generating these groups is a two-step 353 Exchange (DH-GEX) protocol. Generating these groups is a two-step
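Review bot: The -z KRL paragraph at lines 348-349 states no default, whereas the certificate case directly above it does ("The default serial number is zero", line 346). Say what the KRL version is when -z is omitted, and whether -u requires a new version or leaves the existing one unchanged; without that an administrator cannot tell whether an updated KRL will be distinguishable from the one it replaces.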
@@ -404,13 +431,64 @@ CERTIFICATES
404 Finally, certificates may be defined with a validity lifetime. The -V 431 Finally, certificates may be defined with a validity lifetime. The -V
405 option allows specification of certificate start and end times. A 432 option allows specification of certificate start and end times. A
406 certificate that is presented at a time outside this range will not be 433 certificate that is presented at a time outside this range will not be
407 considered valid. By default, certificates have a maximum validity 434 considered valid. By default, certificates are valid from UNIX Epoch to
408 interval. 435 the distant future.
409 436
410 For certificates to be used for user or host authentication, the CA 437 For certificates to be used for user or host authentication, the CA
411 public key must be trusted by sshd(8) or ssh(1). Please refer to those 438 public key must be trusted by sshd(8) or ssh(1). Please refer to those
412 manual pages for details. 439 manual pages for details.
413 440
441KEY REVOCATION LISTS
442 ssh-keygen is able to manage OpenSSH format Key Revocation Lists (KRLs).
443 These binary files specify keys or certificates to be revoked using a
444 compact format, taking as little a one bit per certificate if they are
445 being revoked by serial number.
446
447 KRLs may be generated using the -k flag. This option reads one or more
448 files from the command line and generates a new KRL. The files may
449 either contain a KRL specification (see below) or public keys, listed one
450 per line. Plain public keys are revoked by listing their hash or
451 contents in the KRL and certificates revoked by serial number or key ID
452 (if the serial is zero or not available).
453
454 Revoking keys using a KRL specification offers explicit control over the
455 types of record used to revoke keys and may be used to directly revoke
456 certificates by serial number or key ID without having the complete
457 original certificate on hand. A KRL specification consists of lines
458 containing one of the following directives followed by a colon and some
459 directive-specific information.
460
461 serial: serial_number[-serial_number]
462 Revokes a certificate with the specified serial number. Serial
463 numbers are 64-bit values, not including zero and may be
464 expressed in decimal, hex or octal. If two serial numbers are
465 specified separated by a hyphen, then the range of serial numbers
466 including and between each is revoked. The CA key must have been
467 specified on the ssh-keygen command line using the -s option.
468
469 id: key_id
470 Revokes a certificate with the specified key ID string. The CA
471 key must have been specified on the ssh-keygen command line using
472 the -s option.
473
474 key: public_key
475 Revokes the specified key. If a certificate is listed, then it
476 is revoked as a plain public key.
477
478 sha1: public_key
479 Revokes the specified key by its SHA1 hash.
480
481 KRLs may be updated using the -u flag in addition to -k. When this
482 option is specified, keys listed via the command line are merged into the
483 KRL, adding to those already there.
484
485 It is also possible, given a KRL, to test whether it revokes a particular
486 key (or keys). The -Q flag will query an existing KRL, testing each key
487 specified on the commandline. If any key listed on the command line has
488 been revoked (or an error encountered) then ssh-keygen will exit with a
489 non-zero exit status. A zero exit status will only be returned if no key
490 was revoked.
491
414FILES 492FILES
415 ~/.ssh/identity 493 ~/.ssh/identity
416 Contains the protocol version 1 RSA authentication identity of 494 Contains the protocol version 1 RSA authentication identity of
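Review bot: Typo at line 444: "taking as little a one bit per certificate" should read "taking as little as one bit per certificate". Also at line 487 "commandline" should be "command line", matching lines 467, 471 and 482 in the same section, and since the -Q option entry itself is one line, the -Q paragraph at lines 485-490 is the only place the exit-status contract is documented; a "See the -Q option" cross-reference in one direction or the other would help readers who arrive via the option list.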
@@ -465,4 +543,4 @@ AUTHORS
465 created OpenSSH. Markus Friedl contributed the support for SSH protocol 543 created OpenSSH. Markus Friedl contributed the support for SSH protocol
466 versions 1.5 and 2.0. 544 versions 1.5 and 2.0.
467 545
468OpenBSD 5.2 July 6, 2012 OpenBSD 5.2 546OpenBSD 5.3 January 19, 2013 OpenBSD 5.3