Diffstat (limited to 'ssh-keygen.1')
-rw-r--r-- | ssh-keygen.1 | 125 |
1 files changed, 122 insertions, 3 deletions
diff --git a/ssh-keygen.1 b/ssh-keygen.1 index fe26750a4..0d84ebd1e 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1 | |||
@@ -1,4 +1,4 @@ | |||
1 | .\" $OpenBSD: ssh-keygen.1,v 1.109 2012/07/06 00:41:59 dtucker Exp $ | 1 | .\" $OpenBSD: ssh-keygen.1,v 1.115 2013/01/19 07:13:25 jmc Exp $ |
2 | .\" | 2 | .\" |
3 | .\" Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | .\" Author: Tatu Ylonen <ylo@cs.hut.fi> |
4 | .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
@@ -35,7 +35,7 @@ | |||
35 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 35 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
36 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 36 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
37 | .\" | 37 | .\" |
38 | .Dd $Mdocdate: July 6 2012 $ | 38 | .Dd $Mdocdate: January 19 2013 $ |
39 | .Dt SSH-KEYGEN 1 | 39 | .Dt SSH-KEYGEN 1 |
40 | .Os | 40 | .Os |
41 | .Sh NAME | 41 | .Sh NAME |
@@ -122,6 +122,17 @@ | |||
122 | .Op Fl f Ar input_keyfile | 122 | .Op Fl f Ar input_keyfile |
123 | .Nm ssh-keygen | 123 | .Nm ssh-keygen |
124 | .Fl A | 124 | .Fl A |
125 | .Nm ssh-keygen | ||
126 | .Fl k | ||
127 | .Fl f Ar krl_file | ||
128 | .Op Fl u | ||
129 | .Op Fl s Ar ca_public | ||
130 | .Op Fl z Ar version_number | ||
131 | .Ar | ||
132 | .Nm ssh-keygen | ||
133 | .Fl Q | ||
134 | .Fl f Ar krl_file | ||
135 | .Ar | ||
125 | .Ek | 136 | .Ek |
126 | .Sh DESCRIPTION | 137 | .Sh DESCRIPTION |
127 | .Nm | 138 | .Nm |
@@ -144,6 +155,14 @@ See the | |||
144 | .Sx MODULI GENERATION | 155 | .Sx MODULI GENERATION |
145 | section for details. | 156 | section for details. |
146 | .Pp | 157 | .Pp |
158 | Finally, | ||
159 | .Nm | ||
160 | can be used to generate and update Key Revocation Lists, and to test whether | ||
161 | given keys have been revoked by one. | ||
162 | See the | ||
163 | .Sx KEY REVOCATION LISTS | ||
164 | section for details. | ||
165 | .Pp | ||
147 | Normally each user wishing to use SSH | 166 | Normally each user wishing to use SSH |
148 | with public key authentication runs this once to create the authentication | 167 | with public key authentication runs this once to create the authentication |
149 | key in | 168 | key in |
@@ -317,6 +336,17 @@ This option allows importing keys from other software, including several | |||
317 | commercial SSH implementations. | 336 | commercial SSH implementations. |
318 | The default import format is | 337 | The default import format is |
319 | .Dq RFC4716 . | 338 | .Dq RFC4716 . |
339 | .It Fl k | ||
340 | Generate a KRL file. | ||
341 | In this mode, | ||
342 | .Nm | ||
343 | will generate a KRL file at the location specified via the | ||
344 | .Fl f | ||
345 | flag that revokes every key or certificate presented on the command line. | ||
346 | Keys/certificates to be revoked may be specified by public key file or | ||
347 | using the format described in the | ||
348 | .Sx KEY REVOCATION LISTS | ||
349 | section. | ||
320 | .It Fl L | 350 | .It Fl L |
321 | Prints the contents of a certificate. | 351 | Prints the contents of a certificate. |
322 | .It Fl l | 352 | .It Fl l |
@@ -421,6 +451,8 @@ creating a new private key. | |||
421 | The program will prompt for the file | 451 | The program will prompt for the file |
422 | containing the private key, for the old passphrase, and twice for the | 452 | containing the private key, for the old passphrase, and twice for the |
423 | new passphrase. | 453 | new passphrase. |
454 | .It Fl Q | ||
455 | Test whether keys have been revoked in a KRL. | ||
424 | .It Fl q | 456 | .It Fl q |
425 | Silence | 457 | Silence |
426 | .Nm ssh-keygen . | 458 | .Nm ssh-keygen . |
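Review bot: the -Q entry is a single sentence and, unlike -k, does not say where the KRL comes from or what the outcome is; per the SYNOPSIS form `ssh-keygen -Q -f krl_file file ...` the KRL is given with -f, and the exit-status rule (non-zero if any listed key is revoked or an error occurs) appears only in the KEY REVOCATION LISTS section. Suggest mentioning `.Fl f` and adding a `.Sx KEY REVOCATION LISTS` cross-reference, as the -k and -s entries do.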
@@ -444,6 +476,14 @@ Certify (sign) a public key using the specified CA key. | |||
444 | Please see the | 476 | Please see the |
445 | .Sx CERTIFICATES | 477 | .Sx CERTIFICATES |
446 | section for details. | 478 | section for details. |
479 | .Pp | ||
480 | When generating a KRL, | ||
481 | .Fl s | ||
482 | specifies a path to a CA public key file used to revoke certificates directly | ||
483 | by key ID or serial number. | ||
484 | See the | ||
485 | .Sx KEY REVOCATION LISTS | ||
486 | section for details. | ||
447 | .It Fl T Ar output_file | 487 | .It Fl T Ar output_file |
448 | Test DH group exchange candidate primes (generated using the | 488 | Test DH group exchange candidate primes (generated using the |
449 | .Fl G | 489 | .Fl G |
@@ -458,6 +498,12 @@ for protocol version 1 and | |||
458 | or | 498 | or |
459 | .Dq rsa | 499 | .Dq rsa |
460 | for protocol version 2. | 500 | for protocol version 2. |
501 | .It Fl u | ||
502 | Update a KRL. | ||
503 | When specified with | ||
504 | .Fl k , | ||
505 | keys listed via the command line are added to the existing KRL rather than | ||
506 | a new KRL being created. | ||
461 | .It Fl V Ar validity_interval | 507 | .It Fl V Ar validity_interval |
462 | Specify a validity interval when signing a certificate. | 508 | Specify a validity interval when signing a certificate. |
463 | A validity interval may consist of a single time, indicating that the | 509 | A validity interval may consist of a single time, indicating that the |
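Review bot: -u is documented only in combination with -k; say what happens if -u is given without -k, and whether the file named by -f must already exist (the text assumes "the existing KRL" but does not say what an absent file means).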
@@ -500,6 +546,10 @@ OpenSSH format file and print an OpenSSH public key to stdout. | |||
500 | Specifies a serial number to be embedded in the certificate to distinguish | 546 | Specifies a serial number to be embedded in the certificate to distinguish |
501 | this certificate from others from the same CA. | 547 | this certificate from others from the same CA. |
502 | The default serial number is zero. | 548 | The default serial number is zero. |
549 | .Pp | ||
550 | When generating a KRL, the | ||
551 | .Fl z | ||
552 | flag is used to specify a KRL version number. | ||
503 | .El | 553 | .El |
504 | .Sh MODULI GENERATION | 554 | .Sh MODULI GENERATION |
505 | .Nm | 555 | .Nm |
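Review bot: the new -z paragraph says only that it sets "a KRL version number"; the certificate paragraph directly above states the default ("The default serial number is zero"), so the KRL case should likewise state the default when -z is omitted and what the version is used for (for example whether a consumer treats a higher version as superseding an older KRL).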
@@ -624,7 +674,9 @@ The | |||
624 | option allows specification of certificate start and end times. | 674 | option allows specification of certificate start and end times. |
625 | A certificate that is presented at a time outside this range will not be | 675 | A certificate that is presented at a time outside this range will not be |
626 | considered valid. | 676 | considered valid. |
627 | By default, certificates have a maximum validity interval. | 677 | By default, certificates are valid from |
678 | .Ux | ||
679 | Epoch to the distant future. | ||
628 | .Pp | 680 | .Pp |
629 | For certificates to be used for user or host authentication, the CA | 681 | For certificates to be used for user or host authentication, the CA |
630 | public key must be trusted by | 682 | public key must be trusted by |
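Review bot: "from Unix Epoch to the distant future" is a figure of speech where a concrete bound belongs; the substantive change is that certificates are now documented as valid indefinitely unless -V is given (the sentence just above already says -V sets start and end times), so state the actual upper bound, or at least say plainly that without -V a certificate never expires, since that is the security-relevant default a CA operator needs to know.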
@@ -632,6 +684,73 @@ public key must be trusted by | |||
632 | or | 684 | or |
633 | .Xr ssh 1 . | 685 | .Xr ssh 1 . |
634 | Please refer to those manual pages for details. | 686 | Please refer to those manual pages for details. |
687 | .Sh KEY REVOCATION LISTS | ||
688 | .Nm | ||
689 | is able to manage OpenSSH format Key Revocation Lists (KRLs). | ||
690 | These binary files specify keys or certificates to be revoked using a | ||
691 | compact format, taking as little a one bit per certificate if they are being | ||
692 | revoked by serial number. | ||
693 | .Pp | ||
694 | KRLs may be generated using the | ||
695 | .Fl k | ||
696 | flag. | ||
697 | This option reads one or more files from the command line and generates a new | ||
698 | KRL. | ||
699 | The files may either contain a KRL specification (see below) or public keys, | ||
700 | listed one per line. | ||
701 | Plain public keys are revoked by listing their hash or contents in the KRL and | ||
702 | certificates revoked by serial number or key ID (if the serial is zero or | ||
703 | not available). | ||
704 | .Pp | ||
705 | Revoking keys using a KRL specification offers explicit control over the | ||
706 | types of record used to revoke keys and may be used to directly revoke | ||
707 | certificates by serial number or key ID without having the complete original | ||
708 | certificate on hand. | ||
709 | A KRL specification consists of lines containing one of the following directives | ||
710 | followed by a colon and some directive-specific information. | ||
711 | .Bl -tag -width Ds | ||
712 | .It Cm serial : Ar serial_number Ns Op - Ns Ar serial_number | ||
713 | Revokes a certificate with the specified serial number. | ||
714 | Serial numbers are 64-bit values, not including zero and may be expressed | ||
715 | in decimal, hex or octal. | ||
716 | If two serial numbers are specified separated by a hyphen, then the range | ||
717 | of serial numbers including and between each is revoked. | ||
718 | The CA key must have been specified on the | ||
719 | .Nm | ||
720 | command line using the | ||
721 | .Fl s | ||
722 | option. | ||
723 | .It Cm id : Ar key_id | ||
724 | Revokes a certificate with the specified key ID string. | ||
725 | The CA key must have been specified on the | ||
726 | .Nm | ||
727 | command line using the | ||
728 | .Fl s | ||
729 | option. | ||
730 | .It Cm key : Ar public_key | ||
731 | Revokes the specified key. | ||
732 | If a certificate is listed, then it is revoked as a plain public key. | ||
733 | .It Cm sha1 : Ar public_key | ||
734 | Revokes the specified key by its SHA1 hash. | ||
735 | .El | ||
736 | .Pp | ||
737 | KRLs may be updated using the | ||
738 | .Fl u | ||
739 | flag in addition to | ||
740 | .Fl k . | ||
741 | When this option is specified, keys listed via the command line are merged into | ||
742 | the KRL, adding to those already there. | ||
743 | .Pp | ||
744 | It is also possible, given a KRL, to test whether it revokes a particular key | ||
745 | (or keys). | ||
746 | The | ||
747 | .Fl Q | ||
748 | flag will query an existing KRL, testing each key specified on the commandline. | ||
749 | If any key listed on the command line has been revoked (or an error encountered) | ||
750 | then | ||
751 | .Nm | ||
752 | will exit with a non-zero exit status. | ||
753 | A zero exit status will only be returned if no key was revoked. | ||
635 | .Sh FILES | 754 | .Sh FILES |
636 | .Bl -tag -width Ds -compact | 755 | .Bl -tag -width Ds -compact |
637 | .It Pa ~/.ssh/identity | 756 | .It Pa ~/.ssh/identity |
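Review bot: typo in the first paragraph of the new KEY REVOCATION LISTS section: "taking as little a one bit per certificate" should read "as little as one bit". In the -Q paragraph, "commandline" is inconsistent with "command line" on the next line and elsewhere in the page, and "64-bit values, not including zero and may be expressed" wants a comma after "zero". On content: the last sentence ("A zero exit status will only be returned if no key was revoked") drops the error case that the preceding sentence includes; reword to "if no key was revoked and no error occurred". Also, the `key:` directive states that a listed certificate is revoked as a plain public key, but `sha1:` does not say whether a certificate given as public_key is hashed as the certificate or as its underlying key; state which.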