1 files changed, 122 insertions, 3 deletions
diff --git a/ssh-keygen.1 b/ssh-keygen.1
index 03f927edf..7da73e07c 100644
--- a/ssh-keygen.1
+++ b/ssh-keygen.1
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: ssh-keygen.1,v 1.109 2012/07/06 00:41:59 dtucker Exp $
+.\"     $OpenBSD: ssh-keygen.1,v 1.115 2013/01/19 07:13:25 jmc Exp $
 .\"
 .\" Author: Tatu Ylonen <ylo@cs.hut.fi>
 .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -35,7 +35,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: July 6 2012 $
+.Dd $Mdocdate: January 19 2013 $
 .Dt SSH-KEYGEN 1
 .Os
 .Sh NAME
@@ -122,6 +122,17 @@
 .Op Fl f Ar input_keyfile
 .Nm ssh-keygen
 .Fl A
+.Nm ssh-keygen
+.Fl k
+.Fl f Ar krl_file
+.Op Fl u
+.Op Fl s Ar ca_public
+.Op Fl z Ar version_number
+.Ar
+.Nm ssh-keygen
+.Fl Q
+.Fl f Ar krl_file
+.Ar
 .Ek
 .Sh DESCRIPTION
 .Nm
@@ -144,6 +155,14 @@ See the
 .Sx MODULI GENERATION
 section for details.
 .Pp
+Finally,
+.Nm
+can be used to generate and update Key Revocation Lists, and to test whether
+given keys have been revoked by one.
+See the
+.Sx KEY REVOCATION LISTS
+section for details.
+.Pp
 Normally each user wishing to use SSH
 with public key authentication runs this once to create the authentication
 key in
@@ -321,6 +340,17 @@ This option allows importing keys from other software, including several
 commercial SSH implementations.
 The default import format is
 .Dq RFC4716 .
+.It Fl k
+Generate a KRL file.
+In this mode,
+.Nm
+will generate a KRL file at the location specified via the
+.Fl f
+flag that revokes every key or certificate presented on the command line.
+Keys/certificates to be revoked may be specified by public key file or
+using the format described in the
+.Sx KEY REVOCATION LISTS
+section.
 .It Fl L
 Prints the contents of a certificate.
 .It Fl l
@@ -425,6 +455,8 @@ creating a new private key.
 The program will prompt for the file
 containing the private key, for the old passphrase, and twice for the
 new passphrase.
+.It Fl Q
+Test whether keys have been revoked in a KRL.
 .It Fl q
 Silence
 .Nm ssh-keygen .
@@ -448,6 +480,14 @@ Certify (sign) a public key using the specified CA key.
 Please see the
 .Sx CERTIFICATES
 section for details.
+.Pp
+When generating a KRL,
+.Fl s
+specifies a path to a CA public key file used to revoke certificates directly
+by key ID or serial number.
+See the
+.Sx KEY REVOCATION LISTS
+section for details.
 .It Fl T Ar output_file
 Test DH group exchange candidate primes (generated using the
 .Fl G
@@ -462,6 +502,12 @@ for protocol version 1 and
 or
 .Dq rsa
 for protocol version 2.
+.It Fl u
+Update a KRL.
+When specified with
+.Fl k ,
+keys listed via the command line are added to the existing KRL rather than
+a new KRL being created.
 .It Fl V Ar validity_interval
 Specify a validity interval when signing a certificate.
 A validity interval may consist of a single time, indicating that the
@@ -504,6 +550,10 @@ OpenSSH format file and print an OpenSSH public key to stdout.
 Specifies a serial number to be embedded in the certificate to distinguish
 this certificate from others from the same CA.
 The default serial number is zero.
+.Pp
+When generating a KRL, the
+.Fl z
+flag is used to specify a KRL version number.
 .El
 .Sh MODULI GENERATION
 .Nm
@@ -628,7 +678,9 @@ The
 option allows specification of certificate start and end times.
 A certificate that is presented at a time outside this range will not be
 considered valid.
-By default, certificates have a maximum validity interval.
+By default, certificates are valid from
+.Ux
+Epoch to the distant future.
 .Pp
 For certificates to be used for user or host authentication, the CA
 public key must be trusted by
@@ -636,6 +688,73 @@ public key must be trusted by
 or
 .Xr ssh 1 .
 Please refer to those manual pages for details.
+.Sh KEY REVOCATION LISTS
+.Nm
+is able to manage OpenSSH format Key Revocation Lists (KRLs).
+These binary files specify keys or certificates to be revoked using a
+compact format, taking as little a one bit per certificate if they are being
+revoked by serial number.
+.Pp
+KRLs may be generated using the
+.Fl k
+flag.
+This option reads one or more files from the command line and generates a new
+KRL.
+The files may either contain a KRL specification (see below) or public keys,
+listed one per line.
+Plain public keys are revoked by listing their hash or contents in the KRL and
+certificates revoked by serial number or key ID (if the serial is zero or
+not available).
+.Pp
+Revoking keys using a KRL specification offers explicit control over the
+types of record used to revoke keys and may be used to directly revoke
+certificates by serial number or key ID without having the complete original
+certificate on hand.
+A KRL specification consists of lines containing one of the following directives
+followed by a colon and some directive-specific information.
+.Bl -tag -width Ds
+.It Cm serial : Ar serial_number Ns Op - Ns Ar serial_number
+Revokes a certificate with the specified serial number.
+Serial numbers are 64-bit values, not including zero and may be expressed
+in decimal, hex or octal.
+If two serial numbers are specified separated by a hyphen, then the range
+of serial numbers including and between each is revoked.
+The CA key must have been specified on the
+.Nm
+command line using the
+.Fl s
+option.
+.It Cm id : Ar key_id
+Revokes a certificate with the specified key ID string.
+The CA key must have been specified on the
+.Nm
+command line using the
+.Fl s
+option.
+.It Cm key : Ar public_key
+Revokes the specified key.
+If a certificate is listed, then it is revoked as a plain public key.
+.It Cm sha1 : Ar public_key
+Revokes the specified key by its SHA1 hash.
+.El
+.Pp
+KRLs may be updated using the
+.Fl u
+flag in addition to
+.Fl k .
+When this option is specified, keys listed via the command line are merged into
+the KRL, adding to those already there.
+.Pp
+It is also possible, given a KRL, to test whether it revokes a particular key
+(or keys).
+The
+.Fl Q
+flag will query an existing KRL, testing each key specified on the commandline.
+If any key listed on the command line has been revoked (or an error encountered)
+then
+.Nm
+will exit with a non-zero exit status.
+A zero exit status will only be returned if no key was revoked.
 .Sh FILES
 .Bl -tag -width Ds -compact
 .It Pa ~/.ssh/identity

diff --git a/ssh-keygen.1 b/ssh-keygen.1 index 03f927edf..7da73e07c 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: ssh-keygen.1,v 1.109 2012/07/06 00:41:59 dtucker Exp $	1	.\" $OpenBSD: ssh-keygen.1,v 1.115 2013/01/19 07:13:25 jmc Exp $
2	.\"	2	.\"
3	.\" Author: Tatu Ylonen <ylo@cs.hut.fi>	3	.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
4	.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland	4	.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -35,7 +35,7 @@
35	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	35	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
36	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	36	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
37	.\"	37	.\"
38	.Dd $Mdocdate: July 6 2012 $	38	.Dd $Mdocdate: January 19 2013 $
39	.Dt SSH-KEYGEN 1	39	.Dt SSH-KEYGEN 1
40	.Os	40	.Os
41	.Sh NAME	41	.Sh NAME
@@ -122,6 +122,17 @@
122	.Op Fl f Ar input_keyfile	122	.Op Fl f Ar input_keyfile
123	.Nm ssh-keygen	123	.Nm ssh-keygen
124	.Fl A	124	.Fl A
		125	.Nm ssh-keygen
		126	.Fl k
		127	.Fl f Ar krl_file
		128	.Op Fl u
		129	.Op Fl s Ar ca_public
		130	.Op Fl z Ar version_number
		131	.Ar
		132	.Nm ssh-keygen
		133	.Fl Q
		134	.Fl f Ar krl_file
		135	.Ar
125	.Ek	136	.Ek
126	.Sh DESCRIPTION	137	.Sh DESCRIPTION
127	.Nm	138	.Nm
@@ -144,6 +155,14 @@ See the
144	.Sx MODULI GENERATION	155	.Sx MODULI GENERATION
145	section for details.	156	section for details.
146	.Pp	157	.Pp
		158	Finally,
		159	.Nm
		160	can be used to generate and update Key Revocation Lists, and to test whether
		161	given keys have been revoked by one.
		162	See the
		163	.Sx KEY REVOCATION LISTS
		164	section for details.
		165	.Pp
147	Normally each user wishing to use SSH	166	Normally each user wishing to use SSH
148	with public key authentication runs this once to create the authentication	167	with public key authentication runs this once to create the authentication
149	key in	168	key in
@@ -321,6 +340,17 @@ This option allows importing keys from other software, including several
321	commercial SSH implementations.	340	commercial SSH implementations.
322	The default import format is	341	The default import format is
323	.Dq RFC4716 .	342	.Dq RFC4716 .
		343	.It Fl k
		344	Generate a KRL file.
		345	In this mode,
		346	.Nm
		347	will generate a KRL file at the location specified via the
		348	.Fl f
		349	flag that revokes every key or certificate presented on the command line.
		350	Keys/certificates to be revoked may be specified by public key file or
		351	using the format described in the
		352	.Sx KEY REVOCATION LISTS
		353	section.
324	.It Fl L	354	.It Fl L
325	Prints the contents of a certificate.	355	Prints the contents of a certificate.
326	.It Fl l	356	.It Fl l
@@ -425,6 +455,8 @@ creating a new private key.
425	The program will prompt for the file	455	The program will prompt for the file
426	containing the private key, for the old passphrase, and twice for the	456	containing the private key, for the old passphrase, and twice for the
427	new passphrase.	457	new passphrase.
		458	.It Fl Q
		459	Test whether keys have been revoked in a KRL.
428	.It Fl q	460	.It Fl q
429	Silence	461	Silence
430	.Nm ssh-keygen .	462	.Nm ssh-keygen .
@@ -448,6 +480,14 @@ Certify (sign) a public key using the specified CA key.
448	Please see the	480	Please see the
449	.Sx CERTIFICATES	481	.Sx CERTIFICATES
450	section for details.	482	section for details.
		483	.Pp
		484	When generating a KRL,
		485	.Fl s
		486	specifies a path to a CA public key file used to revoke certificates directly
		487	by key ID or serial number.
		488	See the
		489	.Sx KEY REVOCATION LISTS
		490	section for details.
451	.It Fl T Ar output_file	491	.It Fl T Ar output_file
452	Test DH group exchange candidate primes (generated using the	492	Test DH group exchange candidate primes (generated using the
453	.Fl G	493	.Fl G
@@ -462,6 +502,12 @@ for protocol version 1 and
462	or	502	or
463	.Dq rsa	503	.Dq rsa
464	for protocol version 2.	504	for protocol version 2.
		505	.It Fl u
		506	Update a KRL.
		507	When specified with
		508	.Fl k ,
		509	keys listed via the command line are added to the existing KRL rather than
		510	a new KRL being created.
465	.It Fl V Ar validity_interval	511	.It Fl V Ar validity_interval
466	Specify a validity interval when signing a certificate.	512	Specify a validity interval when signing a certificate.
467	A validity interval may consist of a single time, indicating that the	513	A validity interval may consist of a single time, indicating that the
@@ -504,6 +550,10 @@ OpenSSH format file and print an OpenSSH public key to stdout.
504	Specifies a serial number to be embedded in the certificate to distinguish	550	Specifies a serial number to be embedded in the certificate to distinguish
505	this certificate from others from the same CA.	551	this certificate from others from the same CA.
506	The default serial number is zero.	552	The default serial number is zero.
		553	.Pp
		554	When generating a KRL, the
		555	.Fl z
		556	flag is used to specify a KRL version number.
507	.El	557	.El
508	.Sh MODULI GENERATION	558	.Sh MODULI GENERATION
509	.Nm	559	.Nm
@@ -628,7 +678,9 @@ The
628	option allows specification of certificate start and end times.	678	option allows specification of certificate start and end times.
629	A certificate that is presented at a time outside this range will not be	679	A certificate that is presented at a time outside this range will not be
630	considered valid.	680	considered valid.
631	By default, certificates have a maximum validity interval.	681	By default, certificates are valid from
		682	.Ux
		683	Epoch to the distant future.
632	.Pp	684	.Pp
633	For certificates to be used for user or host authentication, the CA	685	For certificates to be used for user or host authentication, the CA
634	public key must be trusted by	686	public key must be trusted by
@@ -636,6 +688,73 @@ public key must be trusted by
636	or	688	or
637	.Xr ssh 1 .	689	.Xr ssh 1 .
638	Please refer to those manual pages for details.	690	Please refer to those manual pages for details.
		691	.Sh KEY REVOCATION LISTS
		692	.Nm
		693	is able to manage OpenSSH format Key Revocation Lists (KRLs).
		694	These binary files specify keys or certificates to be revoked using a
		695	compact format, taking as little a one bit per certificate if they are being
		696	revoked by serial number.
		697	.Pp
		698	KRLs may be generated using the
		699	.Fl k
		700	flag.
		701	This option reads one or more files from the command line and generates a new
		702	KRL.
		703	The files may either contain a KRL specification (see below) or public keys,
		704	listed one per line.
		705	Plain public keys are revoked by listing their hash or contents in the KRL and
		706	certificates revoked by serial number or key ID (if the serial is zero or
		707	not available).
		708	.Pp
		709	Revoking keys using a KRL specification offers explicit control over the
		710	types of record used to revoke keys and may be used to directly revoke
		711	certificates by serial number or key ID without having the complete original
		712	certificate on hand.
		713	A KRL specification consists of lines containing one of the following directives
		714	followed by a colon and some directive-specific information.
		715	.Bl -tag -width Ds
		716	.It Cm serial : Ar serial_number Ns Op - Ns Ar serial_number
		717	Revokes a certificate with the specified serial number.
		718	Serial numbers are 64-bit values, not including zero and may be expressed
		719	in decimal, hex or octal.
		720	If two serial numbers are specified separated by a hyphen, then the range
		721	of serial numbers including and between each is revoked.
		722	The CA key must have been specified on the
		723	.Nm
		724	command line using the
		725	.Fl s
		726	option.
		727	.It Cm id : Ar key_id
		728	Revokes a certificate with the specified key ID string.
		729	The CA key must have been specified on the
		730	.Nm
		731	command line using the
		732	.Fl s
		733	option.
		734	.It Cm key : Ar public_key
		735	Revokes the specified key.
		736	If a certificate is listed, then it is revoked as a plain public key.
		737	.It Cm sha1 : Ar public_key
		738	Revokes the specified key by its SHA1 hash.
		739	.El
		740	.Pp
		741	KRLs may be updated using the
		742	.Fl u
		743	flag in addition to
		744	.Fl k .
		745	When this option is specified, keys listed via the command line are merged into
		746	the KRL, adding to those already there.
		747	.Pp
		748	It is also possible, given a KRL, to test whether it revokes a particular key
		749	(or keys).
		750	The
		751	.Fl Q
		752	flag will query an existing KRL, testing each key specified on the commandline.
		753	If any key listed on the command line has been revoked (or an error encountered)
		754	then
		755	.Nm
		756	will exit with a non-zero exit status.
		757	A zero exit status will only be returned if no key was revoked.
639	.Sh FILES	758	.Sh FILES
640	.Bl -tag -width Ds -compact	759	.Bl -tag -width Ds -compact
641	.It Pa ~/.ssh/identity	760	.It Pa ~/.ssh/identity