Diffstat (limited to 'ssh-keygen.1')
-rw-r--r-- ssh-keygen.1 125
1 files changed, 122 insertions, 3 deletions
diff --git a/ssh-keygen.1 b/ssh-keygen.1
index fe26750a4..0d84ebd1e 100644
--- a/ssh-keygen.1
+++ b/ssh-keygen.1
@@ -1,4 +1,4 @@
1.\" $OpenBSD: ssh-keygen.1,v 1.109 2012/07/06 00:41:59 dtucker Exp $ 1.\" $OpenBSD: ssh-keygen.1,v 1.115 2013/01/19 07:13:25 jmc Exp $
2.\" 2.\"
3.\" Author: Tatu Ylonen <ylo@cs.hut.fi> 3.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
4.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -35,7 +35,7 @@
35.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 35.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
36.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 36.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
37.\" 37.\"
38.Dd $Mdocdate: July 6 2012 $ 38.Dd $Mdocdate: January 19 2013 $
39.Dt SSH-KEYGEN 1 39.Dt SSH-KEYGEN 1
40.Os 40.Os
41.Sh NAME 41.Sh NAME
@@ -122,6 +122,17 @@
122.Op Fl f Ar input_keyfile 122.Op Fl f Ar input_keyfile
123.Nm ssh-keygen 123.Nm ssh-keygen
124.Fl A 124.Fl A
125.Nm ssh-keygen
126.Fl k
127.Fl f Ar krl_file
128.Op Fl u
129.Op Fl s Ar ca_public
130.Op Fl z Ar version_number
131.Ar
132.Nm ssh-keygen
133.Fl Q
134.Fl f Ar krl_file
135.Ar
125.Ek 136.Ek
126.Sh DESCRIPTION 137.Sh DESCRIPTION
127.Nm 138.Nm
@@ -144,6 +155,14 @@ See the
144.Sx MODULI GENERATION 155.Sx MODULI GENERATION
145section for details. 156section for details.
146.Pp 157.Pp
158Finally,
159.Nm
160can be used to generate and update Key Revocation Lists, and to test whether
161given keys have been revoked by one.
162See the
163.Sx KEY REVOCATION LISTS
164section for details.
165.Pp
147Normally each user wishing to use SSH 166Normally each user wishing to use SSH
148with public key authentication runs this once to create the authentication 167with public key authentication runs this once to create the authentication
149key in 168key in
@@ -317,6 +336,17 @@ This option allows importing keys from other software, including several
317commercial SSH implementations. 336commercial SSH implementations.
318The default import format is 337The default import format is
319.Dq RFC4716 . 338.Dq RFC4716 .
339.It Fl k
340Generate a KRL file.
341In this mode,
342.Nm
343will generate a KRL file at the location specified via the
344.Fl f
345flag that revokes every key or certificate presented on the command line.
346Keys/certificates to be revoked may be specified by public key file or
347using the format described in the
348.Sx KEY REVOCATION LISTS
349section.
320.It Fl L 350.It Fl L
321Prints the contents of a certificate. 351Prints the contents of a certificate.
322.It Fl l 352.It Fl l
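Review bot: the new `-k` entry (lines 339-349) does not say what happens to an existing file at the `-f` path when `-u` is not given. The later `-u` entry says keys are added "rather than a new KRL being created", which implies that plain `-k` replaces any existing KRL, but that consequence should be stated here, where an operator deciding between `-k` and `-k -u` will read it, e.g. "Without -u, any existing file at that location is replaced."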
@@ -421,6 +451,8 @@ creating a new private key.
421The program will prompt for the file 451The program will prompt for the file
422containing the private key, for the old passphrase, and twice for the 452containing the private key, for the old passphrase, and twice for the
423new passphrase. 453new passphrase.
454.It Fl Q
455Test whether keys have been revoked in a KRL.
424.It Fl q 456.It Fl q
425Silence 457Silence
426.Nm ssh-keygen . 458.Nm ssh-keygen .
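Review bot: the one-line `-Q` entry (lines 454-455) omits the two things a reader of this list needs: that the KRL to query is given with `-f` (as the synopsis at 133-135 shows) and that the result is reported through the exit status, which is only documented in the KEY REVOCATION LISTS section. Suggest "Test whether keys have been revoked in the KRL specified via -f; see the KEY REVOCATION LISTS section for the exit status semantics."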
@@ -444,6 +476,14 @@ Certify (sign) a public key using the specified CA key.
444Please see the 476Please see the
445.Sx CERTIFICATES 477.Sx CERTIFICATES
446section for details. 478section for details.
479.Pp
480When generating a KRL,
481.Fl s
482specifies a path to a CA public key file used to revoke certificates directly
483by key ID or serial number.
484See the
485.Sx KEY REVOCATION LISTS
486section for details.
447.It Fl T Ar output_file 487.It Fl T Ar output_file
448Test DH group exchange candidate primes (generated using the 488Test DH group exchange candidate primes (generated using the
449.Fl G 489.Fl G
@@ -458,6 +498,12 @@ for protocol version 1 and
458or 498or
459.Dq rsa 499.Dq rsa
460for protocol version 2. 500for protocol version 2.
501.It Fl u
502Update a KRL.
503When specified with
504.Fl k ,
505keys listed via the command line are added to the existing KRL rather than
506a new KRL being created.
461.It Fl V Ar validity_interval 507.It Fl V Ar validity_interval
462Specify a validity interval when signing a certificate. 508Specify a validity interval when signing a certificate.
463A validity interval may consist of a single time, indicating that the 509A validity interval may consist of a single time, indicating that the
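Review bot: the `-u` entry (lines 501-506) does not say what happens when the file named by `-f` does not exist yet (error, or silently create a new KRL). Since scripts will typically run `-k -u` unconditionally, that case should be documented here or in the KEY REVOCATION LISTS section.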
@@ -500,6 +546,10 @@ OpenSSH format file and print an OpenSSH public key to stdout.
500Specifies a serial number to be embedded in the certificate to distinguish 546Specifies a serial number to be embedded in the certificate to distinguish
501this certificate from others from the same CA. 547this certificate from others from the same CA.
502The default serial number is zero. 548The default serial number is zero.
549.Pp
550When generating a KRL, the
551.Fl z
552flag is used to specify a KRL version number.
503.El 553.El
504.Sh MODULI GENERATION 554.Sh MODULI GENERATION
505.Nm 555.Nm
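Review bot: the `-z` paragraph (lines 549-552) states only that the flag "is used to specify a KRL version number" without saying what the number is used for, whether consumers compare it (e.g. to reject an older KRL), or what the default is when the flag is omitted. Without that, an administrator cannot tell whether the version must be increased on every `-u` update; suggest adding one sentence on its purpose and default.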
@@ -624,7 +674,9 @@ The
624option allows specification of certificate start and end times. 674option allows specification of certificate start and end times.
625A certificate that is presented at a time outside this range will not be 675A certificate that is presented at a time outside this range will not be
626considered valid. 676considered valid.
627By default, certificates have a maximum validity interval. 677By default, certificates are valid from
678.Ux
679Epoch to the distant future.
628.Pp 680.Pp
629For certificates to be used for user or host authentication, the CA 681For certificates to be used for user or host authentication, the CA
630public key must be trusted by 682public key must be trusted by
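Review bot: the replacement at 627/677-679 corrects a misleading sentence (the old text claimed a "maximum validity interval"; the new text says certificates are valid from the UNIX Epoch to the distant future), but an effectively unbounded default deserves a sentence of guidance right here: recommend always passing `-V` when signing, and point out that a certificate issued without a validity interval can only be withdrawn through a KRL (see the new KEY REVOCATION LISTS section).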
@@ -632,6 +684,73 @@ public key must be trusted by
632or 684or
633.Xr ssh 1 . 685.Xr ssh 1 .
634Please refer to those manual pages for details. 686Please refer to those manual pages for details.
687.Sh KEY REVOCATION LISTS
688.Nm
689is able to manage OpenSSH format Key Revocation Lists (KRLs).
690These binary files specify keys or certificates to be revoked using a
691compact format, taking as little a one bit per certificate if they are being
692revoked by serial number.
693.Pp
694KRLs may be generated using the
695.Fl k
696flag.
697This option reads one or more files from the command line and generates a new
698KRL.
699The files may either contain a KRL specification (see below) or public keys,
700listed one per line.
701Plain public keys are revoked by listing their hash or contents in the KRL and
702certificates revoked by serial number or key ID (if the serial is zero or
703not available).
704.Pp
705Revoking keys using a KRL specification offers explicit control over the
706types of record used to revoke keys and may be used to directly revoke
707certificates by serial number or key ID without having the complete original
708certificate on hand.
709A KRL specification consists of lines containing one of the following directives
710followed by a colon and some directive-specific information.
711.Bl -tag -width Ds
712.It Cm serial : Ar serial_number Ns Op - Ns Ar serial_number
713Revokes a certificate with the specified serial number.
714Serial numbers are 64-bit values, not including zero and may be expressed
715in decimal, hex or octal.
716If two serial numbers are specified separated by a hyphen, then the range
717of serial numbers including and between each is revoked.
718The CA key must have been specified on the
719.Nm
720command line using the
721.Fl s
722option.
723.It Cm id : Ar key_id
724Revokes a certificate with the specified key ID string.
725The CA key must have been specified on the
726.Nm
727command line using the
728.Fl s
729option.
730.It Cm key : Ar public_key
731Revokes the specified key.
732If a certificate is listed, then it is revoked as a plain public key.
733.It Cm sha1 : Ar public_key
734Revokes the specified key by its SHA1 hash.
735.El
736.Pp
737KRLs may be updated using the
738.Fl u
739flag in addition to
740.Fl k .
741When this option is specified, keys listed via the command line are merged into
742the KRL, adding to those already there.
743.Pp
744It is also possible, given a KRL, to test whether it revokes a particular key
745(or keys).
746The
747.Fl Q
748flag will query an existing KRL, testing each key specified on the commandline.
749If any key listed on the command line has been revoked (or an error encountered)
750then
751.Nm
752will exit with a non-zero exit status.
753A zero exit status will only be returned if no key was revoked.
635.Sh FILES 754.Sh FILES
636.Bl -tag -width Ds -compact 755.Bl -tag -width Ds -compact
637.It Pa ~/.ssh/identity 756.It Pa ~/.ssh/identity
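Review bot: two wording slips in the new section: line 691 reads "taking as little a one bit per certificate" and should be "as little as one bit", and line 748 uses "commandline" where the rest of the page (e.g. lines 345, 741) uses "command line". Otherwise the exit-status contract at 749-753 is stated carefully (non-zero on revocation or on error, zero only when nothing was revoked), which is what callers of `-Q` need to rely on; it would help to mention in the `serial` entry (712-722) that the number may not be zero because, per line 702, zero means "revoke by key ID instead".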