| version 1.110, 2012/08/15 18:25:50 |
version 1.111, 2013/01/17 23:00:01 |
|
|
| .Op Fl f Ar input_keyfile |
.Op Fl f Ar input_keyfile |
| .Nm ssh-keygen |
.Nm ssh-keygen |
| .Fl A |
.Fl A |
| |
.Nm ssh-keygen |
| |
.Fl k |
| |
.Fl f Ar krl_file |
| |
.Op Fl u |
| |
.Op Fl s ca_public |
| |
.Op Fl z version_number |
| |
.Ar |
| |
.Nm ssh-keygen |
| |
.Fl Q |
| |
.Fl f Ar krl_file |
| |
.Ar |
| .Ek |
.Ek |
| .Sh DESCRIPTION |
.Sh DESCRIPTION |
| .Nm |
.Nm |
|
|
| .Sx MODULI GENERATION |
.Sx MODULI GENERATION |
| section for details. |
section for details. |
| .Pp |
.Pp |
| |
Finally, |
| |
.Nm |
| |
can be used to generate and update Key Revocation Lists, and to test whether |
| |
given keys have been revoked by one. See the |
| |
.Sx KEY REVOCATION LISTS |
| |
section for details. |
| |
.Pp |
| Normally each user wishing to use SSH |
Normally each user wishing to use SSH |
| with public key authentication runs this once to create the authentication |
with public key authentication runs this once to create the authentication |
| key in |
key in |
|
|
| commercial SSH implementations. |
commercial SSH implementations. |
| The default import format is |
The default import format is |
| .Dq RFC4716 . |
.Dq RFC4716 . |
| |
.It Fl k |
| |
Generate a KRL file. |
| |
In this mode, |
| |
.Nm |
| |
will generate a KRL file at the location specified via the |
| |
.Fl f |
| |
flag that revokes every key or certificate presented on the command-line. |
| |
Keys/certificates to be revoked may be specified by public key file or |
| |
using the format described in the |
| |
.Sx KEY REVOCATION LISTS |
| |
section. |
| .It Fl L |
.It Fl L |
| Prints the contents of a certificate. |
Prints the contents of a certificate. |
| .It Fl l |
.It Fl l |
|
|
| Please see the |
Please see the |
| .Sx CERTIFICATES |
.Sx CERTIFICATES |
| section for details. |
section for details. |
| |
.Pp |
| |
When generating a KRL, |
| |
.Fl s |
| |
specifies a path to a CA public key file used to revoke certificated directly |
| |
by key ID or serial number. |
| |
See the |
| |
.Sx KEY REVOCATION LISTS |
| |
section for details. |
| .It Fl T Ar output_file |
.It Fl T Ar output_file |
| Test DH group exchange candidate primes (generated using the |
Test DH group exchange candidate primes (generated using the |
| .Fl G |
.Fl G |
|
|
| (valid from 12:30 PM, January 1st, 2010 to 12:30 PM, January 1st, 2011), |
(valid from 12:30 PM, January 1st, 2010 to 12:30 PM, January 1st, 2011), |
| .Dq -1d:20110101 |
.Dq -1d:20110101 |
| (valid from yesterday to midnight, January 1st, 2011). |
(valid from yesterday to midnight, January 1st, 2011). |
| |
.It Fl u |
| |
Update a KRL. |
| |
When specified with |
| |
.Fl k , |
| |
keys listed via the command-line are added to the existing KRL rather than |
| |
a new KRL being created. |
| .It Fl v |
.It Fl v |
| Verbose mode. |
Verbose mode. |
| Causes |
Causes |
|
|
| Specifies a serial number to be embedded in the certificate to distinguish |
Specifies a serial number to be embedded in the certificate to distinguish |
| this certificate from others from the same CA. |
this certificate from others from the same CA. |
| The default serial number is zero. |
The default serial number is zero. |
| |
.Pp |
| |
When generating a KRL, the |
| |
.Fl z |
| |
flag is used to specify a KRL version number. |
| .El |
.El |
| .Sh MODULI GENERATION |
.Sh MODULI GENERATION |
| .Nm |
.Nm |
|
|
| or |
or |
| .Xr ssh 1 . |
.Xr ssh 1 . |
| Please refer to those manual pages for details. |
Please refer to those manual pages for details. |
| |
.Sh KEY REVOCATION LISTS |
| |
.Nm |
| |
is able to manage OpenSSH format Key Revocation Lists (KRLs). |
| |
These binary files specify keys or certificates to be revoked using a |
| |
compact format; taking as little a one bit per certificate if they are being |
| |
revoked by serial number. |
| |
.Pp |
| |
KRLs may be generated using the |
| |
.Fl k |
| |
flag. |
| |
This option reads one or more files from the command-line and generates a new |
| |
KRL. |
| |
The files may either contain a KRL specification (see below) or public keys, |
| |
listed one per line. |
| |
Plain public keys are revoked by listing their hash or contents in the KRL and |
| |
certificates revoked by serial number or key ID (if the serial is zero or |
| |
not available). |
| |
.Pp |
| |
Revoking keys using a KRL specification offers explicit control over the |
| |
types of record used to revoke keys and may be used to directly revoke |
| |
certificates by serial number or key ID without having the complete original |
| |
certificate on hand. |
| |
A KRL specification consists of lines containing one of the following directives |
| |
followed by a colon and some directive-specific information. |
| |
.Bl -tag -width Ds |
| |
.It Cm serial : Ar serial_number Op -serial_number |
| |
Revokes a certificate with the specified serial number. |
| |
Serial numbers are 64 bit values, not including zero and may be expressed |
| |
in decimal, hex or octal. |
| |
If two serial numbers are specified separated by a hyphen, then the range |
| |
of serial numbers including and between each is revoked. |
| |
The CA key must have been specified on the |
| |
.Nm |
| |
command-line using the |
| |
.Fl s |
| |
option. |
| |
.It Cm id : Ar key_id |
| |
Revokes a certificate with the specified key ID string. |
| |
The CA key must have been specified on the |
| |
.Nm |
| |
command-line using the |
| |
.Fl s |
| |
option. |
| |
.It Cm key : Ar public_key |
| |
Revokes the specified key. |
| |
In a certificate is listed, then it is revoked as a plain public key. |
| |
.It Cm sha1 : Ar public_key |
| |
Revokes the specified key by its SHA1 hash. |
| |
.El |
| |
.Pp |
| |
KRLs may be updated using the |
| |
.Fl u |
| |
flag in addition to |
| |
.Fl k . |
| |
When this option is specified, keys listed via the command-line are merged into |
| |
the KRL, adding to those already there. |
| |
.Pp |
| |
It is also possible, given a KRL, to test whether it revokes a particular key |
| |
(or keys). |
| |
The |
| |
.Fl Q |
| |
flag will query an existing KRL, testing each key specified on the commandline. |
| |
If any key listed on the command-line has been revoked (or an error encountered) |
| |
then |
| |
.Nm |
| |
will exit with a non-zero exit status. |
| |
A zero exit status will only be returned if no key was revoked. |
| .Sh FILES |
.Sh FILES |
| .Bl -tag -width Ds -compact |
.Bl -tag -width Ds -compact |
| .It Pa ~/.ssh/identity |
.It Pa ~/.ssh/identity |
![[BACK]](/icons/back.gif){kind=icon}
Return to ssh-keygen.1 CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / src / usr.bin / ssh