xref: /freebsd/crypto/openssh/ssh-keygen.1 (revision 076ad2f836d5f49dc1375f1677335a48fe0d4b82)
1.\"	$OpenBSD: ssh-keygen.1,v 1.133 2016/06/16 06:10:45 jmc Exp $
2.\"
3.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
4.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5.\"                    All rights reserved
6.\"
7.\" As far as I am concerned, the code I have written for this software
8.\" can be used freely for any purpose.  Any derived versions of this
9.\" software must be clearly marked as such, and if the derived work is
10.\" incompatible with the protocol description in the RFC file, it must be
11.\" called by a name other than "ssh" or "Secure Shell".
12.\"
13.\"
14.\" Copyright (c) 1999,2000 Markus Friedl.  All rights reserved.
15.\" Copyright (c) 1999 Aaron Campbell.  All rights reserved.
16.\" Copyright (c) 1999 Theo de Raadt.  All rights reserved.
17.\"
18.\" Redistribution and use in source and binary forms, with or without
19.\" modification, are permitted provided that the following conditions
20.\" are met:
21.\" 1. Redistributions of source code must retain the above copyright
22.\"    notice, this list of conditions and the following disclaimer.
23.\" 2. Redistributions in binary form must reproduce the above copyright
24.\"    notice, this list of conditions and the following disclaimer in the
25.\"    documentation and/or other materials provided with the distribution.
26.\"
27.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
28.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
29.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
30.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
31.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
32.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
33.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
34.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
35.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
36.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
37.\"
38.Dd $Mdocdate: June 16 2016 $
39.Dt SSH-KEYGEN 1
40.Os
41.Sh NAME
42.Nm ssh-keygen
43.Nd authentication key generation, management and conversion
44.Sh SYNOPSIS
45.Bk -words
46.Nm ssh-keygen
47.Op Fl q
48.Op Fl b Ar bits
49.Op Fl t Cm dsa | ecdsa | ed25519 | rsa | rsa1
50.Op Fl N Ar new_passphrase
51.Op Fl C Ar comment
52.Op Fl f Ar output_keyfile
53.Nm ssh-keygen
54.Fl p
55.Op Fl P Ar old_passphrase
56.Op Fl N Ar new_passphrase
57.Op Fl f Ar keyfile
58.Nm ssh-keygen
59.Fl i
60.Op Fl m Ar key_format
61.Op Fl f Ar input_keyfile
62.Nm ssh-keygen
63.Fl e
64.Op Fl m Ar key_format
65.Op Fl f Ar input_keyfile
66.Nm ssh-keygen
67.Fl y
68.Op Fl f Ar input_keyfile
69.Nm ssh-keygen
70.Fl c
71.Op Fl P Ar passphrase
72.Op Fl C Ar comment
73.Op Fl f Ar keyfile
74.Nm ssh-keygen
75.Fl l
76.Op Fl v
77.Op Fl E Ar fingerprint_hash
78.Op Fl f Ar input_keyfile
79.Nm ssh-keygen
80.Fl B
81.Op Fl f Ar input_keyfile
82.Nm ssh-keygen
83.Fl D Ar pkcs11
84.Nm ssh-keygen
85.Fl F Ar hostname
86.Op Fl f Ar known_hosts_file
87.Op Fl l
88.Nm ssh-keygen
89.Fl H
90.Op Fl f Ar known_hosts_file
91.Nm ssh-keygen
92.Fl R Ar hostname
93.Op Fl f Ar known_hosts_file
94.Nm ssh-keygen
95.Fl r Ar hostname
96.Op Fl f Ar input_keyfile
97.Op Fl g
98.Nm ssh-keygen
99.Fl G Ar output_file
100.Op Fl v
101.Op Fl b Ar bits
102.Op Fl M Ar memory
103.Op Fl S Ar start_point
104.Nm ssh-keygen
105.Fl T Ar output_file
106.Fl f Ar input_file
107.Op Fl v
108.Op Fl a Ar rounds
109.Op Fl J Ar num_lines
110.Op Fl j Ar start_line
111.Op Fl K Ar checkpt
112.Op Fl W Ar generator
113.Nm ssh-keygen
114.Fl s Ar ca_key
115.Fl I Ar certificate_identity
116.Op Fl h
117.Op Fl n Ar principals
118.Op Fl O Ar option
119.Op Fl V Ar validity_interval
120.Op Fl z Ar serial_number
121.Ar
122.Nm ssh-keygen
123.Fl L
124.Op Fl f Ar input_keyfile
125.Nm ssh-keygen
126.Fl A
127.Nm ssh-keygen
128.Fl k
129.Fl f Ar krl_file
130.Op Fl u
131.Op Fl s Ar ca_public
132.Op Fl z Ar version_number
133.Ar
134.Nm ssh-keygen
135.Fl Q
136.Fl f Ar krl_file
137.Ar
138.Ek
139.Sh DESCRIPTION
140.Nm
141generates, manages and converts authentication keys for
142.Xr ssh 1 .
143.Nm
144can create keys for use by SSH protocol versions 1 and 2.
145Protocol 1 should not be used
146and is only offered to support legacy devices.
147It suffers from a number of cryptographic weaknesses
148and doesn't support many of the advanced features available for protocol 2.
149.Pp
150The type of key to be generated is specified with the
151.Fl t
152option.
153If invoked without any arguments,
154.Nm
155will generate an RSA key for use in SSH protocol 2 connections.
156.Pp
157.Nm
158is also used to generate groups for use in Diffie-Hellman group
159exchange (DH-GEX).
160See the
161.Sx MODULI GENERATION
162section for details.
163.Pp
164Finally,
165.Nm
166can be used to generate and update Key Revocation Lists, and to test whether
167given keys have been revoked by one.
168See the
169.Sx KEY REVOCATION LISTS
170section for details.
171.Pp
172Normally each user wishing to use SSH
173with public key authentication runs this once to create the authentication
174key in
175.Pa ~/.ssh/identity ,
176.Pa ~/.ssh/id_dsa ,
177.Pa ~/.ssh/id_ecdsa ,
178.Pa ~/.ssh/id_ed25519
179or
180.Pa ~/.ssh/id_rsa .
181Additionally, the system administrator may use this to generate host keys,
182as seen in
183.Pa /etc/rc .
184.Pp
185Normally this program generates the key and asks for a file in which
186to store the private key.
187The public key is stored in a file with the same name but
188.Dq .pub
189appended.
190The program also asks for a passphrase.
191The passphrase may be empty to indicate no passphrase
192(host keys must have an empty passphrase), or it may be a string of
193arbitrary length.
194A passphrase is similar to a password, except it can be a phrase with a
195series of words, punctuation, numbers, whitespace, or any string of
196characters you want.
197Good passphrases are 10-30 characters long, are
198not simple sentences or otherwise easily guessable (English
199prose has only 1-2 bits of entropy per character, and provides very bad
200passphrases), and contain a mix of upper and lowercase letters,
201numbers, and non-alphanumeric characters.
202The passphrase can be changed later by using the
203.Fl p
204option.
205.Pp
206There is no way to recover a lost passphrase.
207If the passphrase is lost or forgotten, a new key must be generated
208and the corresponding public key copied to other machines.
209.Pp
210For RSA1 keys and keys stored in the newer OpenSSH format,
211there is also a comment field in the key file that is only for
212convenience to the user to help identify the key.
213The comment can tell what the key is for, or whatever is useful.
214The comment is initialized to
215.Dq user@host
216when the key is created, but can be changed using the
217.Fl c
218option.
219.Pp
220After a key is generated, instructions below detail where the keys
221should be placed to be activated.
222.Pp
223The options are as follows:
224.Bl -tag -width Ds
225.It Fl A
226For each of the key types (rsa1, rsa, dsa, ecdsa and ed25519)
227for which host keys
228do not exist, generate the host keys with the default key file path,
229an empty passphrase, default bits for the key type, and default comment.
230This is used by
231.Pa /etc/rc
232to generate new host keys.
233.It Fl a Ar rounds
234When saving a new-format private key (i.e. an ed25519 key or any SSH protocol
2352 key when the
236.Fl o
237flag is set), this option specifies the number of KDF (key derivation function)
238rounds used.
239Higher numbers result in slower passphrase verification and increased
240resistance to brute-force password cracking (should the keys be stolen).
241.Pp
242When screening DH-GEX candidates (
243using the
244.Fl T
245command).
246This option specifies the number of primality tests to perform.
247.It Fl B
248Show the bubblebabble digest of specified private or public key file.
249.It Fl b Ar bits
250Specifies the number of bits in the key to create.
251For RSA keys, the minimum size is 1024 bits and the default is 2048 bits.
252Generally, 2048 bits is considered sufficient.
253DSA keys must be exactly 1024 bits as specified by FIPS 186-2.
254For ECDSA keys, the
255.Fl b
256flag determines the key length by selecting from one of three elliptic
257curve sizes: 256, 384 or 521 bits.
258Attempting to use bit lengths other than these three values for ECDSA keys
259will fail.
260Ed25519 keys have a fixed length and the
261.Fl b
262flag will be ignored.
263.It Fl C Ar comment
264Provides a new comment.
265.It Fl c
266Requests changing the comment in the private and public key files.
267This operation is only supported for RSA1 keys and keys stored in the
268newer OpenSSH format.
269The program will prompt for the file containing the private keys, for
270the passphrase if the key has one, and for the new comment.
271.It Fl D Ar pkcs11
272Download the RSA public keys provided by the PKCS#11 shared library
273.Ar pkcs11 .
274When used in combination with
275.Fl s ,
276this option indicates that a CA key resides in a PKCS#11 token (see the
277.Sx CERTIFICATES
278section for details).
279.It Fl E Ar fingerprint_hash
280Specifies the hash algorithm used when displaying key fingerprints.
281Valid options are:
282.Dq md5
283and
284.Dq sha256 .
285The default is
286.Dq sha256 .
287.It Fl e
288This option will read a private or public OpenSSH key file and
289print to stdout the key in one of the formats specified by the
290.Fl m
291option.
292The default export format is
293.Dq RFC4716 .
294This option allows exporting OpenSSH keys for use by other programs, including
295several commercial SSH implementations.
296.It Fl F Ar hostname
297Search for the specified
298.Ar hostname
299in a
300.Pa known_hosts
301file, listing any occurrences found.
302This option is useful to find hashed host names or addresses and may also be
303used in conjunction with the
304.Fl H
305option to print found keys in a hashed format.
306.It Fl f Ar filename
307Specifies the filename of the key file.
308.It Fl G Ar output_file
309Generate candidate primes for DH-GEX.
310These primes must be screened for
311safety (using the
312.Fl T
313option) before use.
314.It Fl g
315Use generic DNS format when printing fingerprint resource records using the
316.Fl r
317command.
318.It Fl H
319Hash a
320.Pa known_hosts
321file.
322This replaces all hostnames and addresses with hashed representations
323within the specified file; the original content is moved to a file with
324a .old suffix.
325These hashes may be used normally by
326.Nm ssh
327and
328.Nm sshd ,
329but they do not reveal identifying information should the file's contents
330be disclosed.
331This option will not modify existing hashed hostnames and is therefore safe
332to use on files that mix hashed and non-hashed names.
333.It Fl h
334When signing a key, create a host certificate instead of a user
335certificate.
336Please see the
337.Sx CERTIFICATES
338section for details.
339.It Fl I Ar certificate_identity
340Specify the key identity when signing a public key.
341Please see the
342.Sx CERTIFICATES
343section for details.
344.It Fl i
345This option will read an unencrypted private (or public) key file
346in the format specified by the
347.Fl m
348option and print an OpenSSH compatible private
349(or public) key to stdout.
350This option allows importing keys from other software, including several
351commercial SSH implementations.
352The default import format is
353.Dq RFC4716 .
354.It Fl J Ar num_lines
355Exit after screening the specified number of lines
356while performing DH candidate screening using the
357.Fl T
358option.
359.It Fl j Ar start_line
360Start screening at the specified line number
361while performing DH candidate screening using the
362.Fl T
363option.
364.It Fl K Ar checkpt
365Write the last line processed to the file
366.Ar checkpt
367while performing DH candidate screening using the
368.Fl T
369option.
370This will be used to skip lines in the input file that have already been
371processed if the job is restarted.
372.It Fl k
373Generate a KRL file.
374In this mode,
375.Nm
376will generate a KRL file at the location specified via the
377.Fl f
378flag that revokes every key or certificate presented on the command line.
379Keys/certificates to be revoked may be specified by public key file or
380using the format described in the
381.Sx KEY REVOCATION LISTS
382section.
383.It Fl L
384Prints the contents of one or more certificates.
385.It Fl l
386Show fingerprint of specified public key file.
387Private RSA1 keys are also supported.
388For RSA and DSA keys
389.Nm
390tries to find the matching public key file and prints its fingerprint.
391If combined with
392.Fl v ,
393a visual ASCII art representation of the key is supplied with the
394fingerprint.
395.It Fl M Ar memory
396Specify the amount of memory to use (in megabytes) when generating
397candidate moduli for DH-GEX.
398.It Fl m Ar key_format
399Specify a key format for the
400.Fl i
401(import) or
402.Fl e
403(export) conversion options.
404The supported key formats are:
405.Dq RFC4716
406(RFC 4716/SSH2 public or private key),
407.Dq PKCS8
408(PEM PKCS8 public key)
409or
410.Dq PEM
411(PEM public key).
412The default conversion format is
413.Dq RFC4716 .
414.It Fl N Ar new_passphrase
415Provides the new passphrase.
416.It Fl n Ar principals
417Specify one or more principals (user or host names) to be included in
418a certificate when signing a key.
419Multiple principals may be specified, separated by commas.
420Please see the
421.Sx CERTIFICATES
422section for details.
423.It Fl O Ar option
424Specify a certificate option when signing a key.
425This option may be specified multiple times.
426Please see the
427.Sx CERTIFICATES
428section for details.
429The options that are valid for user certificates are:
430.Bl -tag -width Ds
431.It Ic clear
432Clear all enabled permissions.
433This is useful for clearing the default set of permissions so permissions may
434be added individually.
435.It Ic force-command Ns = Ns Ar command
436Forces the execution of
437.Ar command
438instead of any shell or command specified by the user when
439the certificate is used for authentication.
440.It Ic no-agent-forwarding
441Disable
442.Xr ssh-agent 1
443forwarding (permitted by default).
444.It Ic no-port-forwarding
445Disable port forwarding (permitted by default).
446.It Ic no-pty
447Disable PTY allocation (permitted by default).
448.It Ic no-user-rc
449Disable execution of
450.Pa ~/.ssh/rc
451by
452.Xr sshd 8
453(permitted by default).
454.It Ic no-x11-forwarding
455Disable X11 forwarding (permitted by default).
456.It Ic permit-agent-forwarding
457Allows
458.Xr ssh-agent 1
459forwarding.
460.It Ic permit-port-forwarding
461Allows port forwarding.
462.It Ic permit-pty
463Allows PTY allocation.
464.It Ic permit-user-rc
465Allows execution of
466.Pa ~/.ssh/rc
467by
468.Xr sshd 8 .
469.It Ic permit-x11-forwarding
470Allows X11 forwarding.
471.It Ic source-address Ns = Ns Ar address_list
472Restrict the source addresses from which the certificate is considered valid.
473The
474.Ar address_list
475is a comma-separated list of one or more address/netmask pairs in CIDR
476format.
477.El
478.Pp
479At present, no options are valid for host keys.
480.It Fl o
481Causes
482.Nm
483to save private keys using the new OpenSSH format rather than
484the more compatible PEM format.
485The new format has increased resistance to brute-force password cracking
486but is not supported by versions of OpenSSH prior to 6.5.
487Ed25519 keys always use the new private key format.
488.It Fl P Ar passphrase
489Provides the (old) passphrase.
490.It Fl p
491Requests changing the passphrase of a private key file instead of
492creating a new private key.
493The program will prompt for the file
494containing the private key, for the old passphrase, and twice for the
495new passphrase.
496.It Fl Q
497Test whether keys have been revoked in a KRL.
498.It Fl q
499Silence
500.Nm ssh-keygen .
501.It Fl R Ar hostname
502Removes all keys belonging to
503.Ar hostname
504from a
505.Pa known_hosts
506file.
507This option is useful to delete hashed hosts (see the
508.Fl H
509option above).
510.It Fl r Ar hostname
511Print the SSHFP fingerprint resource record named
512.Ar hostname
513for the specified public key file.
514.It Fl S Ar start
515Specify start point (in hex) when generating candidate moduli for DH-GEX.
516.It Fl s Ar ca_key
517Certify (sign) a public key using the specified CA key.
518Please see the
519.Sx CERTIFICATES
520section for details.
521.Pp
522When generating a KRL,
523.Fl s
524specifies a path to a CA public key file used to revoke certificates directly
525by key ID or serial number.
526See the
527.Sx KEY REVOCATION LISTS
528section for details.
529.It Fl T Ar output_file
530Test DH group exchange candidate primes (generated using the
531.Fl G
532option) for safety.
533.It Fl t Cm dsa | ecdsa | ed25519 | rsa | rsa1
534Specifies the type of key to create.
535The possible values are
536.Dq rsa1
537for protocol version 1 and
538.Dq dsa ,
539.Dq ecdsa ,
540.Dq ed25519 ,
541or
542.Dq rsa
543for protocol version 2.
544.It Fl u
545Update a KRL.
546When specified with
547.Fl k ,
548keys listed via the command line are added to the existing KRL rather than
549a new KRL being created.
550.It Fl V Ar validity_interval
551Specify a validity interval when signing a certificate.
552A validity interval may consist of a single time, indicating that the
553certificate is valid beginning now and expiring at that time, or may consist
554of two times separated by a colon to indicate an explicit time interval.
555The start time may be specified as a date in YYYYMMDD format, a time
556in YYYYMMDDHHMMSS format or a relative time (to the current time) consisting
557of a minus sign followed by a relative time in the format described in the
558TIME FORMATS section of
559.Xr sshd_config 5 .
560The end time may be specified as a YYYYMMDD date, a YYYYMMDDHHMMSS time or
561a relative time starting with a plus character.
562.Pp
563For example:
564.Dq +52w1d
565(valid from now to 52 weeks and one day from now),
566.Dq -4w:+4w
567(valid from four weeks ago to four weeks from now),
568.Dq 20100101123000:20110101123000
569(valid from 12:30 PM, January 1st, 2010 to 12:30 PM, January 1st, 2011),
570.Dq -1d:20110101
571(valid from yesterday to midnight, January 1st, 2011).
572.It Fl v
573Verbose mode.
574Causes
575.Nm
576to print debugging messages about its progress.
577This is helpful for debugging moduli generation.
578Multiple
579.Fl v
580options increase the verbosity.
581The maximum is 3.
582.It Fl W Ar generator
583Specify desired generator when testing candidate moduli for DH-GEX.
584.It Fl y
585This option will read a private
586OpenSSH format file and print an OpenSSH public key to stdout.
587.It Fl z Ar serial_number
588Specifies a serial number to be embedded in the certificate to distinguish
589this certificate from others from the same CA.
590The default serial number is zero.
591.Pp
592When generating a KRL, the
593.Fl z
594flag is used to specify a KRL version number.
595.El
596.Sh MODULI GENERATION
597.Nm
598may be used to generate groups for the Diffie-Hellman Group Exchange
599(DH-GEX) protocol.
600Generating these groups is a two-step process: first, candidate
601primes are generated using a fast, but memory intensive process.
602These candidate primes are then tested for suitability (a CPU-intensive
603process).
604.Pp
605Generation of primes is performed using the
606.Fl G
607option.
608The desired length of the primes may be specified by the
609.Fl b
610option.
611For example:
612.Pp
613.Dl # ssh-keygen -G moduli-2048.candidates -b 2048
614.Pp
615By default, the search for primes begins at a random point in the
616desired length range.
617This may be overridden using the
618.Fl S
619option, which specifies a different start point (in hex).
620.Pp
621Once a set of candidates have been generated, they must be screened for
622suitability.
623This may be performed using the
624.Fl T
625option.
626In this mode
627.Nm
628will read candidates from standard input (or a file specified using the
629.Fl f
630option).
631For example:
632.Pp
633.Dl # ssh-keygen -T moduli-2048 -f moduli-2048.candidates
634.Pp
635By default, each candidate will be subjected to 100 primality tests.
636This may be overridden using the
637.Fl a
638option.
639The DH generator value will be chosen automatically for the
640prime under consideration.
641If a specific generator is desired, it may be requested using the
642.Fl W
643option.
644Valid generator values are 2, 3, and 5.
645.Pp
646Screened DH groups may be installed in
647.Pa /etc/moduli .
648It is important that this file contains moduli of a range of bit lengths and
649that both ends of a connection share common moduli.
650.Sh CERTIFICATES
651.Nm
652supports signing of keys to produce certificates that may be used for
653user or host authentication.
654Certificates consist of a public key, some identity information, zero or
655more principal (user or host) names and a set of options that
656are signed by a Certification Authority (CA) key.
657Clients or servers may then trust only the CA key and verify its signature
658on a certificate rather than trusting many user/host keys.
659Note that OpenSSH certificates are a different, and much simpler, format to
660the X.509 certificates used in
661.Xr ssl 8 .
662.Pp
663.Nm
664supports two types of certificates: user and host.
665User certificates authenticate users to servers, whereas host certificates
666authenticate server hosts to users.
667To generate a user certificate:
668.Pp
669.Dl $ ssh-keygen -s /path/to/ca_key -I key_id /path/to/user_key.pub
670.Pp
671The resultant certificate will be placed in
672.Pa /path/to/user_key-cert.pub .
673A host certificate requires the
674.Fl h
675option:
676.Pp
677.Dl $ ssh-keygen -s /path/to/ca_key -I key_id -h /path/to/host_key.pub
678.Pp
679The host certificate will be output to
680.Pa /path/to/host_key-cert.pub .
681.Pp
682It is possible to sign using a CA key stored in a PKCS#11 token by
683providing the token library using
684.Fl D
685and identifying the CA key by providing its public half as an argument
686to
687.Fl s :
688.Pp
689.Dl $ ssh-keygen -s ca_key.pub -D libpkcs11.so -I key_id user_key.pub
690.Pp
691In all cases,
692.Ar key_id
693is a "key identifier" that is logged by the server when the certificate
694is used for authentication.
695.Pp
696Certificates may be limited to be valid for a set of principal (user/host)
697names.
698By default, generated certificates are valid for all users or hosts.
699To generate a certificate for a specified set of principals:
700.Pp
701.Dl $ ssh-keygen -s ca_key -I key_id -n user1,user2 user_key.pub
702.Dl "$ ssh-keygen -s ca_key -I key_id -h -n host.domain host_key.pub"
703.Pp
704Additional limitations on the validity and use of user certificates may
705be specified through certificate options.
706A certificate option may disable features of the SSH session, may be
707valid only when presented from particular source addresses or may
708force the use of a specific command.
709For a list of valid certificate options, see the documentation for the
710.Fl O
711option above.
712.Pp
713Finally, certificates may be defined with a validity lifetime.
714The
715.Fl V
716option allows specification of certificate start and end times.
717A certificate that is presented at a time outside this range will not be
718considered valid.
719By default, certificates are valid from
720.Ux
721Epoch to the distant future.
722.Pp
723For certificates to be used for user or host authentication, the CA
724public key must be trusted by
725.Xr sshd 8
726or
727.Xr ssh 1 .
728Please refer to those manual pages for details.
729.Sh KEY REVOCATION LISTS
730.Nm
731is able to manage OpenSSH format Key Revocation Lists (KRLs).
732These binary files specify keys or certificates to be revoked using a
733compact format, taking as little as one bit per certificate if they are being
734revoked by serial number.
735.Pp
736KRLs may be generated using the
737.Fl k
738flag.
739This option reads one or more files from the command line and generates a new
740KRL.
741The files may either contain a KRL specification (see below) or public keys,
742listed one per line.
743Plain public keys are revoked by listing their hash or contents in the KRL and
744certificates revoked by serial number or key ID (if the serial is zero or
745not available).
746.Pp
747Revoking keys using a KRL specification offers explicit control over the
748types of record used to revoke keys and may be used to directly revoke
749certificates by serial number or key ID without having the complete original
750certificate on hand.
751A KRL specification consists of lines containing one of the following directives
752followed by a colon and some directive-specific information.
753.Bl -tag -width Ds
754.It Cm serial : Ar serial_number Ns Op - Ns Ar serial_number
755Revokes a certificate with the specified serial number.
756Serial numbers are 64-bit values, not including zero and may be expressed
757in decimal, hex or octal.
758If two serial numbers are specified separated by a hyphen, then the range
759of serial numbers including and between each is revoked.
760The CA key must have been specified on the
761.Nm
762command line using the
763.Fl s
764option.
765.It Cm id : Ar key_id
766Revokes a certificate with the specified key ID string.
767The CA key must have been specified on the
768.Nm
769command line using the
770.Fl s
771option.
772.It Cm key : Ar public_key
773Revokes the specified key.
774If a certificate is listed, then it is revoked as a plain public key.
775.It Cm sha1 : Ar public_key
776Revokes the specified key by its SHA1 hash.
777.El
778.Pp
779KRLs may be updated using the
780.Fl u
781flag in addition to
782.Fl k .
783When this option is specified, keys listed via the command line are merged into
784the KRL, adding to those already there.
785.Pp
786It is also possible, given a KRL, to test whether it revokes a particular key
787(or keys).
788The
789.Fl Q
790flag will query an existing KRL, testing each key specified on the command line.
791If any key listed on the command line has been revoked (or an error encountered)
792then
793.Nm
794will exit with a non-zero exit status.
795A zero exit status will only be returned if no key was revoked.
796.Sh FILES
797.Bl -tag -width Ds -compact
798.It Pa ~/.ssh/identity
799Contains the protocol version 1 RSA authentication identity of the user.
800This file should not be readable by anyone but the user.
801It is possible to
802specify a passphrase when generating the key; that passphrase will be
803used to encrypt the private part of this file using 3DES.
804This file is not automatically accessed by
805.Nm
806but it is offered as the default file for the private key.
807.Xr ssh 1
808will read this file when a login attempt is made.
809.Pp
810.It Pa ~/.ssh/identity.pub
811Contains the protocol version 1 RSA public key for authentication.
812The contents of this file should be added to
813.Pa ~/.ssh/authorized_keys
814on all machines
815where the user wishes to log in using RSA authentication.
816There is no need to keep the contents of this file secret.
817.Pp
818.It Pa ~/.ssh/id_dsa
819.It Pa ~/.ssh/id_ecdsa
820.It Pa ~/.ssh/id_ed25519
821.It Pa ~/.ssh/id_rsa
822Contains the protocol version 2 DSA, ECDSA, Ed25519 or RSA
823authentication identity of the user.
824This file should not be readable by anyone but the user.
825It is possible to
826specify a passphrase when generating the key; that passphrase will be
827used to encrypt the private part of this file using 128-bit AES.
828This file is not automatically accessed by
829.Nm
830but it is offered as the default file for the private key.
831.Xr ssh 1
832will read this file when a login attempt is made.
833.Pp
834.It Pa ~/.ssh/id_dsa.pub
835.It Pa ~/.ssh/id_ecdsa.pub
836.It Pa ~/.ssh/id_ed25519.pub
837.It Pa ~/.ssh/id_rsa.pub
838Contains the protocol version 2 DSA, ECDSA, Ed25519 or RSA
839public key for authentication.
840The contents of this file should be added to
841.Pa ~/.ssh/authorized_keys
842on all machines
843where the user wishes to log in using public key authentication.
844There is no need to keep the contents of this file secret.
845.Pp
846.It Pa /etc/moduli
847Contains Diffie-Hellman groups used for DH-GEX.
848The file format is described in
849.Xr moduli 5 .
850.El
851.Sh SEE ALSO
852.Xr ssh 1 ,
853.Xr ssh-add 1 ,
854.Xr ssh-agent 1 ,
855.Xr moduli 5 ,
856.Xr sshd 8
857.Rs
858.%R RFC 4716
859.%T "The Secure Shell (SSH) Public Key File Format"
860.%D 2006
861.Re
862.Sh AUTHORS
863OpenSSH is a derivative of the original and free
864ssh 1.2.12 release by Tatu Ylonen.
865Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos,
866Theo de Raadt and Dug Song
867removed many bugs, re-added newer features and
868created OpenSSH.
869Markus Friedl contributed the support for SSH
870protocol versions 1.5 and 2.0.
871