xref: /freebsd/crypto/openssh/ssh-keygen.1 (revision 1f4bcc459a76b7aa664f3fd557684cd0ba6da352)
1.\"	$OpenBSD: ssh-keygen.1,v 1.127 2015/08/20 19:20:06 naddy Exp $
2.\"
3.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
4.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5.\"                    All rights reserved
6.\"
7.\" As far as I am concerned, the code I have written for this software
8.\" can be used freely for any purpose.  Any derived versions of this
9.\" software must be clearly marked as such, and if the derived work is
10.\" incompatible with the protocol description in the RFC file, it must be
11.\" called by a name other than "ssh" or "Secure Shell".
12.\"
13.\"
14.\" Copyright (c) 1999,2000 Markus Friedl.  All rights reserved.
15.\" Copyright (c) 1999 Aaron Campbell.  All rights reserved.
16.\" Copyright (c) 1999 Theo de Raadt.  All rights reserved.
17.\"
18.\" Redistribution and use in source and binary forms, with or without
19.\" modification, are permitted provided that the following conditions
20.\" are met:
21.\" 1. Redistributions of source code must retain the above copyright
22.\"    notice, this list of conditions and the following disclaimer.
23.\" 2. Redistributions in binary form must reproduce the above copyright
24.\"    notice, this list of conditions and the following disclaimer in the
25.\"    documentation and/or other materials provided with the distribution.
26.\"
27.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
28.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
29.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
30.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
31.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
32.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
33.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
34.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
35.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
36.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
37.\"
38.Dd $Mdocdate: August 20 2015 $
39.Dt SSH-KEYGEN 1
40.Os
41.Sh NAME
42.Nm ssh-keygen
43.Nd authentication key generation, management and conversion
44.Sh SYNOPSIS
45.Bk -words
46.Nm ssh-keygen
47.Op Fl q
48.Op Fl b Ar bits
49.Op Fl t Cm dsa | ecdsa | ed25519 | rsa | rsa1
50.Op Fl N Ar new_passphrase
51.Op Fl C Ar comment
52.Op Fl f Ar output_keyfile
53.Nm ssh-keygen
54.Fl p
55.Op Fl P Ar old_passphrase
56.Op Fl N Ar new_passphrase
57.Op Fl f Ar keyfile
58.Nm ssh-keygen
59.Fl i
60.Op Fl m Ar key_format
61.Op Fl f Ar input_keyfile
62.Nm ssh-keygen
63.Fl e
64.Op Fl m Ar key_format
65.Op Fl f Ar input_keyfile
66.Nm ssh-keygen
67.Fl y
68.Op Fl f Ar input_keyfile
69.Nm ssh-keygen
70.Fl c
71.Op Fl P Ar passphrase
72.Op Fl C Ar comment
73.Op Fl f Ar keyfile
74.Nm ssh-keygen
75.Fl l
76.Op Fl v
77.Op Fl E Ar fingerprint_hash
78.Op Fl f Ar input_keyfile
79.Nm ssh-keygen
80.Fl B
81.Op Fl f Ar input_keyfile
82.Nm ssh-keygen
83.Fl D Ar pkcs11
84.Nm ssh-keygen
85.Fl F Ar hostname
86.Op Fl f Ar known_hosts_file
87.Op Fl l
88.Nm ssh-keygen
89.Fl H
90.Op Fl f Ar known_hosts_file
91.Nm ssh-keygen
92.Fl R Ar hostname
93.Op Fl f Ar known_hosts_file
94.Nm ssh-keygen
95.Fl r Ar hostname
96.Op Fl f Ar input_keyfile
97.Op Fl g
98.Nm ssh-keygen
99.Fl G Ar output_file
100.Op Fl v
101.Op Fl b Ar bits
102.Op Fl M Ar memory
103.Op Fl S Ar start_point
104.Nm ssh-keygen
105.Fl T Ar output_file
106.Fl f Ar input_file
107.Op Fl v
108.Op Fl a Ar rounds
109.Op Fl J Ar num_lines
110.Op Fl j Ar start_line
111.Op Fl K Ar checkpt
112.Op Fl W Ar generator
113.Nm ssh-keygen
114.Fl s Ar ca_key
115.Fl I Ar certificate_identity
116.Op Fl h
117.Op Fl n Ar principals
118.Op Fl O Ar option
119.Op Fl V Ar validity_interval
120.Op Fl z Ar serial_number
121.Ar
122.Nm ssh-keygen
123.Fl L
124.Op Fl f Ar input_keyfile
125.Nm ssh-keygen
126.Fl A
127.Nm ssh-keygen
128.Fl k
129.Fl f Ar krl_file
130.Op Fl u
131.Op Fl s Ar ca_public
132.Op Fl z Ar version_number
133.Ar
134.Nm ssh-keygen
135.Fl Q
136.Fl f Ar krl_file
137.Ar
138.Ek
139.Sh DESCRIPTION
140.Nm
141generates, manages and converts authentication keys for
142.Xr ssh 1 .
143.Nm
144can create RSA keys for use by SSH protocol version 1 and
145DSA, ECDSA, Ed25519 or RSA keys for use by SSH protocol version 2.
146The type of key to be generated is specified with the
147.Fl t
148option.
149If invoked without any arguments,
150.Nm
151will generate an RSA key for use in SSH protocol 2 connections.
152.Pp
153.Nm
154is also used to generate groups for use in Diffie-Hellman group
155exchange (DH-GEX).
156See the
157.Sx MODULI GENERATION
158section for details.
159.Pp
160Finally,
161.Nm
162can be used to generate and update Key Revocation Lists, and to test whether
163given keys have been revoked by one.
164See the
165.Sx KEY REVOCATION LISTS
166section for details.
167.Pp
168Normally each user wishing to use SSH
169with public key authentication runs this once to create the authentication
170key in
171.Pa ~/.ssh/identity ,
172.Pa ~/.ssh/id_dsa ,
173.Pa ~/.ssh/id_ecdsa ,
174.Pa ~/.ssh/id_ed25519
175or
176.Pa ~/.ssh/id_rsa .
177Additionally, the system administrator may use this to generate host keys,
178as seen in
179.Pa /etc/rc .
180.Pp
181Normally this program generates the key and asks for a file in which
182to store the private key.
183The public key is stored in a file with the same name but
184.Dq .pub
185appended.
186The program also asks for a passphrase.
187The passphrase may be empty to indicate no passphrase
188(host keys must have an empty passphrase), or it may be a string of
189arbitrary length.
190A passphrase is similar to a password, except it can be a phrase with a
191series of words, punctuation, numbers, whitespace, or any string of
192characters you want.
193Good passphrases are 10-30 characters long, are
194not simple sentences or otherwise easily guessable (English
195prose has only 1-2 bits of entropy per character, and provides very bad
196passphrases), and contain a mix of upper and lowercase letters,
197numbers, and non-alphanumeric characters.
198The passphrase can be changed later by using the
199.Fl p
200option.
201.Pp
202There is no way to recover a lost passphrase.
203If the passphrase is lost or forgotten, a new key must be generated
204and the corresponding public key copied to other machines.
205.Pp
206For RSA1 keys,
207there is also a comment field in the key file that is only for
208convenience to the user to help identify the key.
209The comment can tell what the key is for, or whatever is useful.
210The comment is initialized to
211.Dq user@host
212when the key is created, but can be changed using the
213.Fl c
214option.
215.Pp
216After a key is generated, instructions below detail where the keys
217should be placed to be activated.
218.Pp
219The options are as follows:
220.Bl -tag -width Ds
221.It Fl A
222For each of the key types (rsa1, rsa, dsa, ecdsa and ed25519)
223for which host keys
224do not exist, generate the host keys with the default key file path,
225an empty passphrase, default bits for the key type, and default comment.
226This is used by
227.Pa /etc/rc
228to generate new host keys.
229.It Fl a Ar rounds
230When saving a new-format private key (i.e. an ed25519 key or any SSH protocol
2312 key when the
232.Fl o
233flag is set), this option specifies the number of KDF (key derivation function)
234rounds used.
235Higher numbers result in slower passphrase verification and increased
236resistance to brute-force password cracking (should the keys be stolen).
237.Pp
238When screening DH-GEX candidates (
239using the
240.Fl T
241command).
242This option specifies the number of primality tests to perform.
243.It Fl B
244Show the bubblebabble digest of specified private or public key file.
245.It Fl b Ar bits
246Specifies the number of bits in the key to create.
247For RSA keys, the minimum size is 1024 bits and the default is 2048 bits.
248Generally, 2048 bits is considered sufficient.
249DSA keys must be exactly 1024 bits as specified by FIPS 186-2.
250For ECDSA keys, the
251.Fl b
252flag determines the key length by selecting from one of three elliptic
253curve sizes: 256, 384 or 521 bits.
254Attempting to use bit lengths other than these three values for ECDSA keys
255will fail.
256Ed25519 keys have a fixed length and the
257.Fl b
258flag will be ignored.
259.It Fl C Ar comment
260Provides a new comment.
261.It Fl c
262Requests changing the comment in the private and public key files.
263This operation is only supported for RSA1 keys.
264The program will prompt for the file containing the private keys, for
265the passphrase if the key has one, and for the new comment.
266.It Fl D Ar pkcs11
267Download the RSA public keys provided by the PKCS#11 shared library
268.Ar pkcs11 .
269When used in combination with
270.Fl s ,
271this option indicates that a CA key resides in a PKCS#11 token (see the
272.Sx CERTIFICATES
273section for details).
274.It Fl E Ar fingerprint_hash
275Specifies the hash algorithm used when displaying key fingerprints.
276Valid options are:
277.Dq md5
278and
279.Dq sha256 .
280The default is
281.Dq sha256 .
282.It Fl e
283This option will read a private or public OpenSSH key file and
284print to stdout the key in one of the formats specified by the
285.Fl m
286option.
287The default export format is
288.Dq RFC4716 .
289This option allows exporting OpenSSH keys for use by other programs, including
290several commercial SSH implementations.
291.It Fl F Ar hostname
292Search for the specified
293.Ar hostname
294in a
295.Pa known_hosts
296file, listing any occurrences found.
297This option is useful to find hashed host names or addresses and may also be
298used in conjunction with the
299.Fl H
300option to print found keys in a hashed format.
301.It Fl f Ar filename
302Specifies the filename of the key file.
303.It Fl G Ar output_file
304Generate candidate primes for DH-GEX.
305These primes must be screened for
306safety (using the
307.Fl T
308option) before use.
309.It Fl g
310Use generic DNS format when printing fingerprint resource records using the
311.Fl r
312command.
313.It Fl H
314Hash a
315.Pa known_hosts
316file.
317This replaces all hostnames and addresses with hashed representations
318within the specified file; the original content is moved to a file with
319a .old suffix.
320These hashes may be used normally by
321.Nm ssh
322and
323.Nm sshd ,
324but they do not reveal identifying information should the file's contents
325be disclosed.
326This option will not modify existing hashed hostnames and is therefore safe
327to use on files that mix hashed and non-hashed names.
328.It Fl h
329When signing a key, create a host certificate instead of a user
330certificate.
331Please see the
332.Sx CERTIFICATES
333section for details.
334.It Fl I Ar certificate_identity
335Specify the key identity when signing a public key.
336Please see the
337.Sx CERTIFICATES
338section for details.
339.It Fl i
340This option will read an unencrypted private (or public) key file
341in the format specified by the
342.Fl m
343option and print an OpenSSH compatible private
344(or public) key to stdout.
345This option allows importing keys from other software, including several
346commercial SSH implementations.
347The default import format is
348.Dq RFC4716 .
349.It Fl J Ar num_lines
350Exit after screening the specified number of lines
351while performing DH candidate screening using the
352.Fl T
353option.
354.It Fl j Ar start_line
355Start screening at the specified line number
356while performing DH candidate screening using the
357.Fl T
358option.
359.It Fl K Ar checkpt
360Write the last line processed to the file
361.Ar checkpt
362while performing DH candidate screening using the
363.Fl T
364option.
365This will be used to skip lines in the input file that have already been
366processed if the job is restarted.
367.It Fl k
368Generate a KRL file.
369In this mode,
370.Nm
371will generate a KRL file at the location specified via the
372.Fl f
373flag that revokes every key or certificate presented on the command line.
374Keys/certificates to be revoked may be specified by public key file or
375using the format described in the
376.Sx KEY REVOCATION LISTS
377section.
378.It Fl L
379Prints the contents of a certificate.
380.It Fl l
381Show fingerprint of specified public key file.
382Private RSA1 keys are also supported.
383For RSA and DSA keys
384.Nm
385tries to find the matching public key file and prints its fingerprint.
386If combined with
387.Fl v ,
388an ASCII art representation of the key is supplied with the fingerprint.
389.It Fl M Ar memory
390Specify the amount of memory to use (in megabytes) when generating
391candidate moduli for DH-GEX.
392.It Fl m Ar key_format
393Specify a key format for the
394.Fl i
395(import) or
396.Fl e
397(export) conversion options.
398The supported key formats are:
399.Dq RFC4716
400(RFC 4716/SSH2 public or private key),
401.Dq PKCS8
402(PEM PKCS8 public key)
403or
404.Dq PEM
405(PEM public key).
406The default conversion format is
407.Dq RFC4716 .
408.It Fl N Ar new_passphrase
409Provides the new passphrase.
410.It Fl n Ar principals
411Specify one or more principals (user or host names) to be included in
412a certificate when signing a key.
413Multiple principals may be specified, separated by commas.
414Please see the
415.Sx CERTIFICATES
416section for details.
417.It Fl O Ar option
418Specify a certificate option when signing a key.
419This option may be specified multiple times.
420Please see the
421.Sx CERTIFICATES
422section for details.
423The options that are valid for user certificates are:
424.Bl -tag -width Ds
425.It Ic clear
426Clear all enabled permissions.
427This is useful for clearing the default set of permissions so permissions may
428be added individually.
429.It Ic force-command Ns = Ns Ar command
430Forces the execution of
431.Ar command
432instead of any shell or command specified by the user when
433the certificate is used for authentication.
434.It Ic no-agent-forwarding
435Disable
436.Xr ssh-agent 1
437forwarding (permitted by default).
438.It Ic no-port-forwarding
439Disable port forwarding (permitted by default).
440.It Ic no-pty
441Disable PTY allocation (permitted by default).
442.It Ic no-user-rc
443Disable execution of
444.Pa ~/.ssh/rc
445by
446.Xr sshd 8
447(permitted by default).
448.It Ic no-x11-forwarding
449Disable X11 forwarding (permitted by default).
450.It Ic permit-agent-forwarding
451Allows
452.Xr ssh-agent 1
453forwarding.
454.It Ic permit-port-forwarding
455Allows port forwarding.
456.It Ic permit-pty
457Allows PTY allocation.
458.It Ic permit-user-rc
459Allows execution of
460.Pa ~/.ssh/rc
461by
462.Xr sshd 8 .
463.It Ic permit-x11-forwarding
464Allows X11 forwarding.
465.It Ic source-address Ns = Ns Ar address_list
466Restrict the source addresses from which the certificate is considered valid.
467The
468.Ar address_list
469is a comma-separated list of one or more address/netmask pairs in CIDR
470format.
471.El
472.Pp
473At present, no options are valid for host keys.
474.It Fl o
475Causes
476.Nm
477to save SSH protocol 2 private keys using the new OpenSSH format rather than
478the more compatible PEM format.
479The new format has increased resistance to brute-force password cracking
480but is not supported by versions of OpenSSH prior to 6.5.
481Ed25519 keys always use the new private key format.
482.It Fl P Ar passphrase
483Provides the (old) passphrase.
484.It Fl p
485Requests changing the passphrase of a private key file instead of
486creating a new private key.
487The program will prompt for the file
488containing the private key, for the old passphrase, and twice for the
489new passphrase.
490.It Fl Q
491Test whether keys have been revoked in a KRL.
492.It Fl q
493Silence
494.Nm ssh-keygen .
495.It Fl R Ar hostname
496Removes all keys belonging to
497.Ar hostname
498from a
499.Pa known_hosts
500file.
501This option is useful to delete hashed hosts (see the
502.Fl H
503option above).
504.It Fl r Ar hostname
505Print the SSHFP fingerprint resource record named
506.Ar hostname
507for the specified public key file.
508.It Fl S Ar start
509Specify start point (in hex) when generating candidate moduli for DH-GEX.
510.It Fl s Ar ca_key
511Certify (sign) a public key using the specified CA key.
512Please see the
513.Sx CERTIFICATES
514section for details.
515.Pp
516When generating a KRL,
517.Fl s
518specifies a path to a CA public key file used to revoke certificates directly
519by key ID or serial number.
520See the
521.Sx KEY REVOCATION LISTS
522section for details.
523.It Fl T Ar output_file
524Test DH group exchange candidate primes (generated using the
525.Fl G
526option) for safety.
527.It Fl t Cm dsa | ecdsa | ed25519 | rsa | rsa1
528Specifies the type of key to create.
529The possible values are
530.Dq rsa1
531for protocol version 1 and
532.Dq dsa ,
533.Dq ecdsa ,
534.Dq ed25519 ,
535or
536.Dq rsa
537for protocol version 2.
538.It Fl u
539Update a KRL.
540When specified with
541.Fl k ,
542keys listed via the command line are added to the existing KRL rather than
543a new KRL being created.
544.It Fl V Ar validity_interval
545Specify a validity interval when signing a certificate.
546A validity interval may consist of a single time, indicating that the
547certificate is valid beginning now and expiring at that time, or may consist
548of two times separated by a colon to indicate an explicit time interval.
549The start time may be specified as a date in YYYYMMDD format, a time
550in YYYYMMDDHHMMSS format or a relative time (to the current time) consisting
551of a minus sign followed by a relative time in the format described in the
552TIME FORMATS section of
553.Xr sshd_config 5 .
554The end time may be specified as a YYYYMMDD date, a YYYYMMDDHHMMSS time or
555a relative time starting with a plus character.
556.Pp
557For example:
558.Dq +52w1d
559(valid from now to 52 weeks and one day from now),
560.Dq -4w:+4w
561(valid from four weeks ago to four weeks from now),
562.Dq 20100101123000:20110101123000
563(valid from 12:30 PM, January 1st, 2010 to 12:30 PM, January 1st, 2011),
564.Dq -1d:20110101
565(valid from yesterday to midnight, January 1st, 2011).
566.It Fl v
567Verbose mode.
568Causes
569.Nm
570to print debugging messages about its progress.
571This is helpful for debugging moduli generation.
572Multiple
573.Fl v
574options increase the verbosity.
575The maximum is 3.
576.It Fl W Ar generator
577Specify desired generator when testing candidate moduli for DH-GEX.
578.It Fl y
579This option will read a private
580OpenSSH format file and print an OpenSSH public key to stdout.
581.It Fl z Ar serial_number
582Specifies a serial number to be embedded in the certificate to distinguish
583this certificate from others from the same CA.
584The default serial number is zero.
585.Pp
586When generating a KRL, the
587.Fl z
588flag is used to specify a KRL version number.
589.El
590.Sh MODULI GENERATION
591.Nm
592may be used to generate groups for the Diffie-Hellman Group Exchange
593(DH-GEX) protocol.
594Generating these groups is a two-step process: first, candidate
595primes are generated using a fast, but memory intensive process.
596These candidate primes are then tested for suitability (a CPU-intensive
597process).
598.Pp
599Generation of primes is performed using the
600.Fl G
601option.
602The desired length of the primes may be specified by the
603.Fl b
604option.
605For example:
606.Pp
607.Dl # ssh-keygen -G moduli-2048.candidates -b 2048
608.Pp
609By default, the search for primes begins at a random point in the
610desired length range.
611This may be overridden using the
612.Fl S
613option, which specifies a different start point (in hex).
614.Pp
615Once a set of candidates have been generated, they must be screened for
616suitability.
617This may be performed using the
618.Fl T
619option.
620In this mode
621.Nm
622will read candidates from standard input (or a file specified using the
623.Fl f
624option).
625For example:
626.Pp
627.Dl # ssh-keygen -T moduli-2048 -f moduli-2048.candidates
628.Pp
629By default, each candidate will be subjected to 100 primality tests.
630This may be overridden using the
631.Fl a
632option.
633The DH generator value will be chosen automatically for the
634prime under consideration.
635If a specific generator is desired, it may be requested using the
636.Fl W
637option.
638Valid generator values are 2, 3, and 5.
639.Pp
640Screened DH groups may be installed in
641.Pa /etc/moduli .
642It is important that this file contains moduli of a range of bit lengths and
643that both ends of a connection share common moduli.
644.Sh CERTIFICATES
645.Nm
646supports signing of keys to produce certificates that may be used for
647user or host authentication.
648Certificates consist of a public key, some identity information, zero or
649more principal (user or host) names and a set of options that
650are signed by a Certification Authority (CA) key.
651Clients or servers may then trust only the CA key and verify its signature
652on a certificate rather than trusting many user/host keys.
653Note that OpenSSH certificates are a different, and much simpler, format to
654the X.509 certificates used in
655.Xr ssl 8 .
656.Pp
657.Nm
658supports two types of certificates: user and host.
659User certificates authenticate users to servers, whereas host certificates
660authenticate server hosts to users.
661To generate a user certificate:
662.Pp
663.Dl $ ssh-keygen -s /path/to/ca_key -I key_id /path/to/user_key.pub
664.Pp
665The resultant certificate will be placed in
666.Pa /path/to/user_key-cert.pub .
667A host certificate requires the
668.Fl h
669option:
670.Pp
671.Dl $ ssh-keygen -s /path/to/ca_key -I key_id -h /path/to/host_key.pub
672.Pp
673The host certificate will be output to
674.Pa /path/to/host_key-cert.pub .
675.Pp
676It is possible to sign using a CA key stored in a PKCS#11 token by
677providing the token library using
678.Fl D
679and identifying the CA key by providing its public half as an argument
680to
681.Fl s :
682.Pp
683.Dl $ ssh-keygen -s ca_key.pub -D libpkcs11.so -I key_id user_key.pub
684.Pp
685In all cases,
686.Ar key_id
687is a "key identifier" that is logged by the server when the certificate
688is used for authentication.
689.Pp
690Certificates may be limited to be valid for a set of principal (user/host)
691names.
692By default, generated certificates are valid for all users or hosts.
693To generate a certificate for a specified set of principals:
694.Pp
695.Dl $ ssh-keygen -s ca_key -I key_id -n user1,user2 user_key.pub
696.Dl "$ ssh-keygen -s ca_key -I key_id -h -n host.domain host_key.pub"
697.Pp
698Additional limitations on the validity and use of user certificates may
699be specified through certificate options.
700A certificate option may disable features of the SSH session, may be
701valid only when presented from particular source addresses or may
702force the use of a specific command.
703For a list of valid certificate options, see the documentation for the
704.Fl O
705option above.
706.Pp
707Finally, certificates may be defined with a validity lifetime.
708The
709.Fl V
710option allows specification of certificate start and end times.
711A certificate that is presented at a time outside this range will not be
712considered valid.
713By default, certificates are valid from
714.Ux
715Epoch to the distant future.
716.Pp
717For certificates to be used for user or host authentication, the CA
718public key must be trusted by
719.Xr sshd 8
720or
721.Xr ssh 1 .
722Please refer to those manual pages for details.
723.Sh KEY REVOCATION LISTS
724.Nm
725is able to manage OpenSSH format Key Revocation Lists (KRLs).
726These binary files specify keys or certificates to be revoked using a
727compact format, taking as little as one bit per certificate if they are being
728revoked by serial number.
729.Pp
730KRLs may be generated using the
731.Fl k
732flag.
733This option reads one or more files from the command line and generates a new
734KRL.
735The files may either contain a KRL specification (see below) or public keys,
736listed one per line.
737Plain public keys are revoked by listing their hash or contents in the KRL and
738certificates revoked by serial number or key ID (if the serial is zero or
739not available).
740.Pp
741Revoking keys using a KRL specification offers explicit control over the
742types of record used to revoke keys and may be used to directly revoke
743certificates by serial number or key ID without having the complete original
744certificate on hand.
745A KRL specification consists of lines containing one of the following directives
746followed by a colon and some directive-specific information.
747.Bl -tag -width Ds
748.It Cm serial : Ar serial_number Ns Op - Ns Ar serial_number
749Revokes a certificate with the specified serial number.
750Serial numbers are 64-bit values, not including zero and may be expressed
751in decimal, hex or octal.
752If two serial numbers are specified separated by a hyphen, then the range
753of serial numbers including and between each is revoked.
754The CA key must have been specified on the
755.Nm
756command line using the
757.Fl s
758option.
759.It Cm id : Ar key_id
760Revokes a certificate with the specified key ID string.
761The CA key must have been specified on the
762.Nm
763command line using the
764.Fl s
765option.
766.It Cm key : Ar public_key
767Revokes the specified key.
768If a certificate is listed, then it is revoked as a plain public key.
769.It Cm sha1 : Ar public_key
770Revokes the specified key by its SHA1 hash.
771.El
772.Pp
773KRLs may be updated using the
774.Fl u
775flag in addition to
776.Fl k .
777When this option is specified, keys listed via the command line are merged into
778the KRL, adding to those already there.
779.Pp
780It is also possible, given a KRL, to test whether it revokes a particular key
781(or keys).
782The
783.Fl Q
784flag will query an existing KRL, testing each key specified on the commandline.
785If any key listed on the command line has been revoked (or an error encountered)
786then
787.Nm
788will exit with a non-zero exit status.
789A zero exit status will only be returned if no key was revoked.
790.Sh FILES
791.Bl -tag -width Ds -compact
792.It Pa ~/.ssh/identity
793Contains the protocol version 1 RSA authentication identity of the user.
794This file should not be readable by anyone but the user.
795It is possible to
796specify a passphrase when generating the key; that passphrase will be
797used to encrypt the private part of this file using 3DES.
798This file is not automatically accessed by
799.Nm
800but it is offered as the default file for the private key.
801.Xr ssh 1
802will read this file when a login attempt is made.
803.Pp
804.It Pa ~/.ssh/identity.pub
805Contains the protocol version 1 RSA public key for authentication.
806The contents of this file should be added to
807.Pa ~/.ssh/authorized_keys
808on all machines
809where the user wishes to log in using RSA authentication.
810There is no need to keep the contents of this file secret.
811.Pp
812.It Pa ~/.ssh/id_dsa
813.It Pa ~/.ssh/id_ecdsa
814.It Pa ~/.ssh/id_ed25519
815.It Pa ~/.ssh/id_rsa
816Contains the protocol version 2 DSA, ECDSA, Ed25519 or RSA
817authentication identity of the user.
818This file should not be readable by anyone but the user.
819It is possible to
820specify a passphrase when generating the key; that passphrase will be
821used to encrypt the private part of this file using 128-bit AES.
822This file is not automatically accessed by
823.Nm
824but it is offered as the default file for the private key.
825.Xr ssh 1
826will read this file when a login attempt is made.
827.Pp
828.It Pa ~/.ssh/id_dsa.pub
829.It Pa ~/.ssh/id_ecdsa.pub
830.It Pa ~/.ssh/id_ed25519.pub
831.It Pa ~/.ssh/id_rsa.pub
832Contains the protocol version 2 DSA, ECDSA, Ed25519 or RSA
833public key for authentication.
834The contents of this file should be added to
835.Pa ~/.ssh/authorized_keys
836on all machines
837where the user wishes to log in using public key authentication.
838There is no need to keep the contents of this file secret.
839.Pp
840.It Pa /etc/moduli
841Contains Diffie-Hellman groups used for DH-GEX.
842The file format is described in
843.Xr moduli 5 .
844.El
845.Sh SEE ALSO
846.Xr ssh 1 ,
847.Xr ssh-add 1 ,
848.Xr ssh-agent 1 ,
849.Xr moduli 5 ,
850.Xr sshd 8
851.Rs
852.%R RFC 4716
853.%T "The Secure Shell (SSH) Public Key File Format"
854.%D 2006
855.Re
856.Sh AUTHORS
857OpenSSH is a derivative of the original and free
858ssh 1.2.12 release by Tatu Ylonen.
859Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos,
860Theo de Raadt and Dug Song
861removed many bugs, re-added newer features and
862created OpenSSH.
863Markus Friedl contributed the support for SSH
864protocol versions 1.5 and 2.0.
865