1.\" $OpenBSD: ssh-keygen.1,v 1.119 2013/12/21 07:10:47 tedu Exp $ 2.\" $FreeBSD$ 3.\" 4.\" Author: Tatu Ylonen <ylo@cs.hut.fi> 5.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 6.\" All rights reserved 7.\" 8.\" As far as I am concerned, the code I have written for this software 9.\" can be used freely for any purpose. Any derived versions of this 10.\" software must be clearly marked as such, and if the derived work is 11.\" incompatible with the protocol description in the RFC file, it must be 12.\" called by a name other than "ssh" or "Secure Shell". 13.\" 14.\" 15.\" Copyright (c) 1999,2000 Markus Friedl. All rights reserved. 16.\" Copyright (c) 1999 Aaron Campbell. All rights reserved. 17.\" Copyright (c) 1999 Theo de Raadt. All rights reserved. 18.\" 19.\" Redistribution and use in source and binary forms, with or without 20.\" modification, are permitted provided that the following conditions 21.\" are met: 22.\" 1. Redistributions of source code must retain the above copyright 23.\" notice, this list of conditions and the following disclaimer. 24.\" 2. Redistributions in binary form must reproduce the above copyright 25.\" notice, this list of conditions and the following disclaimer in the 26.\" documentation and/or other materials provided with the distribution. 27.\" 28.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 29.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 30.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 31.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 32.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 33.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 34.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 35.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 36.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 37.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 38.\" 39.Dd December 21, 2013 40.Dt SSH-KEYGEN 1 41.Os 42.Sh NAME 43.Nm ssh-keygen 44.Nd authentication key generation, management and conversion 45.Sh SYNOPSIS 46.Bk -words 47.Nm ssh-keygen 48.Op Fl q 49.Op Fl b Ar bits 50.Fl t Ar type 51.Op Fl N Ar new_passphrase 52.Op Fl C Ar comment 53.Op Fl f Ar output_keyfile 54.Nm ssh-keygen 55.Fl p 56.Op Fl P Ar old_passphrase 57.Op Fl N Ar new_passphrase 58.Op Fl f Ar keyfile 59.Nm ssh-keygen 60.Fl i 61.Op Fl m Ar key_format 62.Op Fl f Ar input_keyfile 63.Nm ssh-keygen 64.Fl e 65.Op Fl m Ar key_format 66.Op Fl f Ar input_keyfile 67.Nm ssh-keygen 68.Fl y 69.Op Fl f Ar input_keyfile 70.Nm ssh-keygen 71.Fl c 72.Op Fl P Ar passphrase 73.Op Fl C Ar comment 74.Op Fl f Ar keyfile 75.Nm ssh-keygen 76.Fl l 77.Op Fl f Ar input_keyfile 78.Nm ssh-keygen 79.Fl B 80.Op Fl f Ar input_keyfile 81.Nm ssh-keygen 82.Fl D Ar pkcs11 83.Nm ssh-keygen 84.Fl F Ar hostname 85.Op Fl f Ar known_hosts_file 86.Op Fl l 87.Nm ssh-keygen 88.Fl H 89.Op Fl f Ar known_hosts_file 90.Nm ssh-keygen 91.Fl R Ar hostname 92.Op Fl f Ar known_hosts_file 93.Nm ssh-keygen 94.Fl r Ar hostname 95.Op Fl f Ar input_keyfile 96.Op Fl g 97.Nm ssh-keygen 98.Fl G Ar output_file 99.Op Fl v 100.Op Fl b Ar bits 101.Op Fl M Ar memory 102.Op Fl S Ar start_point 103.Nm ssh-keygen 104.Fl T Ar output_file 105.Fl f Ar input_file 106.Op Fl v 107.Op Fl a Ar rounds 108.Op Fl J Ar num_lines 109.Op Fl j Ar start_line 110.Op Fl K Ar checkpt 111.Op Fl W Ar generator 112.Nm ssh-keygen 113.Fl s Ar ca_key 114.Fl I Ar certificate_identity 115.Op Fl h 116.Op Fl n Ar principals 117.Op Fl O Ar option 118.Op Fl V Ar validity_interval 119.Op Fl z Ar serial_number 120.Ar 121.Nm ssh-keygen 122.Fl L 123.Op Fl f Ar input_keyfile 124.Nm ssh-keygen 125.Fl A 126.Nm ssh-keygen 127.Fl k 128.Fl f Ar krl_file 129.Op Fl u 130.Op Fl s Ar ca_public 131.Op Fl z Ar version_number 132.Ar 133.Nm ssh-keygen 134.Fl Q 135.Fl f Ar krl_file 136.Ar 137.Ek 138.Sh DESCRIPTION 139.Nm 140generates, manages and converts authentication keys for 141.Xr ssh 1 . 142.Nm 143can create RSA keys for use by SSH protocol version 1 and 144DSA, ECDSA, ED25519 or RSA keys for use by SSH protocol version 2. 145The type of key to be generated is specified with the 146.Fl t 147option. 148If invoked without any arguments, 149.Nm 150will generate an RSA key for use in SSH protocol 2 connections. 151.Pp 152.Nm 153is also used to generate groups for use in Diffie-Hellman group 154exchange (DH-GEX). 155See the 156.Sx MODULI GENERATION 157section for details. 158.Pp 159Finally, 160.Nm 161can be used to generate and update Key Revocation Lists, and to test whether 162given keys have been revoked by one. 163See the 164.Sx KEY REVOCATION LISTS 165section for details. 166.Pp 167Normally each user wishing to use SSH 168with public key authentication runs this once to create the authentication 169key in 170.Pa ~/.ssh/identity , 171.Pa ~/.ssh/id_dsa , 172.Pa ~/.ssh/id_ecdsa , 173.Pa ~/.ssh/id_ed25519 174or 175.Pa ~/.ssh/id_rsa . 176Additionally, the system administrator may use this to generate host keys, 177as seen in 178.Pa /etc/rc . 179.Pp 180Normally this program generates the key and asks for a file in which 181to store the private key. 182The public key is stored in a file with the same name but 183.Dq .pub 184appended. 185The program also asks for a passphrase. 186The passphrase may be empty to indicate no passphrase 187(host keys must have an empty passphrase), or it may be a string of 188arbitrary length. 189A passphrase is similar to a password, except it can be a phrase with a 190series of words, punctuation, numbers, whitespace, or any string of 191characters you want. 192Good passphrases are 10-30 characters long, are 193not simple sentences or otherwise easily guessable (English 194prose has only 1-2 bits of entropy per character, and provides very bad 195passphrases), and contain a mix of upper and lowercase letters, 196numbers, and non-alphanumeric characters. 197The passphrase can be changed later by using the 198.Fl p 199option. 200.Pp 201There is no way to recover a lost passphrase. 202If the passphrase is lost or forgotten, a new key must be generated 203and the corresponding public key copied to other machines. 204.Pp 205For RSA1 keys, 206there is also a comment field in the key file that is only for 207convenience to the user to help identify the key. 208The comment can tell what the key is for, or whatever is useful. 209The comment is initialized to 210.Dq user@host 211when the key is created, but can be changed using the 212.Fl c 213option. 214.Pp 215After a key is generated, instructions below detail where the keys 216should be placed to be activated. 217.Pp 218The options are as follows: 219.Bl -tag -width Ds 220.It Fl A 221For each of the key types (rsa1, rsa, dsa, ecdsa and ed25519) 222for which host keys 223do not exist, generate the host keys with the default key file path, 224an empty passphrase, default bits for the key type, and default comment. 225This is used by 226.Pa /etc/rc 227to generate new host keys. 228.It Fl a Ar rounds 229When saving a new-format private key (i.e. an ed25519 key or any SSH protocol 2302 key when the 231.Fl o 232flag is set), this option specifies the number of KDF (key derivation function) 233rounds used. 234Higher numbers result in slower passphrase verification and increased 235resistance to brute-force password cracking (should the keys be stolen). 236.Pp 237When screening DH-GEX candidates ( 238using the 239.Fl T 240command). 241This option specifies the number of primality tests to perform. 242.It Fl B 243Show the bubblebabble digest of specified private or public key file. 244.It Fl b Ar bits 245Specifies the number of bits in the key to create. 246For RSA keys, the minimum size is 768 bits and the default is 2048 bits. 247Generally, 2048 bits is considered sufficient. 248DSA keys must be exactly 1024 bits as specified by FIPS 186-2. 249For ECDSA keys, the 250.Fl b 251flag determines the key length by selecting from one of three elliptic 252curve sizes: 256, 384 or 521 bits. 253Attempting to use bit lengths other than these three values for ECDSA keys 254will fail. 255ED25519 keys have a fixed length and the 256.Fl b 257flag will be ignored. 258.It Fl C Ar comment 259Provides a new comment. 260.It Fl c 261Requests changing the comment in the private and public key files. 262This operation is only supported for RSA1 keys. 263The program will prompt for the file containing the private keys, for 264the passphrase if the key has one, and for the new comment. 265.It Fl D Ar pkcs11 266Download the RSA public keys provided by the PKCS#11 shared library 267.Ar pkcs11 . 268When used in combination with 269.Fl s , 270this option indicates that a CA key resides in a PKCS#11 token (see the 271.Sx CERTIFICATES 272section for details). 273.It Fl e 274This option will read a private or public OpenSSH key file and 275print to stdout the key in one of the formats specified by the 276.Fl m 277option. 278The default export format is 279.Dq RFC4716 . 280This option allows exporting OpenSSH keys for use by other programs, including 281several commercial SSH implementations. 282.It Fl F Ar hostname 283Search for the specified 284.Ar hostname 285in a 286.Pa known_hosts 287file, listing any occurrences found. 288This option is useful to find hashed host names or addresses and may also be 289used in conjunction with the 290.Fl H 291option to print found keys in a hashed format. 292.It Fl f Ar filename 293Specifies the filename of the key file. 294.It Fl G Ar output_file 295Generate candidate primes for DH-GEX. 296These primes must be screened for 297safety (using the 298.Fl T 299option) before use. 300.It Fl g 301Use generic DNS format when printing fingerprint resource records using the 302.Fl r 303command. 304.It Fl H 305Hash a 306.Pa known_hosts 307file. 308This replaces all hostnames and addresses with hashed representations 309within the specified file; the original content is moved to a file with 310a .old suffix. 311These hashes may be used normally by 312.Nm ssh 313and 314.Nm sshd , 315but they do not reveal identifying information should the file's contents 316be disclosed. 317This option will not modify existing hashed hostnames and is therefore safe 318to use on files that mix hashed and non-hashed names. 319.It Fl h 320When signing a key, create a host certificate instead of a user 321certificate. 322Please see the 323.Sx CERTIFICATES 324section for details. 325.It Fl I Ar certificate_identity 326Specify the key identity when signing a public key. 327Please see the 328.Sx CERTIFICATES 329section for details. 330.It Fl i 331This option will read an unencrypted private (or public) key file 332in the format specified by the 333.Fl m 334option and print an OpenSSH compatible private 335(or public) key to stdout. 336.It Fl J Ar num_lines 337Exit after screening the specified number of lines 338while performing DH candidate screening using the 339.Fl T 340option. 341.It Fl j Ar start_line 342Start screening at the specified line number 343while performing DH candidate screening using the 344.Fl T 345option. 346.It Fl K Ar checkpt 347Write the last line processed to the file 348.Ar checkpt 349while performing DH candidate screening using the 350.Fl T 351option. 352This will be used to skip lines in the input file that have already been 353processed if the job is restarted. 354This option allows importing keys from other software, including several 355commercial SSH implementations. 356The default import format is 357.Dq RFC4716 . 358.It Fl k 359Generate a KRL file. 360In this mode, 361.Nm 362will generate a KRL file at the location specified via the 363.Fl f 364flag that revokes every key or certificate presented on the command line. 365Keys/certificates to be revoked may be specified by public key file or 366using the format described in the 367.Sx KEY REVOCATION LISTS 368section. 369.It Fl L 370Prints the contents of a certificate. 371.It Fl l 372Show fingerprint of specified public key file. 373Private RSA1 keys are also supported. 374For RSA and DSA keys 375.Nm 376tries to find the matching public key file and prints its fingerprint. 377If combined with 378.Fl v , 379an ASCII art representation of the key is supplied with the fingerprint. 380.It Fl M Ar memory 381Specify the amount of memory to use (in megabytes) when generating 382candidate moduli for DH-GEX. 383.It Fl m Ar key_format 384Specify a key format for the 385.Fl i 386(import) or 387.Fl e 388(export) conversion options. 389The supported key formats are: 390.Dq RFC4716 391(RFC 4716/SSH2 public or private key), 392.Dq PKCS8 393(PEM PKCS8 public key) 394or 395.Dq PEM 396(PEM public key). 397The default conversion format is 398.Dq RFC4716 . 399.It Fl N Ar new_passphrase 400Provides the new passphrase. 401.It Fl n Ar principals 402Specify one or more principals (user or host names) to be included in 403a certificate when signing a key. 404Multiple principals may be specified, separated by commas. 405Please see the 406.Sx CERTIFICATES 407section for details. 408.It Fl O Ar option 409Specify a certificate option when signing a key. 410This option may be specified multiple times. 411Please see the 412.Sx CERTIFICATES 413section for details. 414The options that are valid for user certificates are: 415.Bl -tag -width Ds 416.It Ic clear 417Clear all enabled permissions. 418This is useful for clearing the default set of permissions so permissions may 419be added individually. 420.It Ic force-command Ns = Ns Ar command 421Forces the execution of 422.Ar command 423instead of any shell or command specified by the user when 424the certificate is used for authentication. 425.It Ic no-agent-forwarding 426Disable 427.Xr ssh-agent 1 428forwarding (permitted by default). 429.It Ic no-port-forwarding 430Disable port forwarding (permitted by default). 431.It Ic no-pty 432Disable PTY allocation (permitted by default). 433.It Ic no-user-rc 434Disable execution of 435.Pa ~/.ssh/rc 436by 437.Xr sshd 8 438(permitted by default). 439.It Ic no-x11-forwarding 440Disable X11 forwarding (permitted by default). 441.It Ic permit-agent-forwarding 442Allows 443.Xr ssh-agent 1 444forwarding. 445.It Ic permit-port-forwarding 446Allows port forwarding. 447.It Ic permit-pty 448Allows PTY allocation. 449.It Ic permit-user-rc 450Allows execution of 451.Pa ~/.ssh/rc 452by 453.Xr sshd 8 . 454.It Ic permit-x11-forwarding 455Allows X11 forwarding. 456.It Ic source-address Ns = Ns Ar address_list 457Restrict the source addresses from which the certificate is considered valid. 458The 459.Ar address_list 460is a comma-separated list of one or more address/netmask pairs in CIDR 461format. 462.El 463.Pp 464At present, no options are valid for host keys. 465.It Fl o 466Causes 467.Nm 468to save SSH protocol 2 private keys using the new OpenSSH format rather than 469the more compatible PEM format. 470The new format has increased resistance to brute-force password cracking 471but is not supported by versions of OpenSSH prior to 6.5. 472Ed25519 keys always use the new private key format. 473.It Fl P Ar passphrase 474Provides the (old) passphrase. 475.It Fl p 476Requests changing the passphrase of a private key file instead of 477creating a new private key. 478The program will prompt for the file 479containing the private key, for the old passphrase, and twice for the 480new passphrase. 481.It Fl Q 482Test whether keys have been revoked in a KRL. 483.It Fl q 484Silence 485.Nm ssh-keygen . 486.It Fl R Ar hostname 487Removes all keys belonging to 488.Ar hostname 489from a 490.Pa known_hosts 491file. 492This option is useful to delete hashed hosts (see the 493.Fl H 494option above). 495.It Fl r Ar hostname 496Print the SSHFP fingerprint resource record named 497.Ar hostname 498for the specified public key file. 499.It Fl S Ar start 500Specify start point (in hex) when generating candidate moduli for DH-GEX. 501.It Fl s Ar ca_key 502Certify (sign) a public key using the specified CA key. 503Please see the 504.Sx CERTIFICATES 505section for details. 506.Pp 507When generating a KRL, 508.Fl s 509specifies a path to a CA public key file used to revoke certificates directly 510by key ID or serial number. 511See the 512.Sx KEY REVOCATION LISTS 513section for details. 514.It Fl T Ar output_file 515Test DH group exchange candidate primes (generated using the 516.Fl G 517option) for safety. 518.It Fl t Ar type 519Specifies the type of key to create. 520The possible values are 521.Dq rsa1 522for protocol version 1 and 523.Dq dsa , 524.Dq ecdsa , 525.Dq ed25519 , 526or 527.Dq rsa 528for protocol version 2. 529.It Fl u 530Update a KRL. 531When specified with 532.Fl k , 533keys listed via the command line are added to the existing KRL rather than 534a new KRL being created. 535.It Fl V Ar validity_interval 536Specify a validity interval when signing a certificate. 537A validity interval may consist of a single time, indicating that the 538certificate is valid beginning now and expiring at that time, or may consist 539of two times separated by a colon to indicate an explicit time interval. 540The start time may be specified as a date in YYYYMMDD format, a time 541in YYYYMMDDHHMMSS format or a relative time (to the current time) consisting 542of a minus sign followed by a relative time in the format described in the 543TIME FORMATS section of 544.Xr sshd_config 5 . 545The end time may be specified as a YYYYMMDD date, a YYYYMMDDHHMMSS time or 546a relative time starting with a plus character. 547.Pp 548For example: 549.Dq +52w1d 550(valid from now to 52 weeks and one day from now), 551.Dq -4w:+4w 552(valid from four weeks ago to four weeks from now), 553.Dq 20100101123000:20110101123000 554(valid from 12:30 PM, January 1st, 2010 to 12:30 PM, January 1st, 2011), 555.Dq -1d:20110101 556(valid from yesterday to midnight, January 1st, 2011). 557.It Fl v 558Verbose mode. 559Causes 560.Nm 561to print debugging messages about its progress. 562This is helpful for debugging moduli generation. 563Multiple 564.Fl v 565options increase the verbosity. 566The maximum is 3. 567.It Fl W Ar generator 568Specify desired generator when testing candidate moduli for DH-GEX. 569.It Fl y 570This option will read a private 571OpenSSH format file and print an OpenSSH public key to stdout. 572.It Fl z Ar serial_number 573Specifies a serial number to be embedded in the certificate to distinguish 574this certificate from others from the same CA. 575The default serial number is zero. 576.Pp 577When generating a KRL, the 578.Fl z 579flag is used to specify a KRL version number. 580.El 581.Sh MODULI GENERATION 582.Nm 583may be used to generate groups for the Diffie-Hellman Group Exchange 584(DH-GEX) protocol. 585Generating these groups is a two-step process: first, candidate 586primes are generated using a fast, but memory intensive process. 587These candidate primes are then tested for suitability (a CPU-intensive 588process). 589.Pp 590Generation of primes is performed using the 591.Fl G 592option. 593The desired length of the primes may be specified by the 594.Fl b 595option. 596For example: 597.Pp 598.Dl # ssh-keygen -G moduli-2048.candidates -b 2048 599.Pp 600By default, the search for primes begins at a random point in the 601desired length range. 602This may be overridden using the 603.Fl S 604option, which specifies a different start point (in hex). 605.Pp 606Once a set of candidates have been generated, they must be screened for 607suitability. 608This may be performed using the 609.Fl T 610option. 611In this mode 612.Nm 613will read candidates from standard input (or a file specified using the 614.Fl f 615option). 616For example: 617.Pp 618.Dl # ssh-keygen -T moduli-2048 -f moduli-2048.candidates 619.Pp 620By default, each candidate will be subjected to 100 primality tests. 621This may be overridden using the 622.Fl a 623option. 624The DH generator value will be chosen automatically for the 625prime under consideration. 626If a specific generator is desired, it may be requested using the 627.Fl W 628option. 629Valid generator values are 2, 3, and 5. 630.Pp 631Screened DH groups may be installed in 632.Pa /etc/moduli . 633It is important that this file contains moduli of a range of bit lengths and 634that both ends of a connection share common moduli. 635.Sh CERTIFICATES 636.Nm 637supports signing of keys to produce certificates that may be used for 638user or host authentication. 639Certificates consist of a public key, some identity information, zero or 640more principal (user or host) names and a set of options that 641are signed by a Certification Authority (CA) key. 642Clients or servers may then trust only the CA key and verify its signature 643on a certificate rather than trusting many user/host keys. 644Note that OpenSSH certificates are a different, and much simpler, format to 645the X.509 certificates used in 646.Xr ssl 8 . 647.Pp 648.Nm 649supports two types of certificates: user and host. 650User certificates authenticate users to servers, whereas host certificates 651authenticate server hosts to users. 652To generate a user certificate: 653.Pp 654.Dl $ ssh-keygen -s /path/to/ca_key -I key_id /path/to/user_key.pub 655.Pp 656The resultant certificate will be placed in 657.Pa /path/to/user_key-cert.pub . 658A host certificate requires the 659.Fl h 660option: 661.Pp 662.Dl $ ssh-keygen -s /path/to/ca_key -I key_id -h /path/to/host_key.pub 663.Pp 664The host certificate will be output to 665.Pa /path/to/host_key-cert.pub . 666.Pp 667It is possible to sign using a CA key stored in a PKCS#11 token by 668providing the token library using 669.Fl D 670and identifying the CA key by providing its public half as an argument 671to 672.Fl s : 673.Pp 674.Dl $ ssh-keygen -s ca_key.pub -D libpkcs11.so -I key_id host_key.pub 675.Pp 676In all cases, 677.Ar key_id 678is a "key identifier" that is logged by the server when the certificate 679is used for authentication. 680.Pp 681Certificates may be limited to be valid for a set of principal (user/host) 682names. 683By default, generated certificates are valid for all users or hosts. 684To generate a certificate for a specified set of principals: 685.Pp 686.Dl $ ssh-keygen -s ca_key -I key_id -n user1,user2 user_key.pub 687.Dl "$ ssh-keygen -s ca_key -I key_id -h -n host.domain user_key.pub" 688.Pp 689Additional limitations on the validity and use of user certificates may 690be specified through certificate options. 691A certificate option may disable features of the SSH session, may be 692valid only when presented from particular source addresses or may 693force the use of a specific command. 694For a list of valid certificate options, see the documentation for the 695.Fl O 696option above. 697.Pp 698Finally, certificates may be defined with a validity lifetime. 699The 700.Fl V 701option allows specification of certificate start and end times. 702A certificate that is presented at a time outside this range will not be 703considered valid. 704By default, certificates are valid from 705.Ux 706Epoch to the distant future. 707.Pp 708For certificates to be used for user or host authentication, the CA 709public key must be trusted by 710.Xr sshd 8 711or 712.Xr ssh 1 . 713Please refer to those manual pages for details. 714.Sh KEY REVOCATION LISTS 715.Nm 716is able to manage OpenSSH format Key Revocation Lists (KRLs). 717These binary files specify keys or certificates to be revoked using a 718compact format, taking as little as one bit per certificate if they are being 719revoked by serial number. 720.Pp 721KRLs may be generated using the 722.Fl k 723flag. 724This option reads one or more files from the command line and generates a new 725KRL. 726The files may either contain a KRL specification (see below) or public keys, 727listed one per line. 728Plain public keys are revoked by listing their hash or contents in the KRL and 729certificates revoked by serial number or key ID (if the serial is zero or 730not available). 731.Pp 732Revoking keys using a KRL specification offers explicit control over the 733types of record used to revoke keys and may be used to directly revoke 734certificates by serial number or key ID without having the complete original 735certificate on hand. 736A KRL specification consists of lines containing one of the following directives 737followed by a colon and some directive-specific information. 738.Bl -tag -width Ds 739.It Cm serial : Ar serial_number Ns Op - Ns Ar serial_number 740Revokes a certificate with the specified serial number. 741Serial numbers are 64-bit values, not including zero and may be expressed 742in decimal, hex or octal. 743If two serial numbers are specified separated by a hyphen, then the range 744of serial numbers including and between each is revoked. 745The CA key must have been specified on the 746.Nm 747command line using the 748.Fl s 749option. 750.It Cm id : Ar key_id 751Revokes a certificate with the specified key ID string. 752The CA key must have been specified on the 753.Nm 754command line using the 755.Fl s 756option. 757.It Cm key : Ar public_key 758Revokes the specified key. 759If a certificate is listed, then it is revoked as a plain public key. 760.It Cm sha1 : Ar public_key 761Revokes the specified key by its SHA1 hash. 762.El 763.Pp 764KRLs may be updated using the 765.Fl u 766flag in addition to 767.Fl k . 768When this option is specified, keys listed via the command line are merged into 769the KRL, adding to those already there. 770.Pp 771It is also possible, given a KRL, to test whether it revokes a particular key 772(or keys). 773The 774.Fl Q 775flag will query an existing KRL, testing each key specified on the commandline. 776If any key listed on the command line has been revoked (or an error encountered) 777then 778.Nm 779will exit with a non-zero exit status. 780A zero exit status will only be returned if no key was revoked. 781.Sh FILES 782.Bl -tag -width Ds -compact 783.It Pa ~/.ssh/identity 784Contains the protocol version 1 RSA authentication identity of the user. 785This file should not be readable by anyone but the user. 786It is possible to 787specify a passphrase when generating the key; that passphrase will be 788used to encrypt the private part of this file using 3DES. 789This file is not automatically accessed by 790.Nm 791but it is offered as the default file for the private key. 792.Xr ssh 1 793will read this file when a login attempt is made. 794.Pp 795.It Pa ~/.ssh/identity.pub 796Contains the protocol version 1 RSA public key for authentication. 797The contents of this file should be added to 798.Pa ~/.ssh/authorized_keys 799on all machines 800where the user wishes to log in using RSA authentication. 801There is no need to keep the contents of this file secret. 802.Pp 803.It Pa ~/.ssh/id_dsa 804.It Pa ~/.ssh/id_ecdsa 805.It Pa ~/.ssh/id_ed25519 806.It Pa ~/.ssh/id_rsa 807Contains the protocol version 2 DSA, ECDSA, ED25519 or RSA 808authentication identity of the user. 809This file should not be readable by anyone but the user. 810It is possible to 811specify a passphrase when generating the key; that passphrase will be 812used to encrypt the private part of this file using 128-bit AES. 813This file is not automatically accessed by 814.Nm 815but it is offered as the default file for the private key. 816.Xr ssh 1 817will read this file when a login attempt is made. 818.Pp 819.It Pa ~/.ssh/id_dsa.pub 820.It Pa ~/.ssh/id_ecdsa.pub 821.It Pa ~/.ssh/id_ed25519.pub 822.It Pa ~/.ssh/id_rsa.pub 823Contains the protocol version 2 DSA, ECDSA, ED25519 or RSA 824public key for authentication. 825The contents of this file should be added to 826.Pa ~/.ssh/authorized_keys 827on all machines 828where the user wishes to log in using public key authentication. 829There is no need to keep the contents of this file secret. 830.Pp 831.It Pa /etc/moduli 832Contains Diffie-Hellman groups used for DH-GEX. 833The file format is described in 834.Xr moduli 5 . 835.El 836.Sh SEE ALSO 837.Xr ssh 1 , 838.Xr ssh-add 1 , 839.Xr ssh-agent 1 , 840.Xr moduli 5 , 841.Xr sshd 8 842.Rs 843.%R RFC 4716 844.%T "The Secure Shell (SSH) Public Key File Format" 845.%D 2006 846.Re 847.Sh AUTHORS 848OpenSSH is a derivative of the original and free 849ssh 1.2.12 release by Tatu Ylonen. 850Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, 851Theo de Raadt and Dug Song 852removed many bugs, re-added newer features and 853created OpenSSH. 854Markus Friedl contributed the support for SSH 855protocol versions 1.5 and 2.0. 856