1.\" $OpenBSD: ssh-keygen.1,v 1.116 2013/06/27 14:05:37 jmc Exp $ 2.\" $FreeBSD$ 3.\" 4.\" Author: Tatu Ylonen <ylo@cs.hut.fi> 5.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 6.\" All rights reserved 7.\" 8.\" As far as I am concerned, the code I have written for this software 9.\" can be used freely for any purpose. Any derived versions of this 10.\" software must be clearly marked as such, and if the derived work is 11.\" incompatible with the protocol description in the RFC file, it must be 12.\" called by a name other than "ssh" or "Secure Shell". 13.\" 14.\" 15.\" Copyright (c) 1999,2000 Markus Friedl. All rights reserved. 16.\" Copyright (c) 1999 Aaron Campbell. All rights reserved. 17.\" Copyright (c) 1999 Theo de Raadt. All rights reserved. 18.\" 19.\" Redistribution and use in source and binary forms, with or without 20.\" modification, are permitted provided that the following conditions 21.\" are met: 22.\" 1. Redistributions of source code must retain the above copyright 23.\" notice, this list of conditions and the following disclaimer. 24.\" 2. Redistributions in binary form must reproduce the above copyright 25.\" notice, this list of conditions and the following disclaimer in the 26.\" documentation and/or other materials provided with the distribution. 27.\" 28.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 29.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 30.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 31.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 32.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 33.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 34.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 35.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 36.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 37.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 38.\" 39.Dd June 27, 2013 40.Dt SSH-KEYGEN 1 41.Os 42.Sh NAME 43.Nm ssh-keygen 44.Nd authentication key generation, management and conversion 45.Sh SYNOPSIS 46.Bk -words 47.Nm ssh-keygen 48.Op Fl q 49.Op Fl b Ar bits 50.Fl t Ar type 51.Op Fl N Ar new_passphrase 52.Op Fl C Ar comment 53.Op Fl f Ar output_keyfile 54.Nm ssh-keygen 55.Fl p 56.Op Fl P Ar old_passphrase 57.Op Fl N Ar new_passphrase 58.Op Fl f Ar keyfile 59.Nm ssh-keygen 60.Fl i 61.Op Fl m Ar key_format 62.Op Fl f Ar input_keyfile 63.Nm ssh-keygen 64.Fl e 65.Op Fl m Ar key_format 66.Op Fl f Ar input_keyfile 67.Nm ssh-keygen 68.Fl y 69.Op Fl f Ar input_keyfile 70.Nm ssh-keygen 71.Fl c 72.Op Fl P Ar passphrase 73.Op Fl C Ar comment 74.Op Fl f Ar keyfile 75.Nm ssh-keygen 76.Fl l 77.Op Fl f Ar input_keyfile 78.Nm ssh-keygen 79.Fl B 80.Op Fl f Ar input_keyfile 81.Nm ssh-keygen 82.Fl D Ar pkcs11 83.Nm ssh-keygen 84.Fl F Ar hostname 85.Op Fl f Ar known_hosts_file 86.Op Fl l 87.Nm ssh-keygen 88.Fl H 89.Op Fl f Ar known_hosts_file 90.Nm ssh-keygen 91.Fl R Ar hostname 92.Op Fl f Ar known_hosts_file 93.Nm ssh-keygen 94.Fl r Ar hostname 95.Op Fl f Ar input_keyfile 96.Op Fl g 97.Nm ssh-keygen 98.Fl G Ar output_file 99.Op Fl v 100.Op Fl b Ar bits 101.Op Fl M Ar memory 102.Op Fl S Ar start_point 103.Nm ssh-keygen 104.Fl T Ar output_file 105.Fl f Ar input_file 106.Op Fl v 107.Op Fl a Ar num_trials 108.Op Fl J Ar num_lines 109.Op Fl j Ar start_line 110.Op Fl K Ar checkpt 111.Op Fl W Ar generator 112.Nm ssh-keygen 113.Fl s Ar ca_key 114.Fl I Ar certificate_identity 115.Op Fl h 116.Op Fl n Ar principals 117.Op Fl O Ar option 118.Op Fl V Ar validity_interval 119.Op Fl z Ar serial_number 120.Ar 121.Nm ssh-keygen 122.Fl L 123.Op Fl f Ar input_keyfile 124.Nm ssh-keygen 125.Fl A 126.Nm ssh-keygen 127.Fl k 128.Fl f Ar krl_file 129.Op Fl u 130.Op Fl s Ar ca_public 131.Op Fl z Ar version_number 132.Ar 133.Nm ssh-keygen 134.Fl Q 135.Fl f Ar krl_file 136.Ar 137.Ek 138.Sh DESCRIPTION 139.Nm 140generates, manages and converts authentication keys for 141.Xr ssh 1 . 142.Nm 143can create RSA keys for use by SSH protocol version 1 and DSA, ECDSA or RSA 144keys for use by SSH protocol version 2. 145The type of key to be generated is specified with the 146.Fl t 147option. 148If invoked without any arguments, 149.Nm 150will generate an RSA key for use in SSH protocol 2 connections. 151.Pp 152.Nm 153is also used to generate groups for use in Diffie-Hellman group 154exchange (DH-GEX). 155See the 156.Sx MODULI GENERATION 157section for details. 158.Pp 159Finally, 160.Nm 161can be used to generate and update Key Revocation Lists, and to test whether 162given keys have been revoked by one. 163See the 164.Sx KEY REVOCATION LISTS 165section for details. 166.Pp 167Normally each user wishing to use SSH 168with public key authentication runs this once to create the authentication 169key in 170.Pa ~/.ssh/identity , 171.Pa ~/.ssh/id_ecdsa , 172.Pa ~/.ssh/id_dsa 173or 174.Pa ~/.ssh/id_rsa . 175Additionally, the system administrator may use this to generate host keys, 176as seen in 177.Pa /etc/rc . 178.Pp 179Normally this program generates the key and asks for a file in which 180to store the private key. 181The public key is stored in a file with the same name but 182.Dq .pub 183appended. 184The program also asks for a passphrase. 185The passphrase may be empty to indicate no passphrase 186(host keys must have an empty passphrase), or it may be a string of 187arbitrary length. 188A passphrase is similar to a password, except it can be a phrase with a 189series of words, punctuation, numbers, whitespace, or any string of 190characters you want. 191Good passphrases are 10-30 characters long, are 192not simple sentences or otherwise easily guessable (English 193prose has only 1-2 bits of entropy per character, and provides very bad 194passphrases), and contain a mix of upper and lowercase letters, 195numbers, and non-alphanumeric characters. 196The passphrase can be changed later by using the 197.Fl p 198option. 199.Pp 200There is no way to recover a lost passphrase. 201If the passphrase is lost or forgotten, a new key must be generated 202and the corresponding public key copied to other machines. 203.Pp 204For RSA1 keys, 205there is also a comment field in the key file that is only for 206convenience to the user to help identify the key. 207The comment can tell what the key is for, or whatever is useful. 208The comment is initialized to 209.Dq user@host 210when the key is created, but can be changed using the 211.Fl c 212option. 213.Pp 214After a key is generated, instructions below detail where the keys 215should be placed to be activated. 216.Pp 217The options are as follows: 218.Bl -tag -width Ds 219.It Fl A 220For each of the key types (rsa1, rsa, dsa and ecdsa) for which host keys 221do not exist, generate the host keys with the default key file path, 222an empty passphrase, default bits for the key type, and default comment. 223This is used by 224.Pa /etc/rc 225to generate new host keys. 226.It Fl a Ar trials 227Specifies the number of primality tests to perform when screening DH-GEX 228candidates using the 229.Fl T 230command. 231.It Fl B 232Show the bubblebabble digest of specified private or public key file. 233.It Fl b Ar bits 234Specifies the number of bits in the key to create. 235For RSA keys, the minimum size is 768 bits and the default is 2048 bits. 236Generally, 2048 bits is considered sufficient. 237DSA keys must be exactly 1024 bits as specified by FIPS 186-2. 238For ECDSA keys, the 239.Fl b 240flag determines the key length by selecting from one of three elliptic 241curve sizes: 256, 384 or 521 bits. 242Attempting to use bit lengths other than these three values for ECDSA keys 243will fail. 244.It Fl C Ar comment 245Provides a new comment. 246.It Fl c 247Requests changing the comment in the private and public key files. 248This operation is only supported for RSA1 keys. 249The program will prompt for the file containing the private keys, for 250the passphrase if the key has one, and for the new comment. 251.It Fl D Ar pkcs11 252Download the RSA public keys provided by the PKCS#11 shared library 253.Ar pkcs11 . 254When used in combination with 255.Fl s , 256this option indicates that a CA key resides in a PKCS#11 token (see the 257.Sx CERTIFICATES 258section for details). 259.It Fl e 260This option will read a private or public OpenSSH key file and 261print to stdout the key in one of the formats specified by the 262.Fl m 263option. 264The default export format is 265.Dq RFC4716 . 266This option allows exporting OpenSSH keys for use by other programs, including 267several commercial SSH implementations. 268.It Fl F Ar hostname 269Search for the specified 270.Ar hostname 271in a 272.Pa known_hosts 273file, listing any occurrences found. 274This option is useful to find hashed host names or addresses and may also be 275used in conjunction with the 276.Fl H 277option to print found keys in a hashed format. 278.It Fl f Ar filename 279Specifies the filename of the key file. 280.It Fl G Ar output_file 281Generate candidate primes for DH-GEX. 282These primes must be screened for 283safety (using the 284.Fl T 285option) before use. 286.It Fl g 287Use generic DNS format when printing fingerprint resource records using the 288.Fl r 289command. 290.It Fl H 291Hash a 292.Pa known_hosts 293file. 294This replaces all hostnames and addresses with hashed representations 295within the specified file; the original content is moved to a file with 296a .old suffix. 297These hashes may be used normally by 298.Nm ssh 299and 300.Nm sshd , 301but they do not reveal identifying information should the file's contents 302be disclosed. 303This option will not modify existing hashed hostnames and is therefore safe 304to use on files that mix hashed and non-hashed names. 305.It Fl h 306When signing a key, create a host certificate instead of a user 307certificate. 308Please see the 309.Sx CERTIFICATES 310section for details. 311.It Fl I Ar certificate_identity 312Specify the key identity when signing a public key. 313Please see the 314.Sx CERTIFICATES 315section for details. 316.It Fl i 317This option will read an unencrypted private (or public) key file 318in the format specified by the 319.Fl m 320option and print an OpenSSH compatible private 321(or public) key to stdout. 322.It Fl J Ar num_lines 323Exit after screening the specified number of lines 324while performing DH candidate screening using the 325.Fl T 326option. 327.It Fl j Ar start_line 328Start screening at the specified line number 329while performing DH candidate screening using the 330.Fl T 331option. 332.It Fl K Ar checkpt 333Write the last line processed to the file 334.Ar checkpt 335while performing DH candidate screening using the 336.Fl T 337option. 338This will be used to skip lines in the input file that have already been 339processed if the job is restarted. 340This option allows importing keys from other software, including several 341commercial SSH implementations. 342The default import format is 343.Dq RFC4716 . 344.It Fl k 345Generate a KRL file. 346In this mode, 347.Nm 348will generate a KRL file at the location specified via the 349.Fl f 350flag that revokes every key or certificate presented on the command line. 351Keys/certificates to be revoked may be specified by public key file or 352using the format described in the 353.Sx KEY REVOCATION LISTS 354section. 355.It Fl L 356Prints the contents of a certificate. 357.It Fl l 358Show fingerprint of specified public key file. 359Private RSA1 keys are also supported. 360For RSA and DSA keys 361.Nm 362tries to find the matching public key file and prints its fingerprint. 363If combined with 364.Fl v , 365an ASCII art representation of the key is supplied with the fingerprint. 366.It Fl M Ar memory 367Specify the amount of memory to use (in megabytes) when generating 368candidate moduli for DH-GEX. 369.It Fl m Ar key_format 370Specify a key format for the 371.Fl i 372(import) or 373.Fl e 374(export) conversion options. 375The supported key formats are: 376.Dq RFC4716 377(RFC 4716/SSH2 public or private key), 378.Dq PKCS8 379(PEM PKCS8 public key) 380or 381.Dq PEM 382(PEM public key). 383The default conversion format is 384.Dq RFC4716 . 385.It Fl N Ar new_passphrase 386Provides the new passphrase. 387.It Fl n Ar principals 388Specify one or more principals (user or host names) to be included in 389a certificate when signing a key. 390Multiple principals may be specified, separated by commas. 391Please see the 392.Sx CERTIFICATES 393section for details. 394.It Fl O Ar option 395Specify a certificate option when signing a key. 396This option may be specified multiple times. 397Please see the 398.Sx CERTIFICATES 399section for details. 400The options that are valid for user certificates are: 401.Bl -tag -width Ds 402.It Ic clear 403Clear all enabled permissions. 404This is useful for clearing the default set of permissions so permissions may 405be added individually. 406.It Ic force-command Ns = Ns Ar command 407Forces the execution of 408.Ar command 409instead of any shell or command specified by the user when 410the certificate is used for authentication. 411.It Ic no-agent-forwarding 412Disable 413.Xr ssh-agent 1 414forwarding (permitted by default). 415.It Ic no-port-forwarding 416Disable port forwarding (permitted by default). 417.It Ic no-pty 418Disable PTY allocation (permitted by default). 419.It Ic no-user-rc 420Disable execution of 421.Pa ~/.ssh/rc 422by 423.Xr sshd 8 424(permitted by default). 425.It Ic no-x11-forwarding 426Disable X11 forwarding (permitted by default). 427.It Ic permit-agent-forwarding 428Allows 429.Xr ssh-agent 1 430forwarding. 431.It Ic permit-port-forwarding 432Allows port forwarding. 433.It Ic permit-pty 434Allows PTY allocation. 435.It Ic permit-user-rc 436Allows execution of 437.Pa ~/.ssh/rc 438by 439.Xr sshd 8 . 440.It Ic permit-x11-forwarding 441Allows X11 forwarding. 442.It Ic source-address Ns = Ns Ar address_list 443Restrict the source addresses from which the certificate is considered valid. 444The 445.Ar address_list 446is a comma-separated list of one or more address/netmask pairs in CIDR 447format. 448.El 449.Pp 450At present, no options are valid for host keys. 451.It Fl P Ar passphrase 452Provides the (old) passphrase. 453.It Fl p 454Requests changing the passphrase of a private key file instead of 455creating a new private key. 456The program will prompt for the file 457containing the private key, for the old passphrase, and twice for the 458new passphrase. 459.It Fl Q 460Test whether keys have been revoked in a KRL. 461.It Fl q 462Silence 463.Nm ssh-keygen . 464.It Fl R Ar hostname 465Removes all keys belonging to 466.Ar hostname 467from a 468.Pa known_hosts 469file. 470This option is useful to delete hashed hosts (see the 471.Fl H 472option above). 473.It Fl r Ar hostname 474Print the SSHFP fingerprint resource record named 475.Ar hostname 476for the specified public key file. 477.It Fl S Ar start 478Specify start point (in hex) when generating candidate moduli for DH-GEX. 479.It Fl s Ar ca_key 480Certify (sign) a public key using the specified CA key. 481Please see the 482.Sx CERTIFICATES 483section for details. 484.Pp 485When generating a KRL, 486.Fl s 487specifies a path to a CA public key file used to revoke certificates directly 488by key ID or serial number. 489See the 490.Sx KEY REVOCATION LISTS 491section for details. 492.It Fl T Ar output_file 493Test DH group exchange candidate primes (generated using the 494.Fl G 495option) for safety. 496.It Fl t Ar type 497Specifies the type of key to create. 498The possible values are 499.Dq rsa1 500for protocol version 1 and 501.Dq dsa , 502.Dq ecdsa 503or 504.Dq rsa 505for protocol version 2. 506.It Fl u 507Update a KRL. 508When specified with 509.Fl k , 510keys listed via the command line are added to the existing KRL rather than 511a new KRL being created. 512.It Fl V Ar validity_interval 513Specify a validity interval when signing a certificate. 514A validity interval may consist of a single time, indicating that the 515certificate is valid beginning now and expiring at that time, or may consist 516of two times separated by a colon to indicate an explicit time interval. 517The start time may be specified as a date in YYYYMMDD format, a time 518in YYYYMMDDHHMMSS format or a relative time (to the current time) consisting 519of a minus sign followed by a relative time in the format described in the 520TIME FORMATS section of 521.Xr sshd_config 5 . 522The end time may be specified as a YYYYMMDD date, a YYYYMMDDHHMMSS time or 523a relative time starting with a plus character. 524.Pp 525For example: 526.Dq +52w1d 527(valid from now to 52 weeks and one day from now), 528.Dq -4w:+4w 529(valid from four weeks ago to four weeks from now), 530.Dq 20100101123000:20110101123000 531(valid from 12:30 PM, January 1st, 2010 to 12:30 PM, January 1st, 2011), 532.Dq -1d:20110101 533(valid from yesterday to midnight, January 1st, 2011). 534.It Fl v 535Verbose mode. 536Causes 537.Nm 538to print debugging messages about its progress. 539This is helpful for debugging moduli generation. 540Multiple 541.Fl v 542options increase the verbosity. 543The maximum is 3. 544.It Fl W Ar generator 545Specify desired generator when testing candidate moduli for DH-GEX. 546.It Fl y 547This option will read a private 548OpenSSH format file and print an OpenSSH public key to stdout. 549.It Fl z Ar serial_number 550Specifies a serial number to be embedded in the certificate to distinguish 551this certificate from others from the same CA. 552The default serial number is zero. 553.Pp 554When generating a KRL, the 555.Fl z 556flag is used to specify a KRL version number. 557.El 558.Sh MODULI GENERATION 559.Nm 560may be used to generate groups for the Diffie-Hellman Group Exchange 561(DH-GEX) protocol. 562Generating these groups is a two-step process: first, candidate 563primes are generated using a fast, but memory intensive process. 564These candidate primes are then tested for suitability (a CPU-intensive 565process). 566.Pp 567Generation of primes is performed using the 568.Fl G 569option. 570The desired length of the primes may be specified by the 571.Fl b 572option. 573For example: 574.Pp 575.Dl # ssh-keygen -G moduli-2048.candidates -b 2048 576.Pp 577By default, the search for primes begins at a random point in the 578desired length range. 579This may be overridden using the 580.Fl S 581option, which specifies a different start point (in hex). 582.Pp 583Once a set of candidates have been generated, they must be screened for 584suitability. 585This may be performed using the 586.Fl T 587option. 588In this mode 589.Nm 590will read candidates from standard input (or a file specified using the 591.Fl f 592option). 593For example: 594.Pp 595.Dl # ssh-keygen -T moduli-2048 -f moduli-2048.candidates 596.Pp 597By default, each candidate will be subjected to 100 primality tests. 598This may be overridden using the 599.Fl a 600option. 601The DH generator value will be chosen automatically for the 602prime under consideration. 603If a specific generator is desired, it may be requested using the 604.Fl W 605option. 606Valid generator values are 2, 3, and 5. 607.Pp 608Screened DH groups may be installed in 609.Pa /etc/moduli . 610It is important that this file contains moduli of a range of bit lengths and 611that both ends of a connection share common moduli. 612.Sh CERTIFICATES 613.Nm 614supports signing of keys to produce certificates that may be used for 615user or host authentication. 616Certificates consist of a public key, some identity information, zero or 617more principal (user or host) names and a set of options that 618are signed by a Certification Authority (CA) key. 619Clients or servers may then trust only the CA key and verify its signature 620on a certificate rather than trusting many user/host keys. 621Note that OpenSSH certificates are a different, and much simpler, format to 622the X.509 certificates used in 623.Xr ssl 8 . 624.Pp 625.Nm 626supports two types of certificates: user and host. 627User certificates authenticate users to servers, whereas host certificates 628authenticate server hosts to users. 629To generate a user certificate: 630.Pp 631.Dl $ ssh-keygen -s /path/to/ca_key -I key_id /path/to/user_key.pub 632.Pp 633The resultant certificate will be placed in 634.Pa /path/to/user_key-cert.pub . 635A host certificate requires the 636.Fl h 637option: 638.Pp 639.Dl $ ssh-keygen -s /path/to/ca_key -I key_id -h /path/to/host_key.pub 640.Pp 641The host certificate will be output to 642.Pa /path/to/host_key-cert.pub . 643.Pp 644It is possible to sign using a CA key stored in a PKCS#11 token by 645providing the token library using 646.Fl D 647and identifying the CA key by providing its public half as an argument 648to 649.Fl s : 650.Pp 651.Dl $ ssh-keygen -s ca_key.pub -D libpkcs11.so -I key_id host_key.pub 652.Pp 653In all cases, 654.Ar key_id 655is a "key identifier" that is logged by the server when the certificate 656is used for authentication. 657.Pp 658Certificates may be limited to be valid for a set of principal (user/host) 659names. 660By default, generated certificates are valid for all users or hosts. 661To generate a certificate for a specified set of principals: 662.Pp 663.Dl $ ssh-keygen -s ca_key -I key_id -n user1,user2 user_key.pub 664.Dl "$ ssh-keygen -s ca_key -I key_id -h -n host.domain user_key.pub" 665.Pp 666Additional limitations on the validity and use of user certificates may 667be specified through certificate options. 668A certificate option may disable features of the SSH session, may be 669valid only when presented from particular source addresses or may 670force the use of a specific command. 671For a list of valid certificate options, see the documentation for the 672.Fl O 673option above. 674.Pp 675Finally, certificates may be defined with a validity lifetime. 676The 677.Fl V 678option allows specification of certificate start and end times. 679A certificate that is presented at a time outside this range will not be 680considered valid. 681By default, certificates are valid from 682.Ux 683Epoch to the distant future. 684.Pp 685For certificates to be used for user or host authentication, the CA 686public key must be trusted by 687.Xr sshd 8 688or 689.Xr ssh 1 . 690Please refer to those manual pages for details. 691.Sh KEY REVOCATION LISTS 692.Nm 693is able to manage OpenSSH format Key Revocation Lists (KRLs). 694These binary files specify keys or certificates to be revoked using a 695compact format, taking as little a one bit per certificate if they are being 696revoked by serial number. 697.Pp 698KRLs may be generated using the 699.Fl k 700flag. 701This option reads one or more files from the command line and generates a new 702KRL. 703The files may either contain a KRL specification (see below) or public keys, 704listed one per line. 705Plain public keys are revoked by listing their hash or contents in the KRL and 706certificates revoked by serial number or key ID (if the serial is zero or 707not available). 708.Pp 709Revoking keys using a KRL specification offers explicit control over the 710types of record used to revoke keys and may be used to directly revoke 711certificates by serial number or key ID without having the complete original 712certificate on hand. 713A KRL specification consists of lines containing one of the following directives 714followed by a colon and some directive-specific information. 715.Bl -tag -width Ds 716.It Cm serial : Ar serial_number Ns Op - Ns Ar serial_number 717Revokes a certificate with the specified serial number. 718Serial numbers are 64-bit values, not including zero and may be expressed 719in decimal, hex or octal. 720If two serial numbers are specified separated by a hyphen, then the range 721of serial numbers including and between each is revoked. 722The CA key must have been specified on the 723.Nm 724command line using the 725.Fl s 726option. 727.It Cm id : Ar key_id 728Revokes a certificate with the specified key ID string. 729The CA key must have been specified on the 730.Nm 731command line using the 732.Fl s 733option. 734.It Cm key : Ar public_key 735Revokes the specified key. 736If a certificate is listed, then it is revoked as a plain public key. 737.It Cm sha1 : Ar public_key 738Revokes the specified key by its SHA1 hash. 739.El 740.Pp 741KRLs may be updated using the 742.Fl u 743flag in addition to 744.Fl k . 745When this option is specified, keys listed via the command line are merged into 746the KRL, adding to those already there. 747.Pp 748It is also possible, given a KRL, to test whether it revokes a particular key 749(or keys). 750The 751.Fl Q 752flag will query an existing KRL, testing each key specified on the commandline. 753If any key listed on the command line has been revoked (or an error encountered) 754then 755.Nm 756will exit with a non-zero exit status. 757A zero exit status will only be returned if no key was revoked. 758.Sh FILES 759.Bl -tag -width Ds -compact 760.It Pa ~/.ssh/identity 761Contains the protocol version 1 RSA authentication identity of the user. 762This file should not be readable by anyone but the user. 763It is possible to 764specify a passphrase when generating the key; that passphrase will be 765used to encrypt the private part of this file using 3DES. 766This file is not automatically accessed by 767.Nm 768but it is offered as the default file for the private key. 769.Xr ssh 1 770will read this file when a login attempt is made. 771.Pp 772.It Pa ~/.ssh/identity.pub 773Contains the protocol version 1 RSA public key for authentication. 774The contents of this file should be added to 775.Pa ~/.ssh/authorized_keys 776on all machines 777where the user wishes to log in using RSA authentication. 778There is no need to keep the contents of this file secret. 779.Pp 780.It Pa ~/.ssh/id_dsa 781.It Pa ~/.ssh/id_ecdsa 782.It Pa ~/.ssh/id_rsa 783Contains the protocol version 2 DSA, ECDSA or RSA authentication identity of the user. 784This file should not be readable by anyone but the user. 785It is possible to 786specify a passphrase when generating the key; that passphrase will be 787used to encrypt the private part of this file using 128-bit AES. 788This file is not automatically accessed by 789.Nm 790but it is offered as the default file for the private key. 791.Xr ssh 1 792will read this file when a login attempt is made. 793.Pp 794.It Pa ~/.ssh/id_dsa.pub 795.It Pa ~/.ssh/id_ecdsa.pub 796.It Pa ~/.ssh/id_rsa.pub 797Contains the protocol version 2 DSA, ECDSA or RSA public key for authentication. 798The contents of this file should be added to 799.Pa ~/.ssh/authorized_keys 800on all machines 801where the user wishes to log in using public key authentication. 802There is no need to keep the contents of this file secret. 803.Pp 804.It Pa /etc/moduli 805Contains Diffie-Hellman groups used for DH-GEX. 806The file format is described in 807.Xr moduli 5 . 808.El 809.Sh SEE ALSO 810.Xr ssh 1 , 811.Xr ssh-add 1 , 812.Xr ssh-agent 1 , 813.Xr moduli 5 , 814.Xr sshd 8 815.Rs 816.%R RFC 4716 817.%T "The Secure Shell (SSH) Public Key File Format" 818.%D 2006 819.Re 820.Sh AUTHORS 821OpenSSH is a derivative of the original and free 822ssh 1.2.12 release by Tatu Ylonen. 823Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, 824Theo de Raadt and Dug Song 825removed many bugs, re-added newer features and 826created OpenSSH. 827Markus Friedl contributed the support for SSH 828protocol versions 1.5 and 2.0. 829