xref: /freebsd/crypto/openssh/ssh-keygen.1 (revision b1b73fc4c9924c4ca2f94b76155a0895373a0b5c)
1.\"	$OpenBSD: ssh-keygen.1,v 1.130 2016/02/17 07:38:19 jmc Exp $
2.\"
3.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
4.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5.\"                    All rights reserved
6.\"
7.\" As far as I am concerned, the code I have written for this software
8.\" can be used freely for any purpose.  Any derived versions of this
9.\" software must be clearly marked as such, and if the derived work is
10.\" incompatible with the protocol description in the RFC file, it must be
11.\" called by a name other than "ssh" or "Secure Shell".
12.\"
13.\"
14.\" Copyright (c) 1999,2000 Markus Friedl.  All rights reserved.
15.\" Copyright (c) 1999 Aaron Campbell.  All rights reserved.
16.\" Copyright (c) 1999 Theo de Raadt.  All rights reserved.
17.\"
18.\" Redistribution and use in source and binary forms, with or without
19.\" modification, are permitted provided that the following conditions
20.\" are met:
21.\" 1. Redistributions of source code must retain the above copyright
22.\"    notice, this list of conditions and the following disclaimer.
23.\" 2. Redistributions in binary form must reproduce the above copyright
24.\"    notice, this list of conditions and the following disclaimer in the
25.\"    documentation and/or other materials provided with the distribution.
26.\"
27.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
28.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
29.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
30.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
31.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
32.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
33.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
34.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
35.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
36.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
37.\"
38.Dd $Mdocdate: February 17 2016 $
39.Dt SSH-KEYGEN 1
40.Os
41.Sh NAME
42.Nm ssh-keygen
43.Nd authentication key generation, management and conversion
44.Sh SYNOPSIS
45.Bk -words
46.Nm ssh-keygen
47.Op Fl q
48.Op Fl b Ar bits
49.Op Fl t Cm dsa | ecdsa | ed25519 | rsa | rsa1
50.Op Fl N Ar new_passphrase
51.Op Fl C Ar comment
52.Op Fl f Ar output_keyfile
53.Nm ssh-keygen
54.Fl p
55.Op Fl P Ar old_passphrase
56.Op Fl N Ar new_passphrase
57.Op Fl f Ar keyfile
58.Nm ssh-keygen
59.Fl i
60.Op Fl m Ar key_format
61.Op Fl f Ar input_keyfile
62.Nm ssh-keygen
63.Fl e
64.Op Fl m Ar key_format
65.Op Fl f Ar input_keyfile
66.Nm ssh-keygen
67.Fl y
68.Op Fl f Ar input_keyfile
69.Nm ssh-keygen
70.Fl c
71.Op Fl P Ar passphrase
72.Op Fl C Ar comment
73.Op Fl f Ar keyfile
74.Nm ssh-keygen
75.Fl l
76.Op Fl v
77.Op Fl E Ar fingerprint_hash
78.Op Fl f Ar input_keyfile
79.Nm ssh-keygen
80.Fl B
81.Op Fl f Ar input_keyfile
82.Nm ssh-keygen
83.Fl D Ar pkcs11
84.Nm ssh-keygen
85.Fl F Ar hostname
86.Op Fl f Ar known_hosts_file
87.Op Fl l
88.Nm ssh-keygen
89.Fl H
90.Op Fl f Ar known_hosts_file
91.Nm ssh-keygen
92.Fl R Ar hostname
93.Op Fl f Ar known_hosts_file
94.Nm ssh-keygen
95.Fl r Ar hostname
96.Op Fl f Ar input_keyfile
97.Op Fl g
98.Nm ssh-keygen
99.Fl G Ar output_file
100.Op Fl v
101.Op Fl b Ar bits
102.Op Fl M Ar memory
103.Op Fl S Ar start_point
104.Nm ssh-keygen
105.Fl T Ar output_file
106.Fl f Ar input_file
107.Op Fl v
108.Op Fl a Ar rounds
109.Op Fl J Ar num_lines
110.Op Fl j Ar start_line
111.Op Fl K Ar checkpt
112.Op Fl W Ar generator
113.Nm ssh-keygen
114.Fl s Ar ca_key
115.Fl I Ar certificate_identity
116.Op Fl h
117.Op Fl n Ar principals
118.Op Fl O Ar option
119.Op Fl V Ar validity_interval
120.Op Fl z Ar serial_number
121.Ar
122.Nm ssh-keygen
123.Fl L
124.Op Fl f Ar input_keyfile
125.Nm ssh-keygen
126.Fl A
127.Nm ssh-keygen
128.Fl k
129.Fl f Ar krl_file
130.Op Fl u
131.Op Fl s Ar ca_public
132.Op Fl z Ar version_number
133.Ar
134.Nm ssh-keygen
135.Fl Q
136.Fl f Ar krl_file
137.Ar
138.Ek
139.Sh DESCRIPTION
140.Nm
141generates, manages and converts authentication keys for
142.Xr ssh 1 .
143.Nm
144can create keys for use by SSH protocol versions 1 and 2.
145Protocol 1 should not be used
146and is only offered to support legacy devices.
147It suffers from a number of cryptographic weaknesses
148and doesn't support many of the advanced features available for protocol 2.
149.Pp
150The type of key to be generated is specified with the
151.Fl t
152option.
153If invoked without any arguments,
154.Nm
155will generate an RSA key for use in SSH protocol 2 connections.
156.Pp
157.Nm
158is also used to generate groups for use in Diffie-Hellman group
159exchange (DH-GEX).
160See the
161.Sx MODULI GENERATION
162section for details.
163.Pp
164Finally,
165.Nm
166can be used to generate and update Key Revocation Lists, and to test whether
167given keys have been revoked by one.
168See the
169.Sx KEY REVOCATION LISTS
170section for details.
171.Pp
172Normally each user wishing to use SSH
173with public key authentication runs this once to create the authentication
174key in
175.Pa ~/.ssh/identity ,
176.Pa ~/.ssh/id_dsa ,
177.Pa ~/.ssh/id_ecdsa ,
178.Pa ~/.ssh/id_ed25519
179or
180.Pa ~/.ssh/id_rsa .
181Additionally, the system administrator may use this to generate host keys,
182as seen in
183.Pa /etc/rc .
184.Pp
185Normally this program generates the key and asks for a file in which
186to store the private key.
187The public key is stored in a file with the same name but
188.Dq .pub
189appended.
190The program also asks for a passphrase.
191The passphrase may be empty to indicate no passphrase
192(host keys must have an empty passphrase), or it may be a string of
193arbitrary length.
194A passphrase is similar to a password, except it can be a phrase with a
195series of words, punctuation, numbers, whitespace, or any string of
196characters you want.
197Good passphrases are 10-30 characters long, are
198not simple sentences or otherwise easily guessable (English
199prose has only 1-2 bits of entropy per character, and provides very bad
200passphrases), and contain a mix of upper and lowercase letters,
201numbers, and non-alphanumeric characters.
202The passphrase can be changed later by using the
203.Fl p
204option.
205.Pp
206There is no way to recover a lost passphrase.
207If the passphrase is lost or forgotten, a new key must be generated
208and the corresponding public key copied to other machines.
209.Pp
210For RSA1 keys,
211there is also a comment field in the key file that is only for
212convenience to the user to help identify the key.
213The comment can tell what the key is for, or whatever is useful.
214The comment is initialized to
215.Dq user@host
216when the key is created, but can be changed using the
217.Fl c
218option.
219.Pp
220After a key is generated, instructions below detail where the keys
221should be placed to be activated.
222.Pp
223The options are as follows:
224.Bl -tag -width Ds
225.It Fl A
226For each of the key types (rsa1, rsa, dsa, ecdsa and ed25519)
227for which host keys
228do not exist, generate the host keys with the default key file path,
229an empty passphrase, default bits for the key type, and default comment.
230This is used by
231.Pa /etc/rc
232to generate new host keys.
233.It Fl a Ar rounds
234When saving a new-format private key (i.e. an ed25519 key or any SSH protocol
2352 key when the
236.Fl o
237flag is set), this option specifies the number of KDF (key derivation function)
238rounds used.
239Higher numbers result in slower passphrase verification and increased
240resistance to brute-force password cracking (should the keys be stolen).
241.Pp
242When screening DH-GEX candidates (
243using the
244.Fl T
245command).
246This option specifies the number of primality tests to perform.
247.It Fl B
248Show the bubblebabble digest of specified private or public key file.
249.It Fl b Ar bits
250Specifies the number of bits in the key to create.
251For RSA keys, the minimum size is 1024 bits and the default is 2048 bits.
252Generally, 2048 bits is considered sufficient.
253DSA keys must be exactly 1024 bits as specified by FIPS 186-2.
254For ECDSA keys, the
255.Fl b
256flag determines the key length by selecting from one of three elliptic
257curve sizes: 256, 384 or 521 bits.
258Attempting to use bit lengths other than these three values for ECDSA keys
259will fail.
260Ed25519 keys have a fixed length and the
261.Fl b
262flag will be ignored.
263.It Fl C Ar comment
264Provides a new comment.
265.It Fl c
266Requests changing the comment in the private and public key files.
267This operation is only supported for RSA1 keys.
268The program will prompt for the file containing the private keys, for
269the passphrase if the key has one, and for the new comment.
270.It Fl D Ar pkcs11
271Download the RSA public keys provided by the PKCS#11 shared library
272.Ar pkcs11 .
273When used in combination with
274.Fl s ,
275this option indicates that a CA key resides in a PKCS#11 token (see the
276.Sx CERTIFICATES
277section for details).
278.It Fl E Ar fingerprint_hash
279Specifies the hash algorithm used when displaying key fingerprints.
280Valid options are:
281.Dq md5
282and
283.Dq sha256 .
284The default is
285.Dq sha256 .
286.It Fl e
287This option will read a private or public OpenSSH key file and
288print to stdout the key in one of the formats specified by the
289.Fl m
290option.
291The default export format is
292.Dq RFC4716 .
293This option allows exporting OpenSSH keys for use by other programs, including
294several commercial SSH implementations.
295.It Fl F Ar hostname
296Search for the specified
297.Ar hostname
298in a
299.Pa known_hosts
300file, listing any occurrences found.
301This option is useful to find hashed host names or addresses and may also be
302used in conjunction with the
303.Fl H
304option to print found keys in a hashed format.
305.It Fl f Ar filename
306Specifies the filename of the key file.
307.It Fl G Ar output_file
308Generate candidate primes for DH-GEX.
309These primes must be screened for
310safety (using the
311.Fl T
312option) before use.
313.It Fl g
314Use generic DNS format when printing fingerprint resource records using the
315.Fl r
316command.
317.It Fl H
318Hash a
319.Pa known_hosts
320file.
321This replaces all hostnames and addresses with hashed representations
322within the specified file; the original content is moved to a file with
323a .old suffix.
324These hashes may be used normally by
325.Nm ssh
326and
327.Nm sshd ,
328but they do not reveal identifying information should the file's contents
329be disclosed.
330This option will not modify existing hashed hostnames and is therefore safe
331to use on files that mix hashed and non-hashed names.
332.It Fl h
333When signing a key, create a host certificate instead of a user
334certificate.
335Please see the
336.Sx CERTIFICATES
337section for details.
338.It Fl I Ar certificate_identity
339Specify the key identity when signing a public key.
340Please see the
341.Sx CERTIFICATES
342section for details.
343.It Fl i
344This option will read an unencrypted private (or public) key file
345in the format specified by the
346.Fl m
347option and print an OpenSSH compatible private
348(or public) key to stdout.
349This option allows importing keys from other software, including several
350commercial SSH implementations.
351The default import format is
352.Dq RFC4716 .
353.It Fl J Ar num_lines
354Exit after screening the specified number of lines
355while performing DH candidate screening using the
356.Fl T
357option.
358.It Fl j Ar start_line
359Start screening at the specified line number
360while performing DH candidate screening using the
361.Fl T
362option.
363.It Fl K Ar checkpt
364Write the last line processed to the file
365.Ar checkpt
366while performing DH candidate screening using the
367.Fl T
368option.
369This will be used to skip lines in the input file that have already been
370processed if the job is restarted.
371.It Fl k
372Generate a KRL file.
373In this mode,
374.Nm
375will generate a KRL file at the location specified via the
376.Fl f
377flag that revokes every key or certificate presented on the command line.
378Keys/certificates to be revoked may be specified by public key file or
379using the format described in the
380.Sx KEY REVOCATION LISTS
381section.
382.It Fl L
383Prints the contents of one or more certificates.
384.It Fl l
385Show fingerprint of specified public key file.
386Private RSA1 keys are also supported.
387For RSA and DSA keys
388.Nm
389tries to find the matching public key file and prints its fingerprint.
390If combined with
391.Fl v ,
392an ASCII art representation of the key is supplied with the fingerprint.
393.It Fl M Ar memory
394Specify the amount of memory to use (in megabytes) when generating
395candidate moduli for DH-GEX.
396.It Fl m Ar key_format
397Specify a key format for the
398.Fl i
399(import) or
400.Fl e
401(export) conversion options.
402The supported key formats are:
403.Dq RFC4716
404(RFC 4716/SSH2 public or private key),
405.Dq PKCS8
406(PEM PKCS8 public key)
407or
408.Dq PEM
409(PEM public key).
410The default conversion format is
411.Dq RFC4716 .
412.It Fl N Ar new_passphrase
413Provides the new passphrase.
414.It Fl n Ar principals
415Specify one or more principals (user or host names) to be included in
416a certificate when signing a key.
417Multiple principals may be specified, separated by commas.
418Please see the
419.Sx CERTIFICATES
420section for details.
421.It Fl O Ar option
422Specify a certificate option when signing a key.
423This option may be specified multiple times.
424Please see the
425.Sx CERTIFICATES
426section for details.
427The options that are valid for user certificates are:
428.Bl -tag -width Ds
429.It Ic clear
430Clear all enabled permissions.
431This is useful for clearing the default set of permissions so permissions may
432be added individually.
433.It Ic force-command Ns = Ns Ar command
434Forces the execution of
435.Ar command
436instead of any shell or command specified by the user when
437the certificate is used for authentication.
438.It Ic no-agent-forwarding
439Disable
440.Xr ssh-agent 1
441forwarding (permitted by default).
442.It Ic no-port-forwarding
443Disable port forwarding (permitted by default).
444.It Ic no-pty
445Disable PTY allocation (permitted by default).
446.It Ic no-user-rc
447Disable execution of
448.Pa ~/.ssh/rc
449by
450.Xr sshd 8
451(permitted by default).
452.It Ic no-x11-forwarding
453Disable X11 forwarding (permitted by default).
454.It Ic permit-agent-forwarding
455Allows
456.Xr ssh-agent 1
457forwarding.
458.It Ic permit-port-forwarding
459Allows port forwarding.
460.It Ic permit-pty
461Allows PTY allocation.
462.It Ic permit-user-rc
463Allows execution of
464.Pa ~/.ssh/rc
465by
466.Xr sshd 8 .
467.It Ic permit-x11-forwarding
468Allows X11 forwarding.
469.It Ic source-address Ns = Ns Ar address_list
470Restrict the source addresses from which the certificate is considered valid.
471The
472.Ar address_list
473is a comma-separated list of one or more address/netmask pairs in CIDR
474format.
475.El
476.Pp
477At present, no options are valid for host keys.
478.It Fl o
479Causes
480.Nm
481to save private keys using the new OpenSSH format rather than
482the more compatible PEM format.
483The new format has increased resistance to brute-force password cracking
484but is not supported by versions of OpenSSH prior to 6.5.
485Ed25519 keys always use the new private key format.
486.It Fl P Ar passphrase
487Provides the (old) passphrase.
488.It Fl p
489Requests changing the passphrase of a private key file instead of
490creating a new private key.
491The program will prompt for the file
492containing the private key, for the old passphrase, and twice for the
493new passphrase.
494.It Fl Q
495Test whether keys have been revoked in a KRL.
496.It Fl q
497Silence
498.Nm ssh-keygen .
499.It Fl R Ar hostname
500Removes all keys belonging to
501.Ar hostname
502from a
503.Pa known_hosts
504file.
505This option is useful to delete hashed hosts (see the
506.Fl H
507option above).
508.It Fl r Ar hostname
509Print the SSHFP fingerprint resource record named
510.Ar hostname
511for the specified public key file.
512.It Fl S Ar start
513Specify start point (in hex) when generating candidate moduli for DH-GEX.
514.It Fl s Ar ca_key
515Certify (sign) a public key using the specified CA key.
516Please see the
517.Sx CERTIFICATES
518section for details.
519.Pp
520When generating a KRL,
521.Fl s
522specifies a path to a CA public key file used to revoke certificates directly
523by key ID or serial number.
524See the
525.Sx KEY REVOCATION LISTS
526section for details.
527.It Fl T Ar output_file
528Test DH group exchange candidate primes (generated using the
529.Fl G
530option) for safety.
531.It Fl t Cm dsa | ecdsa | ed25519 | rsa | rsa1
532Specifies the type of key to create.
533The possible values are
534.Dq rsa1
535for protocol version 1 and
536.Dq dsa ,
537.Dq ecdsa ,
538.Dq ed25519 ,
539or
540.Dq rsa
541for protocol version 2.
542.It Fl u
543Update a KRL.
544When specified with
545.Fl k ,
546keys listed via the command line are added to the existing KRL rather than
547a new KRL being created.
548.It Fl V Ar validity_interval
549Specify a validity interval when signing a certificate.
550A validity interval may consist of a single time, indicating that the
551certificate is valid beginning now and expiring at that time, or may consist
552of two times separated by a colon to indicate an explicit time interval.
553The start time may be specified as a date in YYYYMMDD format, a time
554in YYYYMMDDHHMMSS format or a relative time (to the current time) consisting
555of a minus sign followed by a relative time in the format described in the
556TIME FORMATS section of
557.Xr sshd_config 5 .
558The end time may be specified as a YYYYMMDD date, a YYYYMMDDHHMMSS time or
559a relative time starting with a plus character.
560.Pp
561For example:
562.Dq +52w1d
563(valid from now to 52 weeks and one day from now),
564.Dq -4w:+4w
565(valid from four weeks ago to four weeks from now),
566.Dq 20100101123000:20110101123000
567(valid from 12:30 PM, January 1st, 2010 to 12:30 PM, January 1st, 2011),
568.Dq -1d:20110101
569(valid from yesterday to midnight, January 1st, 2011).
570.It Fl v
571Verbose mode.
572Causes
573.Nm
574to print debugging messages about its progress.
575This is helpful for debugging moduli generation.
576Multiple
577.Fl v
578options increase the verbosity.
579The maximum is 3.
580.It Fl W Ar generator
581Specify desired generator when testing candidate moduli for DH-GEX.
582.It Fl y
583This option will read a private
584OpenSSH format file and print an OpenSSH public key to stdout.
585.It Fl z Ar serial_number
586Specifies a serial number to be embedded in the certificate to distinguish
587this certificate from others from the same CA.
588The default serial number is zero.
589.Pp
590When generating a KRL, the
591.Fl z
592flag is used to specify a KRL version number.
593.El
594.Sh MODULI GENERATION
595.Nm
596may be used to generate groups for the Diffie-Hellman Group Exchange
597(DH-GEX) protocol.
598Generating these groups is a two-step process: first, candidate
599primes are generated using a fast, but memory intensive process.
600These candidate primes are then tested for suitability (a CPU-intensive
601process).
602.Pp
603Generation of primes is performed using the
604.Fl G
605option.
606The desired length of the primes may be specified by the
607.Fl b
608option.
609For example:
610.Pp
611.Dl # ssh-keygen -G moduli-2048.candidates -b 2048
612.Pp
613By default, the search for primes begins at a random point in the
614desired length range.
615This may be overridden using the
616.Fl S
617option, which specifies a different start point (in hex).
618.Pp
619Once a set of candidates have been generated, they must be screened for
620suitability.
621This may be performed using the
622.Fl T
623option.
624In this mode
625.Nm
626will read candidates from standard input (or a file specified using the
627.Fl f
628option).
629For example:
630.Pp
631.Dl # ssh-keygen -T moduli-2048 -f moduli-2048.candidates
632.Pp
633By default, each candidate will be subjected to 100 primality tests.
634This may be overridden using the
635.Fl a
636option.
637The DH generator value will be chosen automatically for the
638prime under consideration.
639If a specific generator is desired, it may be requested using the
640.Fl W
641option.
642Valid generator values are 2, 3, and 5.
643.Pp
644Screened DH groups may be installed in
645.Pa /etc/moduli .
646It is important that this file contains moduli of a range of bit lengths and
647that both ends of a connection share common moduli.
648.Sh CERTIFICATES
649.Nm
650supports signing of keys to produce certificates that may be used for
651user or host authentication.
652Certificates consist of a public key, some identity information, zero or
653more principal (user or host) names and a set of options that
654are signed by a Certification Authority (CA) key.
655Clients or servers may then trust only the CA key and verify its signature
656on a certificate rather than trusting many user/host keys.
657Note that OpenSSH certificates are a different, and much simpler, format to
658the X.509 certificates used in
659.Xr ssl 8 .
660.Pp
661.Nm
662supports two types of certificates: user and host.
663User certificates authenticate users to servers, whereas host certificates
664authenticate server hosts to users.
665To generate a user certificate:
666.Pp
667.Dl $ ssh-keygen -s /path/to/ca_key -I key_id /path/to/user_key.pub
668.Pp
669The resultant certificate will be placed in
670.Pa /path/to/user_key-cert.pub .
671A host certificate requires the
672.Fl h
673option:
674.Pp
675.Dl $ ssh-keygen -s /path/to/ca_key -I key_id -h /path/to/host_key.pub
676.Pp
677The host certificate will be output to
678.Pa /path/to/host_key-cert.pub .
679.Pp
680It is possible to sign using a CA key stored in a PKCS#11 token by
681providing the token library using
682.Fl D
683and identifying the CA key by providing its public half as an argument
684to
685.Fl s :
686.Pp
687.Dl $ ssh-keygen -s ca_key.pub -D libpkcs11.so -I key_id user_key.pub
688.Pp
689In all cases,
690.Ar key_id
691is a "key identifier" that is logged by the server when the certificate
692is used for authentication.
693.Pp
694Certificates may be limited to be valid for a set of principal (user/host)
695names.
696By default, generated certificates are valid for all users or hosts.
697To generate a certificate for a specified set of principals:
698.Pp
699.Dl $ ssh-keygen -s ca_key -I key_id -n user1,user2 user_key.pub
700.Dl "$ ssh-keygen -s ca_key -I key_id -h -n host.domain host_key.pub"
701.Pp
702Additional limitations on the validity and use of user certificates may
703be specified through certificate options.
704A certificate option may disable features of the SSH session, may be
705valid only when presented from particular source addresses or may
706force the use of a specific command.
707For a list of valid certificate options, see the documentation for the
708.Fl O
709option above.
710.Pp
711Finally, certificates may be defined with a validity lifetime.
712The
713.Fl V
714option allows specification of certificate start and end times.
715A certificate that is presented at a time outside this range will not be
716considered valid.
717By default, certificates are valid from
718.Ux
719Epoch to the distant future.
720.Pp
721For certificates to be used for user or host authentication, the CA
722public key must be trusted by
723.Xr sshd 8
724or
725.Xr ssh 1 .
726Please refer to those manual pages for details.
727.Sh KEY REVOCATION LISTS
728.Nm
729is able to manage OpenSSH format Key Revocation Lists (KRLs).
730These binary files specify keys or certificates to be revoked using a
731compact format, taking as little as one bit per certificate if they are being
732revoked by serial number.
733.Pp
734KRLs may be generated using the
735.Fl k
736flag.
737This option reads one or more files from the command line and generates a new
738KRL.
739The files may either contain a KRL specification (see below) or public keys,
740listed one per line.
741Plain public keys are revoked by listing their hash or contents in the KRL and
742certificates revoked by serial number or key ID (if the serial is zero or
743not available).
744.Pp
745Revoking keys using a KRL specification offers explicit control over the
746types of record used to revoke keys and may be used to directly revoke
747certificates by serial number or key ID without having the complete original
748certificate on hand.
749A KRL specification consists of lines containing one of the following directives
750followed by a colon and some directive-specific information.
751.Bl -tag -width Ds
752.It Cm serial : Ar serial_number Ns Op - Ns Ar serial_number
753Revokes a certificate with the specified serial number.
754Serial numbers are 64-bit values, not including zero and may be expressed
755in decimal, hex or octal.
756If two serial numbers are specified separated by a hyphen, then the range
757of serial numbers including and between each is revoked.
758The CA key must have been specified on the
759.Nm
760command line using the
761.Fl s
762option.
763.It Cm id : Ar key_id
764Revokes a certificate with the specified key ID string.
765The CA key must have been specified on the
766.Nm
767command line using the
768.Fl s
769option.
770.It Cm key : Ar public_key
771Revokes the specified key.
772If a certificate is listed, then it is revoked as a plain public key.
773.It Cm sha1 : Ar public_key
774Revokes the specified key by its SHA1 hash.
775.El
776.Pp
777KRLs may be updated using the
778.Fl u
779flag in addition to
780.Fl k .
781When this option is specified, keys listed via the command line are merged into
782the KRL, adding to those already there.
783.Pp
784It is also possible, given a KRL, to test whether it revokes a particular key
785(or keys).
786The
787.Fl Q
788flag will query an existing KRL, testing each key specified on the command line.
789If any key listed on the command line has been revoked (or an error encountered)
790then
791.Nm
792will exit with a non-zero exit status.
793A zero exit status will only be returned if no key was revoked.
794.Sh FILES
795.Bl -tag -width Ds -compact
796.It Pa ~/.ssh/identity
797Contains the protocol version 1 RSA authentication identity of the user.
798This file should not be readable by anyone but the user.
799It is possible to
800specify a passphrase when generating the key; that passphrase will be
801used to encrypt the private part of this file using 3DES.
802This file is not automatically accessed by
803.Nm
804but it is offered as the default file for the private key.
805.Xr ssh 1
806will read this file when a login attempt is made.
807.Pp
808.It Pa ~/.ssh/identity.pub
809Contains the protocol version 1 RSA public key for authentication.
810The contents of this file should be added to
811.Pa ~/.ssh/authorized_keys
812on all machines
813where the user wishes to log in using RSA authentication.
814There is no need to keep the contents of this file secret.
815.Pp
816.It Pa ~/.ssh/id_dsa
817.It Pa ~/.ssh/id_ecdsa
818.It Pa ~/.ssh/id_ed25519
819.It Pa ~/.ssh/id_rsa
820Contains the protocol version 2 DSA, ECDSA, Ed25519 or RSA
821authentication identity of the user.
822This file should not be readable by anyone but the user.
823It is possible to
824specify a passphrase when generating the key; that passphrase will be
825used to encrypt the private part of this file using 128-bit AES.
826This file is not automatically accessed by
827.Nm
828but it is offered as the default file for the private key.
829.Xr ssh 1
830will read this file when a login attempt is made.
831.Pp
832.It Pa ~/.ssh/id_dsa.pub
833.It Pa ~/.ssh/id_ecdsa.pub
834.It Pa ~/.ssh/id_ed25519.pub
835.It Pa ~/.ssh/id_rsa.pub
836Contains the protocol version 2 DSA, ECDSA, Ed25519 or RSA
837public key for authentication.
838The contents of this file should be added to
839.Pa ~/.ssh/authorized_keys
840on all machines
841where the user wishes to log in using public key authentication.
842There is no need to keep the contents of this file secret.
843.Pp
844.It Pa /etc/moduli
845Contains Diffie-Hellman groups used for DH-GEX.
846The file format is described in
847.Xr moduli 5 .
848.El
849.Sh SEE ALSO
850.Xr ssh 1 ,
851.Xr ssh-add 1 ,
852.Xr ssh-agent 1 ,
853.Xr moduli 5 ,
854.Xr sshd 8
855.Rs
856.%R RFC 4716
857.%T "The Secure Shell (SSH) Public Key File Format"
858.%D 2006
859.Re
860.Sh AUTHORS
861OpenSSH is a derivative of the original and free
862ssh 1.2.12 release by Tatu Ylonen.
863Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos,
864Theo de Raadt and Dug Song
865removed many bugs, re-added newer features and
866created OpenSSH.
867Markus Friedl contributed the support for SSH
868protocol versions 1.5 and 2.0.
869