1.\" $OpenBSD: ssh-keygen.1,v 1.125 2015/02/24 15:24:05 naddy Exp $ 2.\" 3.\" Author: Tatu Ylonen <ylo@cs.hut.fi> 4.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 5.\" All rights reserved 6.\" 7.\" As far as I am concerned, the code I have written for this software 8.\" can be used freely for any purpose. Any derived versions of this 9.\" software must be clearly marked as such, and if the derived work is 10.\" incompatible with the protocol description in the RFC file, it must be 11.\" called by a name other than "ssh" or "Secure Shell". 12.\" 13.\" 14.\" Copyright (c) 1999,2000 Markus Friedl. All rights reserved. 15.\" Copyright (c) 1999 Aaron Campbell. All rights reserved. 16.\" Copyright (c) 1999 Theo de Raadt. All rights reserved. 17.\" 18.\" Redistribution and use in source and binary forms, with or without 19.\" modification, are permitted provided that the following conditions 20.\" are met: 21.\" 1. Redistributions of source code must retain the above copyright 22.\" notice, this list of conditions and the following disclaimer. 23.\" 2. Redistributions in binary form must reproduce the above copyright 24.\" notice, this list of conditions and the following disclaimer in the 25.\" documentation and/or other materials provided with the distribution. 26.\" 27.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 28.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 29.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 30.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 31.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 32.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 33.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 34.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 35.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 36.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 37.\" 38.Dd $Mdocdate: February 24 2015 $ 39.Dt SSH-KEYGEN 1 40.Os 41.Sh NAME 42.Nm ssh-keygen 43.Nd authentication key generation, management and conversion 44.Sh SYNOPSIS 45.Bk -words 46.Nm ssh-keygen 47.Op Fl q 48.Op Fl b Ar bits 49.Op Fl t Cm dsa | ecdsa | ed25519 | rsa | rsa1 50.Op Fl N Ar new_passphrase 51.Op Fl C Ar comment 52.Op Fl f Ar output_keyfile 53.Nm ssh-keygen 54.Fl p 55.Op Fl P Ar old_passphrase 56.Op Fl N Ar new_passphrase 57.Op Fl f Ar keyfile 58.Nm ssh-keygen 59.Fl i 60.Op Fl m Ar key_format 61.Op Fl f Ar input_keyfile 62.Nm ssh-keygen 63.Fl e 64.Op Fl m Ar key_format 65.Op Fl f Ar input_keyfile 66.Nm ssh-keygen 67.Fl y 68.Op Fl f Ar input_keyfile 69.Nm ssh-keygen 70.Fl c 71.Op Fl P Ar passphrase 72.Op Fl C Ar comment 73.Op Fl f Ar keyfile 74.Nm ssh-keygen 75.Fl l 76.Op Fl v 77.Op Fl E Ar fingerprint_hash 78.Op Fl f Ar input_keyfile 79.Nm ssh-keygen 80.Fl B 81.Op Fl f Ar input_keyfile 82.Nm ssh-keygen 83.Fl D Ar pkcs11 84.Nm ssh-keygen 85.Fl F Ar hostname 86.Op Fl f Ar known_hosts_file 87.Op Fl l 88.Nm ssh-keygen 89.Fl H 90.Op Fl f Ar known_hosts_file 91.Nm ssh-keygen 92.Fl R Ar hostname 93.Op Fl f Ar known_hosts_file 94.Nm ssh-keygen 95.Fl r Ar hostname 96.Op Fl f Ar input_keyfile 97.Op Fl g 98.Nm ssh-keygen 99.Fl G Ar output_file 100.Op Fl v 101.Op Fl b Ar bits 102.Op Fl M Ar memory 103.Op Fl S Ar start_point 104.Nm ssh-keygen 105.Fl T Ar output_file 106.Fl f Ar input_file 107.Op Fl v 108.Op Fl a Ar rounds 109.Op Fl J Ar num_lines 110.Op Fl j Ar start_line 111.Op Fl K Ar checkpt 112.Op Fl W Ar generator 113.Nm ssh-keygen 114.Fl s Ar ca_key 115.Fl I Ar certificate_identity 116.Op Fl h 117.Op Fl n Ar principals 118.Op Fl O Ar option 119.Op Fl V Ar validity_interval 120.Op Fl z Ar serial_number 121.Ar 122.Nm ssh-keygen 123.Fl L 124.Op Fl f Ar input_keyfile 125.Nm ssh-keygen 126.Fl A 127.Nm ssh-keygen 128.Fl k 129.Fl f Ar krl_file 130.Op Fl u 131.Op Fl s Ar ca_public 132.Op Fl z Ar version_number 133.Ar 134.Nm ssh-keygen 135.Fl Q 136.Fl f Ar krl_file 137.Ar 138.Ek 139.Sh DESCRIPTION 140.Nm 141generates, manages and converts authentication keys for 142.Xr ssh 1 . 143.Nm 144can create RSA keys for use by SSH protocol version 1 and 145DSA, ECDSA, Ed25519 or RSA keys for use by SSH protocol version 2. 146The type of key to be generated is specified with the 147.Fl t 148option. 149If invoked without any arguments, 150.Nm 151will generate an RSA key for use in SSH protocol 2 connections. 152.Pp 153.Nm 154is also used to generate groups for use in Diffie-Hellman group 155exchange (DH-GEX). 156See the 157.Sx MODULI GENERATION 158section for details. 159.Pp 160Finally, 161.Nm 162can be used to generate and update Key Revocation Lists, and to test whether 163given keys have been revoked by one. 164See the 165.Sx KEY REVOCATION LISTS 166section for details. 167.Pp 168Normally each user wishing to use SSH 169with public key authentication runs this once to create the authentication 170key in 171.Pa ~/.ssh/identity , 172.Pa ~/.ssh/id_dsa , 173.Pa ~/.ssh/id_ecdsa , 174.Pa ~/.ssh/id_ed25519 175or 176.Pa ~/.ssh/id_rsa . 177Additionally, the system administrator may use this to generate host keys, 178as seen in 179.Pa /etc/rc . 180.Pp 181Normally this program generates the key and asks for a file in which 182to store the private key. 183The public key is stored in a file with the same name but 184.Dq .pub 185appended. 186The program also asks for a passphrase. 187The passphrase may be empty to indicate no passphrase 188(host keys must have an empty passphrase), or it may be a string of 189arbitrary length. 190A passphrase is similar to a password, except it can be a phrase with a 191series of words, punctuation, numbers, whitespace, or any string of 192characters you want. 193Good passphrases are 10-30 characters long, are 194not simple sentences or otherwise easily guessable (English 195prose has only 1-2 bits of entropy per character, and provides very bad 196passphrases), and contain a mix of upper and lowercase letters, 197numbers, and non-alphanumeric characters. 198The passphrase can be changed later by using the 199.Fl p 200option. 201.Pp 202There is no way to recover a lost passphrase. 203If the passphrase is lost or forgotten, a new key must be generated 204and the corresponding public key copied to other machines. 205.Pp 206For RSA1 keys, 207there is also a comment field in the key file that is only for 208convenience to the user to help identify the key. 209The comment can tell what the key is for, or whatever is useful. 210The comment is initialized to 211.Dq user@host 212when the key is created, but can be changed using the 213.Fl c 214option. 215.Pp 216After a key is generated, instructions below detail where the keys 217should be placed to be activated. 218.Pp 219The options are as follows: 220.Bl -tag -width Ds 221.It Fl A 222For each of the key types (rsa1, rsa, dsa, ecdsa and ed25519) 223for which host keys 224do not exist, generate the host keys with the default key file path, 225an empty passphrase, default bits for the key type, and default comment. 226This is used by 227.Pa /etc/rc 228to generate new host keys. 229.It Fl a Ar rounds 230When saving a new-format private key (i.e. an ed25519 key or any SSH protocol 2312 key when the 232.Fl o 233flag is set), this option specifies the number of KDF (key derivation function) 234rounds used. 235Higher numbers result in slower passphrase verification and increased 236resistance to brute-force password cracking (should the keys be stolen). 237.Pp 238When screening DH-GEX candidates ( 239using the 240.Fl T 241command). 242This option specifies the number of primality tests to perform. 243.It Fl B 244Show the bubblebabble digest of specified private or public key file. 245.It Fl b Ar bits 246Specifies the number of bits in the key to create. 247For RSA keys, the minimum size is 768 bits and the default is 2048 bits. 248Generally, 2048 bits is considered sufficient. 249DSA keys must be exactly 1024 bits as specified by FIPS 186-2. 250For ECDSA keys, the 251.Fl b 252flag determines the key length by selecting from one of three elliptic 253curve sizes: 256, 384 or 521 bits. 254Attempting to use bit lengths other than these three values for ECDSA keys 255will fail. 256Ed25519 keys have a fixed length and the 257.Fl b 258flag will be ignored. 259.It Fl C Ar comment 260Provides a new comment. 261.It Fl c 262Requests changing the comment in the private and public key files. 263This operation is only supported for RSA1 keys. 264The program will prompt for the file containing the private keys, for 265the passphrase if the key has one, and for the new comment. 266.It Fl D Ar pkcs11 267Download the RSA public keys provided by the PKCS#11 shared library 268.Ar pkcs11 . 269When used in combination with 270.Fl s , 271this option indicates that a CA key resides in a PKCS#11 token (see the 272.Sx CERTIFICATES 273section for details). 274.It Fl E Ar fingerprint_hash 275Specifies the hash algorithm used when displaying key fingerprints. 276Valid options are: 277.Dq md5 278and 279.Dq sha256 . 280The default is 281.Dq sha256 . 282.It Fl e 283This option will read a private or public OpenSSH key file and 284print to stdout the key in one of the formats specified by the 285.Fl m 286option. 287The default export format is 288.Dq RFC4716 . 289This option allows exporting OpenSSH keys for use by other programs, including 290several commercial SSH implementations. 291.It Fl F Ar hostname 292Search for the specified 293.Ar hostname 294in a 295.Pa known_hosts 296file, listing any occurrences found. 297This option is useful to find hashed host names or addresses and may also be 298used in conjunction with the 299.Fl H 300option to print found keys in a hashed format. 301.It Fl f Ar filename 302Specifies the filename of the key file. 303.It Fl G Ar output_file 304Generate candidate primes for DH-GEX. 305These primes must be screened for 306safety (using the 307.Fl T 308option) before use. 309.It Fl g 310Use generic DNS format when printing fingerprint resource records using the 311.Fl r 312command. 313.It Fl H 314Hash a 315.Pa known_hosts 316file. 317This replaces all hostnames and addresses with hashed representations 318within the specified file; the original content is moved to a file with 319a .old suffix. 320These hashes may be used normally by 321.Nm ssh 322and 323.Nm sshd , 324but they do not reveal identifying information should the file's contents 325be disclosed. 326This option will not modify existing hashed hostnames and is therefore safe 327to use on files that mix hashed and non-hashed names. 328.It Fl h 329When signing a key, create a host certificate instead of a user 330certificate. 331Please see the 332.Sx CERTIFICATES 333section for details. 334.It Fl I Ar certificate_identity 335Specify the key identity when signing a public key. 336Please see the 337.Sx CERTIFICATES 338section for details. 339.It Fl i 340This option will read an unencrypted private (or public) key file 341in the format specified by the 342.Fl m 343option and print an OpenSSH compatible private 344(or public) key to stdout. 345This option allows importing keys from other software, including several 346commercial SSH implementations. 347The default import format is 348.Dq RFC4716 . 349.It Fl J Ar num_lines 350Exit after screening the specified number of lines 351while performing DH candidate screening using the 352.Fl T 353option. 354.It Fl j Ar start_line 355Start screening at the specified line number 356while performing DH candidate screening using the 357.Fl T 358option. 359.It Fl K Ar checkpt 360Write the last line processed to the file 361.Ar checkpt 362while performing DH candidate screening using the 363.Fl T 364option. 365This will be used to skip lines in the input file that have already been 366processed if the job is restarted. 367.It Fl k 368Generate a KRL file. 369In this mode, 370.Nm 371will generate a KRL file at the location specified via the 372.Fl f 373flag that revokes every key or certificate presented on the command line. 374Keys/certificates to be revoked may be specified by public key file or 375using the format described in the 376.Sx KEY REVOCATION LISTS 377section. 378.It Fl L 379Prints the contents of a certificate. 380.It Fl l 381Show fingerprint of specified public key file. 382Private RSA1 keys are also supported. 383For RSA and DSA keys 384.Nm 385tries to find the matching public key file and prints its fingerprint. 386If combined with 387.Fl v , 388an ASCII art representation of the key is supplied with the fingerprint. 389.It Fl M Ar memory 390Specify the amount of memory to use (in megabytes) when generating 391candidate moduli for DH-GEX. 392.It Fl m Ar key_format 393Specify a key format for the 394.Fl i 395(import) or 396.Fl e 397(export) conversion options. 398The supported key formats are: 399.Dq RFC4716 400(RFC 4716/SSH2 public or private key), 401.Dq PKCS8 402(PEM PKCS8 public key) 403or 404.Dq PEM 405(PEM public key). 406The default conversion format is 407.Dq RFC4716 . 408.It Fl N Ar new_passphrase 409Provides the new passphrase. 410.It Fl n Ar principals 411Specify one or more principals (user or host names) to be included in 412a certificate when signing a key. 413Multiple principals may be specified, separated by commas. 414Please see the 415.Sx CERTIFICATES 416section for details. 417.It Fl O Ar option 418Specify a certificate option when signing a key. 419This option may be specified multiple times. 420Please see the 421.Sx CERTIFICATES 422section for details. 423The options that are valid for user certificates are: 424.Bl -tag -width Ds 425.It Ic clear 426Clear all enabled permissions. 427This is useful for clearing the default set of permissions so permissions may 428be added individually. 429.It Ic force-command Ns = Ns Ar command 430Forces the execution of 431.Ar command 432instead of any shell or command specified by the user when 433the certificate is used for authentication. 434.It Ic no-agent-forwarding 435Disable 436.Xr ssh-agent 1 437forwarding (permitted by default). 438.It Ic no-port-forwarding 439Disable port forwarding (permitted by default). 440.It Ic no-pty 441Disable PTY allocation (permitted by default). 442.It Ic no-user-rc 443Disable execution of 444.Pa ~/.ssh/rc 445by 446.Xr sshd 8 447(permitted by default). 448.It Ic no-x11-forwarding 449Disable X11 forwarding (permitted by default). 450.It Ic permit-agent-forwarding 451Allows 452.Xr ssh-agent 1 453forwarding. 454.It Ic permit-port-forwarding 455Allows port forwarding. 456.It Ic permit-pty 457Allows PTY allocation. 458.It Ic permit-user-rc 459Allows execution of 460.Pa ~/.ssh/rc 461by 462.Xr sshd 8 . 463.It Ic permit-x11-forwarding 464Allows X11 forwarding. 465.It Ic source-address Ns = Ns Ar address_list 466Restrict the source addresses from which the certificate is considered valid. 467The 468.Ar address_list 469is a comma-separated list of one or more address/netmask pairs in CIDR 470format. 471.El 472.Pp 473At present, no options are valid for host keys. 474.It Fl o 475Causes 476.Nm 477to save SSH protocol 2 private keys using the new OpenSSH format rather than 478the more compatible PEM format. 479The new format has increased resistance to brute-force password cracking 480but is not supported by versions of OpenSSH prior to 6.5. 481Ed25519 keys always use the new private key format. 482.It Fl P Ar passphrase 483Provides the (old) passphrase. 484.It Fl p 485Requests changing the passphrase of a private key file instead of 486creating a new private key. 487The program will prompt for the file 488containing the private key, for the old passphrase, and twice for the 489new passphrase. 490.It Fl Q 491Test whether keys have been revoked in a KRL. 492.It Fl q 493Silence 494.Nm ssh-keygen . 495.It Fl R Ar hostname 496Removes all keys belonging to 497.Ar hostname 498from a 499.Pa known_hosts 500file. 501This option is useful to delete hashed hosts (see the 502.Fl H 503option above). 504.It Fl r Ar hostname 505Print the SSHFP fingerprint resource record named 506.Ar hostname 507for the specified public key file. 508.It Fl S Ar start 509Specify start point (in hex) when generating candidate moduli for DH-GEX. 510.It Fl s Ar ca_key 511Certify (sign) a public key using the specified CA key. 512Please see the 513.Sx CERTIFICATES 514section for details. 515.Pp 516When generating a KRL, 517.Fl s 518specifies a path to a CA public key file used to revoke certificates directly 519by key ID or serial number. 520See the 521.Sx KEY REVOCATION LISTS 522section for details. 523.It Fl T Ar output_file 524Test DH group exchange candidate primes (generated using the 525.Fl G 526option) for safety. 527.It Fl t Cm dsa | ecdsa | ed25519 | rsa | rsa1 528Specifies the type of key to create. 529The possible values are 530.Dq rsa1 531for protocol version 1 and 532.Dq dsa , 533.Dq ecdsa , 534.Dq ed25519 , 535or 536.Dq rsa 537for protocol version 2. 538.It Fl u 539Update a KRL. 540When specified with 541.Fl k , 542keys listed via the command line are added to the existing KRL rather than 543a new KRL being created. 544.It Fl V Ar validity_interval 545Specify a validity interval when signing a certificate. 546A validity interval may consist of a single time, indicating that the 547certificate is valid beginning now and expiring at that time, or may consist 548of two times separated by a colon to indicate an explicit time interval. 549The start time may be specified as a date in YYYYMMDD format, a time 550in YYYYMMDDHHMMSS format or a relative time (to the current time) consisting 551of a minus sign followed by a relative time in the format described in the 552TIME FORMATS section of 553.Xr sshd_config 5 . 554The end time may be specified as a YYYYMMDD date, a YYYYMMDDHHMMSS time or 555a relative time starting with a plus character. 556.Pp 557For example: 558.Dq +52w1d 559(valid from now to 52 weeks and one day from now), 560.Dq -4w:+4w 561(valid from four weeks ago to four weeks from now), 562.Dq 20100101123000:20110101123000 563(valid from 12:30 PM, January 1st, 2010 to 12:30 PM, January 1st, 2011), 564.Dq -1d:20110101 565(valid from yesterday to midnight, January 1st, 2011). 566.It Fl v 567Verbose mode. 568Causes 569.Nm 570to print debugging messages about its progress. 571This is helpful for debugging moduli generation. 572Multiple 573.Fl v 574options increase the verbosity. 575The maximum is 3. 576.It Fl W Ar generator 577Specify desired generator when testing candidate moduli for DH-GEX. 578.It Fl y 579This option will read a private 580OpenSSH format file and print an OpenSSH public key to stdout. 581.It Fl z Ar serial_number 582Specifies a serial number to be embedded in the certificate to distinguish 583this certificate from others from the same CA. 584The default serial number is zero. 585.Pp 586When generating a KRL, the 587.Fl z 588flag is used to specify a KRL version number. 589.El 590.Sh MODULI GENERATION 591.Nm 592may be used to generate groups for the Diffie-Hellman Group Exchange 593(DH-GEX) protocol. 594Generating these groups is a two-step process: first, candidate 595primes are generated using a fast, but memory intensive process. 596These candidate primes are then tested for suitability (a CPU-intensive 597process). 598.Pp 599Generation of primes is performed using the 600.Fl G 601option. 602The desired length of the primes may be specified by the 603.Fl b 604option. 605For example: 606.Pp 607.Dl # ssh-keygen -G moduli-2048.candidates -b 2048 608.Pp 609By default, the search for primes begins at a random point in the 610desired length range. 611This may be overridden using the 612.Fl S 613option, which specifies a different start point (in hex). 614.Pp 615Once a set of candidates have been generated, they must be screened for 616suitability. 617This may be performed using the 618.Fl T 619option. 620In this mode 621.Nm 622will read candidates from standard input (or a file specified using the 623.Fl f 624option). 625For example: 626.Pp 627.Dl # ssh-keygen -T moduli-2048 -f moduli-2048.candidates 628.Pp 629By default, each candidate will be subjected to 100 primality tests. 630This may be overridden using the 631.Fl a 632option. 633The DH generator value will be chosen automatically for the 634prime under consideration. 635If a specific generator is desired, it may be requested using the 636.Fl W 637option. 638Valid generator values are 2, 3, and 5. 639.Pp 640Screened DH groups may be installed in 641.Pa /etc/moduli . 642It is important that this file contains moduli of a range of bit lengths and 643that both ends of a connection share common moduli. 644.Sh CERTIFICATES 645.Nm 646supports signing of keys to produce certificates that may be used for 647user or host authentication. 648Certificates consist of a public key, some identity information, zero or 649more principal (user or host) names and a set of options that 650are signed by a Certification Authority (CA) key. 651Clients or servers may then trust only the CA key and verify its signature 652on a certificate rather than trusting many user/host keys. 653Note that OpenSSH certificates are a different, and much simpler, format to 654the X.509 certificates used in 655.Xr ssl 8 . 656.Pp 657.Nm 658supports two types of certificates: user and host. 659User certificates authenticate users to servers, whereas host certificates 660authenticate server hosts to users. 661To generate a user certificate: 662.Pp 663.Dl $ ssh-keygen -s /path/to/ca_key -I key_id /path/to/user_key.pub 664.Pp 665The resultant certificate will be placed in 666.Pa /path/to/user_key-cert.pub . 667A host certificate requires the 668.Fl h 669option: 670.Pp 671.Dl $ ssh-keygen -s /path/to/ca_key -I key_id -h /path/to/host_key.pub 672.Pp 673The host certificate will be output to 674.Pa /path/to/host_key-cert.pub . 675.Pp 676It is possible to sign using a CA key stored in a PKCS#11 token by 677providing the token library using 678.Fl D 679and identifying the CA key by providing its public half as an argument 680to 681.Fl s : 682.Pp 683.Dl $ ssh-keygen -s ca_key.pub -D libpkcs11.so -I key_id host_key.pub 684.Pp 685In all cases, 686.Ar key_id 687is a "key identifier" that is logged by the server when the certificate 688is used for authentication. 689.Pp 690Certificates may be limited to be valid for a set of principal (user/host) 691names. 692By default, generated certificates are valid for all users or hosts. 693To generate a certificate for a specified set of principals: 694.Pp 695.Dl $ ssh-keygen -s ca_key -I key_id -n user1,user2 user_key.pub 696.Dl "$ ssh-keygen -s ca_key -I key_id -h -n host.domain user_key.pub" 697.Pp 698Additional limitations on the validity and use of user certificates may 699be specified through certificate options. 700A certificate option may disable features of the SSH session, may be 701valid only when presented from particular source addresses or may 702force the use of a specific command. 703For a list of valid certificate options, see the documentation for the 704.Fl O 705option above. 706.Pp 707Finally, certificates may be defined with a validity lifetime. 708The 709.Fl V 710option allows specification of certificate start and end times. 711A certificate that is presented at a time outside this range will not be 712considered valid. 713By default, certificates are valid from 714.Ux 715Epoch to the distant future. 716.Pp 717For certificates to be used for user or host authentication, the CA 718public key must be trusted by 719.Xr sshd 8 720or 721.Xr ssh 1 . 722Please refer to those manual pages for details. 723.Sh KEY REVOCATION LISTS 724.Nm 725is able to manage OpenSSH format Key Revocation Lists (KRLs). 726These binary files specify keys or certificates to be revoked using a 727compact format, taking as little as one bit per certificate if they are being 728revoked by serial number. 729.Pp 730KRLs may be generated using the 731.Fl k 732flag. 733This option reads one or more files from the command line and generates a new 734KRL. 735The files may either contain a KRL specification (see below) or public keys, 736listed one per line. 737Plain public keys are revoked by listing their hash or contents in the KRL and 738certificates revoked by serial number or key ID (if the serial is zero or 739not available). 740.Pp 741Revoking keys using a KRL specification offers explicit control over the 742types of record used to revoke keys and may be used to directly revoke 743certificates by serial number or key ID without having the complete original 744certificate on hand. 745A KRL specification consists of lines containing one of the following directives 746followed by a colon and some directive-specific information. 747.Bl -tag -width Ds 748.It Cm serial : Ar serial_number Ns Op - Ns Ar serial_number 749Revokes a certificate with the specified serial number. 750Serial numbers are 64-bit values, not including zero and may be expressed 751in decimal, hex or octal. 752If two serial numbers are specified separated by a hyphen, then the range 753of serial numbers including and between each is revoked. 754The CA key must have been specified on the 755.Nm 756command line using the 757.Fl s 758option. 759.It Cm id : Ar key_id 760Revokes a certificate with the specified key ID string. 761The CA key must have been specified on the 762.Nm 763command line using the 764.Fl s 765option. 766.It Cm key : Ar public_key 767Revokes the specified key. 768If a certificate is listed, then it is revoked as a plain public key. 769.It Cm sha1 : Ar public_key 770Revokes the specified key by its SHA1 hash. 771.El 772.Pp 773KRLs may be updated using the 774.Fl u 775flag in addition to 776.Fl k . 777When this option is specified, keys listed via the command line are merged into 778the KRL, adding to those already there. 779.Pp 780It is also possible, given a KRL, to test whether it revokes a particular key 781(or keys). 782The 783.Fl Q 784flag will query an existing KRL, testing each key specified on the commandline. 785If any key listed on the command line has been revoked (or an error encountered) 786then 787.Nm 788will exit with a non-zero exit status. 789A zero exit status will only be returned if no key was revoked. 790.Sh FILES 791.Bl -tag -width Ds -compact 792.It Pa ~/.ssh/identity 793Contains the protocol version 1 RSA authentication identity of the user. 794This file should not be readable by anyone but the user. 795It is possible to 796specify a passphrase when generating the key; that passphrase will be 797used to encrypt the private part of this file using 3DES. 798This file is not automatically accessed by 799.Nm 800but it is offered as the default file for the private key. 801.Xr ssh 1 802will read this file when a login attempt is made. 803.Pp 804.It Pa ~/.ssh/identity.pub 805Contains the protocol version 1 RSA public key for authentication. 806The contents of this file should be added to 807.Pa ~/.ssh/authorized_keys 808on all machines 809where the user wishes to log in using RSA authentication. 810There is no need to keep the contents of this file secret. 811.Pp 812.It Pa ~/.ssh/id_dsa 813.It Pa ~/.ssh/id_ecdsa 814.It Pa ~/.ssh/id_ed25519 815.It Pa ~/.ssh/id_rsa 816Contains the protocol version 2 DSA, ECDSA, Ed25519 or RSA 817authentication identity of the user. 818This file should not be readable by anyone but the user. 819It is possible to 820specify a passphrase when generating the key; that passphrase will be 821used to encrypt the private part of this file using 128-bit AES. 822This file is not automatically accessed by 823.Nm 824but it is offered as the default file for the private key. 825.Xr ssh 1 826will read this file when a login attempt is made. 827.Pp 828.It Pa ~/.ssh/id_dsa.pub 829.It Pa ~/.ssh/id_ecdsa.pub 830.It Pa ~/.ssh/id_ed25519.pub 831.It Pa ~/.ssh/id_rsa.pub 832Contains the protocol version 2 DSA, ECDSA, Ed25519 or RSA 833public key for authentication. 834The contents of this file should be added to 835.Pa ~/.ssh/authorized_keys 836on all machines 837where the user wishes to log in using public key authentication. 838There is no need to keep the contents of this file secret. 839.Pp 840.It Pa /etc/moduli 841Contains Diffie-Hellman groups used for DH-GEX. 842The file format is described in 843.Xr moduli 5 . 844.El 845.Sh SEE ALSO 846.Xr ssh 1 , 847.Xr ssh-add 1 , 848.Xr ssh-agent 1 , 849.Xr moduli 5 , 850.Xr sshd 8 851.Rs 852.%R RFC 4716 853.%T "The Secure Shell (SSH) Public Key File Format" 854.%D 2006 855.Re 856.Sh AUTHORS 857OpenSSH is a derivative of the original and free 858ssh 1.2.12 release by Tatu Ylonen. 859Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, 860Theo de Raadt and Dug Song 861removed many bugs, re-added newer features and 862created OpenSSH. 863Markus Friedl contributed the support for SSH 864protocol versions 1.5 and 2.0. 865