.\" $OpenBSD: ssh-keygen.1,v 1.164 2019/09/03 08:35:27 djm Exp $
.\"
.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
.\" All rights reserved
.\"
.\" As far as I am concerned, the code I have written for this software
.\" can be used freely for any purpose. Any derived versions of this
.\" software must be clearly marked as such, and if the derived work is
.\" incompatible with the protocol description in the RFC file, it must be
.\" called by a name other than "ssh" or "Secure Shell".
.\"
.\"
.\" Copyright (c) 1999,2000 Markus Friedl. All rights reserved.
.\" Copyright (c) 1999 Aaron Campbell. All rights reserved.
.\" Copyright (c) 1999 Theo de Raadt. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd $Mdocdate: September 3 2019 $
.Dt SSH-KEYGEN 1
.Os
.Sh NAME
.Nm ssh-keygen
.Nd authentication key generation, management and conversion
.Sh SYNOPSIS
.Bk -words
.Nm ssh-keygen
.Op Fl q
.Op Fl b Ar bits
.Op Fl t Cm dsa | ecdsa | ed25519 | rsa
.Op Fl N Ar new_passphrase
.Op Fl C Ar comment
.Op Fl f Ar output_keyfile
.Op Fl m Ar format
.Nm ssh-keygen
.Fl p
.Op Fl P Ar old_passphrase
.Op Fl N Ar new_passphrase
.Op Fl f Ar keyfile
.Op Fl m Ar format
.Nm ssh-keygen
.Fl i
.Op Fl m Ar key_format
.Op Fl f Ar input_keyfile
.Nm ssh-keygen
.Fl e
.Op Fl m Ar key_format
.Op Fl f Ar input_keyfile
.Nm ssh-keygen
.Fl y
.Op Fl f Ar input_keyfile
.Nm ssh-keygen
.Fl c
.Op Fl P Ar passphrase
.Op Fl C Ar comment
.Op Fl f Ar keyfile
.Nm ssh-keygen
.Fl l
.Op Fl v
.Op Fl E Ar fingerprint_hash
.Op Fl f Ar input_keyfile
.Nm ssh-keygen
.Fl B
.Op Fl f Ar input_keyfile
.Nm ssh-keygen
.Fl D Ar pkcs11
.Nm ssh-keygen
.Fl F Ar hostname
.Op Fl f Ar known_hosts_file
.Op Fl l
.Op Fl v
.Nm ssh-keygen
.Fl H
.Op Fl f Ar known_hosts_file
.Nm ssh-keygen
.Fl R Ar hostname
.Op Fl f Ar known_hosts_file
.Nm ssh-keygen
.Fl r Ar hostname
.Op Fl f Ar input_keyfile
.Op Fl g
.Nm ssh-keygen
.Fl G Ar output_file
.Op Fl v
.Op Fl b Ar bits
.Op Fl M Ar memory
.Op Fl S Ar start_point
.Nm ssh-keygen
.Fl T Ar output_file
.Fl f Ar input_file
.Op Fl v
.Op Fl a Ar rounds
.Op Fl J Ar num_lines
.Op Fl j Ar start_line
.Op Fl K Ar checkpt
.Op Fl W Ar generator
.Nm ssh-keygen
.Fl s Ar ca_key
.Fl I Ar certificate_identity
.Op Fl h
.Op Fl U
.Op Fl D Ar pkcs11_provider
.Op Fl n Ar principals
.Op Fl O Ar option
.Op Fl V Ar validity_interval
.Op Fl z Ar serial_number
.Ar
.Nm ssh-keygen
.Fl L
.Op Fl f Ar input_keyfile
.Nm ssh-keygen
.Fl A
.Op Fl f Ar prefix_path
.Nm ssh-keygen
.Fl k
.Fl f Ar krl_file
.Op Fl u
.Op Fl s Ar ca_public
.Op Fl z Ar version_number
.Ar
.Nm ssh-keygen
.Fl Q
.Fl f Ar krl_file
.Ar
.Nm ssh-keygen
.Fl Y Cm sign
.Fl f Ar key_file
.Fl n Ar namespace
.Ar
.Nm ssh-keygen
.Fl Y Cm verify
.Fl I Ar signer_identity
.Fl f Ar allowed_keys_file
.Fl n Ar namespace
.Fl s Ar signature_file
.Op Fl r Ar revocation_file
.Ek
.Sh DESCRIPTION
.Nm
generates, manages and converts authentication keys for
.Xr ssh 1 .
.Nm
can create keys for use by SSH protocol version 2.
.Pp
The type of key to be generated is specified with the
.Fl t
option.
If invoked without any arguments,
.Nm
will generate an RSA key.
.Pp
.Nm
is also used to generate groups for use in Diffie-Hellman group
exchange (DH-GEX).
See the
.Sx MODULI GENERATION
section for details.
.Pp
Finally,
.Nm
can be used to generate and update Key Revocation Lists, and to test whether
given keys have been revoked by one.
See the
.Sx KEY REVOCATION LISTS
section for details.
.Pp
Normally each user wishing to use SSH
with public key authentication runs this once to create the authentication
key in
.Pa ~/.ssh/id_dsa ,
.Pa ~/.ssh/id_ecdsa ,
.Pa ~/.ssh/id_ed25519
or
.Pa ~/.ssh/id_rsa .
Additionally, the system administrator may use this to generate host keys,
as seen in
.Pa /etc/rc .
.Pp
Normally this program generates the key and asks for a file in which
to store the private key.
The public key is stored in a file with the same name but
.Dq .pub
appended.
The program also asks for a passphrase.
The passphrase may be empty to indicate no passphrase
(host keys must have an empty passphrase), or it may be a string of
arbitrary length.
A passphrase is similar to a password, except it can be a phrase with a
series of words, punctuation, numbers, whitespace, or any string of
characters you want.
Good passphrases are 10-30 characters long, are
not simple sentences or otherwise easily guessable (English
prose has only 1-2 bits of entropy per character, and provides very bad
passphrases), and contain a mix of upper and lowercase letters,
numbers, and non-alphanumeric characters.
The passphrase can be changed later by using the
.Fl p
option.
.Pp
There is no way to recover a lost passphrase.
If the passphrase is lost or forgotten, a new key must be generated
and the corresponding public key copied to other machines.
.Pp
.Nm
will by default write keys in an OpenSSH-specific format.
This format is preferred as it offers better protection for
keys at rest as well as allowing storage of key comments within
the private key file itself.
The key comment may be useful to help identify the key.
The comment is initialized to
.Dq user@host
when the key is created, but can be changed using the
.Fl c
option.
.Pp
It is still possible for
.Nm
to write the previously-used PEM format private keys using the
.Fl m
flag.
This may be used when generating new keys, and existing new-format
keys may be converted using this option in conjunction with the
.Fl p
(change passphrase) flag.
.Pp
After a key is generated, instructions below detail where the keys
should be placed to be activated.
.Pp
Damien Miller32aa1441999-10-29 09:15:49 +1000248The options are as follows:
249.Bl -tag -width Ds
Damien Miller58f1baf2011-05-05 14:06:15 +1000250.It Fl A
jmc@openbsd.orgf10c0d32017-05-02 17:04:09 +0000251For each of the key types (rsa, dsa, ecdsa and ed25519)
Damien Miller8ba0ead2013-12-18 17:46:27 +1100252for which host keys
Damien Miller58f1baf2011-05-05 14:06:15 +1000253do not exist, generate the host keys with the default key file path,
254an empty passphrase, default bits for the key type, and default comment.
jmc@openbsd.orgdc44dd32017-07-08 18:32:54 +0000255If
djm@openbsd.org853edbe2017-07-07 03:53:12 +0000256.Fl f
jmc@openbsd.orgdc44dd32017-07-08 18:32:54 +0000257has also been specified, its argument is used as a prefix to the
djm@openbsd.org853edbe2017-07-07 03:53:12 +0000258default path for the resulting host key files.
Damien Miller3ca1eb32011-05-05 14:13:50 +1000259This is used by
Damien Miller58f1baf2011-05-05 14:06:15 +1000260.Pa /etc/rc
261to generate new host keys.
Damien Miller4f752cf2013-12-18 17:45:35 +1100262.It Fl a Ar rounds
djm@openbsd.orged7bd5d2018-08-08 01:16:01 +0000263When saving a private key this option specifies the number of KDF
264(key derivation function) rounds used.
Damien Miller4f752cf2013-12-18 17:45:35 +1100265Higher numbers result in slower passphrase verification and increased
266resistance to brute-force password cracking (should the keys be stolen).
267.Pp
jmc@openbsd.org2b6f7992017-05-03 06:32:02 +0000268When screening DH-GEX candidates (using the
Darren Tucker019cefe2003-08-02 22:40:07 +1000269.Fl T
Damien Miller4f752cf2013-12-18 17:45:35 +1100270command).
271This option specifies the number of primality tests to perform.
Damien Miller265d3092005-03-02 12:05:06 +1100272.It Fl B
273Show the bubblebabble digest of specified private or public key file.
Damien Miller32aa1441999-10-29 09:15:49 +1000274.It Fl b Ar bits
Damien Miller450a7a12000-03-26 13:04:51 +1000275Specifies the number of bits in the key to create.
dtucker@openbsd.orgd7c6e382019-04-19 05:47:44 +0000276For RSA keys, the minimum size is 1024 bits and the default is 3072 bits.
277Generally, 3072 bits is considered sufficient.
Darren Tucker9f647332005-11-28 16:41:46 +1100278DSA keys must be exactly 1024 bits as specified by FIPS 186-2.
Damien Millerad210322011-05-05 14:15:54 +1000279For ECDSA keys, the
280.Fl b
Damien Miller6232a162011-09-22 21:36:00 +1000281flag determines the key length by selecting from one of three elliptic
Damien Millerad210322011-05-05 14:15:54 +1000282curve sizes: 256, 384 or 521 bits.
283Attempting to use bit lengths other than these three values for ECDSA keys
284will fail.
sobrado@openbsd.orgf70b22b2014-08-30 15:33:50 +0000285Ed25519 keys have a fixed length and the
Damien Miller8ba0ead2013-12-18 17:46:27 +1100286.Fl b
287flag will be ignored.
Damien Miller265d3092005-03-02 12:05:06 +1100288.It Fl C Ar comment
289Provides a new comment.
Damien Miller32aa1441999-10-29 09:15:49 +1000290.It Fl c
291Requests changing the comment in the private and public key files.
292The program will prompt for the file containing the private keys, for
Ben Lindstromaafff9c2001-05-06 03:01:02 +0000293the passphrase if the key has one, and for the new comment.
Damien Miller7ea845e2010-02-12 09:21:02 +1100294.It Fl D Ar pkcs11
naddy@openbsd.orgc13b7452019-03-05 16:17:12 +0000295Download the public keys provided by the PKCS#11 shared library
Damien Millera7618442010-02-12 09:26:02 +1100296.Ar pkcs11 .
Damien Miller757f34e2010-08-05 13:05:31 +1000297When used in combination with
298.Fl s ,
299this option indicates that a CA key resides in a PKCS#11 token (see the
300.Sx CERTIFICATES
301section for details).
djm@openbsd.org56d1c832014-12-21 22:27:55 +0000302.It Fl E Ar fingerprint_hash
303Specifies the hash algorithm used when displaying key fingerprints.
304Valid options are:
305.Dq md5
306and
307.Dq sha256 .
308The default is
309.Dq sha256 .
Ben Lindstrom5a707822001-04-22 17:15:46 +0000310.It Fl e
Ben Lindstrom46c264f2001-04-24 16:56:58 +0000311This option will read a private or public OpenSSH key file and
djm@openbsd.org180b5202019-01-22 11:19:42 +0000312print to stdout a public key in one of the formats specified by the
Damien Miller44b25042010-07-02 13:35:01 +1000313.Fl m
314option.
315The default export format is
316.Dq RFC4716 .
Damien Millerea727282010-07-02 13:35:34 +1000317This option allows exporting OpenSSH keys for use by other programs, including
Damien Miller44b25042010-07-02 13:35:01 +1000318several commercial SSH implementations.
djm@openbsd.org737e4ed2018-12-07 03:32:26 +0000319.It Fl F Ar hostname | [hostname]:port
Damien Miller265d3092005-03-02 12:05:06 +1100320Search for the specified
321.Ar hostname
djm@openbsd.org737e4ed2018-12-07 03:32:26 +0000322(with optional port number)
Damien Miller265d3092005-03-02 12:05:06 +1100323in a
324.Pa known_hosts
325file, listing any occurrences found.
326This option is useful to find hashed host names or addresses and may also be
327used in conjunction with the
328.Fl H
329option to print found keys in a hashed format.
330.It Fl f Ar filename
331Specifies the filename of the key file.
332.It Fl G Ar output_file
333Generate candidate primes for DH-GEX.
334These primes must be screened for
335safety (using the
336.Fl T
337option) before use.
Damien Miller37876e92003-05-15 10:19:46 +1000338.It Fl g
Darren Tucker0b42e6d2004-08-13 21:22:40 +1000339Use generic DNS format when printing fingerprint resource records using the
Darren Tucker6e370372004-08-13 21:23:25 +1000340.Fl r
Darren Tucker0b42e6d2004-08-13 21:22:40 +1000341command.
Damien Miller265d3092005-03-02 12:05:06 +1100342.It Fl H
343Hash a
344.Pa known_hosts
Darren Tuckerda1adbc2005-03-14 23:15:58 +1100345file.
346This replaces all hostnames and addresses with hashed representations
347within the specified file; the original content is moved to a file with
348a .old suffix.
Damien Miller265d3092005-03-02 12:05:06 +1100349These hashes may be used normally by
350.Nm ssh
351and
352.Nm sshd ,
353but they do not reveal identifying information should the file's contents
354be disclosed.
355This option will not modify existing hashed hostnames and is therefore safe
356to use on files that mix hashed and non-hashed names.
Damien Miller0a80ca12010-02-27 07:55:05 +1100357.It Fl h
358When signing a key, create a host certificate instead of a user
359certificate.
360Please see the
361.Sx CERTIFICATES
362section for details.
Damien Miller15f5b562010-03-03 10:25:21 +1100363.It Fl I Ar certificate_identity
Damien Miller0a80ca12010-02-27 07:55:05 +1100364Specify the key identity when signing a public key.
365Please see the
366.Sx CERTIFICATES
367section for details.
Ben Lindstrom5a707822001-04-22 17:15:46 +0000368.It Fl i
369This option will read an unencrypted private (or public) key file
Damien Miller44b25042010-07-02 13:35:01 +1000370in the format specified by the
371.Fl m
372option and print an OpenSSH compatible private
Ben Lindstrom5a707822001-04-22 17:15:46 +0000373(or public) key to stdout.
Damien Miller43b156c2014-04-20 13:23:03 +1000374This option allows importing keys from other software, including several
375commercial SSH implementations.
376The default import format is
377.Dq RFC4716 .
Damien Millerdfceafe2012-07-06 13:44:19 +1000378.It Fl J Ar num_lines
379Exit after screening the specified number of lines
380while performing DH candidate screening using the
381.Fl T
382option.
383.It Fl j Ar start_line
384Start screening at the specified line number
385while performing DH candidate screening using the
386.Fl T
387option.
Damien Miller390d0562011-10-18 16:05:19 +1100388.It Fl K Ar checkpt
389Write the last line processed to the file
390.Ar checkpt
391while performing DH candidate screening using the
392.Fl T
393option.
394This will be used to skip lines in the input file that have already been
395processed if the job is restarted.
Damien Millerf3747bf2013-01-18 11:44:04 +1100396.It Fl k
397Generate a KRL file.
398In this mode,
399.Nm
400will generate a KRL file at the location specified via the
401.Fl f
Damien Miller881a7a22013-01-20 22:34:46 +1100402flag that revokes every key or certificate presented on the command line.
Damien Millerf3747bf2013-01-18 11:44:04 +1100403Keys/certificates to be revoked may be specified by public key file or
404using the format described in the
405.Sx KEY REVOCATION LISTS
406section.
Damien Millerf2b70ca2010-03-05 07:39:35 +1100407.It Fl L
djm@openbsd.org94bc0b72015-11-13 04:34:15 +0000408Prints the contents of one or more certificates.
Damien Miller10f6f6b1999-11-17 17:29:08 +1100409.It Fl l
Darren Tucker35c45532008-06-13 04:43:15 +1000410Show fingerprint of specified public key file.
Damien Millereb5fec62001-11-12 10:52:44 +1100411For RSA and DSA keys
412.Nm
Darren Tuckerf09e8252008-06-13 05:18:03 +1000413tries to find the matching public key file and prints its fingerprint.
414If combined with
415.Fl v ,
jmc@openbsd.org92838842016-05-03 18:38:12 +0000416a visual ASCII art representation of the key is supplied with the
djm@openbsd.orgcdcd9412016-05-03 14:54:08 +0000417fingerprint.
Damien Millerea727282010-07-02 13:35:34 +1000418.It Fl M Ar memory
419Specify the amount of memory to use (in megabytes) when generating
420candidate moduli for DH-GEX.
Damien Miller44b25042010-07-02 13:35:01 +1000421.It Fl m Ar key_format
djm@openbsd.orgecd2f332019-01-22 11:40:42 +0000422Specify a key format for key generation, the
Damien Miller44b25042010-07-02 13:35:01 +1000423.Fl i
djm@openbsd.orgecd2f332019-01-22 11:40:42 +0000424(import),
Damien Miller44b25042010-07-02 13:35:01 +1000425.Fl e
djm@openbsd.orgecd2f332019-01-22 11:40:42 +0000426(export) conversion options, and the
427.Fl p
428change passphrase operation.
429The latter may be used to convert between OpenSSH private key and PEM
430private key formats.
Damien Miller44b25042010-07-02 13:35:01 +1000431The supported key formats are:
432.Dq RFC4716
Damien Millerea727282010-07-02 13:35:34 +1000433(RFC 4716/SSH2 public or private key),
Damien Miller44b25042010-07-02 13:35:01 +1000434.Dq PKCS8
djm@openbsd.orgeb0d8e72019-07-15 13:16:29 +0000435(PKCS8 public or private key)
Damien Miller44b25042010-07-02 13:35:01 +1000436or
437.Dq PEM
438(PEM public key).
djm@openbsd.orgeb0d8e72019-07-15 13:16:29 +0000439By default OpenSSH will write newly-generated private keys in its own
440format, but when converting public keys for export the default format is
Damien Miller44b25042010-07-02 13:35:01 +1000441.Dq RFC4716 .
djm@openbsd.orged7bd5d2018-08-08 01:16:01 +0000442Setting a format of
443.Dq PEM
444when generating or updating a supported private key type will cause the
445key to be stored in the legacy PEM private key format.
Damien Miller265d3092005-03-02 12:05:06 +1100446.It Fl N Ar new_passphrase
447Provides the new passphrase.
Damien Miller0a80ca12010-02-27 07:55:05 +1100448.It Fl n Ar principals
449Specify one or more principals (user or host names) to be included in
450a certificate when signing a key.
451Multiple principals may be specified, separated by commas.
452Please see the
453.Sx CERTIFICATES
454section for details.
Damien Miller4e270b02010-04-16 15:56:21 +1000455.It Fl O Ar option
456Specify a certificate option when signing a key.
Damien Miller0a80ca12010-02-27 07:55:05 +1100457This option may be specified multiple times.
jmc@openbsd.org6b848972017-05-02 07:13:31 +0000458See also the
Damien Miller0a80ca12010-02-27 07:55:05 +1100459.Sx CERTIFICATES
jmc@openbsd.org6b848972017-05-02 07:13:31 +0000460section for further details.
djm@openbsd.org130283d2018-01-25 03:34:43 +0000461.Pp
462At present, no standard options are valid for host keys.
Damien Miller4e270b02010-04-16 15:56:21 +1000463The options that are valid for user certificates are:
jmc@openbsd.org6b848972017-05-02 07:13:31 +0000464.Pp
465.Bl -tag -width Ds -compact
Damien Millerc59e2442010-03-22 05:50:31 +1100466.It Ic clear
467Clear all enabled permissions.
468This is useful for clearing the default set of permissions so permissions may
469be added individually.
jmc@openbsd.org6b848972017-05-02 07:13:31 +0000470.Pp
jmc@openbsd.orgd4084cd2017-04-29 06:06:01 +0000471.It Ic critical : Ns Ar name Ns Op Ns = Ns Ar contents
jmc@openbsd.org6b848972017-05-02 07:13:31 +0000472.It Ic extension : Ns Ar name Ns Op Ns = Ns Ar contents
473Includes an arbitrary certificate critical option or extension.
474The specified
djm@openbsd.org249516e2017-04-29 04:12:25 +0000475.Ar name
jmc@openbsd.orgd4084cd2017-04-29 06:06:01 +0000476should include a domain suffix, e.g.\&
djm@openbsd.org249516e2017-04-29 04:12:25 +0000477.Dq name@example.com .
jmc@openbsd.orgd4084cd2017-04-29 06:06:01 +0000478If
djm@openbsd.org249516e2017-04-29 04:12:25 +0000479.Ar contents
480is specified then it is included as the contents of the extension/option
481encoded as a string, otherwise the extension/option is created with no
482contents (usually indicating a flag).
483Extensions may be ignored by a client or server that does not recognise them,
484whereas unknown critical options will cause the certificate to be refused.
jmc@openbsd.org6b848972017-05-02 07:13:31 +0000485.Pp
486.It Ic force-command Ns = Ns Ar command
487Forces the execution of
488.Ar command
489instead of any shell or command specified by the user when
490the certificate is used for authentication.
491.Pp
492.It Ic no-agent-forwarding
493Disable
494.Xr ssh-agent 1
495forwarding (permitted by default).
496.Pp
497.It Ic no-port-forwarding
498Disable port forwarding (permitted by default).
499.Pp
500.It Ic no-pty
501Disable PTY allocation (permitted by default).
502.Pp
503.It Ic no-user-rc
504Disable execution of
505.Pa ~/.ssh/rc
506by
507.Xr sshd 8
508(permitted by default).
509.Pp
510.It Ic no-x11-forwarding
511Disable X11 forwarding (permitted by default).
512.Pp
513.It Ic permit-agent-forwarding
514Allows
515.Xr ssh-agent 1
516forwarding.
517.Pp
518.It Ic permit-port-forwarding
519Allows port forwarding.
520.Pp
521.It Ic permit-pty
522Allows PTY allocation.
523.Pp
524.It Ic permit-user-rc
525Allows execution of
526.Pa ~/.ssh/rc
527by
528.Xr sshd 8 .
529.Pp
djm@openbsd.org130283d2018-01-25 03:34:43 +0000530.It Ic permit-X11-forwarding
jmc@openbsd.org6b848972017-05-02 07:13:31 +0000531Allows X11 forwarding.
532.Pp
533.It Ic source-address Ns = Ns Ar address_list
534Restrict the source addresses from which the certificate is considered valid.
535The
536.Ar address_list
537is a comma-separated list of one or more address/netmask pairs in CIDR
538format.
539.El
Damien Miller265d3092005-03-02 12:05:06 +1100540.It Fl P Ar passphrase
541Provides the (old) passphrase.
Damien Miller32aa1441999-10-29 09:15:49 +1000542.It Fl p
543Requests changing the passphrase of a private key file instead of
Damien Miller450a7a12000-03-26 13:04:51 +1000544creating a new private key.
545The program will prompt for the file
Damien Miller32aa1441999-10-29 09:15:49 +1000546containing the private key, for the old passphrase, and twice for the
547new passphrase.
Damien Miller072fdcd2013-01-20 22:34:04 +1100548.It Fl Q
549Test whether keys have been revoked in a KRL.
Damien Miller32aa1441999-10-29 09:15:49 +1000550.It Fl q
551Silence
552.Nm ssh-keygen .
djm@openbsd.org63bba572018-12-07 03:33:18 +0000553.It Fl R Ar hostname | [hostname]:port
djm@openbsd.org737e4ed2018-12-07 03:32:26 +0000554Removes all keys belonging to the specified
Damien Miller4b42d7f2005-03-01 21:48:35 +1100555.Ar hostname
djm@openbsd.org737e4ed2018-12-07 03:32:26 +0000556(with optional port number)
Damien Miller4c9c6fd2005-03-02 12:03:43 +1100557from a
Damien Miller4b42d7f2005-03-01 21:48:35 +1100558.Pa known_hosts
559file.
Damien Miller4c9c6fd2005-03-02 12:03:43 +1100560This option is useful to delete hashed hosts (see the
Damien Miller4b42d7f2005-03-01 21:48:35 +1100561.Fl H
562option above).
.It Fl r Ar hostname
Print the SSHFP fingerprint resource record named
.Ar hostname
for the specified public key file.
.It Fl S Ar start
Specify start point (in hex) when generating candidate moduli for DH-GEX.
.It Fl s Ar ca_key
Certify (sign) a public key using the specified CA key.
Please see the
.Sx CERTIFICATES
section for details.
.Pp
When generating a KRL,
.Fl s
specifies a path to a CA public key file used to revoke certificates directly
by key ID or serial number.
See the
.Sx KEY REVOCATION LISTS
section for details.
.It Fl T Ar output_file
Test DH group exchange candidate primes (generated using the
.Fl G
option) for safety.
.It Fl t Cm dsa | ecdsa | ed25519 | rsa
Specifies the type of key to create.
The possible values are
.Dq dsa ,
.Dq ecdsa ,
.Dq ed25519 ,
or
.Dq rsa .
.Pp
This flag may also be used to specify the desired signature type when
signing certificates using an RSA CA key.
The available RSA signature variants are
.Dq ssh-rsa
(SHA1 signatures, not recommended),
.Dq rsa-sha2-256 ,
and
.Dq rsa-sha2-512
(the default).
.It Fl U
When used in combination with
.Fl s ,
this option indicates that a CA key resides in a
.Xr ssh-agent 1 .
See the
.Sx CERTIFICATES
section for more information.
.It Fl u
Update a KRL.
When specified with
.Fl k ,
keys listed via the command line are added to the existing KRL rather than
a new KRL being created.
.It Fl V Ar validity_interval
Specify a validity interval when signing a certificate.
A validity interval may consist of a single time, indicating that the
certificate is valid beginning now and expiring at that time, or may consist
of two times separated by a colon to indicate an explicit time interval.
.Pp
The start time may be specified as the string
.Dq always
to indicate the certificate has no specified start time,
a date in YYYYMMDD format, a time in YYYYMMDDHHMM[SS] format,
a relative time (to the current time) consisting of a minus sign followed by
an interval in the format described in the
TIME FORMATS section of
.Xr sshd_config 5 .
.Pp
The end time may be specified as a YYYYMMDD date, a YYYYMMDDHHMM[SS] time,
a relative time starting with a plus character or the string
.Dq forever
to indicate that the certificate has no expiry date.
.Pp
For example:
.Dq +52w1d
(valid from now to 52 weeks and one day from now),
.Dq -4w:+4w
(valid from four weeks ago to four weeks from now),
.Dq 20100101123000:20110101123000
(valid from 12:30 PM, January 1st, 2010 to 12:30 PM, January 1st, 2011),
.Dq -1d:20110101
(valid from yesterday to midnight, January 1st, 2011),
.Dq -1m:forever
(valid from one minute ago and never expiring).
Darren Tucker06930c72003-12-31 11:34:51 +1100649.It Fl v
650Verbose mode.
651Causes
652.Nm
653to print debugging messages about its progress.
654This is helpful for debugging moduli generation.
655Multiple
656.Fl v
657options increase the verbosity.
658The maximum is 3.
Damien Miller265d3092005-03-02 12:05:06 +1100659.It Fl W Ar generator
660Specify desired generator when testing candidate moduli for DH-GEX.
661.It Fl y
662This option will read a private
663OpenSSH format file and print an OpenSSH public key to stdout.
djm@openbsd.org2a9c9f72019-09-03 08:34:19 +0000664.It Fl Y Ar sign
665Cryptographically sign a file or some data using a SSH key.
666When signing,
667.Nm
668accepts zero or more files to sign on the command-line - if no files
669are specified then
670.Nm
671will sign data presented on standard input.
672Signatures are written to the path of the input file with
673.Dq .sig
674appended, or to standard output if the message to be signed was read from
675standard input.
676.Pp
677The key used for signing is specified using the
678.Fl f
679option and may refer to either a private key, or a public key with the private
680half available via
681.Xr ssh-agent 1 .
682An additional signature namespace, used to prevent signature confusion across
683different domains of use (e.g. file signing vs email signing) must be provided
684via the
685.Fl n
686flag.
687Namespaces are arbitrary strings, and may include:
688.Dq file
689for file signing,
690.Dq email
691for email signing.
692For custom uses, it is recommended to use names following a
693NAMESPACE@YOUR.DOMAIN pattern to generate unambiguous namespaces.
694.It Fl Y Ar verify
695Request to verify a signature generated using
696.Nm
697.Fl Y sign
698as described above.
699When verifying a signature,
700.Nm
701accepts a message on standard input and a signature namespace using
702.Fl n .
703A file containing the corresponding signature must also be supplied using the
704.Fl s
705flag, along with the identity of the signer using
706.Fl I
707and a list of allowed signers via the
708.Fl f
709flag.
710The format of the allowed signers file is documented in the
711.Sx ALLOWED SIGNERS
712section below.
713A file containing revoked keys can be passed using the
714.Fl r
715flag. The revocation file may be a KRL or a one-per-line list
716of public keys.
717Successful verification by an authorized signer is signalled by
718.Nm
719returning a zero exit status.
Damien Miller4e270b02010-04-16 15:56:21 +1000720.It Fl z Ar serial_number
721Specifies a serial number to be embedded in the certificate to distinguish
722this certificate from others from the same CA.
djm@openbsd.orgbe063942019-01-23 04:51:02 +0000723If the
724.Ar serial_number
725is prefixed with a
726.Sq +
727character, then the serial number will be incremented for each certificate
728signed on a single command-line.
Damien Miller4e270b02010-04-16 15:56:21 +1000729The default serial number is zero.
Damien Millerf3747bf2013-01-18 11:44:04 +1100730.Pp
731When generating a KRL, the
732.Fl z
733flag is used to specify a KRL version number.
Damien Miller32aa1441999-10-29 09:15:49 +1000734.El
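The following Python is an added worked example, not code from ssh-keygen or from this manual page. It turns a -V validity_interval argument into the (valid_after, valid_before) pair that a certificate carries, handling every form described above: a single time, "start:end", the strings "always" and "forever", YYYYMMDD and YYYYMMDDHHMM[SS] absolute times, and "-"/"+" relative times in the sshd_config(5) TIME FORMATS units. The current time is a parameter so results are reproducible, and absolute times are taken as UTC here, whereas ssh-keygen interprets them in the local time zone. The sentinels 0 and 2^64-1 are the values OpenSSH certificates store for an unbounded interval.

```python
import re
from datetime import datetime, timezone

# Values OpenSSH stores in a certificate for an unbounded interval:
# valid_after = 0 ("always") and valid_before = 2^64 - 1 ("forever").
ALWAYS = 0
FOREVER = 0xFFFFFFFFFFFFFFFF

# Units from the TIME FORMATS section of sshd_config(5); a bare number is seconds.
_UNIT_SECONDS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
_INTERVAL_RE = re.compile(r"(\d+)([smhdw]?)", re.IGNORECASE)


def parse_time_interval(spec):
    """Parse a duration such as '52w1d' or '30m' into a number of seconds."""
    if not spec or not re.fullmatch(r"(\d+[smhdw]?)+", spec, re.IGNORECASE):
        raise ValueError("malformed time interval: %r" % spec)
    return sum(int(qty) * _UNIT_SECONDS[unit.lower()]
               for qty, unit in _INTERVAL_RE.findall(spec))


def parse_absolute_time(spec):
    """Parse YYYYMMDD, YYYYMMDDHHMM or YYYYMMDDHHMMSS into a Unix timestamp.

    Assumption: the time is taken as UTC so the result is reproducible;
    ssh-keygen itself uses the local time zone.
    """
    for fmt in ("%Y%m%d", "%Y%m%d%H%M", "%Y%m%d%H%M%S"):
        try:
            parsed = datetime.strptime(spec, fmt)
        except ValueError:
            continue  # wrong length for this format, try the next one
        return int(parsed.replace(tzinfo=timezone.utc).timestamp())
    raise ValueError("malformed absolute time: %r" % spec)


def parse_validity_interval(spec, now):
    """Turn a -V argument into (valid_after, valid_before) Unix timestamps.

    A single time means "from now until that time"; "start:end" is an
    explicit interval.  The start may be "always", an absolute time or
    "-interval"; the end may be "forever", an absolute time or "+interval".
    """
    if ":" in spec:
        start_spec, end_spec = spec.split(":", 1)
    else:
        start_spec, end_spec = None, spec

    if start_spec is None:
        valid_after = now
    elif start_spec == "always":
        valid_after = ALWAYS
    elif start_spec.startswith("-"):
        valid_after = now - parse_time_interval(start_spec[1:])
    else:
        valid_after = parse_absolute_time(start_spec)

    if end_spec == "forever":
        valid_before = FOREVER
    elif end_spec.startswith("+"):
        valid_before = now + parse_time_interval(end_spec[1:])
    else:
        valid_before = parse_absolute_time(end_spec)

    # An empty or inverted interval is a configuration error, not a
    # certificate that is simply never valid; refuse it as ssh-keygen does.
    if valid_after >= valid_before:
        raise ValueError("empty certificate validity interval: %r" % spec)
    return valid_after, valid_before


def check_validity(valid_after, valid_before, at):
    """True if a certificate with this interval is valid at time 'at':
    not before valid_after and strictly before valid_before."""
    return valid_after <= at < valid_before
```

The five examples from the option description above all parse with this function; the last check shows that a certificate is rejected at exactly its end time, which matters when an end time is given with day granularity (YYYYMMDD), because the certificate then expires at the start of that day, not the end of it.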
.Sh MODULI GENERATION
.Nm
may be used to generate groups for the Diffie-Hellman Group Exchange
(DH-GEX) protocol.
Generating these groups is a two-step process: first, candidate
primes are generated using a fast, but memory-intensive process.
These candidate primes are then tested for suitability (a CPU-intensive
process).
.Pp
Generation of primes is performed using the
.Fl G
option.
The desired length of the primes may be specified by the
.Fl b
option.
For example:
.Pp
.Dl # ssh-keygen -G moduli-2048.candidates -b 2048
.Pp
By default, the search for primes begins at a random point in the
desired length range.
This may be overridden using the
.Fl S
option, which specifies a different start point (in hex).
.Pp
Once a set of candidates has been generated, they must be screened for
suitability.
This may be performed using the
.Fl T
option.
In this mode
.Nm
will read candidates from standard input (or a file specified using the
.Fl f
option).
For example:
.Pp
.Dl # ssh-keygen -T moduli-2048 -f moduli-2048.candidates
.Pp
By default, each candidate will be subjected to 100 primality tests.
This may be overridden using the
.Fl a
option.
The DH generator value will be chosen automatically for the
prime under consideration.
If a specific generator is desired, it may be requested using the
.Fl W
option.
Valid generator values are 2, 3, and 5.
.Pp
Screened DH groups may be installed in
.Pa /etc/moduli .
It is important that this file contains moduli of a range of bit lengths and
that both ends of a connection share common moduli.
.Sh CERTIFICATES
.Nm
supports signing of keys to produce certificates that may be used for
user or host authentication.
Certificates consist of a public key, some identity information, zero or
more principal (user or host) names and a set of options that
are signed by a Certification Authority (CA) key.
Clients or servers may then trust only the CA key and verify its signature
on a certificate rather than trusting many user/host keys.
Note that OpenSSH certificates are a different, and much simpler, format to
the X.509 certificates used in
.Xr ssl 8 .
.Pp
.Nm
supports two types of certificates: user and host.
User certificates authenticate users to servers, whereas host certificates
authenticate server hosts to users.
To generate a user certificate:
.Pp
.Dl $ ssh-keygen -s /path/to/ca_key -I key_id /path/to/user_key.pub
.Pp
The resultant certificate will be placed in
.Pa /path/to/user_key-cert.pub .
A host certificate requires the
.Fl h
option:
.Pp
.Dl $ ssh-keygen -s /path/to/ca_key -I key_id -h /path/to/host_key.pub
.Pp
The host certificate will be output to
.Pa /path/to/host_key-cert.pub .
.Pp
It is possible to sign using a CA key stored in a PKCS#11 token by
providing the token library using
.Fl D
and identifying the CA key by providing its public half as an argument
to
.Fl s :
.Pp
.Dl $ ssh-keygen -s ca_key.pub -D libpkcs11.so -I key_id user_key.pub
.Pp
Similarly, it is possible for the CA key to be hosted in a
.Xr ssh-agent 1 .
This is indicated by the
.Fl U
flag and, again, the CA key must be identified by its public half.
.Pp
.Dl $ ssh-keygen -Us ca_key.pub -I key_id user_key.pub
.Pp
In all cases,
.Ar key_id
is a "key identifier" that is logged by the server when the certificate
is used for authentication.
.Pp
Certificates may be limited to be valid for a set of principal (user/host)
names.
By default, generated certificates are valid for all users or hosts.
To generate a certificate for a specified set of principals:
.Pp
.Dl $ ssh-keygen -s ca_key -I key_id -n user1,user2 user_key.pub
.Dl "$ ssh-keygen -s ca_key -I key_id -h -n host.domain host_key.pub"
.Pp
Additional limitations on the validity and use of user certificates may
be specified through certificate options.
A certificate option may disable features of the SSH session, may be
valid only when presented from particular source addresses or may
force the use of a specific command.
For a list of valid certificate options, see the documentation for the
.Fl O
option above.
.Pp
Finally, certificates may be defined with a validity lifetime.
The
.Fl V
option allows specification of certificate start and end times.
A certificate that is presented at a time outside this range will not be
considered valid.
By default, certificates are valid from
.Ux
Epoch to the distant future.
.Pp
For certificates to be used for user or host authentication, the CA
public key must be trusted by
.Xr sshd 8
or
.Xr ssh 1 .
Please refer to those manual pages for details.
.Sh KEY REVOCATION LISTS
.Nm
is able to manage OpenSSH format Key Revocation Lists (KRLs).
These binary files specify keys or certificates to be revoked using a
compact format, taking as little as one bit per certificate if they are being
revoked by serial number.
.Pp
KRLs may be generated using the
.Fl k
flag.
This option reads one or more files from the command line and generates a new
KRL.
The files may either contain a KRL specification (see below) or public keys,
listed one per line.
Plain public keys are revoked by listing their hash or contents in the KRL and
certificates revoked by serial number or key ID (if the serial is zero or
not available).
.Pp
Revoking keys using a KRL specification offers explicit control over the
types of record used to revoke keys and may be used to directly revoke
certificates by serial number or key ID without having the complete original
certificate on hand.
A KRL specification consists of lines containing one of the following directives
followed by a colon and some directive-specific information.
.Bl -tag -width Ds
.It Cm serial : Ar serial_number Ns Op - Ns Ar serial_number
Revokes a certificate with the specified serial number.
Serial numbers are 64-bit values, not including zero, and may be expressed
in decimal, hex or octal.
If two serial numbers are specified separated by a hyphen, then the range
of serial numbers including and between each is revoked.
The CA key must have been specified on the
.Nm
command line using the
.Fl s
option.
.It Cm id : Ar key_id
Revokes a certificate with the specified key ID string.
The CA key must have been specified on the
.Nm
command line using the
.Fl s
option.
.It Cm key : Ar public_key
Revokes the specified key.
If a certificate is listed, then it is revoked as a plain public key.
.It Cm sha1 : Ar public_key
Revokes the specified key by including its SHA1 hash in the KRL.
.It Cm sha256 : Ar public_key
Revokes the specified key by including its SHA256 hash in the KRL.
KRLs that revoke keys by SHA256 hash are not supported by OpenSSH versions
prior to 7.9.
.It Cm hash : Ar fingerprint
Revokes a key using a fingerprint hash, as obtained from a
.Xr sshd 8
authentication log message or the
.Nm
.Fl l
flag.
Only SHA256 fingerprints are supported here and resultant KRLs are
not supported by OpenSSH versions prior to 7.9.
.El
.Pp
KRLs may be updated using the
.Fl u
flag in addition to
.Fl k .
When this option is specified, keys listed via the command line are merged into
the KRL, adding to those already there.
.Pp
It is also possible, given a KRL, to test whether it revokes a particular key
(or keys).
The
.Fl Q
flag will query an existing KRL, testing each key specified on the command line.
If any key listed on the command line has been revoked (or an error encountered)
then
.Nm
will exit with a non-zero exit status.
A zero exit status will only be returned if no key was revoked.
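As an added example that is not part of ssh-keygen or this manual page, the Python below reads a KRL specification written with the directives above into an in-memory revocation set and answers the same question as the -Q query: is a given certificate serial, key ID or public key revoked? It assumes a single CA, so the serial and id records are not tied to a CA key as they are in a real binary KRL, and its sample keys are constructed base64 blobs, not real keys. Serial numbers follow the decimal/hex/octal rule above using the C strtoull(base 0) convention; the hash: directive is matched by recomputing the OpenSSH-style fingerprint, which is "SHA256:" followed by the unpadded base64 of the SHA256 digest of the key blob.

```python
import base64
import hashlib

MAX_SERIAL = 0xFFFFFFFFFFFFFFFF


def parse_serial(text):
    """Non-zero 64-bit serial in decimal, hex (0x prefix) or octal (leading 0)."""
    t = text.strip().lower()
    if t.startswith("0x"):
        value = int(t[2:], 16)
    elif len(t) > 1 and t.startswith("0"):
        value = int(t, 8)
    else:
        value = int(t, 10)
    if not 0 < value <= MAX_SERIAL:
        raise ValueError("serial number out of range: %r" % text)
    return value


def key_blob(public_key_line):
    """Return the decoded key blob from a 'keytype base64 [comment]' line."""
    parts = public_key_line.split()
    if len(parts) < 2:
        raise ValueError("malformed public key: %r" % public_key_line)
    return base64.b64decode(parts[1], validate=True)


def fingerprint_sha256(public_key_line):
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of the digest."""
    digest = hashlib.sha256(key_blob(public_key_line)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


class KRL:
    """Revocations described by a KRL specification (single-CA assumption)."""

    def __init__(self):
        self.serial_ranges = []   # inclusive (low, high) pairs
        self.key_ids = set()
        self.blobs = set()        # keys revoked by full contents
        self.sha1 = set()         # keys revoked by SHA1 digest of the blob
        self.sha256 = set()       # keys revoked by SHA256 digest (sha256: and hash:)

    def is_serial_revoked(self, serial):
        return any(low <= serial <= high for low, high in self.serial_ranges)

    def is_id_revoked(self, key_id):
        return key_id in self.key_ids

    def is_key_revoked(self, public_key_line):
        blob = key_blob(public_key_line)
        return (blob in self.blobs
                or hashlib.sha1(blob).digest() in self.sha1
                or hashlib.sha256(blob).digest() in self.sha256)


def parse_krl_spec(text):
    """Parse 'directive: value' lines; '#' comments and blank lines are skipped."""
    krl = KRL()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        directive, sep, arg = line.partition(":")
        directive, arg = directive.strip().lower(), arg.strip()
        if not sep or not arg:
            raise ValueError("line %d: expected 'directive: value'" % lineno)
        if directive == "serial":
            low_text, _, high_text = arg.partition("-")
            low = parse_serial(low_text)
            high = parse_serial(high_text) if high_text else low
            if high < low:
                raise ValueError("line %d: inverted serial range" % lineno)
            krl.serial_ranges.append((low, high))
        elif directive == "id":
            krl.key_ids.add(arg)
        elif directive == "key":
            krl.blobs.add(key_blob(arg))
        elif directive == "sha1":
            krl.sha1.add(hashlib.sha1(key_blob(arg)).digest())
        elif directive == "sha256":
            krl.sha256.add(hashlib.sha256(key_blob(arg)).digest())
        elif directive == "hash":
            if not arg.startswith("SHA256:"):
                raise ValueError("line %d: only SHA256 fingerprints are supported" % lineno)
            b64 = arg[len("SHA256:"):]
            krl.sha256.add(base64.b64decode(b64 + "=" * (-len(b64) % 4)))
        else:
            raise ValueError("line %d: unknown directive %r" % (lineno, directive))
    return krl


def query_exit_status(krl, public_key_lines):
    """Mirror -Q: 0 only if none of the keys is revoked, otherwise 1."""
    return 1 if any(krl.is_key_revoked(k) for k in public_key_lines) else 0


def _fake_key(label):
    """Constructed sample 'public key': base64 of arbitrary bytes, not a real key."""
    blob = ("constructed-blob-" + label).encode()
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " " + label


KEY_A, KEY_B, KEY_C, KEY_D = (_fake_key(n) for n in ("alpha", "bravo", "charlie", "delta"))

# Constructed KRL specification exercising every directive; KEY_D is never revoked.
KRL_SPEC_EXAMPLE = "\n".join([
    "# constructed example data, not from any real deployment",
    "serial: 10-20",
    "serial: 0x100",
    "serial: 077",
    "id: build-bot-2019",
    "sha256: " + KEY_A,
    "key: " + KEY_B,
    "hash: " + fingerprint_sha256(KEY_C),
])
```

Note that "077" is octal 63, not decimal 77: a revocation list written by hand with zero-padded serials revokes different certificates from the ones intended, which is why the parser follows the C convention exactly rather than guessing.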
.Sh ALLOWED SIGNERS
When verifying signatures,
.Nm
uses a simple list of identities and keys to determine whether a signature
comes from an authorized source.
This "allowed signers" file uses a format patterned after the
AUTHORIZED_KEYS FILE FORMAT described in
.Xr sshd 8 .
Each line of the file contains the following space-separated fields:
principals, options, keytype, base64-encoded key.
Empty lines and lines starting with a
.Ql #
are ignored as comments.
.Pp
The principals field is a pattern-list (see PATTERNS in
.Xr ssh_config 5 )
consisting of one or more comma-separated USER@DOMAIN identity patterns
that are accepted for signing.
When verifying, the identity presented via the
.Fl I
option
must match a principals pattern in order for the corresponding key to be
considered acceptable for verification.
.Pp
The options (if present) consist of comma-separated option specifications.
No spaces are permitted, except within double quotes.
The following option specifications are supported (note that option keywords
are case-insensitive):
.Bl -tag -width Ds
.It Cm cert-authority
Indicates that this key is accepted as a certificate authority (CA) and
that certificates signed by this CA may be accepted for verification.
.It Cm namespaces="namespace-list"
Specifies a pattern-list of namespaces that are accepted for this key.
If this option is present, the signature namespace embedded in the
signature object and presented on the verification command-line must
match the specified list before the key will be considered acceptable.
.El
.Pp
When verifying signatures made by certificates, the expected principal
name must match both the principals pattern in the allowed signers file and
the principals embedded in the certificate itself.
.Pp
An example allowed signers file:
.Bd -literal -offset 3n
# Comments allowed at start of line
user1@example.com,user2@example.com ssh-rsa AAAAX1...
# A certificate authority, trusted for all principals in a domain.
*@example.com cert-authority ssh-ed25519 AAAB4...
# A key that is accepted only for file signing.
user2@example.com namespaces="file" ssh-ed25519 AAA41...
.Ed
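The Python below is an added example, not code from ssh-keygen or this manual page. It parses the allowed signers format described in this section and applies the policy rules given above: the -I identity must match the principals pattern-list (with the PATTERNS semantics of ssh_config(5), including "!" negation), a namespaces= restriction must accept the -n namespace, and for certificate-signed signatures the identity must also be one of the principals embedded in the certificate. It does not verify the signature itself; ssh-keygen -Y verify does that after selecting candidate keys. The sample file is the one shown above; the key types are told apart from the optional options field by their "ssh-", "ecdsa-" and "sk-" prefixes, which is this example's own simplification.

```python
import re
from collections import namedtuple

AllowedSigner = namedtuple("AllowedSigner", "principals options keytype key")

# The options field is optional, so it is told apart from the key by checking
# whether the next token looks like an OpenSSH key type (this example's rule).
_KEYTYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")

# The example allowed signers file from the manual page.
ALLOWED_SIGNERS_EXAMPLE = """\
# Comments allowed at start of line
user1@example.com,user2@example.com ssh-rsa AAAAX1...
# A certificate authority, trusted for all principals in a domain.
*@example.com cert-authority ssh-ed25519 AAAB4...
# A key that is accepted only for file signing.
user2@example.com namespaces="file" ssh-ed25519 AAA41...
"""


def match_pattern(pattern, value):
    """ssh-style glob: '*' matches any run of characters, '?' exactly one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def match_pattern_list(patterns, value):
    """PATTERNS semantics: a matching '!'-negated pattern rejects the value
    outright; otherwise any positive match accepts it."""
    accepted = False
    for pattern in patterns:
        if pattern.startswith("!"):
            if match_pattern(pattern[1:], value):
                return False
        elif match_pattern(pattern, value):
            accepted = True
    return accepted


def parse_options(text):
    """Parse cert-authority and namespaces="..."; keywords are case-insensitive
    and commas inside double quotes do not split the list."""
    options = {"cert-authority": False, "namespaces": None}
    items, current, quoted = [], "", False
    for ch in text + ",":
        if ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            items.append(current)
            current = ""
        else:
            current += ch
    if quoted:
        raise ValueError("unbalanced quotes in options: %r" % text)
    for item in filter(None, items):
        keyword, _, value = item.partition("=")
        keyword = keyword.lower()
        if keyword == "cert-authority" and not value:
            options["cert-authority"] = True
        elif keyword == "namespaces" and value:
            options["namespaces"] = value.split(",")
        else:
            raise ValueError("unsupported option: %r" % item)
    return options


def _split_options(rest):
    """Separate the options field from the key, honouring spaces in quotes."""
    quoted = False
    for i, ch in enumerate(rest):
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            return rest[:i], rest[i:].strip()
    raise ValueError("missing key after options: %r" % rest)


def parse_allowed_signers(text):
    """Parse an allowed signers file into AllowedSigner records."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"(\S+)\s+(.*)$", line)
        if not m:
            raise ValueError("line %d: too few fields" % lineno)
        principals, rest = m.group(1).split(","), m.group(2)
        options = ""
        if not rest.startswith(_KEYTYPE_PREFIXES):
            options, rest = _split_options(rest)
        fields = rest.split(None, 2)  # keytype, base64 key, optional comment
        if len(fields) < 2 or not fields[0].startswith(_KEYTYPE_PREFIXES):
            raise ValueError("line %d: expected keytype and key" % lineno)
        entries.append(AllowedSigner(principals, parse_options(options), fields[0], fields[1]))
    return entries


def find_allowed_keys(entries, identity, namespace):
    """Entries whose principals accept the -I identity and whose namespaces
    restriction, if any, accepts the -n namespace."""
    return [e for e in entries
            if match_pattern_list(e.principals, identity)
            and (e.options["namespaces"] is None
                 or match_pattern_list(e.options["namespaces"], namespace))]


def cert_principal_accepted(entry, identity, cert_principals):
    """For a certificate-signed signature the identity must match the entry's
    principals AND be a principal embedded in the certificate."""
    return (entry.options["cert-authority"]
            and match_pattern_list(entry.principals, identity)
            and identity in cert_principals)
```

With the example file, user2@example.com is a candidate signer for the "file" namespace under all three lines but only under the first two for "email", while an identity outside example.com matches nothing; the certificate check shows that a wildcard CA entry still does not vouch for an identity the certificate itself does not name.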
.Sh FILES
.Bl -tag -width Ds -compact
.It Pa ~/.ssh/id_dsa
.It Pa ~/.ssh/id_ecdsa
.It Pa ~/.ssh/id_ed25519
.It Pa ~/.ssh/id_rsa
Contains the DSA, ECDSA, Ed25519 or RSA
authentication identity of the user.
This file should not be readable by anyone but the user.
It is possible to
specify a passphrase when generating the key; that passphrase will be
used to encrypt the private part of this file using 128-bit AES.
This file is not automatically accessed by
.Nm
but it is offered as the default file for the private key.
.Xr ssh 1
will read this file when a login attempt is made.
.Pp
.It Pa ~/.ssh/id_dsa.pub
.It Pa ~/.ssh/id_ecdsa.pub
.It Pa ~/.ssh/id_ed25519.pub
.It Pa ~/.ssh/id_rsa.pub
Contains the DSA, ECDSA, Ed25519 or RSA
public key for authentication.
The contents of this file should be added to
.Pa ~/.ssh/authorized_keys
on all machines
where the user wishes to log in using public key authentication.
There is no need to keep the contents of this file secret.
.Pp
.It Pa /etc/moduli
Contains Diffie-Hellman groups used for DH-GEX.
The file format is described in
.Xr moduli 5 .
.El
.Sh SEE ALSO
.Xr ssh 1 ,
.Xr ssh-add 1 ,
.Xr ssh-agent 1 ,
.Xr moduli 5 ,
.Xr sshd 8
.Rs
.%R RFC 4716
.%T "The Secure Shell (SSH) Public Key File Format"
.%D 2006
.Re
.Sh AUTHORS
OpenSSH is a derivative of the original and free
ssh 1.2.12 release by Tatu Ylonen.
Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos,
Theo de Raadt and Dug Song
removed many bugs, re-added newer features and
created OpenSSH.
Markus Friedl contributed the support for SSH
protocol versions 1.5 and 2.0.