ssh-keygen is able to manage OpenSSH format Key Revocation Lists (KRLs). These binary files specify keys or certificates to be revoked using a compact format, taking as little as one bit per certificate if they are being revoked by serial number.
KRLs may be generated using the -k flag, with the output KRL file named by the -f flag. This option reads one or more files from the command line and generates a new KRL. The files may either contain a KRL specification (see below) or public keys, listed one per line. Plain public keys are revoked by listing their hash or contents in the KRL; certificates are revoked by serial number, or by key ID if the serial is zero or not available.
Revoking keys using a KRL specification offers explicit control over the types of record used to revoke keys and may be used to directly revoke certificates by serial number or key ID without having the complete original certificate on hand. A KRL specification consists of lines containing one of the following directives followed by a colon and some directive-specific information. Blank lines and lines beginning with # are ignored.
serial: serial_number[-serial_number]
Revokes a certificate with the specified serial number. Serial numbers are 64-bit values, not including zero, and may be expressed in decimal, hex or octal. If two serial numbers are specified separated by a hyphen, then the range of serial numbers including and between each is revoked. The CA key must have been specified on the ssh-keygen command line using the -s option. A serial-number record only matches certificates issued by that CA; the public key carried inside a revoked certificate remains usable wherever it is trusted directly (for example, from authorized_keys) unless it is also revoked with one of the key, sha1, sha256 or hash directives.
id: key_id
Revokes a certificate with the specified key ID string. The CA key must have been specified on the ssh-keygen command line using the -s option.
key: public_key
Revokes the specified key. If a certificate is listed, then it is revoked as a plain public key.
sha1: public_key
Revokes the specified key by including its SHA1 hash in the KRL.
sha256: public_key
Revokes the specified key by including its SHA256 hash in the KRL. KRLs that revoke keys by SHA256 hash are not supported by OpenSSH versions prior to 7.9.
hash: fingerprint
Revokes a key using a fingerprint hash, as obtained from a sshd(8) authentication log message or the ssh-keygen -l flag. Only SHA256 fingerprints are supported here and resultant KRLs are not supported by OpenSSH versions prior to 7.9.
KRLs may be updated using the -u flag in addition to -k. When this option is specified, keys listed via the command line are merged into the existing KRL named by -f, adding to those already there.
It is also possible, given a KRL, to test whether it revokes a particular key (or keys). The -Q flag will query the existing KRL named by -f, testing each key specified on the command line and printing, for each, its file name followed by ok or REVOKED. If any key listed on the command line has been revoked (or an error encountered) then ssh-keygen will exit with a non-zero exit status. A zero exit status will only be returned if no key was revoked and no error occurred. Because a revoked key and an error share the non-zero status, scripts should check the per-key output rather than the exit status alone.
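The whole workflow above, as an added example that is not part of the ssh-keygen(1) manual or of OpenSSH: a POSIX shell script that builds a throwaway CA and two user keys, signs one key into a certificate with serial 42, revokes that certificate by serial (plus a key ID that was never issued) from a KRL specification, queries the KRL with -Q, and then merges a plain public key with -u. The key names, key IDs, principal, serial numbers and file names (ca, alice, bob, revoked.krl, revoke.spec, 42, legacy-build-key) are assumptions chosen for the demo; ssh-keygen and mktemp must be installed.

```shell
#!/bin/sh
# Added example, not from the ssh-keygen(1) manual: a self-contained walk through
# generating a KRL from a specification, querying it with -Q and merging new
# entries with -u. All file names, key IDs and serials are demo assumptions.
set -eu

# Query KRL $1 for the key or certificate file $2 and print one word:
# "revoked", "ok" or "error". ssh-keygen -Q exits non-zero both for a revoked
# key and for a failure (unreadable key, missing KRL), so the exit status alone
# cannot tell them apart; the ": REVOKED" / ": ok" suffix of its output can.
krl_status() {
    if out=$(ssh-keygen -Q -f "$1" "$2" 2>/dev/null); then
        echo ok
    else
        case "$out" in
            *": REVOKED") echo revoked ;;
            *)            echo error ;;
        esac
    fi
}

# Build a throwaway CA, two user keys and one certificate (serial 42) in a
# scratch directory, then exercise the KRL workflow. Prints five -Q results on
# one line, in order: alice-cert.pub, alice.pub, bob.pub (before -u), then
# bob.pub and alice-cert.pub again (after -u).
krl_demo() (
    work=$(mktemp -d)
    cd "$work"
    ssh-keygen -q -t ed25519 -N '' -C demo-ca -f ca
    ssh-keygen -q -t ed25519 -N '' -C alice@example -f alice
    ssh-keygen -q -t ed25519 -N '' -C bob@example -f bob
    # Sign alice's key: key ID "alice", principal "alice", serial 42.
    # ssh-keygen writes the certificate to alice-cert.pub.
    ssh-keygen -q -s ca -I alice -n alice -z 42 alice.pub

    # KRL specification (constructed): serial 42 falls inside the 40-45 range,
    # and the id: line revokes a certificate we never had on hand. Both record
    # types need the CA public key, hence -s ca.pub when generating.
    cat > revoke.spec <<'EOF'
# demo KRL specification
serial: 40-45
id: legacy-build-key
EOF
    ssh-keygen -q -k -f revoked.krl -s ca.pub revoke.spec

    # The certificate is revoked, but the plain key inside it is not: a serial
    # record matches certificates only. bob's key is untouched so far.
    before="$(krl_status revoked.krl alice-cert.pub) $(krl_status revoked.krl alice.pub) $(krl_status revoked.krl bob.pub)"

    # -u merges bob's plain public key into the existing KRL (no -s needed,
    # since a plain key is revoked by its hash or contents, not by a CA).
    ssh-keygen -q -k -u -f revoked.krl bob.pub
    after="$(krl_status revoked.krl bob.pub) $(krl_status revoked.krl alice-cert.pub)"

    cd / && rm -rf "$work"
    echo "$before $after"
)

# Run the walkthrough when executed directly.
if command -v ssh-keygen >/dev/null 2>&1; then
    echo "alice-cert alice bob | bob alice-cert: $(krl_demo)"
fi
```

Run it with sh; the result line is "revoked ok ok revoked revoked". The middle "ok" is the point worth remembering: the plain key alice.pub is still accepted by a KRL that only revokes its certificate's serial, so a key that is also listed directly in authorized_keys must be revoked by key, sha1, sha256 or hash as well.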