Problem description
According to the ssh-keygen manual, the -k flag generates KRL files. What are these KRL files, and how do I specify the KRL location when using this flag?
Solution
According to the FreeBSD manual page (BSD General Commands Manual):
KEY REVOCATION LISTS
ssh-keygen is able to manage OpenSSH format Key Revocation Lists (KRLs). These binary files specify keys or certificates to be revoked using a compact format, taking as little as one bit per certificate if they are being revoked by serial number.
KRLs may be generated using the -k flag. This option reads one or more files from the command line and generates a new KRL. The files may either contain a KRL specification (see below) or public keys, listed one per line. Plain public keys are revoked by listing their hash or contents in the KRL, and certificates are revoked by serial number or key ID (if the serial is zero or not available).
Revoking keys using a KRL specification offers explicit control over the types of record used to revoke keys and may be used to directly revoke certificates by serial number or key ID without having the complete original certificate on hand. A KRL specification consists of lines containing one of the following directives followed by a colon and some directive-specific information.
serial: serial_number[-serial_number]
Revokes a certificate with the specified serial number. Serial numbers are 64-bit values, not including zero, and may be expressed in decimal, hex or octal. If two serial numbers are specified separated by a hyphen, then the range of serial numbers including and between each is revoked. The CA key must have been specified on the ssh-keygen command line using the -s option.
id: key_id
Revokes a certificate with the specified key ID string. The CA key must have been specified on the ssh-keygen command line using the -s option.
key: public_key
Revokes the specified key. If a certificate is listed, then it is revoked as a plain public key.
sha1: public_key
Revokes the specified key by its SHA1 hash.
KRLs may be updated using the -u flag in addition to -k. When this option is specified, keys listed via the command line are merged into the KRL, adding to those already there.
It is also possible, given a KRL, to test whether it revokes a particular key (or keys). The -Q flag will query an existing KRL, testing each key specified on the command line. If any key listed on the command line has been revoked (or an error encountered) then ssh-keygen will exit with a non-zero exit status. A zero exit status will only be returned if no key was revoked.
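The whole workflow from the manual page above, as an added example that is not part of the original answer: a throwaway CA signs a certificate with serial 42, a KRL specification revokes that serial plus one plain public key, -u merges a further key in, and -Q checks each key. It assumes OpenSSH's ssh-keygen is on PATH; the key names (ca, alice, bob, carol) are constructed for the demo.

```shell
#!/bin/sh
# Added example: generate, update and query an OpenSSH KRL with ssh-keygen.
set -eu

# Returns 0 when -Q reports the key as revoked (ssh-keygen exits non-zero).
# Note the manual's caveat: a non-zero exit also covers errors such as an
# unreadable KRL, so an unexpected "revoked" result deserves a second look.
is_revoked() {
    if ssh-keygen -Q -f "$1" "$2" >/dev/null 2>&1; then return 1; else return 0; fi
}

krl_demo() {
    work=$(mktemp -d)
    trap 'rm -rf "$work"' EXIT

    # Throwaway CA and three user keys (no passphrase; demo material only)
    for n in ca alice bob carol; do
        ssh-keygen -q -t ed25519 -N '' -C "$n" -f "$work/$n"
    done

    # Issue alice a certificate with serial 42; -z sets the serial the KRL will name.
    ssh-keygen -q -s "$work/ca" -I alice-cert -n alice -z 42 "$work/alice.pub"

    # KRL specification: one "serial:" directive and one "key:" directive
    cat > "$work/revoke.spec" <<EOF
serial: 42
key: $(cat "$work/bob.pub")
EOF

    # -k builds the KRL; -f is the output location; -s names the CA public key
    # so the serial directive is attached to the right CA.
    ssh-keygen -k -f "$work/revoked.krl" -s "$work/ca.pub" "$work/revoke.spec"

    is_revoked "$work/revoked.krl" "$work/alice-cert.pub" || return 1  # by serial
    is_revoked "$work/revoked.krl" "$work/bob.pub" || return 1         # plain key
    ! is_revoked "$work/revoked.krl" "$work/carol.pub" || return 1     # still valid

    # -u merges additional keys into the existing KRL instead of rebuilding it
    ssh-keygen -k -u -f "$work/revoked.krl" "$work/carol.pub"
    is_revoked "$work/revoked.krl" "$work/carol.pub" || return 1
    return 0
}
```

Point sshd at the resulting file with the RevokedKeys option to have it consulted at authentication time.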