What does the -k flag of 'ssh-keygen' do?



According to the ssh-keygen manual, the -k flag generates some kind of KRL file. What are these KRL files? And when using this flag, how do I specify where the KRL is written?

According to the FreeBSD man page (BSD General Commands Manual):

KEY REVOCATION LISTS

ssh-keygen is able to manage OpenSSH format Key Revocation Lists (KRLs). These binary files specify keys or certificates to be revoked using a compact format, taking as little as one bit per certificate if the KRL is being used to revoke certificates by serial number.

KRLs may be generated using the -k flag. This option reads one or more files from the command line and generates a new KRL. The files may either contain a KRL specification (see below) or public keys, listed one per line. Plain public keys are revoked by listing their hash or contents in the KRL and certificates revoked by serial number or key ID (if the serial is zero or not available).

Revoking keys using a KRL specification offers explicit control over the types of record used to revoke keys and may be used to directly revoke certificates by serial number or key ID without having the complete original certificate on hand. A KRL specification consists of lines containing one of the following directives followed by a colon and some directive-specific information.

serial: serial_number[-serial_number]
    Revokes a certificate with the specified serial number. Serial numbers are 64-bit values, not including zero and may be expressed in decimal, hex or octal. If two serial numbers are specified separated by a hyphen, then the range of serial numbers including and between each is revoked. The CA key must have been specified on the ssh-keygen command line using the -s option.

id: key_id
    Revokes a certificate with the specified key ID string. The CA key must have been specified on the ssh-keygen command line using the -s option.

key: public_key
    Revokes the specified key. If a certificate is listed, then it is revoked as a plain public key.

sha1: public_key
    Revokes the specified key by its SHA1 hash.

KRLs may be updated using the -u flag in addition to -k. When this option is specified, keys listed via the command line are merged into the KRL, adding to those already there.

It is also possible, given a KRL, to test whether it revokes a particular key (or keys). The -Q flag will query an existing KRL, testing each key specified on the command line. If any key listed on the command line has been revoked (or an error encountered) then ssh-keygen will exit with a non-zero exit status. A zero exit status will only be returned if no key was revoked.

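A worked run of the flags quoted above, added here as an example (it is not from the original answer or from the OpenSSH project): it writes a KRL specification that revokes a certificate by serial number, builds the KRL at a location chosen with -f, queries it with -Q, and merges a plain key into it with -u. It assumes OpenSSH's ssh-keygen is on PATH; every key name, serial number and path is constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the original answer: build, query and update
# an OpenSSH KRL. Assumes ssh-keygen is on PATH; all names are constructed.
set -eu

krl_demo() {
    command -v ssh-keygen >/dev/null 2>&1 || return 2   # tool not installed
    work=$(mktemp -d)
    krl="$work/revoked.krl"          # -f selects where the KRL is written

    # A CA that signs the certificates. -s names its public key so the
    # KRL can revoke by serial number or key ID without the certificate.
    ssh-keygen -q -t ed25519 -N '' -f "$work/ca" -C demo-ca
    ssh-keygen -q -t ed25519 -N '' -f "$work/alice" -C alice
    ssh-keygen -q -t ed25519 -N '' -f "$work/bob" -C bob
    ssh-keygen -q -s "$work/ca" -I alice-cert -n alice -z 1001 "$work/alice.pub"
    ssh-keygen -q -s "$work/ca" -I bob-cert -n bob -z 1002 "$work/bob.pub"

    # KRL specification: one directive per line; '#' starts a comment.
    cat >"$work/spec.txt" <<EOF
# revoke alice's certificate by serial number only
serial: 1001
EOF
    ssh-keygen -q -k -f "$krl" -s "$work/ca.pub" "$work/spec.txt"

    # -Q exits non-zero if any listed key is revoked, zero otherwise.
    if ssh-keygen -Q -f "$krl" "$work/alice-cert.pub" >/dev/null; then
        return 1   # expected the certificate with serial 1001 to be revoked
    fi
    ssh-keygen -Q -f "$krl" "$work/bob-cert.pub" >/dev/null || return 1
    ssh-keygen -Q -f "$krl" "$work/bob.pub" >/dev/null || return 1

    # -u merges more keys into the existing KRL: revoke bob's plain key.
    ssh-keygen -q -k -u -f "$krl" "$work/bob.pub"
    if ssh-keygen -Q -f "$krl" "$work/bob.pub" >/dev/null; then
        return 1   # expected bob's plain public key to be revoked now
    fi
    rm -rf "$work"
    return 0
}

krl_demo && echo "KRL built, queried and updated as described"
```

Exit status 2 from krl_demo means ssh-keygen was not found; 1 means one of the -Q checks did not behave as the man page states.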