ssh-keygen.1 (294328) | ssh-keygen.1 (294332) |
---|---|
1.\" $OpenBSD: ssh-keygen.1,v 1.122 2014/03/31 13:39:34 jmc Exp $ | 1.\" $OpenBSD: ssh-keygen.1,v 1.125 2015/02/24 15:24:05 naddy Exp $ |
2.\" 3.\" Author: Tatu Ylonen <ylo@cs.hut.fi> 4.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 5.\" All rights reserved 6.\" 7.\" As far as I am concerned, the code I have written for this software 8.\" can be used freely for any purpose. Any derived versions of this 9.\" software must be clearly marked as such, and if the derived work is --- 20 unchanged lines hidden (view full) --- 30.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 31.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 32.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 33.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 34.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 35.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 36.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 37.\" | 2.\" 3.\" Author: Tatu Ylonen <ylo@cs.hut.fi> 4.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 5.\" All rights reserved 6.\" 7.\" As far as I am concerned, the code I have written for this software 8.\" can be used freely for any purpose. Any derived versions of this 9.\" software must be clearly marked as such, and if the derived work is --- 20 unchanged lines hidden (view full) --- 30.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 31.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 32.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 33.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 34.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 35.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 36.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 37.\" |
38.Dd $Mdocdate: March 31 2014 $ | 38.Dd $Mdocdate: February 24 2015 $ |
39.Dt SSH-KEYGEN 1 40.Os 41.Sh NAME 42.Nm ssh-keygen 43.Nd authentication key generation, management and conversion 44.Sh SYNOPSIS 45.Bk -words 46.Nm ssh-keygen --- 21 unchanged lines hidden (view full) --- 68.Op Fl f Ar input_keyfile 69.Nm ssh-keygen 70.Fl c 71.Op Fl P Ar passphrase 72.Op Fl C Ar comment 73.Op Fl f Ar keyfile 74.Nm ssh-keygen 75.Fl l | 39.Dt SSH-KEYGEN 1 40.Os 41.Sh NAME 42.Nm ssh-keygen 43.Nd authentication key generation, management and conversion 44.Sh SYNOPSIS 45.Bk -words 46.Nm ssh-keygen --- 21 unchanged lines hidden (view full) --- 68.Op Fl f Ar input_keyfile 69.Nm ssh-keygen 70.Fl c 71.Op Fl P Ar passphrase 72.Op Fl C Ar comment 73.Op Fl f Ar keyfile 74.Nm ssh-keygen 75.Fl l |
76.Op Fl v 77.Op Fl E Ar fingerprint_hash |
|
76.Op Fl f Ar input_keyfile 77.Nm ssh-keygen 78.Fl B 79.Op Fl f Ar input_keyfile 80.Nm ssh-keygen 81.Fl D Ar pkcs11 82.Nm ssh-keygen 83.Fl F Ar hostname --- 51 unchanged lines hidden (view full) --- 135.Ar 136.Ek 137.Sh DESCRIPTION 138.Nm 139generates, manages and converts authentication keys for 140.Xr ssh 1 . 141.Nm 142can create RSA keys for use by SSH protocol version 1 and | 78.Op Fl f Ar input_keyfile 79.Nm ssh-keygen 80.Fl B 81.Op Fl f Ar input_keyfile 82.Nm ssh-keygen 83.Fl D Ar pkcs11 84.Nm ssh-keygen 85.Fl F Ar hostname --- 51 unchanged lines hidden (view full) --- 137.Ar 138.Ek 139.Sh DESCRIPTION 140.Nm 141generates, manages and converts authentication keys for 142.Xr ssh 1 . 143.Nm 144can create RSA keys for use by SSH protocol version 1 and |
143DSA, ECDSA, ED25519 or RSA keys for use by SSH protocol version 2. | 145DSA, ECDSA, Ed25519 or RSA keys for use by SSH protocol version 2. |
144The type of key to be generated is specified with the 145.Fl t 146option. 147If invoked without any arguments, 148.Nm 149will generate an RSA key for use in SSH protocol 2 connections. 150.Pp 151.Nm --- 94 unchanged lines hidden (view full) --- 246Generally, 2048 bits is considered sufficient. 247DSA keys must be exactly 1024 bits as specified by FIPS 186-2. 248For ECDSA keys, the 249.Fl b 250flag determines the key length by selecting from one of three elliptic 251curve sizes: 256, 384 or 521 bits. 252Attempting to use bit lengths other than these three values for ECDSA keys 253will fail. | 146The type of key to be generated is specified with the 147.Fl t 148option. 149If invoked without any arguments, 150.Nm 151will generate an RSA key for use in SSH protocol 2 connections. 152.Pp 153.Nm --- 94 unchanged lines hidden (view full) --- 248Generally, 2048 bits is considered sufficient. 249DSA keys must be exactly 1024 bits as specified by FIPS 186-2. 250For ECDSA keys, the 251.Fl b 252flag determines the key length by selecting from one of three elliptic 253curve sizes: 256, 384 or 521 bits. 254Attempting to use bit lengths other than these three values for ECDSA keys 255will fail. |
254ED25519 keys have a fixed length and the | 256Ed25519 keys have a fixed length and the |
255.Fl b 256flag will be ignored. 257.It Fl C Ar comment 258Provides a new comment. 259.It Fl c 260Requests changing the comment in the private and public key files. 261This operation is only supported for RSA1 keys. 262The program will prompt for the file containing the private keys, for 263the passphrase if the key has one, and for the new comment. 264.It Fl D Ar pkcs11 265Download the RSA public keys provided by the PKCS#11 shared library 266.Ar pkcs11 . 267When used in combination with 268.Fl s , 269this option indicates that a CA key resides in a PKCS#11 token (see the 270.Sx CERTIFICATES 271section for details). | 257.Fl b 258flag will be ignored. 259.It Fl C Ar comment 260Provides a new comment. 261.It Fl c 262Requests changing the comment in the private and public key files. 263This operation is only supported for RSA1 keys. 264The program will prompt for the file containing the private keys, for 265the passphrase if the key has one, and for the new comment. 266.It Fl D Ar pkcs11 267Download the RSA public keys provided by the PKCS#11 shared library 268.Ar pkcs11 . 269When used in combination with 270.Fl s , 271this option indicates that a CA key resides in a PKCS#11 token (see the 272.Sx CERTIFICATES 273section for details). |
274.It Fl E Ar fingerprint_hash 275Specifies the hash algorithm used when displaying key fingerprints. 276Valid options are: 277.Dq md5 278and 279.Dq sha256 . 280The default is 281.Dq sha256 . |
|
272.It Fl e 273This option will read a private or public OpenSSH key file and 274print to stdout the key in one of the formats specified by the 275.Fl m 276option. 277The default export format is 278.Dq RFC4716 . 279This option allows exporting OpenSSH keys for use by other programs, including --- 518 unchanged lines hidden (view full) --- 798on all machines 799where the user wishes to log in using RSA authentication. 800There is no need to keep the contents of this file secret. 801.Pp 802.It Pa ~/.ssh/id_dsa 803.It Pa ~/.ssh/id_ecdsa 804.It Pa ~/.ssh/id_ed25519 805.It Pa ~/.ssh/id_rsa | 282.It Fl e 283This option will read a private or public OpenSSH key file and 284print to stdout the key in one of the formats specified by the 285.Fl m 286option. 287The default export format is 288.Dq RFC4716 . 289This option allows exporting OpenSSH keys for use by other programs, including --- 518 unchanged lines hidden (view full) --- 808on all machines 809where the user wishes to log in using RSA authentication. 810There is no need to keep the contents of this file secret. 811.Pp 812.It Pa ~/.ssh/id_dsa 813.It Pa ~/.ssh/id_ecdsa 814.It Pa ~/.ssh/id_ed25519 815.It Pa ~/.ssh/id_rsa |
806Contains the protocol version 2 DSA, ECDSA, ED25519 or RSA | 816Contains the protocol version 2 DSA, ECDSA, Ed25519 or RSA |
807authentication identity of the user. 808This file should not be readable by anyone but the user. 809It is possible to 810specify a passphrase when generating the key; that passphrase will be 811used to encrypt the private part of this file using 128-bit AES. 812This file is not automatically accessed by 813.Nm 814but it is offered as the default file for the private key. 815.Xr ssh 1 816will read this file when a login attempt is made. 817.Pp 818.It Pa ~/.ssh/id_dsa.pub 819.It Pa ~/.ssh/id_ecdsa.pub 820.It Pa ~/.ssh/id_ed25519.pub 821.It Pa ~/.ssh/id_rsa.pub | 817authentication identity of the user. 818This file should not be readable by anyone but the user. 819It is possible to 820specify a passphrase when generating the key; that passphrase will be 821used to encrypt the private part of this file using 128-bit AES. 822This file is not automatically accessed by 823.Nm 824but it is offered as the default file for the private key. 825.Xr ssh 1 826will read this file when a login attempt is made. 827.Pp 828.It Pa ~/.ssh/id_dsa.pub 829.It Pa ~/.ssh/id_ecdsa.pub 830.It Pa ~/.ssh/id_ed25519.pub 831.It Pa ~/.ssh/id_rsa.pub |
822Contains the protocol version 2 DSA, ECDSA, ED25519 or RSA | 832Contains the protocol version 2 DSA, ECDSA, Ed25519 or RSA |
823public key for authentication. 824The contents of this file should be added to 825.Pa ~/.ssh/authorized_keys 826on all machines 827where the user wishes to log in using public key authentication. 828There is no need to keep the contents of this file secret. 829.Pp 830.It Pa /etc/moduli --- 24 unchanged lines hidden --- | 833public key for authentication. 834The contents of this file should be added to 835.Pa ~/.ssh/authorized_keys 836on all machines 837where the user wishes to log in using public key authentication. 838There is no need to keep the contents of this file secret. 839.Pp 840.It Pa /etc/moduli --- 24 unchanged lines hidden --- |
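
Review bot: The new `-E fingerprint_hash` entry (new lines 274-281) says only that it applies "when displaying key fingerprints" and never names the modes that honour it, while the synopsis hunk (new lines 76-77) adds `-E` to the `-l` form alone. Suggest cross-referencing `-l` from the `-E` text, or listing every mode that prints a fingerprint, so the two places agree. The entry also gives sha256 as the default without saying what to do when the fingerprint being compared was recorded with the other hash; one sentence pointing to `-E md5` for that case would help anyone verifying a key out of band.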
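
Review bot: Style point on the ED25519 to Ed25519 respelling at old lines 143, 254, 806 and 822: the regions collapsed in this view (94 and 518 unchanged lines) are by definition untouched, so any "ED25519" in prose there still carries the old spelling. Worth a grep over the whole file before committing so the page ends up with one spelling throughout. The lowercase `ed25519` in the `~/.ssh/id_ed25519` and `~/.ssh/id_ed25519.pub` path names is rightly left as it is.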