ssh-keygen.1 (69587) | ssh-keygen.1 (76259) |
---|---|
1.\" $OpenBSD: ssh-keygen.1,v 1.40 2001/04/23 21:57:07 markus Exp $ 2.\" |
|
1.\" -*- nroff -*- 2.\" 3.\" Author: Tatu Ylonen <ylo@cs.hut.fi> 4.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 5.\" All rights reserved 6.\" 7.\" As far as I am concerned, the code I have written for this software 8.\" can be used freely for any purpose. Any derived versions of this 9.\" software must be clearly marked as such, and if the derived work is 10.\" incompatible with the protocol description in the RFC file, it must be 11.\" called by a name other than "ssh" or "Secure Shell". 12.\" 13.\" | 3.\" -*- nroff -*- 4.\" 5.\" Author: Tatu Ylonen <ylo@cs.hut.fi> 6.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 7.\" All rights reserved 8.\" 9.\" As far as I am concerned, the code I have written for this software 10.\" can be used freely for any purpose. Any derived versions of this 11.\" software must be clearly marked as such, and if the derived work is 12.\" incompatible with the protocol description in the RFC file, it must be 13.\" called by a name other than "ssh" or "Secure Shell". 14.\" 15.\" |
14.\" Copyright (c) 1999,2000 Markus Friedl. All rights reserved. 15.\" Copyright (c) 1999 Aaron Campbell. All rights reserved. 16.\" Copyright (c) 1999 Theo de Raadt. All rights reserved. | 16.\" Copyright (c) 1999,2000 Markus Friedl. All rights reserved. 17.\" Copyright (c) 1999 Aaron Campbell. All rights reserved. 18.\" Copyright (c) 1999 Theo de Raadt. All rights reserved. |
17.\" 18.\" Redistribution and use in source and binary forms, with or without 19.\" modification, are permitted provided that the following conditions 20.\" are met: 21.\" 1. Redistributions of source code must retain the above copyright 22.\" notice, this list of conditions and the following disclaimer. 23.\" 2. Redistributions in binary form must reproduce the above copyright 24.\" notice, this list of conditions and the following disclaimer in the --- 10 unchanged lines hidden (view full) --- 35.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 36.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 37.\" 38.Dd September 25, 1999 39.Dt SSH-KEYGEN 1 40.Os 41.Sh NAME 42.Nm ssh-keygen | 19.\" 20.\" Redistribution and use in source and binary forms, with or without 21.\" modification, are permitted provided that the following conditions 22.\" are met: 23.\" 1. Redistributions of source code must retain the above copyright 24.\" notice, this list of conditions and the following disclaimer. 25.\" 2. Redistributions in binary form must reproduce the above copyright 26.\" notice, this list of conditions and the following disclaimer in the --- 10 unchanged lines hidden (view full) --- 37.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 38.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 39.\" 40.Dd September 25, 1999 41.Dt SSH-KEYGEN 1 42.Os 43.Sh NAME 44.Nm ssh-keygen |
43.Nd authentication key generation | 45.Nd authentication key generation, management and conversion |
44.Sh SYNOPSIS 45.Nm ssh-keygen | 46.Sh SYNOPSIS 47.Nm ssh-keygen |
46.Op Fl dq | 48.Op Fl q |
47.Op Fl b Ar bits | 49.Op Fl b Ar bits |
50.Op Fl t Ar type |
|
48.Op Fl N Ar new_passphrase 49.Op Fl C Ar comment 50.Op Fl f Ar output_keyfile 51.Nm ssh-keygen 52.Fl p 53.Op Fl P Ar old_passphrase 54.Op Fl N Ar new_passphrase 55.Op Fl f Ar keyfile 56.Nm ssh-keygen | 51.Op Fl N Ar new_passphrase 52.Op Fl C Ar comment 53.Op Fl f Ar output_keyfile 54.Nm ssh-keygen 55.Fl p 56.Op Fl P Ar old_passphrase 57.Op Fl N Ar new_passphrase 58.Op Fl f Ar keyfile 59.Nm ssh-keygen |
57.Fl x | 60.Fl i |
58.Op Fl f Ar input_keyfile 59.Nm ssh-keygen | 61.Op Fl f Ar input_keyfile 62.Nm ssh-keygen |
60.Fl X | 63.Fl e |
61.Op Fl f Ar input_keyfile 62.Nm ssh-keygen 63.Fl y 64.Op Fl f Ar input_keyfile 65.Nm ssh-keygen 66.Fl c 67.Op Fl P Ar passphrase 68.Op Fl C Ar comment 69.Op Fl f Ar keyfile 70.Nm ssh-keygen 71.Fl l 72.Op Fl f Ar input_keyfile 73.Nm ssh-keygen | 64.Op Fl f Ar input_keyfile 65.Nm ssh-keygen 66.Fl y 67.Op Fl f Ar input_keyfile 68.Nm ssh-keygen 69.Fl c 70.Op Fl P Ar passphrase 71.Op Fl C Ar comment 72.Op Fl f Ar keyfile 73.Nm ssh-keygen 74.Fl l 75.Op Fl f Ar input_keyfile 76.Nm ssh-keygen |
74.Fl R | 77.Fl B 78.Op Fl f Ar input_keyfile |
75.Sh DESCRIPTION 76.Nm | 79.Sh DESCRIPTION 80.Nm |
77generates and manages authentication keys for | 81generates, manages and converts authentication keys for |
78.Xr ssh 1 . 79.Nm | 82.Xr ssh 1 . 83.Nm |
80defaults to generating an RSA key for use by protocols 1.3 and 1.5; | 84defaults to generating a RSA1 key for use by SSH protocol version 1. |
81specifying the | 85specifying the |
82.Fl d 83flag will create a DSA key instead for use by protocol 2.0. | 86.Fl t 87option allows you to create a key for use by SSH protocol version 2. |
84.Pp 85Normally each user wishing to use SSH 86with RSA or DSA authentication runs this once to create the authentication 87key in | 88.Pp 89Normally each user wishing to use SSH 90with RSA or DSA authentication runs this once to create the authentication 91key in |
88.Pa $HOME/.ssh/identity | 92.Pa $HOME/.ssh/identity , 93.Pa $HOME/.ssh/id_dsa |
89or | 94or |
90.Pa $HOME/.ssh/id_dsa . | 95.Pa $HOME/.ssh/id_rsa . |
91Additionally, the system administrator may use this to generate host keys, 92as seen in 93.Pa /etc/rc . 94.Pp 95Normally this program generates the key and asks for a file in which 96to store the private key. 97The public key is stored in a file with the same name but 98.Dq .pub 99appended. 100The program also asks for a passphrase. 101The passphrase may be empty to indicate no passphrase | 96Additionally, the system administrator may use this to generate host keys, 97as seen in 98.Pa /etc/rc . 99.Pp 100Normally this program generates the key and asks for a file in which 101to store the private key. 102The public key is stored in a file with the same name but 103.Dq .pub 104appended. 105The program also asks for a passphrase. 106The passphrase may be empty to indicate no passphrase |
102(host keys must have empty passphrase), or it may be a string of | 107(host keys must have an empty passphrase), or it may be a string of |
103arbitrary length. 104Good passphrases are 10-30 characters long and are 105not simple sentences or otherwise easily guessable (English 106prose has only 1-2 bits of entropy per word, and provides very bad 107passphrases). 108The passphrase can be changed later by using the 109.Fl p 110option. 111.Pp 112There is no way to recover a lost passphrase. 113If the passphrase is 114lost or forgotten, you will have to generate a new key and copy the 115corresponding public key to other machines. 116.Pp | 108arbitrary length. 109Good passphrases are 10-30 characters long and are 110not simple sentences or otherwise easily guessable (English 111prose has only 1-2 bits of entropy per word, and provides very bad 112passphrases). 113The passphrase can be changed later by using the 114.Fl p 115option. 116.Pp 117There is no way to recover a lost passphrase. 118If the passphrase is 119lost or forgotten, you will have to generate a new key and copy the 120corresponding public key to other machines. 121.Pp |
117For RSA, there is also a comment field in the key file that is only for | 122For RSA1 keys, 123there is also a comment field in the key file that is only for |
118convenience to the user to help identify the key. 119The comment can tell what the key is for, or whatever is useful. 120The comment is initialized to 121.Dq user@host 122when the key is created, but can be changed using the 123.Fl c 124option. 125.Pp --- 7 unchanged lines hidden (view full) --- 133Minimum is 512 bits. 134Generally 1024 bits is considered sufficient, and key sizes 135above that no longer improve security but make things slower. 136The default is 1024 bits. 137.It Fl c 138Requests changing the comment in the private and public key files. 139The program will prompt for the file containing the private keys, for 140passphrase if the key has one, and for the new comment. | 124convenience to the user to help identify the key. 125The comment can tell what the key is for, or whatever is useful. 126The comment is initialized to 127.Dq user@host 128when the key is created, but can be changed using the 129.Fl c 130option. 131.Pp --- 7 unchanged lines hidden (view full) --- 139Minimum is 512 bits. 140Generally 1024 bits is considered sufficient, and key sizes 141above that no longer improve security but make things slower. 142The default is 1024 bits. 143.It Fl c 144Requests changing the comment in the private and public key files. 145The program will prompt for the file containing the private keys, for 146passphrase if the key has one, and for the new comment. |
147.It Fl e 148This option will read a private or public OpenSSH key file and 149print the key in a 150.Sq SECSH Public Key File Format 151to stdout. 152This option allows exporting keys for use by several commercial 153SSH implementations. |
|
141.It Fl f 142Specifies the filename of the key file. | 154.It Fl f 155Specifies the filename of the key file. |
156.It Fl i 157This option will read an unencrypted private (or public) key file 158in SSH2-compatible format and print an OpenSSH compatible private 159(or public) key to stdout. 160.Nm 161also reads the 162.Sq SECSH Public Key File Format . 163This option allows importing keys from several commercial 164SSH implementations. |
|
143.It Fl l 144Show fingerprint of specified private or public key file. 145.It Fl p 146Requests changing the passphrase of a private key file instead of 147creating a new private key. 148The program will prompt for the file 149containing the private key, for the old passphrase, and twice for the 150new passphrase. 151.It Fl q 152Silence 153.Nm ssh-keygen . 154Used by 155.Pa /etc/rc 156when creating a new key. | 165.It Fl l 166Show fingerprint of specified private or public key file. 167.It Fl p 168Requests changing the passphrase of a private key file instead of 169creating a new private key. 170The program will prompt for the file 171containing the private key, for the old passphrase, and twice for the 172new passphrase. 173.It Fl q 174Silence 175.Nm ssh-keygen . 176Used by 177.Pa /etc/rc 178when creating a new key. |
179.It Fl y 180This option will read a private 181OpenSSH format file and print an OpenSSH public key to stdout. 182.It Fl t Ar type 183Specifies the type of the key to create. 184The possible values are 185.Dq rsa1 186for protocol version 1 and 187.Dq rsa 188or 189.Dq dsa 190for protocol version 2. 191The default is 192.Dq rsa1 . 193.It Fl B 194Show the bubblebabble digest of specified private or public key file. |
|
157.It Fl C Ar comment 158Provides the new comment. 159.It Fl N Ar new_passphrase 160Provides the new passphrase. 161.It Fl P Ar passphrase 162Provides the (old) passphrase. | 195.It Fl C Ar comment 196Provides the new comment. 197.It Fl N Ar new_passphrase 198Provides the new passphrase. 199.It Fl P Ar passphrase 200Provides the (old) passphrase. |
163.It Fl R 164If RSA support is functional, immediately exits with code 0. If RSA 165support is not functional, exits with code 1. This flag will be 166removed once the RSA patent expires. 167.It Fl x 168This option will read a private 169OpenSSH DSA format file and print a SSH2-compatible public key to stdout. 170.It Fl X 171This option will read a unencrypted 172SSH2-compatible private (or public) key file and 173print an OpenSSH compatible private (or public) key to stdout. 174.It Fl y 175This option will read a private 176OpenSSH DSA format file and print an OpenSSH DSA public key to stdout. | |
177.El 178.Sh FILES 179.Bl -tag -width Ds 180.It Pa $HOME/.ssh/identity | 201.El 202.Sh FILES 203.Bl -tag -width Ds 204.It Pa $HOME/.ssh/identity |
181Contains the RSA authentication identity of the user. | 205Contains the protocol version 1 RSA authentication identity of the user. |
182This file should not be readable by anyone but the user. 183It is possible to 184specify a passphrase when generating the key; that passphrase will be 185used to encrypt the private part of this file using 3DES. 186This file is not automatically accessed by 187.Nm 188but it is offered as the default file for the private key. 189.Xr sshd 8 190will read this file when a login attempt is made. 191.It Pa $HOME/.ssh/identity.pub | 206This file should not be readable by anyone but the user. 207It is possible to 208specify a passphrase when generating the key; that passphrase will be 209used to encrypt the private part of this file using 3DES. 210This file is not automatically accessed by 211.Nm 212but it is offered as the default file for the private key. 213.Xr sshd 8 214will read this file when a login attempt is made. 215.It Pa $HOME/.ssh/identity.pub |
192Contains the public key for authentication. | 216Contains the protocol version 1 RSA public key for authentication. |
193The contents of this file should be added to 194.Pa $HOME/.ssh/authorized_keys 195on all machines 196where you wish to log in using RSA authentication. 197There is no need to keep the contents of this file secret. 198.It Pa $HOME/.ssh/id_dsa | 217The contents of this file should be added to 218.Pa $HOME/.ssh/authorized_keys 219on all machines 220where you wish to log in using RSA authentication. 221There is no need to keep the contents of this file secret. 222.It Pa $HOME/.ssh/id_dsa |
199Contains the DSA authentication identity of the user. | 223Contains the protocol version 2 DSA authentication identity of the user. |
200This file should not be readable by anyone but the user. 201It is possible to 202specify a passphrase when generating the key; that passphrase will be 203used to encrypt the private part of this file using 3DES. 204This file is not automatically accessed by 205.Nm 206but it is offered as the default file for the private key. 207.Xr sshd 8 208will read this file when a login attempt is made. 209.It Pa $HOME/.ssh/id_dsa.pub | 224This file should not be readable by anyone but the user. 225It is possible to 226specify a passphrase when generating the key; that passphrase will be 227used to encrypt the private part of this file using 3DES. 228This file is not automatically accessed by 229.Nm 230but it is offered as the default file for the private key. 231.Xr sshd 8 232will read this file when a login attempt is made. 233.It Pa $HOME/.ssh/id_dsa.pub |
210Contains the public key for authentication. | 234Contains the protocol version 2 DSA public key for authentication. |
211The contents of this file should be added to 212.Pa $HOME/.ssh/authorized_keys2 213on all machines | 235The contents of this file should be added to 236.Pa $HOME/.ssh/authorized_keys2 237on all machines |
214where you wish to log in using DSA authentication. | 238where you wish to log in using public key authentication. |
215There is no need to keep the contents of this file secret. | 239There is no need to keep the contents of this file secret. |
240.It Pa $HOME/.ssh/id_rsa 241Contains the protocol version 2 RSA authentication identity of the user. 242This file should not be readable by anyone but the user. 243It is possible to 244specify a passphrase when generating the key; that passphrase will be 245used to encrypt the private part of this file using 3DES. 246This file is not automatically accessed by 247.Nm 248but it is offered as the default file for the private key. 249.Xr sshd 8 250will read this file when a login attempt is made. 251.It Pa $HOME/.ssh/id_rsa.pub 252Contains the protocol version 2 RSA public key for authentication. 253The contents of this file should be added to 254.Pa $HOME/.ssh/authorized_keys2 255on all machines 256where you wish to log in using public key authentication. 257There is no need to keep the contents of this file secret. |
|
216.El | 258.El |
217.Sh AUTHOR 218Tatu Ylonen <ylo@cs.hut.fi> 219.Pp 220OpenSSH 221is a derivative of the original (free) ssh 1.2.12 release, but with bugs 222removed and newer features re-added. 223Rapidly after the 1.2.12 release, 224newer versions bore successively more restrictive licenses. 225This version of OpenSSH 226.Bl -bullet 227.It 228has all components of a restrictive nature (i.e., patents, see 229.Xr ssl 8 ) 230directly removed from the source code; any licensed or patented components 231are chosen from 232external libraries. 233.It 234has been updated to support ssh protocol 1.5. 235.It 236contains added support for 237.Xr kerberos 8 238authentication and ticket passing. 239.It 240supports one-time password authentication with 241.Xr skey 1 . 242.El | 259.Sh AUTHORS 260OpenSSH is a derivative of the original and free 261ssh 1.2.12 release by Tatu Ylonen. 262Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, 263Theo de Raadt and Dug Song 264removed many bugs, re-added newer features and 265created OpenSSH. 266Markus Friedl contributed the support for SSH 267protocol versions 1.5 and 2.0. |
243.Sh SEE ALSO 244.Xr ssh 1 , 245.Xr ssh-add 1 , 246.Xr ssh-agent 1 , | 268.Sh SEE ALSO 269.Xr ssh 1 , 270.Xr ssh-add 1 , 271.Xr ssh-agent 1 , |
247.Xr sshd 8 , 248.Xr ssl 8 | 272.Xr sshd 8 273.Rs 274.%A J. Galbraith 275.%A R. Thayer 276.%T "SECSH Public Key File Format" 277.%N draft-ietf-secsh-publickeyfile-01.txt 278.%D March 2001 279.%O work in progress material 280.Re |
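Review bot: The SYNOPSIS and option-list hunks rename the conversion flags without telling the reader: the old `.It Fl x` (export) and `.It Fl X` (import) entries are deleted, the SYNOPSIS now shows `.Fl i` and `.Fl e`, and the `.Fl R` entry disappears as well. The deleted -R text says the flag "will be removed once the RSA patent expires", so dropping it is the announced plan, but nothing in the page says that -x and -X have become -e and -i, and anyone scripting the old spellings will not know why they stopped working. Suggest one sentence in the DESCRIPTION (or at least the commit message) stating the rename. Also, the SYNOPSIS lists `.Fl i` before `.Fl e` while the option list has -e before -i; pick one order.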
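Review bot: Grammar and precision in the rewritten DESCRIPTION hunk: "defaults to generating a RSA1 key" should read "an RSA1 key" (the deleted text had "an RSA key"), and "specifying the" now opens a new sentence after the full stop, so it needs a capital. The sentence also understates -t: the new `.It Fl t Ar type` entry accepts "rsa1" as well as "rsa" and "dsa", so -t selects the key type, and only the latter two are protocol version 2 keys. Suggest: "Specifying the .Fl t option selects the key type; .Dq rsa and .Dq dsa keys are for use by SSH protocol version 2."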
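Review bot: The sentence "For RSA1 keys, there is also a comment field" narrows the comment field to RSA1 keys, but the unchanged -c entry in the same hunk ("Requests changing the comment in the private and public key files") and the -C entry still read as if every key type had one. Add the restriction where the option is documented, e.g. "Only RSA1 keys have a comment field" in the -c entry, so a user with an rsa or dsa key is not sent looking for a comment that does not exist.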
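Review bot: The new -e entry says it reads "a private or public OpenSSH key file" yet prints the key in the "SECSH Public Key File Format"; state explicitly that only the public half is exported (so no private material is written out in this format) and what happens when the input private key is passphrase-protected, since the entry mentions no prompt. It should also say which key types can be exported; the deleted -x entry it replaces was documented as DSA-only, and the new wording silently widens that.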
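Review bot: The new -i entry requires an unencrypted SSH2-format private key as input but does not say that the OpenSSH private key printed to stdout is equally unprotected; no passphrase prompt is mentioned anywhere in the entry. Because users must strip the passphrase from their commercial SSH2 key before importing, the entry should say so plainly, point to -p for adding a passphrase to the converted key, and remind the reader that the output belongs in a file readable only by the user (the FILES section already says this for id_rsa and id_dsa). "SSH2-compatible format" is also undefined: the same entry names the "SECSH Public Key File Format" for public keys, so name the private-key format or the implementations it targets.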
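Review bot: Option order in the hunk that adds -t and -B: the relocated `.It Fl y` entry now sits between -q and -t, breaking the alphabetical order the rest of the lower-case options follow (-b -c -e -f -i -l -p -q, then the upper-case -B -C -N -P); move `.It Fl t Ar type` above `.It Fl y`. The -t entry should also state whether -b applies to all three types, since the unchanged -b text ("Minimum is 512 bits ... The default is 1024 bits") predates the rsa type and gives no per-type guidance.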
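Review bot: The added `$HOME/.ssh/id_rsa` FILES entry copies the id_dsa wording including ".Xr sshd 8 will read this file when a login attempt is made", which is wrong for a private identity file: the user's private key is read by the ssh(1) client, while sshd(8) reads the matching authorized_keys2 entry on the server. The identity and id_dsa entries carry the same sentence, but since this hunk adds a fresh copy it is the moment to correct all three to ".Xr ssh 1 will read this file when a login attempt is made". The three private-key entries are otherwise identical blocks; one shared paragraph would be easier to keep correct.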