diff options
| author | Colin Watson <cjwatson@debian.org> | 2014-02-10 00:18:28 +0000 |
|---|---|---|
| committer | Colin Watson <cjwatson@debian.org> | 2014-02-10 00:18:28 +0000 |
| commit | 9a975a9faed7c4f334e8c8490db3e77e102f2b21 (patch) | |
| tree | 764a885ec9a963f6a8b15de6e1765f16b9ac4738 /ssh-keygen.0 | |
| parent | ee196dab7c5f97f0b80c8099343a375bead92010 (diff) | |
| parent | cdb6c90811caa5df2df856be9b0b16db020fe31d (diff) | |
Import openssh_6.5p1.orig.tar.gz
Diffstat (limited to 'ssh-keygen.0')
| -rw-r--r-- | ssh-keygen.0 | 86 |
1 files changed, 51 insertions, 35 deletions
diff --git a/ssh-keygen.0 b/ssh-keygen.0 index 2b0e9a692..a69b37d67 100644 --- a/ssh-keygen.0 +++ b/ssh-keygen.0 | |||
| @@ -19,8 +19,8 @@ SYNOPSIS | |||
| 19 | ssh-keygen -R hostname [-f known_hosts_file] | 19 | ssh-keygen -R hostname [-f known_hosts_file] |
| 20 | ssh-keygen -r hostname [-f input_keyfile] [-g] | 20 | ssh-keygen -r hostname [-f input_keyfile] [-g] |
| 21 | ssh-keygen -G output_file [-v] [-b bits] [-M memory] [-S start_point] | 21 | ssh-keygen -G output_file [-v] [-b bits] [-M memory] [-S start_point] |
| 22 | ssh-keygen -T output_file -f input_file [-v] [-a num_trials] | 22 | ssh-keygen -T output_file -f input_file [-v] [-a rounds] [-J num_lines] |
| 23 | [-J num_lines] [-j start_line] [-K checkpt] [-W generator] | 23 | [-j start_line] [-K checkpt] [-W generator] |
| 24 | ssh-keygen -s ca_key -I certificate_identity [-h] [-n principals] | 24 | ssh-keygen -s ca_key -I certificate_identity [-h] [-n principals] |
| 25 | [-O option] [-V validity_interval] [-z serial_number] file ... | 25 | [-O option] [-V validity_interval] [-z serial_number] file ... |
| 26 | ssh-keygen -L [-f input_keyfile] | 26 | ssh-keygen -L [-f input_keyfile] |
| @@ -32,10 +32,10 @@ SYNOPSIS | |||
| 32 | DESCRIPTION | 32 | DESCRIPTION |
| 33 | ssh-keygen generates, manages and converts authentication keys for | 33 | ssh-keygen generates, manages and converts authentication keys for |
| 34 | ssh(1). ssh-keygen can create RSA keys for use by SSH protocol version 1 | 34 | ssh(1). ssh-keygen can create RSA keys for use by SSH protocol version 1 |
| 35 | and DSA, ECDSA or RSA keys for use by SSH protocol version 2. The type | 35 | and DSA, ECDSA, ED25519 or RSA keys for use by SSH protocol version 2. |
| 36 | of key to be generated is specified with the -t option. If invoked | 36 | The type of key to be generated is specified with the -t option. If |
| 37 | without any arguments, ssh-keygen will generate an RSA key for use in SSH | 37 | invoked without any arguments, ssh-keygen will generate an RSA key for |
| 38 | protocol 2 connections. | 38 | use in SSH protocol 2 connections. |
| 39 | 39 | ||
| 40 | ssh-keygen is also used to generate groups for use in Diffie-Hellman | 40 | ssh-keygen is also used to generate groups for use in Diffie-Hellman |
| 41 | group exchange (DH-GEX). See the MODULI GENERATION section for details. | 41 | group exchange (DH-GEX). See the MODULI GENERATION section for details. |
| @@ -46,9 +46,9 @@ DESCRIPTION | |||
| 46 | 46 | ||
| 47 | Normally each user wishing to use SSH with public key authentication runs | 47 | Normally each user wishing to use SSH with public key authentication runs |
| 48 | this once to create the authentication key in ~/.ssh/identity, | 48 | this once to create the authentication key in ~/.ssh/identity, |
| 49 | ~/.ssh/id_ecdsa, ~/.ssh/id_dsa or ~/.ssh/id_rsa. Additionally, the | 49 | ~/.ssh/id_dsa, ~/.ssh/id_ecdsa, ~/.ssh/id_ed25519 or ~/.ssh/id_rsa. |
| 50 | system administrator may use this to generate host keys, as seen in | 50 | Additionally, the system administrator may use this to generate host |
| 51 | /etc/rc. | 51 | keys, as seen in /etc/rc. |
| 52 | 52 | ||
| 53 | Normally this program generates the key and asks for a file in which to | 53 | Normally this program generates the key and asks for a file in which to |
| 54 | store the private key. The public key is stored in a file with the same | 54 | store the private key. The public key is stored in a file with the same |
| @@ -79,15 +79,22 @@ DESCRIPTION | |||
| 79 | 79 | ||
| 80 | The options are as follows: | 80 | The options are as follows: |
| 81 | 81 | ||
| 82 | -A For each of the key types (rsa1, rsa, dsa and ecdsa) for which | 82 | -A For each of the key types (rsa1, rsa, dsa, ecdsa and ed25519) for |
| 83 | host keys do not exist, generate the host keys with the default | 83 | which host keys do not exist, generate the host keys with the |
| 84 | key file path, an empty passphrase, default bits for the key | 84 | default key file path, an empty passphrase, default bits for the |
| 85 | type, and default comment. This is used by /etc/rc to generate | 85 | key type, and default comment. This is used by /etc/rc to |
| 86 | new host keys. | 86 | generate new host keys. |
| 87 | 87 | ||
| 88 | -a trials | 88 | -a rounds |
| 89 | Specifies the number of primality tests to perform when screening | 89 | When saving a new-format private key (i.e. an ed25519 key or any |
| 90 | DH-GEX candidates using the -T command. | 90 | SSH protocol 2 key when the -o flag is set), this option |
| 91 | specifies the number of KDF (key derivation function) rounds | ||
| 92 | used. Higher numbers result in slower passphrase verification | ||
| 93 | and increased resistance to brute-force password cracking (should | ||
| 94 | the keys be stolen). | ||
| 95 | |||
| 96 | When screening DH-GEX candidates ( using the -T command). This | ||
| 97 | option specifies the number of primality tests to perform. | ||
| 91 | 98 | ||
| 92 | -B Show the bubblebabble digest of specified private or public key | 99 | -B Show the bubblebabble digest of specified private or public key |
| 93 | file. | 100 | file. |
| @@ -100,7 +107,8 @@ DESCRIPTION | |||
| 100 | the -b flag determines the key length by selecting from one of | 107 | the -b flag determines the key length by selecting from one of |
| 101 | three elliptic curve sizes: 256, 384 or 521 bits. Attempting to | 108 | three elliptic curve sizes: 256, 384 or 521 bits. Attempting to |
| 102 | use bit lengths other than these three values for ECDSA keys will | 109 | use bit lengths other than these three values for ECDSA keys will |
| 103 | fail. | 110 | fail. ED25519 keys have a fixed length and the -b flag will be |
| 111 | ignored. | ||
| 104 | 112 | ||
| 105 | -C comment | 113 | -C comment |
| 106 | Provides a new comment. | 114 | Provides a new comment. |
| @@ -262,6 +270,12 @@ DESCRIPTION | |||
| 262 | 270 | ||
| 263 | At present, no options are valid for host keys. | 271 | At present, no options are valid for host keys. |
| 264 | 272 | ||
| 273 | -o Causes ssh-keygen to save SSH protocol 2 private keys using the | ||
| 274 | new OpenSSH format rather than the more compatible PEM format. | ||
| 275 | The new format has increased resistance to brute-force password | ||
| 276 | cracking but is not supported by versions of OpenSSH prior to | ||
| 277 | 6.5. Ed25519 keys always use the new private key format. | ||
| 278 | |||
| 265 | -P passphrase | 279 | -P passphrase |
| 266 | Provides the (old) passphrase. | 280 | Provides the (old) passphrase. |
| 267 | 281 | ||
| @@ -301,8 +315,8 @@ DESCRIPTION | |||
| 301 | 315 | ||
| 302 | -t type | 316 | -t type |
| 303 | Specifies the type of key to create. The possible values are | 317 | Specifies the type of key to create. The possible values are |
| 304 | ``rsa1'' for protocol version 1 and ``dsa'', ``ecdsa'' or ``rsa'' | 318 | ``rsa1'' for protocol version 1 and ``dsa'', ``ecdsa'', |
| 305 | for protocol version 2. | 319 | ``ed25519'', or ``rsa'' for protocol version 2. |
| 306 | 320 | ||
| 307 | -u Update a KRL. When specified with -k, keys listed via the | 321 | -u Update a KRL. When specified with -k, keys listed via the |
| 308 | command line are added to the existing KRL rather than a new KRL | 322 | command line are added to the existing KRL rather than a new KRL |
| @@ -441,7 +455,7 @@ CERTIFICATES | |||
| 441 | KEY REVOCATION LISTS | 455 | KEY REVOCATION LISTS |
| 442 | ssh-keygen is able to manage OpenSSH format Key Revocation Lists (KRLs). | 456 | ssh-keygen is able to manage OpenSSH format Key Revocation Lists (KRLs). |
| 443 | These binary files specify keys or certificates to be revoked using a | 457 | These binary files specify keys or certificates to be revoked using a |
| 444 | compact format, taking as little a one bit per certificate if they are | 458 | compact format, taking as little as one bit per certificate if they are |
| 445 | being revoked by serial number. | 459 | being revoked by serial number. |
| 446 | 460 | ||
| 447 | KRLs may be generated using the -k flag. This option reads one or more | 461 | KRLs may be generated using the -k flag. This option reads one or more |
| @@ -508,24 +522,26 @@ FILES | |||
| 508 | 522 | ||
| 509 | ~/.ssh/id_dsa | 523 | ~/.ssh/id_dsa |
| 510 | ~/.ssh/id_ecdsa | 524 | ~/.ssh/id_ecdsa |
| 525 | ~/.ssh/id_ed25519 | ||
| 511 | ~/.ssh/id_rsa | 526 | ~/.ssh/id_rsa |
| 512 | Contains the protocol version 2 DSA, ECDSA or RSA authentication | 527 | Contains the protocol version 2 DSA, ECDSA, ED25519 or RSA |
| 513 | identity of the user. This file should not be readable by anyone | 528 | authentication identity of the user. This file should not be |
| 514 | but the user. It is possible to specify a passphrase when | 529 | readable by anyone but the user. It is possible to specify a |
| 515 | generating the key; that passphrase will be used to encrypt the | 530 | passphrase when generating the key; that passphrase will be used |
| 516 | private part of this file using 128-bit AES. This file is not | 531 | to encrypt the private part of this file using 128-bit AES. This |
| 517 | automatically accessed by ssh-keygen but it is offered as the | 532 | file is not automatically accessed by ssh-keygen but it is |
| 518 | default file for the private key. ssh(1) will read this file | 533 | offered as the default file for the private key. ssh(1) will |
| 519 | when a login attempt is made. | 534 | read this file when a login attempt is made. |
| 520 | 535 | ||
| 521 | ~/.ssh/id_dsa.pub | 536 | ~/.ssh/id_dsa.pub |
| 522 | ~/.ssh/id_ecdsa.pub | 537 | ~/.ssh/id_ecdsa.pub |
| 538 | ~/.ssh/id_ed25519.pub | ||
| 523 | ~/.ssh/id_rsa.pub | 539 | ~/.ssh/id_rsa.pub |
| 524 | Contains the protocol version 2 DSA, ECDSA or RSA public key for | 540 | Contains the protocol version 2 DSA, ECDSA, ED25519 or RSA public |
| 525 | authentication. The contents of this file should be added to | 541 | key for authentication. The contents of this file should be |
| 526 | ~/.ssh/authorized_keys on all machines where the user wishes to | 542 | added to ~/.ssh/authorized_keys on all machines where the user |
| 527 | log in using public key authentication. There is no need to keep | 543 | wishes to log in using public key authentication. There is no |
| 528 | the contents of this file secret. | 544 | need to keep the contents of this file secret. |
| 529 | 545 | ||
| 530 | /etc/moduli | 546 | /etc/moduli |
| 531 | Contains Diffie-Hellman groups used for DH-GEX. The file format | 547 | Contains Diffie-Hellman groups used for DH-GEX. The file format |
| @@ -543,4 +559,4 @@ AUTHORS | |||
| 543 | created OpenSSH. Markus Friedl contributed the support for SSH protocol | 559 | created OpenSSH. Markus Friedl contributed the support for SSH protocol |
| 544 | versions 1.5 and 2.0. | 560 | versions 1.5 and 2.0. |
| 545 | 561 | ||
| 546 | OpenBSD 5.4 June 27, 2013 OpenBSD 5.4 | 562 | OpenBSD 5.4 December 21, 2013 OpenBSD 5.4 |