author: Colin Watson <cjwatson@debian.org> 2019-10-09 22:59:48 +0100
committer: Colin Watson <cjwatson@debian.org> 2019-10-09 22:59:48 +0100
commit: 4213eec74e74de6310c27a40c3e9759a08a73996 (patch)
tree: e97a6dcafc6763aea7c804e4e113c2750cb1400d /ssh-keygen.0
parent: 102062f825fb26a74295a1c089c00c4c4c76b68a (diff)
parent: cdf1d0a9f5d18535e0a18ff34860e81a6d83aa5c (diff)
Import openssh_8.1p1.orig.tar.gz
Diffstat (limited to 'ssh-keygen.0')
-rw-r--r-- ssh-keygen.0 | 149
1 files changed, 122 insertions, 27 deletions
diff --git a/ssh-keygen.0 b/ssh-keygen.0
index 1fe19f0b6..b68736c11 100644
--- a/ssh-keygen.0
+++ b/ssh-keygen.0
@@ -4,33 +4,36 @@ NAME
4 ssh-keygen M-bM-^@M-^S authentication key generation, management and conversion 4 ssh-keygen M-bM-^@M-^S authentication key generation, management and conversion
5 5
6SYNOPSIS 6SYNOPSIS
7 ssh-keygen [-q] [-b bits] [-t dsa | ecdsa | ed25519 | rsa] 7 ssh-keygen [-q] [-b bits] [-C comment] [-f output_keyfile] [-m format]
8 [-N new_passphrase] [-C comment] [-f output_keyfile] 8 [-N new_passphrase] [-t dsa | ecdsa | ed25519 | rsa]
9 [-m format] 9 ssh-keygen -p [-f keyfile] [-m format] [-N new_passphrase]
10 ssh-keygen -p [-P old_passphrase] [-N new_passphrase] [-f keyfile] 10 [-P old_passphrase]
11 [-m format] 11 ssh-keygen -i [-f input_keyfile] [-m key_format]
12 ssh-keygen -i [-m key_format] [-f input_keyfile] 12 ssh-keygen -e [-f input_keyfile] [-m key_format]
13 ssh-keygen -e [-m key_format] [-f input_keyfile]
14 ssh-keygen -y [-f input_keyfile] 13 ssh-keygen -y [-f input_keyfile]
15 ssh-keygen -c [-P passphrase] [-C comment] [-f keyfile] 14 ssh-keygen -c [-C comment] [-f keyfile] [-P passphrase]
16 ssh-keygen -l [-v] [-E fingerprint_hash] [-f input_keyfile] 15 ssh-keygen -l [-v] [-E fingerprint_hash] [-f input_keyfile]
17 ssh-keygen -B [-f input_keyfile] 16 ssh-keygen -B [-f input_keyfile]
18 ssh-keygen -D pkcs11 17 ssh-keygen -D pkcs11
19 ssh-keygen -F hostname [-f known_hosts_file] [-l] 18 ssh-keygen -F hostname [-lv] [-f known_hosts_file]
20 ssh-keygen -H [-f known_hosts_file] 19 ssh-keygen -H [-f known_hosts_file]
21 ssh-keygen -R hostname [-f known_hosts_file] 20 ssh-keygen -R hostname [-f known_hosts_file]
22 ssh-keygen -r hostname [-f input_keyfile] [-g] 21 ssh-keygen -r hostname [-g] [-f input_keyfile]
23 ssh-keygen -G output_file [-v] [-b bits] [-M memory] [-S start_point] 22 ssh-keygen -G output_file [-v] [-b bits] [-M memory] [-S start_point]
24 ssh-keygen -T output_file -f input_file [-v] [-a rounds] [-J num_lines] 23 ssh-keygen -f input_file -T output_file [-v] [-a rounds] [-J num_lines]
25 [-j start_line] [-K checkpt] [-W generator] 24 [-j start_line] [-K checkpt] [-W generator]
26 ssh-keygen -s ca_key -I certificate_identity [-h] [-U] 25 ssh-keygen -I certificate_identity -s ca_key [-hU] [-D pkcs11_provider]
27 [-D pkcs11_provider] [-n principals] [-O option] 26 [-n principals] [-O option] [-V validity_interval]
28 [-V validity_interval] [-z serial_number] file ... 27 [-z serial_number] file ...
29 ssh-keygen -L [-f input_keyfile] 28 ssh-keygen -L [-f input_keyfile]
30 ssh-keygen -A [-f prefix_path] 29 ssh-keygen -A [-f prefix_path]
31 ssh-keygen -k -f krl_file [-u] [-s ca_public] [-z version_number] 30 ssh-keygen -k -f krl_file [-u] [-s ca_public] [-z version_number]
32 file ... 31 file ...
33 ssh-keygen -Q -f krl_file file ... 32 ssh-keygen -Q -f krl_file file ...
33 ssh-keygen -Y check-novalidate -n namespace -s signature_file
34 ssh-keygen -Y sign -f key_file -n namespace file ...
35 ssh-keygen -Y verify -f allowed_signers_file -I signer_identity
36 -n namespace -s signature_file [-r revocation_file]
34 37
35DESCRIPTION 38DESCRIPTION
36 ssh-keygen generates, manages and converts authentication keys for 39 ssh-keygen generates, manages and converts authentication keys for
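Review bot: the new -Y sign synopsis line (new line 34) shows `file ...` as a required operand, but the -Y sign description added later in this patch (new lines 401-406) says zero or more files are accepted and that standard input is signed when none are given; suggest writing it as `[file ...]` so the synopsis matches the documented behaviour.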
@@ -96,12 +99,12 @@ DESCRIPTION
96 new host keys. 99 new host keys.
97 100
98 -a rounds 101 -a rounds
99 When saving a private key this option specifies the number of KDF 102 When saving a private key, this option specifies the number of
100 (key derivation function) rounds used. Higher numbers result in 103 KDF (key derivation function) rounds used. Higher numbers result
101 slower passphrase verification and increased resistance to brute- 104 in slower passphrase verification and increased resistance to
102 force password cracking (should the keys be stolen). 105 brute-force password cracking (should the keys be stolen).
103 106
104 When screening DH-GEX candidates (using the -T command). This 107 When screening DH-GEX candidates (using the -T command), this
105 option specifies the number of primality tests to perform. 108 option specifies the number of primality tests to perform.
106 109
107 -B Show the bubblebabble digest of specified private or public key 110 -B Show the bubblebabble digest of specified private or public key
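Review bot: new lines 104-105 still say "brute-force password cracking" while the preceding sentence (and the -N/-P options in the synopsis) call the secret a passphrase; suggest "passphrase cracking" so the terminology stays consistent within the entry.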
@@ -109,8 +112,8 @@ DESCRIPTION
109 112
110 -b bits 113 -b bits
111 Specifies the number of bits in the key to create. For RSA keys, 114 Specifies the number of bits in the key to create. For RSA keys,
112 the minimum size is 1024 bits and the default is 2048 bits. 115 the minimum size is 1024 bits and the default is 3072 bits.
113 Generally, 2048 bits is considered sufficient. DSA keys must be 116 Generally, 3072 bits is considered sufficient. DSA keys must be
114 exactly 1024 bits as specified by FIPS 186-2. For ECDSA keys, 117 exactly 1024 bits as specified by FIPS 186-2. For ECDSA keys,
115 the -b flag determines the key length by selecting from one of 118 the -b flag determines the key length by selecting from one of
116 three elliptic curve sizes: 256, 384 or 521 bits. Attempting to 119 three elliptic curve sizes: 256, 384 or 521 bits. Attempting to
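Review bot: new lines 115-116 raise the RSA default to 3072 bits and state that 3072 "is considered sufficient", but the 1024-bit minimum on line 115 is left unchanged with no qualification; a reader could take the minimum as an acceptable size. Suggest a short clause such as "the minimum is retained for compatibility with older keys" next to the 1024 figure, or at least noting that it is below the size the page itself calls sufficient.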
@@ -220,11 +223,12 @@ DESCRIPTION
220 operation. The latter may be used to convert between OpenSSH 223 operation. The latter may be used to convert between OpenSSH
221 private key and PEM private key formats. The supported key 224 private key and PEM private key formats. The supported key
222 formats are: M-bM-^@M-^\RFC4716M-bM-^@M-^] (RFC 4716/SSH2 public or private key), 225 formats are: M-bM-^@M-^\RFC4716M-bM-^@M-^] (RFC 4716/SSH2 public or private key),
223 M-bM-^@M-^\PKCS8M-bM-^@M-^] (PEM PKCS8 public key) or M-bM-^@M-^\PEMM-bM-^@M-^] (PEM public key). The 226 M-bM-^@M-^\PKCS8M-bM-^@M-^] (PKCS8 public or private key) or M-bM-^@M-^\PEMM-bM-^@M-^] (PEM public key).
224 default conversion format is M-bM-^@M-^\RFC4716M-bM-^@M-^]. Setting a format of 227 By default OpenSSH will write newly-generated private keys in its
225 M-bM-^@M-^\PEMM-bM-^@M-^] when generating or updating a supported private key type 228 own format, but when converting public keys for export the
226 will cause the key to be stored in the legacy PEM private key 229 default format is M-bM-^@M-^\RFC4716M-bM-^@M-^]. Setting a format of M-bM-^@M-^\PEMM-bM-^@M-^] when
227 format. 230 generating or updating a supported private key type will cause
231 the key to be stored in the legacy PEM private key format.
228 232
229 -N new_passphrase 233 -N new_passphrase
230 Provides the new passphrase. 234 Provides the new passphrase.
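Review bot: the parenthetical for PEM on new line 226 reads "(PEM public key)", yet new lines 229-231 in the same paragraph say that setting -m PEM when generating or updating a private key stores it in the legacy PEM private key format; the PKCS8 entry was updated to "public or private key", so PEM should get the same treatment, e.g. "(PEM public key, or legacy PEM private key)".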
@@ -342,6 +346,11 @@ DESCRIPTION
342 Specifies the type of key to create. The possible values are 346 Specifies the type of key to create. The possible values are
343 M-bM-^@M-^\dsaM-bM-^@M-^], M-bM-^@M-^\ecdsaM-bM-^@M-^], M-bM-^@M-^\ed25519M-bM-^@M-^], or M-bM-^@M-^\rsaM-bM-^@M-^]. 347 M-bM-^@M-^\dsaM-bM-^@M-^], M-bM-^@M-^\ecdsaM-bM-^@M-^], M-bM-^@M-^\ed25519M-bM-^@M-^], or M-bM-^@M-^\rsaM-bM-^@M-^].
344 348
349 This flag may also be used to specify the desired signature type
350 when signing certificates using an RSA CA key. The available RSA
351 signature variants are M-bM-^@M-^\ssh-rsaM-bM-^@M-^] (SHA1 signatures, not
352 recommended), M-bM-^@M-^\rsa-sha2-256M-bM-^@M-^], and M-bM-^@M-^\rsa-sha2-512M-bM-^@M-^] (the default).
353
345 -U When used in combination with -s, this option indicates that a CA 354 -U When used in combination with -s, this option indicates that a CA
346 key resides in a ssh-agent(1). See the CERTIFICATES section for 355 key resides in a ssh-agent(1). See the CERTIFICATES section for
347 more information. 356 more information.
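Review bot: new lines 349-352 document a second meaning of -t (the certificate signature algorithm, with rsa-sha2-512 as the default and ssh-rsa SHA1 signatures "not recommended") that only takes effect together with -s, but the -s ca_key entry is not touched by this patch; a reader who starts from -s will not discover the option or the SHA1 caveat. Suggest a one-line cross-reference from the -s entry or the CERTIFICATES section to this paragraph.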
@@ -388,6 +397,47 @@ DESCRIPTION
388 -y This option will read a private OpenSSH format file and print an 397 -y This option will read a private OpenSSH format file and print an
389 OpenSSH public key to stdout. 398 OpenSSH public key to stdout.
390 399
400 -Y sign
401 Cryptographically sign a file or some data using a SSH key. When
402 signing, ssh-keygen accepts zero or more files to sign on the
403 command-line - if no files are specified then ssh-keygen will
404 sign data presented on standard input. Signatures are written to
405 the path of the input file with M-bM-^@M-^\.sigM-bM-^@M-^] appended, or to standard
406 output if the message to be signed was read from standard input.
407
408 The key used for signing is specified using the -f option and may
409 refer to either a private key, or a public key with the private
410 half available via ssh-agent(1). An additional signature
411 namespace, used to prevent signature confusion across different
412 domains of use (e.g. file signing vs email signing) must be
413 provided via the -n flag. Namespaces are arbitrary strings, and
414 may include: M-bM-^@M-^\fileM-bM-^@M-^] for file signing, M-bM-^@M-^\emailM-bM-^@M-^] for email signing.
415 For custom uses, it is recommended to use names following a
416 NAMESPACE@YOUR.DOMAIN pattern to generate unambiguous namespaces.
417
418 -Y verify
419 Request to verify a signature generated using ssh-keygen -Y sign
420 as described above. When verifying a signature, ssh-keygen
421 accepts a message on standard input and a signature namespace
422 using -n. A file containing the corresponding signature must
423 also be supplied using the -s flag, along with the identity of
424 the signer using -I and a list of allowed signers via the -f
425 flag. The format of the allowed signers file is documented in
426 the ALLOWED SIGNERS section below. A file containing revoked
427 keys can be passed using the -r flag. The revocation file may be
428 a KRL or a one-per-line list of public keys. Successful
429 verification by an authorized signer is signalled by ssh-keygen
430
431 -Y check-novalidate
432 Checks that a signature generated using ssh-keygen -Y sign has a
433 valid structure. This does not validate if a signature comes
434 from an authorized signer. When testing a signature, ssh-keygen
435 accepts a message on standard input and a signature namespace
436 using -n. A file containing the corresponding signature must
437 also be supplied using the -s flag. Successful testing of the
438 signature is signalled by ssh-keygen returning a zero exit
439 status.
440
391 -z serial_number 441 -z serial_number
392 Specifies a serial number to be embedded in the certificate to 442 Specifies a serial number to be embedded in the certificate to
393 distinguish this certificate from others from the same CA. If 443 distinguish this certificate from others from the same CA. If
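Review bot: new line 429 ends mid-sentence ("Successful verification by an authorized signer is signalled by ssh-keygen") and is followed directly by the blank line 430; the parallel -Y check-novalidate text at new lines 438-439 finishes with "returning a zero exit status", so that ending appears to have been dropped here and should be restored. Minor: new line 403 uses a spaced hyphen ("command-line - if") where the rest of the page uses full sentences or parentheses.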
@@ -556,6 +606,51 @@ KEY REVOCATION LISTS
556 non-zero exit status. A zero exit status will only be returned if no key 606 non-zero exit status. A zero exit status will only be returned if no key
557 was revoked. 607 was revoked.
558 608
609ALLOWED SIGNERS
610 When verifying signatures, ssh-keygen uses a simple list of identities
611 and keys to determine whether a signature comes from an authorized
612 source. This "allowed signers" file uses a format patterned after the
613 AUTHORIZED_KEYS FILE FORMAT described in sshd(8). Each line of the file
614 contains the following space-separated fields: principals, options,
615 keytype, base64-encoded key. Empty lines and lines starting with a M-bM-^@M-^X#M-bM-^@M-^Y
616 are ignored as comments.
617
618 The principals field is a pattern-list (See PATTERNS in ssh_config(5))
619 consisting of one or more comma-separated USER@DOMAIN identity patterns
620 that are accepted for signing. When verifying, the identity presented
621 via the -I -option must match a principals pattern in order for the
622 corresponding key to be considered acceptable for verification.
623
624 The options (if present) consist of comma-separated option
625 specifications. No spaces are permitted, except within double quotes.
626 The following option specifications are supported (note that option
627 keywords are case-insensitive):
628
629 cert-authority
630 Indicates that this key is accepted as a certificate authority
631 (CA) and that certificates signed by this CA may be accepted for
632 verification.
633
634 namespaces="namespace-list"
635 Specifies a pattern-list of namespaces that are accepted for this
636 key. If this option is present, the signature namespace embedded
637 in the signature object and presented on the verification
638 command-line must match the specified list before the key will be
639 considered acceptable.
640
641 When verifying signatures made by certificates, the expected principal
642 name must match both the principals pattern in the allowed signers file
643 and the principals embedded in the certificate itself.
644
645 An example allowed signers file:
646
647 # Comments allowed at start of line
648 user1@example.com,user2@example.com ssh-rsa AAAAX1...
649 # A certificate authority, trusted for all principals in a domain.
650 *@example.com cert-authority ssh-ed25519 AAAB4...
651 # A key that is accepted only for file signing.
652 user2@example.com namespaces="file" ssh-ed25519 AAA41...
653
559FILES 654FILES
560 ~/.ssh/id_dsa 655 ~/.ssh/id_dsa
561 ~/.ssh/id_ecdsa 656 ~/.ssh/id_ecdsa
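Review bot: new line 621 has a stray hyphen in "-I -option" (should read "-I option"). Separately, the field list at new lines 614-615 names four fields (principals, options, keytype, base64-encoded key), while the example at lines 648 and 652 shows the options field simply absent rather than left empty; line 624 only says "(if present)". A sentence stating that the options field is omitted entirely when unused would remove the ambiguity for anyone writing or parsing an allowed signers file.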
@@ -596,4 +691,4 @@ AUTHORS
596 created OpenSSH. Markus Friedl contributed the support for SSH protocol 691 created OpenSSH. Markus Friedl contributed the support for SSH protocol
597 versions 1.5 and 2.0. 692 versions 1.5 and 2.0.
598 693
599OpenBSD 6.5 March 5, 2019 OpenBSD 6.5 694OpenBSD 6.6 October 3, 2019 OpenBSD 6.6