diff options
| author | Colin Watson <cjwatson@debian.org> | 2019-10-09 22:59:48 +0100 |
|---|---|---|
| committer | Colin Watson <cjwatson@debian.org> | 2019-10-09 22:59:48 +0100 |
| commit | 4213eec74e74de6310c27a40c3e9759a08a73996 (patch) | |
| tree | e97a6dcafc6763aea7c804e4e113c2750cb1400d /ssh-keygen.0 | |
| parent | 102062f825fb26a74295a1c089c00c4c4c76b68a (diff) | |
| parent | cdf1d0a9f5d18535e0a18ff34860e81a6d83aa5c (diff) | |
Import openssh_8.1p1.orig.tar.gz
Diffstat (limited to 'ssh-keygen.0')
| -rw-r--r-- | ssh-keygen.0 | 149 |
1 files changed, 122 insertions, 27 deletions
diff --git a/ssh-keygen.0 b/ssh-keygen.0 index 1fe19f0b6..b68736c11 100644 --- a/ssh-keygen.0 +++ b/ssh-keygen.0 | |||
| @@ -4,33 +4,36 @@ NAME | |||
| 4 | ssh-keygen M-bM-^@M-^S authentication key generation, management and conversion | 4 | ssh-keygen M-bM-^@M-^S authentication key generation, management and conversion |
| 5 | 5 | ||
| 6 | SYNOPSIS | 6 | SYNOPSIS |
| 7 | ssh-keygen [-q] [-b bits] [-t dsa | ecdsa | ed25519 | rsa] | 7 | ssh-keygen [-q] [-b bits] [-C comment] [-f output_keyfile] [-m format] |
| 8 | [-N new_passphrase] [-C comment] [-f output_keyfile] | 8 | [-N new_passphrase] [-t dsa | ecdsa | ed25519 | rsa] |
| 9 | [-m format] | 9 | ssh-keygen -p [-f keyfile] [-m format] [-N new_passphrase] |
| 10 | ssh-keygen -p [-P old_passphrase] [-N new_passphrase] [-f keyfile] | 10 | [-P old_passphrase] |
| 11 | [-m format] | 11 | ssh-keygen -i [-f input_keyfile] [-m key_format] |
| 12 | ssh-keygen -i [-m key_format] [-f input_keyfile] | 12 | ssh-keygen -e [-f input_keyfile] [-m key_format] |
| 13 | ssh-keygen -e [-m key_format] [-f input_keyfile] | ||
| 14 | ssh-keygen -y [-f input_keyfile] | 13 | ssh-keygen -y [-f input_keyfile] |
| 15 | ssh-keygen -c [-P passphrase] [-C comment] [-f keyfile] | 14 | ssh-keygen -c [-C comment] [-f keyfile] [-P passphrase] |
| 16 | ssh-keygen -l [-v] [-E fingerprint_hash] [-f input_keyfile] | 15 | ssh-keygen -l [-v] [-E fingerprint_hash] [-f input_keyfile] |
| 17 | ssh-keygen -B [-f input_keyfile] | 16 | ssh-keygen -B [-f input_keyfile] |
| 18 | ssh-keygen -D pkcs11 | 17 | ssh-keygen -D pkcs11 |
| 19 | ssh-keygen -F hostname [-f known_hosts_file] [-l] | 18 | ssh-keygen -F hostname [-lv] [-f known_hosts_file] |
| 20 | ssh-keygen -H [-f known_hosts_file] | 19 | ssh-keygen -H [-f known_hosts_file] |
| 21 | ssh-keygen -R hostname [-f known_hosts_file] | 20 | ssh-keygen -R hostname [-f known_hosts_file] |
| 22 | ssh-keygen -r hostname [-f input_keyfile] [-g] | 21 | ssh-keygen -r hostname [-g] [-f input_keyfile] |
| 23 | ssh-keygen -G output_file [-v] [-b bits] [-M memory] [-S start_point] | 22 | ssh-keygen -G output_file [-v] [-b bits] [-M memory] [-S start_point] |
| 24 | ssh-keygen -T output_file -f input_file [-v] [-a rounds] [-J num_lines] | 23 | ssh-keygen -f input_file -T output_file [-v] [-a rounds] [-J num_lines] |
| 25 | [-j start_line] [-K checkpt] [-W generator] | 24 | [-j start_line] [-K checkpt] [-W generator] |
| 26 | ssh-keygen -s ca_key -I certificate_identity [-h] [-U] | 25 | ssh-keygen -I certificate_identity -s ca_key [-hU] [-D pkcs11_provider] |
| 27 | [-D pkcs11_provider] [-n principals] [-O option] | 26 | [-n principals] [-O option] [-V validity_interval] |
| 28 | [-V validity_interval] [-z serial_number] file ... | 27 | [-z serial_number] file ... |
| 29 | ssh-keygen -L [-f input_keyfile] | 28 | ssh-keygen -L [-f input_keyfile] |
| 30 | ssh-keygen -A [-f prefix_path] | 29 | ssh-keygen -A [-f prefix_path] |
| 31 | ssh-keygen -k -f krl_file [-u] [-s ca_public] [-z version_number] | 30 | ssh-keygen -k -f krl_file [-u] [-s ca_public] [-z version_number] |
| 32 | file ... | 31 | file ... |
| 33 | ssh-keygen -Q -f krl_file file ... | 32 | ssh-keygen -Q -f krl_file file ... |
| 33 | ssh-keygen -Y check-novalidate -n namespace -s signature_file | ||
| 34 | ssh-keygen -Y sign -f key_file -n namespace file ... | ||
| 35 | ssh-keygen -Y verify -f allowed_signers_file -I signer_identity | ||
| 36 | -n namespace -s signature_file [-r revocation_file] | ||
| 34 | 37 | ||
| 35 | DESCRIPTION | 38 | DESCRIPTION |
| 36 | ssh-keygen generates, manages and converts authentication keys for | 39 | ssh-keygen generates, manages and converts authentication keys for |
| @@ -96,12 +99,12 @@ DESCRIPTION | |||
| 96 | new host keys. | 99 | new host keys. |
| 97 | 100 | ||
| 98 | -a rounds | 101 | -a rounds |
| 99 | When saving a private key this option specifies the number of KDF | 102 | When saving a private key, this option specifies the number of |
| 100 | (key derivation function) rounds used. Higher numbers result in | 103 | KDF (key derivation function) rounds used. Higher numbers result |
| 101 | slower passphrase verification and increased resistance to brute- | 104 | in slower passphrase verification and increased resistance to |
| 102 | force password cracking (should the keys be stolen). | 105 | brute-force password cracking (should the keys be stolen). |
| 103 | 106 | ||
| 104 | When screening DH-GEX candidates (using the -T command). This | 107 | When screening DH-GEX candidates (using the -T command), this |
| 105 | option specifies the number of primality tests to perform. | 108 | option specifies the number of primality tests to perform. |
| 106 | 109 | ||
| 107 | -B Show the bubblebabble digest of specified private or public key | 110 | -B Show the bubblebabble digest of specified private or public key |
| @@ -109,8 +112,8 @@ DESCRIPTION | |||
| 109 | 112 | ||
| 110 | -b bits | 113 | -b bits |
| 111 | Specifies the number of bits in the key to create. For RSA keys, | 114 | Specifies the number of bits in the key to create. For RSA keys, |
| 112 | the minimum size is 1024 bits and the default is 2048 bits. | 115 | the minimum size is 1024 bits and the default is 3072 bits. |
| 113 | Generally, 2048 bits is considered sufficient. DSA keys must be | 116 | Generally, 3072 bits is considered sufficient. DSA keys must be |
| 114 | exactly 1024 bits as specified by FIPS 186-2. For ECDSA keys, | 117 | exactly 1024 bits as specified by FIPS 186-2. For ECDSA keys, |
| 115 | the -b flag determines the key length by selecting from one of | 118 | the -b flag determines the key length by selecting from one of |
| 116 | three elliptic curve sizes: 256, 384 or 521 bits. Attempting to | 119 | three elliptic curve sizes: 256, 384 or 521 bits. Attempting to |
| @@ -220,11 +223,12 @@ DESCRIPTION | |||
| 220 | operation. The latter may be used to convert between OpenSSH | 223 | operation. The latter may be used to convert between OpenSSH |
| 221 | private key and PEM private key formats. The supported key | 224 | private key and PEM private key formats. The supported key |
| 222 | formats are: M-bM-^@M-^\RFC4716M-bM-^@M-^] (RFC 4716/SSH2 public or private key), | 225 | formats are: M-bM-^@M-^\RFC4716M-bM-^@M-^] (RFC 4716/SSH2 public or private key), |
| 223 | M-bM-^@M-^\PKCS8M-bM-^@M-^] (PEM PKCS8 public key) or M-bM-^@M-^\PEMM-bM-^@M-^] (PEM public key). The | 226 | M-bM-^@M-^\PKCS8M-bM-^@M-^] (PKCS8 public or private key) or M-bM-^@M-^\PEMM-bM-^@M-^] (PEM public key). |
| 224 | default conversion format is M-bM-^@M-^\RFC4716M-bM-^@M-^]. Setting a format of | 227 | By default OpenSSH will write newly-generated private keys in its |
| 225 | M-bM-^@M-^\PEMM-bM-^@M-^] when generating or updating a supported private key type | 228 | own format, but when converting public keys for export the |
| 226 | will cause the key to be stored in the legacy PEM private key | 229 | default format is M-bM-^@M-^\RFC4716M-bM-^@M-^]. Setting a format of M-bM-^@M-^\PEMM-bM-^@M-^] when |
| 227 | format. | 230 | generating or updating a supported private key type will cause |
| 231 | the key to be stored in the legacy PEM private key format. | ||
| 228 | 232 | ||
| 229 | -N new_passphrase | 233 | -N new_passphrase |
| 230 | Provides the new passphrase. | 234 | Provides the new passphrase. |
| @@ -342,6 +346,11 @@ DESCRIPTION | |||
| 342 | Specifies the type of key to create. The possible values are | 346 | Specifies the type of key to create. The possible values are |
| 343 | M-bM-^@M-^\dsaM-bM-^@M-^], M-bM-^@M-^\ecdsaM-bM-^@M-^], M-bM-^@M-^\ed25519M-bM-^@M-^], or M-bM-^@M-^\rsaM-bM-^@M-^]. | 347 | M-bM-^@M-^\dsaM-bM-^@M-^], M-bM-^@M-^\ecdsaM-bM-^@M-^], M-bM-^@M-^\ed25519M-bM-^@M-^], or M-bM-^@M-^\rsaM-bM-^@M-^]. |
| 344 | 348 | ||
| 349 | This flag may also be used to specify the desired signature type | ||
| 350 | when signing certificates using an RSA CA key. The available RSA | ||
| 351 | signature variants are M-bM-^@M-^\ssh-rsaM-bM-^@M-^] (SHA1 signatures, not | ||
| 352 | recommended), M-bM-^@M-^\rsa-sha2-256M-bM-^@M-^], and M-bM-^@M-^\rsa-sha2-512M-bM-^@M-^] (the default). | ||
| 353 | |||
| 345 | -U When used in combination with -s, this option indicates that a CA | 354 | -U When used in combination with -s, this option indicates that a CA |
| 346 | key resides in a ssh-agent(1). See the CERTIFICATES section for | 355 | key resides in a ssh-agent(1). See the CERTIFICATES section for |
| 347 | more information. | 356 | more information. |
| @@ -388,6 +397,47 @@ DESCRIPTION | |||
| 388 | -y This option will read a private OpenSSH format file and print an | 397 | -y This option will read a private OpenSSH format file and print an |
| 389 | OpenSSH public key to stdout. | 398 | OpenSSH public key to stdout. |
| 390 | 399 | ||
| 400 | -Y sign | ||
| 401 | Cryptographically sign a file or some data using a SSH key. When | ||
| 402 | signing, ssh-keygen accepts zero or more files to sign on the | ||
| 403 | command-line - if no files are specified then ssh-keygen will | ||
| 404 | sign data presented on standard input. Signatures are written to | ||
| 405 | the path of the input file with M-bM-^@M-^\.sigM-bM-^@M-^] appended, or to standard | ||
| 406 | output if the message to be signed was read from standard input. | ||
| 407 | |||
| 408 | The key used for signing is specified using the -f option and may | ||
| 409 | refer to either a private key, or a public key with the private | ||
| 410 | half available via ssh-agent(1). An additional signature | ||
| 411 | namespace, used to prevent signature confusion across different | ||
| 412 | domains of use (e.g. file signing vs email signing) must be | ||
| 413 | provided via the -n flag. Namespaces are arbitrary strings, and | ||
| 414 | may include: M-bM-^@M-^\fileM-bM-^@M-^] for file signing, M-bM-^@M-^\emailM-bM-^@M-^] for email signing. | ||
| 415 | For custom uses, it is recommended to use names following a | ||
| 416 | NAMESPACE@YOUR.DOMAIN pattern to generate unambiguous namespaces. | ||
| 417 | |||
| 418 | -Y verify | ||
| 419 | Request to verify a signature generated using ssh-keygen -Y sign | ||
| 420 | as described above. When verifying a signature, ssh-keygen | ||
| 421 | accepts a message on standard input and a signature namespace | ||
| 422 | using -n. A file containing the corresponding signature must | ||
| 423 | also be supplied using the -s flag, along with the identity of | ||
| 424 | the signer using -I and a list of allowed signers via the -f | ||
| 425 | flag. The format of the allowed signers file is documented in | ||
| 426 | the ALLOWED SIGNERS section below. A file containing revoked | ||
| 427 | keys can be passed using the -r flag. The revocation file may be | ||
| 428 | a KRL or a one-per-line list of public keys. Successful | ||
| 429 | verification by an authorized signer is signalled by ssh-keygen | ||
| 430 | |||
| 431 | -Y check-novalidate | ||
| 432 | Checks that a signature generated using ssh-keygen -Y sign has a | ||
| 433 | valid structure. This does not validate if a signature comes | ||
| 434 | from an authorized signer. When testing a signature, ssh-keygen | ||
| 435 | accepts a message on standard input and a signature namespace | ||
| 436 | using -n. A file containing the corresponding signature must | ||
| 437 | also be supplied using the -s flag. Successful testing of the | ||
| 438 | signature is signalled by ssh-keygen returning a zero exit | ||
| 439 | status. | ||
| 440 | |||
| 391 | -z serial_number | 441 | -z serial_number |
| 392 | Specifies a serial number to be embedded in the certificate to | 442 | Specifies a serial number to be embedded in the certificate to |
| 393 | distinguish this certificate from others from the same CA. If | 443 | distinguish this certificate from others from the same CA. If |
| @@ -556,6 +606,51 @@ KEY REVOCATION LISTS | |||
| 556 | non-zero exit status. A zero exit status will only be returned if no key | 606 | non-zero exit status. A zero exit status will only be returned if no key |
| 557 | was revoked. | 607 | was revoked. |
| 558 | 608 | ||
| 609 | ALLOWED SIGNERS | ||
| 610 | When verifying signatures, ssh-keygen uses a simple list of identities | ||
| 611 | and keys to determine whether a signature comes from an authorized | ||
| 612 | source. This "allowed signers" file uses a format patterned after the | ||
| 613 | AUTHORIZED_KEYS FILE FORMAT described in sshd(8). Each line of the file | ||
| 614 | contains the following space-separated fields: principals, options, | ||
| 615 | keytype, base64-encoded key. Empty lines and lines starting with a M-bM-^@M-^X#M-bM-^@M-^Y | ||
| 616 | are ignored as comments. | ||
| 617 | |||
| 618 | The principals field is a pattern-list (See PATTERNS in ssh_config(5)) | ||
| 619 | consisting of one or more comma-separated USER@DOMAIN identity patterns | ||
| 620 | that are accepted for signing. When verifying, the identity presented | ||
| 621 | via the -I -option must match a principals pattern in order for the | ||
| 622 | corresponding key to be considered acceptable for verification. | ||
| 623 | |||
| 624 | The options (if present) consist of comma-separated option | ||
| 625 | specifications. No spaces are permitted, except within double quotes. | ||
| 626 | The following option specifications are supported (note that option | ||
| 627 | keywords are case-insensitive): | ||
| 628 | |||
| 629 | cert-authority | ||
| 630 | Indicates that this key is accepted as a certificate authority | ||
| 631 | (CA) and that certificates signed by this CA may be accepted for | ||
| 632 | verification. | ||
| 633 | |||
| 634 | namespaces="namespace-list" | ||
| 635 | Specifies a pattern-list of namespaces that are accepted for this | ||
| 636 | key. If this option is present, the signature namespace embedded | ||
| 637 | in the signature object and presented on the verification | ||
| 638 | command-line must match the specified list before the key will be | ||
| 639 | considered acceptable. | ||
| 640 | |||
| 641 | When verifying signatures made by certificates, the expected principal | ||
| 642 | name must match both the principals pattern in the allowed signers file | ||
| 643 | and the principals embedded in the certificate itself. | ||
| 644 | |||
| 645 | An example allowed signers file: | ||
| 646 | |||
| 647 | # Comments allowed at start of line | ||
| 648 | user1@example.com,user2@example.com ssh-rsa AAAAX1... | ||
| 649 | # A certificate authority, trusted for all principals in a domain. | ||
| 650 | *@example.com cert-authority ssh-ed25519 AAAB4... | ||
| 651 | # A key that is accepted only for file signing. | ||
| 652 | user2@example.com namespaces="file" ssh-ed25519 AAA41... | ||
| 653 | |||
| 559 | FILES | 654 | FILES |
| 560 | ~/.ssh/id_dsa | 655 | ~/.ssh/id_dsa |
| 561 | ~/.ssh/id_ecdsa | 656 | ~/.ssh/id_ecdsa |
| @@ -596,4 +691,4 @@ AUTHORS | |||
| 596 | created OpenSSH. Markus Friedl contributed the support for SSH protocol | 691 | created OpenSSH. Markus Friedl contributed the support for SSH protocol |
| 597 | versions 1.5 and 2.0. | 692 | versions 1.5 and 2.0. |
| 598 | 693 | ||
| 599 | OpenBSD 6.5 March 5, 2019 OpenBSD 6.5 | 694 | OpenBSD 6.6 October 3, 2019 OpenBSD 6.6 |