diff options
author | Colin Watson <cjwatson@debian.org> | 2019-10-09 22:59:48 +0100 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2019-10-09 22:59:48 +0100 |
commit | 4213eec74e74de6310c27a40c3e9759a08a73996 (patch) | |
tree | e97a6dcafc6763aea7c804e4e113c2750cb1400d /ssh-keygen.0 | |
parent | 102062f825fb26a74295a1c089c00c4c4c76b68a (diff) | |
parent | cdf1d0a9f5d18535e0a18ff34860e81a6d83aa5c (diff) |
Import openssh_8.1p1.orig.tar.gz
Diffstat (limited to 'ssh-keygen.0')
-rw-r--r-- | ssh-keygen.0 | 149 |
1 files changed, 122 insertions, 27 deletions
diff --git a/ssh-keygen.0 b/ssh-keygen.0 index 1fe19f0b6..b68736c11 100644 --- a/ssh-keygen.0 +++ b/ssh-keygen.0 | |||
@@ -4,33 +4,36 @@ NAME | |||
4 | ssh-keygen M-bM-^@M-^S authentication key generation, management and conversion | 4 | ssh-keygen M-bM-^@M-^S authentication key generation, management and conversion |
5 | 5 | ||
6 | SYNOPSIS | 6 | SYNOPSIS |
7 | ssh-keygen [-q] [-b bits] [-t dsa | ecdsa | ed25519 | rsa] | 7 | ssh-keygen [-q] [-b bits] [-C comment] [-f output_keyfile] [-m format] |
8 | [-N new_passphrase] [-C comment] [-f output_keyfile] | 8 | [-N new_passphrase] [-t dsa | ecdsa | ed25519 | rsa] |
9 | [-m format] | 9 | ssh-keygen -p [-f keyfile] [-m format] [-N new_passphrase] |
10 | ssh-keygen -p [-P old_passphrase] [-N new_passphrase] [-f keyfile] | 10 | [-P old_passphrase] |
11 | [-m format] | 11 | ssh-keygen -i [-f input_keyfile] [-m key_format] |
12 | ssh-keygen -i [-m key_format] [-f input_keyfile] | 12 | ssh-keygen -e [-f input_keyfile] [-m key_format] |
13 | ssh-keygen -e [-m key_format] [-f input_keyfile] | ||
14 | ssh-keygen -y [-f input_keyfile] | 13 | ssh-keygen -y [-f input_keyfile] |
15 | ssh-keygen -c [-P passphrase] [-C comment] [-f keyfile] | 14 | ssh-keygen -c [-C comment] [-f keyfile] [-P passphrase] |
16 | ssh-keygen -l [-v] [-E fingerprint_hash] [-f input_keyfile] | 15 | ssh-keygen -l [-v] [-E fingerprint_hash] [-f input_keyfile] |
17 | ssh-keygen -B [-f input_keyfile] | 16 | ssh-keygen -B [-f input_keyfile] |
18 | ssh-keygen -D pkcs11 | 17 | ssh-keygen -D pkcs11 |
19 | ssh-keygen -F hostname [-f known_hosts_file] [-l] | 18 | ssh-keygen -F hostname [-lv] [-f known_hosts_file] |
20 | ssh-keygen -H [-f known_hosts_file] | 19 | ssh-keygen -H [-f known_hosts_file] |
21 | ssh-keygen -R hostname [-f known_hosts_file] | 20 | ssh-keygen -R hostname [-f known_hosts_file] |
22 | ssh-keygen -r hostname [-f input_keyfile] [-g] | 21 | ssh-keygen -r hostname [-g] [-f input_keyfile] |
23 | ssh-keygen -G output_file [-v] [-b bits] [-M memory] [-S start_point] | 22 | ssh-keygen -G output_file [-v] [-b bits] [-M memory] [-S start_point] |
24 | ssh-keygen -T output_file -f input_file [-v] [-a rounds] [-J num_lines] | 23 | ssh-keygen -f input_file -T output_file [-v] [-a rounds] [-J num_lines] |
25 | [-j start_line] [-K checkpt] [-W generator] | 24 | [-j start_line] [-K checkpt] [-W generator] |
26 | ssh-keygen -s ca_key -I certificate_identity [-h] [-U] | 25 | ssh-keygen -I certificate_identity -s ca_key [-hU] [-D pkcs11_provider] |
27 | [-D pkcs11_provider] [-n principals] [-O option] | 26 | [-n principals] [-O option] [-V validity_interval] |
28 | [-V validity_interval] [-z serial_number] file ... | 27 | [-z serial_number] file ... |
29 | ssh-keygen -L [-f input_keyfile] | 28 | ssh-keygen -L [-f input_keyfile] |
30 | ssh-keygen -A [-f prefix_path] | 29 | ssh-keygen -A [-f prefix_path] |
31 | ssh-keygen -k -f krl_file [-u] [-s ca_public] [-z version_number] | 30 | ssh-keygen -k -f krl_file [-u] [-s ca_public] [-z version_number] |
32 | file ... | 31 | file ... |
33 | ssh-keygen -Q -f krl_file file ... | 32 | ssh-keygen -Q -f krl_file file ... |
33 | ssh-keygen -Y check-novalidate -n namespace -s signature_file | ||
34 | ssh-keygen -Y sign -f key_file -n namespace file ... | ||
35 | ssh-keygen -Y verify -f allowed_signers_file -I signer_identity | ||
36 | -n namespace -s signature_file [-r revocation_file] | ||
34 | 37 | ||
35 | DESCRIPTION | 38 | DESCRIPTION |
36 | ssh-keygen generates, manages and converts authentication keys for | 39 | ssh-keygen generates, manages and converts authentication keys for |
@@ -96,12 +99,12 @@ DESCRIPTION | |||
96 | new host keys. | 99 | new host keys. |
97 | 100 | ||
98 | -a rounds | 101 | -a rounds |
99 | When saving a private key this option specifies the number of KDF | 102 | When saving a private key, this option specifies the number of |
100 | (key derivation function) rounds used. Higher numbers result in | 103 | KDF (key derivation function) rounds used. Higher numbers result |
101 | slower passphrase verification and increased resistance to brute- | 104 | in slower passphrase verification and increased resistance to |
102 | force password cracking (should the keys be stolen). | 105 | brute-force password cracking (should the keys be stolen). |
103 | 106 | ||
104 | When screening DH-GEX candidates (using the -T command). This | 107 | When screening DH-GEX candidates (using the -T command), this |
105 | option specifies the number of primality tests to perform. | 108 | option specifies the number of primality tests to perform. |
106 | 109 | ||
107 | -B Show the bubblebabble digest of specified private or public key | 110 | -B Show the bubblebabble digest of specified private or public key |
@@ -109,8 +112,8 @@ DESCRIPTION | |||
109 | 112 | ||
110 | -b bits | 113 | -b bits |
111 | Specifies the number of bits in the key to create. For RSA keys, | 114 | Specifies the number of bits in the key to create. For RSA keys, |
112 | the minimum size is 1024 bits and the default is 2048 bits. | 115 | the minimum size is 1024 bits and the default is 3072 bits. |
113 | Generally, 2048 bits is considered sufficient. DSA keys must be | 116 | Generally, 3072 bits is considered sufficient. DSA keys must be |
114 | exactly 1024 bits as specified by FIPS 186-2. For ECDSA keys, | 117 | exactly 1024 bits as specified by FIPS 186-2. For ECDSA keys, |
115 | the -b flag determines the key length by selecting from one of | 118 | the -b flag determines the key length by selecting from one of |
116 | three elliptic curve sizes: 256, 384 or 521 bits. Attempting to | 119 | three elliptic curve sizes: 256, 384 or 521 bits. Attempting to |
@@ -220,11 +223,12 @@ DESCRIPTION | |||
220 | operation. The latter may be used to convert between OpenSSH | 223 | operation. The latter may be used to convert between OpenSSH |
221 | private key and PEM private key formats. The supported key | 224 | private key and PEM private key formats. The supported key |
222 | formats are: M-bM-^@M-^\RFC4716M-bM-^@M-^] (RFC 4716/SSH2 public or private key), | 225 | formats are: M-bM-^@M-^\RFC4716M-bM-^@M-^] (RFC 4716/SSH2 public or private key), |
223 | M-bM-^@M-^\PKCS8M-bM-^@M-^] (PEM PKCS8 public key) or M-bM-^@M-^\PEMM-bM-^@M-^] (PEM public key). The | 226 | M-bM-^@M-^\PKCS8M-bM-^@M-^] (PKCS8 public or private key) or M-bM-^@M-^\PEMM-bM-^@M-^] (PEM public key). |
224 | default conversion format is M-bM-^@M-^\RFC4716M-bM-^@M-^]. Setting a format of | 227 | By default OpenSSH will write newly-generated private keys in its |
225 | M-bM-^@M-^\PEMM-bM-^@M-^] when generating or updating a supported private key type | 228 | own format, but when converting public keys for export the |
226 | will cause the key to be stored in the legacy PEM private key | 229 | default format is M-bM-^@M-^\RFC4716M-bM-^@M-^]. Setting a format of M-bM-^@M-^\PEMM-bM-^@M-^] when |
227 | format. | 230 | generating or updating a supported private key type will cause |
231 | the key to be stored in the legacy PEM private key format. | ||
228 | 232 | ||
229 | -N new_passphrase | 233 | -N new_passphrase |
230 | Provides the new passphrase. | 234 | Provides the new passphrase. |
@@ -342,6 +346,11 @@ DESCRIPTION | |||
342 | Specifies the type of key to create. The possible values are | 346 | Specifies the type of key to create. The possible values are |
343 | M-bM-^@M-^\dsaM-bM-^@M-^], M-bM-^@M-^\ecdsaM-bM-^@M-^], M-bM-^@M-^\ed25519M-bM-^@M-^], or M-bM-^@M-^\rsaM-bM-^@M-^]. | 347 | M-bM-^@M-^\dsaM-bM-^@M-^], M-bM-^@M-^\ecdsaM-bM-^@M-^], M-bM-^@M-^\ed25519M-bM-^@M-^], or M-bM-^@M-^\rsaM-bM-^@M-^]. |
344 | 348 | ||
349 | This flag may also be used to specify the desired signature type | ||
350 | when signing certificates using an RSA CA key. The available RSA | ||
351 | signature variants are M-bM-^@M-^\ssh-rsaM-bM-^@M-^] (SHA1 signatures, not | ||
352 | recommended), M-bM-^@M-^\rsa-sha2-256M-bM-^@M-^], and M-bM-^@M-^\rsa-sha2-512M-bM-^@M-^] (the default). | ||
353 | |||
345 | -U When used in combination with -s, this option indicates that a CA | 354 | -U When used in combination with -s, this option indicates that a CA |
346 | key resides in a ssh-agent(1). See the CERTIFICATES section for | 355 | key resides in a ssh-agent(1). See the CERTIFICATES section for |
347 | more information. | 356 | more information. |
@@ -388,6 +397,47 @@ DESCRIPTION | |||
388 | -y This option will read a private OpenSSH format file and print an | 397 | -y This option will read a private OpenSSH format file and print an |
389 | OpenSSH public key to stdout. | 398 | OpenSSH public key to stdout. |
390 | 399 | ||
400 | -Y sign | ||
401 | Cryptographically sign a file or some data using a SSH key. When | ||
402 | signing, ssh-keygen accepts zero or more files to sign on the | ||
403 | command-line - if no files are specified then ssh-keygen will | ||
404 | sign data presented on standard input. Signatures are written to | ||
405 | the path of the input file with M-bM-^@M-^\.sigM-bM-^@M-^] appended, or to standard | ||
406 | output if the message to be signed was read from standard input. | ||
407 | |||
408 | The key used for signing is specified using the -f option and may | ||
409 | refer to either a private key, or a public key with the private | ||
410 | half available via ssh-agent(1). An additional signature | ||
411 | namespace, used to prevent signature confusion across different | ||
412 | domains of use (e.g. file signing vs email signing) must be | ||
413 | provided via the -n flag. Namespaces are arbitrary strings, and | ||
414 | may include: M-bM-^@M-^\fileM-bM-^@M-^] for file signing, M-bM-^@M-^\emailM-bM-^@M-^] for email signing. | ||
415 | For custom uses, it is recommended to use names following a | ||
416 | NAMESPACE@YOUR.DOMAIN pattern to generate unambiguous namespaces. | ||
417 | |||
418 | -Y verify | ||
419 | Request to verify a signature generated using ssh-keygen -Y sign | ||
420 | as described above. When verifying a signature, ssh-keygen | ||
421 | accepts a message on standard input and a signature namespace | ||
422 | using -n. A file containing the corresponding signature must | ||
423 | also be supplied using the -s flag, along with the identity of | ||
424 | the signer using -I and a list of allowed signers via the -f | ||
425 | flag. The format of the allowed signers file is documented in | ||
426 | the ALLOWED SIGNERS section below. A file containing revoked | ||
427 | keys can be passed using the -r flag. The revocation file may be | ||
428 | a KRL or a one-per-line list of public keys. Successful | ||
429 | verification by an authorized signer is signalled by ssh-keygen | ||
430 | |||
431 | -Y check-novalidate | ||
432 | Checks that a signature generated using ssh-keygen -Y sign has a | ||
433 | valid structure. This does not validate if a signature comes | ||
434 | from an authorized signer. When testing a signature, ssh-keygen | ||
435 | accepts a message on standard input and a signature namespace | ||
436 | using -n. A file containing the corresponding signature must | ||
437 | also be supplied using the -s flag. Successful testing of the | ||
438 | signature is signalled by ssh-keygen returning a zero exit | ||
439 | status. | ||
440 | |||
391 | -z serial_number | 441 | -z serial_number |
392 | Specifies a serial number to be embedded in the certificate to | 442 | Specifies a serial number to be embedded in the certificate to |
393 | distinguish this certificate from others from the same CA. If | 443 | distinguish this certificate from others from the same CA. If |
@@ -556,6 +606,51 @@ KEY REVOCATION LISTS | |||
556 | non-zero exit status. A zero exit status will only be returned if no key | 606 | non-zero exit status. A zero exit status will only be returned if no key |
557 | was revoked. | 607 | was revoked. |
558 | 608 | ||
609 | ALLOWED SIGNERS | ||
610 | When verifying signatures, ssh-keygen uses a simple list of identities | ||
611 | and keys to determine whether a signature comes from an authorized | ||
612 | source. This "allowed signers" file uses a format patterned after the | ||
613 | AUTHORIZED_KEYS FILE FORMAT described in sshd(8). Each line of the file | ||
614 | contains the following space-separated fields: principals, options, | ||
615 | keytype, base64-encoded key. Empty lines and lines starting with a M-bM-^@M-^X#M-bM-^@M-^Y | ||
616 | are ignored as comments. | ||
617 | |||
618 | The principals field is a pattern-list (See PATTERNS in ssh_config(5)) | ||
619 | consisting of one or more comma-separated USER@DOMAIN identity patterns | ||
620 | that are accepted for signing. When verifying, the identity presented | ||
621 | via the -I -option must match a principals pattern in order for the | ||
622 | corresponding key to be considered acceptable for verification. | ||
623 | |||
624 | The options (if present) consist of comma-separated option | ||
625 | specifications. No spaces are permitted, except within double quotes. | ||
626 | The following option specifications are supported (note that option | ||
627 | keywords are case-insensitive): | ||
628 | |||
629 | cert-authority | ||
630 | Indicates that this key is accepted as a certificate authority | ||
631 | (CA) and that certificates signed by this CA may be accepted for | ||
632 | verification. | ||
633 | |||
634 | namespaces="namespace-list" | ||
635 | Specifies a pattern-list of namespaces that are accepted for this | ||
636 | key. If this option is present, the signature namespace embedded | ||
637 | in the signature object and presented on the verification | ||
638 | command-line must match the specified list before the key will be | ||
639 | considered acceptable. | ||
640 | |||
641 | When verifying signatures made by certificates, the expected principal | ||
642 | name must match both the principals pattern in the allowed signers file | ||
643 | and the principals embedded in the certificate itself. | ||
644 | |||
645 | An example allowed signers file: | ||
646 | |||
647 | # Comments allowed at start of line | ||
648 | user1@example.com,user2@example.com ssh-rsa AAAAX1... | ||
649 | # A certificate authority, trusted for all principals in a domain. | ||
650 | *@example.com cert-authority ssh-ed25519 AAAB4... | ||
651 | # A key that is accepted only for file signing. | ||
652 | user2@example.com namespaces="file" ssh-ed25519 AAA41... | ||
653 | |||
559 | FILES | 654 | FILES |
560 | ~/.ssh/id_dsa | 655 | ~/.ssh/id_dsa |
561 | ~/.ssh/id_ecdsa | 656 | ~/.ssh/id_ecdsa |
@@ -596,4 +691,4 @@ AUTHORS | |||
596 | created OpenSSH. Markus Friedl contributed the support for SSH protocol | 691 | created OpenSSH. Markus Friedl contributed the support for SSH protocol |
597 | versions 1.5 and 2.0. | 692 | versions 1.5 and 2.0. |
598 | 693 | ||
599 | OpenBSD 6.5 March 5, 2019 OpenBSD 6.5 | 694 | OpenBSD 6.6 October 3, 2019 OpenBSD 6.6 |