author | djm@openbsd.org <djm@openbsd.org> | 2018-08-08 01:16:01 +0000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2018-08-08 11:18:05 +1000 |
commit | ed7bd5d93fe14c7bd90febd29b858ea985d14d45 (patch) | |
tree | d33efae6fa03d1242f851b3d2f21b808809cde37 /ssh-keygen.1 | |
parent | 967226a1bdde59ea137e8f0df871854ff7b91366 (diff) |
upstream: Use new private key format by default. This format is
supported by OpenSSH >= 6.5 (released January 2014), so it should be supported
by most OpenSSH versions in active use.
It is possible to convert new-format private keys to the older
format using "ssh-keygen -f /path/key -pm PEM".
ok deraadt dtucker
OpenBSD-Commit-ID: e3bd4f2509a2103bfa2f710733426af3ad6d8ab8
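Added audit helper (not part of this commit or of OpenSSH): it reads a private key file's armor header, flags files still in the legacy PEM format the commit message talks about, and for the new OpenSSH format decodes the unencrypted preamble to report the cipher, KDF name and the round count that the `-a` option sets. The sample blob is constructed inside the code with dummy key material and is not a usable key.

```python
import base64
import struct

# Armor headers as written by ssh-keygen; the PEM ones are the legacy format
# produced by "-m PEM", the OPENSSH one is the new default format.
NEW_HDR = "-----BEGIN OPENSSH PRIVATE KEY-----"
LEGACY_HDRS = ("-----BEGIN RSA PRIVATE KEY-----",
               "-----BEGIN DSA PRIVATE KEY-----",
               "-----BEGIN EC PRIVATE KEY-----")
MAGIC = b"openssh-key-v1\x00"  # AUTH_MAGIC from PROTOCOL.key

def _take_string(buf, off):
    # SSH wire "string": uint32 big-endian length followed by that many bytes.
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n

def inspect_private_key(text):
    # Returns a dict describing the on-disk format; only the unencrypted
    # preamble of the new format is parsed, never the private key material.
    lines = [l.strip() for l in text.strip().splitlines()]
    if lines[0] in LEGACY_HDRS:
        return {"format": "PEM", "encrypted": "Proc-Type: 4,ENCRYPTED" in text}
    if lines[0] != NEW_HDR:
        raise ValueError("unrecognised private key file")
    blob = base64.b64decode("".join(lines[1:-1]))
    if not blob.startswith(MAGIC):
        raise ValueError("bad openssh-key-v1 magic")
    off = len(MAGIC)
    cipher, off = _take_string(blob, off)
    kdf, off = _take_string(blob, off)
    kdfopts, off = _take_string(blob, off)
    info = {"format": "OPENSSH", "cipher": cipher.decode(), "kdf": kdf.decode()}
    if kdf == b"bcrypt":
        # kdfoptions for bcrypt: string salt, uint32 rounds (the "-a" value).
        _salt, o = _take_string(kdfopts, 0)
        (info["rounds"],) = struct.unpack(">I", kdfopts[o:o + 4])
    return info

def build_sample(cipher, kdf, rounds):
    # Constructed sample: a well-formed openssh-key-v1 preamble followed by
    # dummy public/private sections, enough to exercise the parser.
    def s(b):
        return struct.pack(">I", len(b)) + b
    kdfopts = (s(b"\x00" * 16) + struct.pack(">I", rounds)) if kdf == b"bcrypt" else b""
    blob = (MAGIC + s(cipher) + s(kdf) + s(kdfopts) + struct.pack(">I", 1)
            + s(b"dummy-public") + s(b"dummy-private"))
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"{NEW_HDR}\n{body}\n-----END OPENSSH PRIVATE KEY-----\n"
```

On a real file, pass `open(path).read()` to `inspect_private_key()`; a `"PEM"` result marks a key that is still in the older format and could be re-saved with `ssh-keygen -p` to gain the bcrypt KDF.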
Diffstat (limited to 'ssh-keygen.1')
-rw-r--r-- | ssh-keygen.1 | 24 |
1 files changed, 8 insertions, 16 deletions
diff --git a/ssh-keygen.1 b/ssh-keygen.1 index 3525d7d17..dd6e7e5a8 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1 | |||
@@ -1,4 +1,4 @@ | |||
1 | .\" $OpenBSD: ssh-keygen.1,v 1.147 2018/03/12 00:52:01 djm Exp $ | 1 | .\" $OpenBSD: ssh-keygen.1,v 1.148 2018/08/08 01:16:01 djm Exp $ |
2 | .\" | 2 | .\" |
3 | .\" Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | .\" Author: Tatu Ylonen <ylo@cs.hut.fi> |
4 | .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
@@ -35,7 +35,7 @@ | |||
35 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 35 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
36 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 36 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
37 | .\" | 37 | .\" |
38 | .Dd $Mdocdate: March 12 2018 $ | 38 | .Dd $Mdocdate: August 8 2018 $ |
39 | .Dt SSH-KEYGEN 1 | 39 | .Dt SSH-KEYGEN 1 |
40 | .Os | 40 | .Os |
41 | .Sh NAME | 41 | .Sh NAME |
@@ -233,10 +233,8 @@ This is used by | |||
233 | .Pa /etc/rc | 233 | .Pa /etc/rc |
234 | to generate new host keys. | 234 | to generate new host keys. |
235 | .It Fl a Ar rounds | 235 | .It Fl a Ar rounds |
236 | When saving a new-format private key (i.e. an ed25519 key or when the | 236 | When saving a private key this option specifies the number of KDF |
237 | .Fl o | 237 | (key derivation function) rounds used. |
238 | flag is set), this option specifies the number of KDF (key derivation function) | ||
239 | rounds used. | ||
240 | Higher numbers result in slower passphrase verification and increased | 238 | Higher numbers result in slower passphrase verification and increased |
241 | resistance to brute-force password cracking (should the keys be stolen). | 239 | resistance to brute-force password cracking (should the keys be stolen). |
242 | .Pp | 240 | .Pp |
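Review bot: The rewritten -a sentence ("When saving a private key this option specifies the number of KDF (key derivation function) rounds used.") drops the qualification that rounds apply only to the new-format file, yet this same patch introduces -m PEM, which writes legacy keys that use no KDF round count at all; the text now overpromises for that path. Suggest "When saving a private key in the new OpenSSH format, ..." or an explicit note that -a has no effect together with -m PEM. Minor: a comma after "private key" would read better.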
@@ -264,8 +262,6 @@ flag will be ignored. | |||
264 | Provides a new comment. | 262 | Provides a new comment. |
265 | .It Fl c | 263 | .It Fl c |
266 | Requests changing the comment in the private and public key files. | 264 | Requests changing the comment in the private and public key files. |
267 | This operation is only supported for keys stored in the | ||
268 | newer OpenSSH format. | ||
269 | The program will prompt for the file containing the private keys, for | 265 | The program will prompt for the file containing the private keys, for |
270 | the passphrase if the key has one, and for the new comment. | 266 | the passphrase if the key has one, and for the new comment. |
271 | .It Fl D Ar pkcs11 | 267 | .It Fl D Ar pkcs11 |
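Review bot: Removing "This operation is only supported for keys stored in the newer OpenSSH format." from -c is only right if the limitation itself went away; since -m PEM in this patch still produces legacy-format files, comment editing on those files either remains unsupported and should still be documented, or the removal should be confirmed against the ssh-keygen.c behaviour. Suggest keeping a sentence such as "Changing the comment is not supported for keys stored in the legacy PEM format."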
@@ -410,6 +406,10 @@ or | |||
410 | (PEM public key). | 406 | (PEM public key). |
411 | The default conversion format is | 407 | The default conversion format is |
412 | .Dq RFC4716 . | 408 | .Dq RFC4716 . |
409 | Setting a format of | ||
410 | .Dq PEM | ||
411 | when generating or updating a supported private key type will cause the | ||
412 | key to be stored in the legacy PEM private key format. | ||
413 | .It Fl N Ar new_passphrase | 413 | .It Fl N Ar new_passphrase |
414 | Provides the new passphrase. | 414 | Provides the new passphrase. |
415 | .It Fl n Ar principals | 415 | .It Fl n Ar principals |
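Review bot: "when generating or updating a supported private key type" leaves the reader guessing which types can be written as PEM; the -o paragraph deleted later in this patch stated that Ed25519 keys always use the new format, and that fact should survive here (e.g. "RSA, DSA and ECDSA keys; Ed25519 keys are always stored in the new format"). The paragraph also does not say how an existing key reaches this path: the commit message gives "ssh-keygen -f /path/key -pm PEM", so a cross-reference to -p here would stop readers assuming -m only affects -e/-i conversions.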
@@ -504,14 +504,6 @@ The | |||
504 | is a comma-separated list of one or more address/netmask pairs in CIDR | 504 | is a comma-separated list of one or more address/netmask pairs in CIDR |
505 | format. | 505 | format. |
506 | .El | 506 | .El |
507 | .It Fl o | ||
508 | Causes | ||
509 | .Nm | ||
510 | to save private keys using the new OpenSSH format rather than | ||
511 | the more compatible PEM format. | ||
512 | The new format has increased resistance to brute-force password cracking | ||
513 | but is not supported by versions of OpenSSH prior to 6.5. | ||
514 | Ed25519 keys always use the new private key format. | ||
515 | .It Fl P Ar passphrase | 507 | .It Fl P Ar passphrase |
516 | Provides the (old) passphrase. | 508 | Provides the (old) passphrase. |
517 | .It Fl p | 509 | .It Fl p |
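Review bot: Deleting the whole -o entry removes the only place the manual states the compatibility cut-off ("not supported by versions of OpenSSH prior to 6.5") and the stronger brute-force resistance of the new format; now that the format is the default, that caveat belongs in the -m PEM paragraph or in the DESCRIPTION so users who must share keys with older OpenSSH releases know to pass -m PEM. If ssh-keygen still accepts -o on the command line for compatibility, the page should also say it is now a no-op rather than dropping it silently.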